Progressing any further then is prosecutable. They were explicitly warned (like in tresspassing) and logged.
The main defense of people (legitimate, and one that works is) "hey, I didn't know. I thought it was so-and-so's site."
With the warning, this doesn't fly.
Here, verbatim:
Background
The Warning Message is a notice to all users of a computer system that the use of the system is subject to certain restrictions:
The system is for authorized users for business purposes only
Unauthorized use will be punished
Use of the system may be monitored
Users must protect information
The wording of the message is actually dictated by the U.S. Department of Justice in cooperation with the Law Department. The warning has been carefully worded to help Lucent and the Government prosecute unauthorized users. If an intruder breaks into a computer system which does not display the warning message the case against the intruder is substantially weakened and may, in fact, be dismissed.
Message Formats
The Warning Message comes in two forms: the standard message and the short message. The standard message should be used in all cases except where physical limitations prevent its display. The standard message is as follows:
Warning Notice
This system is restricted solely to authorized users for legitimate business purposes only. The actual or attempted unauthorized access, use, or modification of this system is strictly prohibited by . Unauthorized users are subject to Company disciplinary proceedings and/or criminal and civil penalties under state, federal, or other applicable domestic and foreign laws. The use of this system may be monitored and recorded for administrative and security reasons. Anyone accessing this system expressly consents to such monitoring and is advised that if monitoring reveals possible evidence of criminal activity, may provide the evidence of such activity to law enforcement officials. All users must comply with Corporate Instructions regarding the protection of information assets.
The short message is as follows:
Warning: This system is restricted to authorized users for business purposes. Unauthorized access is a violation of the law. This service may be monitored for administrative and security reasons. By proceeding, you consent to this monitoring.
It is not possible with a web client (other than maybe 'telnet') to connect to a web server and not get the "default" data. The default setting of a web server is to not require/request/respond to user authentication information. You have to enter it explicitly for the server.
Connecting to an SQL server with a client only establishes a connection -- no data is requested. The default actions of the server are to require a user and database name -- and unless explicitly turned off, a password. No records are sent across -- you have to ask for them (and know what you are asking for). --
Charles E. Hill
Logs == Cameras in this case -- they just aren't visible to the "naked eye".
Okay, I'll concede the bank analogy.
The simple fact remains that having an SQL server accesable by the Internet *doesn't* mean it is intended for the public. I can lease space in a strip mall and run a business by appointment only or only for my established clientel -- not for the browsing public even though my door is "open".
My point is the service isn't offered until you have an agreement with the bank.
Yes they DO have terminals that can browse everyone's account. They are for INTERNAL use, even though they may be sitting on someone's desk in the middile of a wall-less cube.
Just because I have an SQL server that is net accessable for convience, doesn't mean everyone is allowed to browse all the data. (Yes, it is a dumb idea, but that isn't the point.)
If I take a $20 bill and put it on the dash of my car, windows open and parked on a public street -- no one has the right to reach in and take it.
Okay, change that $20 to proprietary customer list (no cash value, but business data with business value). The list is upside down -- you can't read it without turning it over. Legally, you don't have the right to reach in and turn it over. If it was right-side up, you could read it to your heart's content.
Connecting an SQL client to a server doesn't spew data at you (like a web server does). You have to enter a query and ask for data (reach in and turn the paper over). That is ILLEGAL.
A web site is not the same thing, as it's intent is public information (unless it is on a private network) and it presents data simply by connecting -- you don't have to "ask".
Don't worry about the last one. In the FUTURE, make a solid point about your proactive security and examples of how you deal with everything.
Make it so THEY will approach other company about security concerns.
Point out the increased awareness in security in general; more hacks and vulnerabilities reported daily; and have a list of potential weak points of competitors systems.
Read it again. He was describing "common law burglary".
B & E has nothing to do with "intent to remove property"; nor is it restricted to "night" or "private dwellings". It does require some form of force -- pushing a door open; breaking a window; etc. Simply walking in an open door doesn't cut it.
There is a similar law in many jurisdictions called "unlawful entry" that is a bit looser (and not as severe as B&E). This can be applied in the "walk in the open door" case.
On the other hand, there are some interesting peculiarities with computer sites (FTP/WWW/SQL/Whatever) that start with "Welcome!".
When I was a SysAdmin at a big company, we had "greeting" messages that were written by the legal dept just for this purpose. They were warnings about unauthorized access.
Come to think of it, my laptop boots with one on the login screen -- as does the FTP "welcome" message when I am running a server off of the laptop (company property). I've seen it so often I tune it out.
You are confusing "publically available" with "available to the public".
If a business (say a bank) does business "available to the public", that means you can do business with them. It doesn't mean if there is an open terminal you can browse other people's account information. They provide a PRIVATE service that is available to the public in general.
Unlike, say, a public water fountain in the park -- where anyone and everyone can use it.
Just because a company does business with the public doesn't mean that all the business itself is public. --
Charles E. Hill
Just because it is on the Internet, doesn't give you permission to browse through it. If I leave my doors unlocked (and even standing wide open), it does not give you the right to wander through my house -- that's tresspassing.
Computer Tresspass is similar. In Florida, unauthorized access to computer systems you don't have explicit permission to access is punishable by up to 20 years in prison.
You wouldn't get away with this in non-cyberspace, I don't know why you think you can *in* cyberspace.
IBM doesn't need to rely on other people's innovations to their code. They are the largest patent holder/producer in the world.
IBM collects Billions every year in royalty payments for IP. That revenue would NOT be made up in any fashion by making all their IP GPL. As a stockholder, I'd initiate a suit as fast as I could call my lawyer if IBM GPL'd their IP.
Some, yes as it is beneficial. All? No way. --
Charles E. Hill
Yes, my kids (11, 11, 12) loved it. I loved it. While not as novel as the first -- and packed with FX from beginning to end, it was FUN! --
Charles E. Hill
I wasn't sure you knew about InfoSec. Ignoring the bad (InfoSec) in favor of just the good (OpenHack) is deceptive.
Argus PB *was* hacked at OpenHack III, the hacker just missed the deadline by a couple of hours. Still, they were hacked none the less.
I'm aware their Solaris X86 code isn't kept up to date -- it was pure foolishness on their part to run a contest then say 'well, it wasn't production code, etc.' They should have been using Solaris Sparc or Linux with their product.
Yes, it is a good product. Nothing is perfect, but PB is many steps ahead in the security game.
Well, despite what others here think,.DOC files (95 or 97) are perfectly acceptable. You might want to consider adding an.RTF and a.TXT version.
There are several companies that accept only text resumes via e-mail, as they are automatically 47/*filtered, filed, sorted, etc. which isn't easy with Word.DOC files. (Especially now that many companies are very wary of macros and VB Scipt.)
"Also mentioned in the past is PitBull from Argus Systems (I work across the street from their offices) which stood up to the OpenHack III challenge a few moths back. PitBull gives Trusted OS extentions to Solaris, AIX and Linux. (There's free non-com licenses at Argus Revolution.)"
Sorry, their latest "Open Hack" got them hacked, and they paid the $48,000 prize. This was a couple of days ago.
In defense of a good product, the hack was a flaw in the OS (Solaris x86) that was unpublished (but VERY nasty). --
Charles E. Hill
Except that Tux is a bit slimmer -- it serves static HTTP requests only. Dynamic requests, cgi, etc. are all passed on to a user-space daemon (like Apache).
It isn't bloatware and as long as it is kept slim, it should be managable.
Lucent is the largest supplier of CDMA equipment to Verizon, as well. Sprint is just more agressive on the 3G stuff than Verizon is. Give it a bit of time.
Charles Hill
Core Network Engineer
Lucent Technologies
[For the lawyers: No, nothing proprietary is contained in this post. It is all public knowledge.] --
Charles E. Hill
Installing the initial modules on a fresh install from trusted sources. There are already definitions of "trusted sources" in the industry -- pick the one that suits you best.
ACLs and user compartmentalization. Right now, root==God. In a "trusted" system, this isn't so. Users, including root, are assigned certain rights and if compromised, only those rights are compromised. There is no one account that if breached, compromises the entire system.
Who can install kernsec modules would be very specific and tightly controlled.
Because I sometimes don't want to WAIT for it to be delivered, I want it NOW.
Now, if I can order online and download a full version, they I will be very happy.
One a side note, someone else mentioned that ebgames.com has just about all of the Loki games at $9.99 each. I just ordered about $100.00 worth of games. Sometime next week my kids are going to be ecstatic. --
Charles E. Hill
Apple also invented Firewire. That term is (tm)Apple. Sony calls it iLink(tm). The official standard is IEEE-1394.
Yes, there are more peripherals for USB 1.1 than firewire -- but that is because most of them are low-bandwidth devices (mice, keyboards, etc.)
These probably won't go away any time soon (good thing) and can continued to be used for low-bandwith devices while i1394 can handle the big stuff like video connection, replacing SCSI/IDE and Ethernet.
Check it again. Read further down about Intercept Procedures. I quote:
"1. Identification intercepts during peacetime operations are vastly different than those conducted under increased states of readiness. Unless otherwise directed by the control agency, intercepted aircraft will be identified by type only. When specific information is required (i.e. markings, serial numbers, etc.) the interceptor aircrew will respond only if the request can be conducted in a safe manner. During hours of darkness or Instrument Meteorological Conditions (IMC), identification of unknown aircraft will be by type only. The interception pattern described below is the typical peacetime method used by air interceptor aircrews. In all situations, the interceptor aircrew will use caution to avoid startling the intercepted aircrew and/or passengers. "
Unless the Chinese pilot was legally blind, he was too damn close.
"Upon identification phase completion, the flight leader will turn away from the intercepted aircraft. The wingman will remain well clear and accomplish a rejoin with the leader."
Notice it says nothing about "turning away" other planes.
The diagram you are referring to has a nice "Not Drawn to Scale" on it -- and no distance marks. --
Charles E. Hill
Actually, big air conditioning systems (for large buildings) have graphical interfaces.
The one on the carrier units in the last place I worked was Win 3.1 based (ugh!) but we could see all the rooms, bypasses, blowers, temperature monitors, etc.
One of the features we had requested was a network accessable (preferrably web-enabled) interface. --
Charles E. Hill
Progressing any further then is prosecutable. They were explicitly warned (like in tresspassing) and logged.
The main defense of people (legitimate, and one that works is) "hey, I didn't know. I thought it was so-and-so's site."
With the warning, this doesn't fly.
Here, verbatim:
Background
The Warning Message is a notice to all users of a computer system that the use of the system is subject to certain restrictions:
The system is for authorized users for business purposes only
Unauthorized use will be punished
Use of the system may be monitored
Users must protect information
The wording of the message is actually dictated by the U.S. Department of Justice in cooperation with the Law Department. The warning has been carefully worded to help Lucent and the Government prosecute unauthorized users. If an intruder breaks into a computer system which does not display the warning message the case against the intruder is substantially weakened and may, in fact, be dismissed.
Message Formats
The Warning Message comes in two forms: the standard message and the short message. The standard message should be used in all cases except where physical limitations prevent its display. The standard message is as follows:
Warning Notice
This system is restricted solely to authorized users for legitimate business purposes only. The actual or attempted unauthorized access, use, or modification of this system is strictly prohibited by . Unauthorized users are subject to Company disciplinary proceedings and/or criminal and civil penalties under state, federal, or other applicable domestic and foreign laws. The use of this system may be monitored and recorded for administrative and security reasons. Anyone accessing this system expressly consents to such monitoring and is advised that if monitoring reveals possible evidence of criminal activity, may provide the evidence of such activity to law enforcement officials. All users must comply with Corporate Instructions regarding the protection of information assets.
The short message is as follows:
Warning: This system is restricted to authorized users for business purposes. Unauthorized access is a violation of the law. This service may be monitored for administrative and security reasons. By proceeding, you consent to this monitoring.
--
Charles E. Hill
I'm familiar with a GET request.
It is not possible with a web client (other than maybe 'telnet') to connect to a web server and not get the "default" data. The default setting of a web server is to not require/request/respond to user authentication information. You have to enter it explicitly for the server.
Connecting to an SQL server with a client only establishes a connection -- no data is requested. The default actions of the server are to require a user and database name -- and unless explicitly turned off, a password. No records are sent across -- you have to ask for them (and know what you are asking for).
--
Charles E. Hill
Logs == Cameras in this case -- they just aren't visible to the "naked eye".
Okay, I'll concede the bank analogy.
The simple fact remains that having an SQL server accesable by the Internet *doesn't* mean it is intended for the public. I can lease space in a strip mall and run a business by appointment only or only for my established clientel -- not for the browsing public even though my door is "open".
--
Charles E. Hill
My point is the service isn't offered until you have an agreement with the bank.
Yes they DO have terminals that can browse everyone's account. They are for INTERNAL use, even though they may be sitting on someone's desk in the middile of a wall-less cube.
Just because I have an SQL server that is net accessable for convience, doesn't mean everyone is allowed to browse all the data. (Yes, it is a dumb idea, but that isn't the point.)
If I take a $20 bill and put it on the dash of my car, windows open and parked on a public street -- no one has the right to reach in and take it.
Okay, change that $20 to proprietary customer list (no cash value, but business data with business value). The list is upside down -- you can't read it without turning it over. Legally, you don't have the right to reach in and turn it over. If it was right-side up, you could read it to your heart's content.
Connecting an SQL client to a server doesn't spew data at you (like a web server does). You have to enter a query and ask for data (reach in and turn the paper over). That is ILLEGAL.
A web site is not the same thing, as it's intent is public information (unless it is on a private network) and it presents data simply by connecting -- you don't have to "ask".
--
Charles E. Hill
Don't worry about the last one. In the FUTURE, make a solid point about your proactive security and examples of how you deal with everything.
Make it so THEY will approach other company about security concerns.
Point out the increased awareness in security in general; more hacks and vulnerabilities reported daily; and have a list of potential weak points of competitors systems.
Offer to let the customer probe your setup.
Be proactive.
--
Charles E. Hill
Read it again. He was describing "common law burglary".
B & E has nothing to do with "intent to remove property"; nor is it restricted to "night" or "private dwellings". It does require some form of force -- pushing a door open; breaking a window; etc. Simply walking in an open door doesn't cut it.
There is a similar law in many jurisdictions called "unlawful entry" that is a bit looser (and not as severe as B&E). This can be applied in the "walk in the open door" case.
On the other hand, there are some interesting peculiarities with computer sites (FTP/WWW/SQL/Whatever) that start with "Welcome!".
When I was a SysAdmin at a big company, we had "greeting" messages that were written by the legal dept just for this purpose. They were warnings about unauthorized access.
Come to think of it, my laptop boots with one on the login screen -- as does the FTP "welcome" message when I am running a server off of the laptop (company property). I've seen it so often I tune it out.
--
Charles E. Hill
You are confusing "publically available" with "available to the public".
If a business (say a bank) does business "available to the public", that means you can do business with them. It doesn't mean if there is an open terminal you can browse other people's account information. They provide a PRIVATE service that is available to the public in general.
Unlike, say, a public water fountain in the park -- where anyone and everyone can use it.
Just because a company does business with the public doesn't mean that all the business itself is public.
--
Charles E. Hill
Just because it is on the Internet, doesn't give you permission to browse through it. If I leave my doors unlocked (and even standing wide open), it does not give you the right to wander through my house -- that's tresspassing.
Computer Tresspass is similar. In Florida, unauthorized access to computer systems you don't have explicit permission to access is punishable by up to 20 years in prison.
You wouldn't get away with this in non-cyberspace, I don't know why you think you can *in* cyberspace.
--
Charles E. Hill
IBM doesn't need to rely on other people's innovations to their code. They are the largest patent holder/producer in the world.
IBM collects Billions every year in royalty payments for IP. That revenue would NOT be made up in any fashion by making all their IP GPL. As a stockholder, I'd initiate a suit as fast as I could call my lawyer if IBM GPL'd their IP.
Some, yes as it is beneficial. All? No way.
--
Charles E. Hill
Yes! That was my first thought. It is FUN.
Yes, my kids (11, 11, 12) loved it. I loved it. While not as novel as the first -- and packed with FX from beginning to end, it was FUN!
--
Charles E. Hill
I wasn't sure you knew about InfoSec. Ignoring the bad (InfoSec) in favor of just the good (OpenHack) is deceptive.
Argus PB *was* hacked at OpenHack III, the hacker just missed the deadline by a couple of hours. Still, they were hacked none the less.
I'm aware their Solaris X86 code isn't kept up to date -- it was pure foolishness on their part to run a contest then say 'well, it wasn't production code, etc.' They should have been using Solaris Sparc or Linux with their product.
Yes, it is a good product. Nothing is perfect, but PB is many steps ahead in the security game.
--
Charles E. Hill
Well, despite what others here think, .DOC files (95 or 97) are perfectly acceptable. You might want to consider adding an .RTF and a .TXT version.
.DOC files. (Especially now that many companies are very wary of macros and VB Scipt.)
There are several companies that accept only text resumes via e-mail, as they are automatically 47/*filtered, filed, sorted, etc. which isn't easy with Word
--
Charles E. Hill
"Also mentioned in the past is PitBull from Argus Systems (I work across the street from their offices) which stood up to the OpenHack III challenge a few moths back. PitBull gives Trusted OS extentions to Solaris, AIX and Linux. (There's free non-com licenses at Argus Revolution.)"
Sorry, their latest "Open Hack" got them hacked, and they paid the $48,000 prize. This was a couple of days ago.
In defense of a good product, the hack was a flaw in the OS (Solaris x86) that was unpublished (but VERY nasty).
--
Charles E. Hill
Backbone switching. These things are used for semi-permanent, long haul routes -- like central links from Atlanta to Chicago, or New York to L.A.
You don't switch all the time.
--
Charles E. Hill
Except that Tux is a bit slimmer -- it serves static HTTP requests only. Dynamic requests, cgi, etc. are all passed on to a user-space daemon (like Apache).
It isn't bloatware and as long as it is kept slim, it should be managable.
--
Charles E. Hill
Good timing. I received a letter from the law firm in the mail today. Several pages, mostly legalese, outlining everything.
Since I never had any problem with my Zip (until it eventually died after a couple years), I tossed the form.
--
Charles E. Hill
Lucent is the largest supplier of CDMA equipment to Verizon, as well. Sprint is just more agressive on the 3G stuff than Verizon is. Give it a bit of time.
Charles Hill
Core Network Engineer
Lucent Technologies
[For the lawyers: No, nothing proprietary is contained in this post. It is all public knowledge.]
--
Charles E. Hill
By hooking ACLs (Access Control Lists) as a module. This would allow someone to use ACLs or not.
ACLs would not only be for file/directory access but for Sockets and devices as well.
This would need to be linked in to the code that handles permissions now -- sort of like an optional extra step.
--
Charles E. Hill
Well, this can be minimized by doing two things:
Installing the initial modules on a fresh install from trusted sources. There are already definitions of "trusted sources" in the industry -- pick the one that suits you best.
ACLs and user compartmentalization. Right now, root==God. In a "trusted" system, this isn't so. Users, including root, are assigned certain rights and if compromised, only those rights are compromised. There is no one account that if breached, compromises the entire system.
Who can install kernsec modules would be very specific and tightly controlled.
--
Charles E. Hill
Because I sometimes don't want to WAIT for it to be delivered, I want it NOW.
Now, if I can order online and download a full version, they I will be very happy.
One a side note, someone else mentioned that ebgames.com has just about all of the Loki games at $9.99 each. I just ordered about $100.00 worth of games. Sometime next week my kids are going to be ecstatic.
--
Charles E. Hill
Damn, I was looking forward to this. I hope it goes through.
--
Charles E. Hill
Yes, there are more peripherals for USB 1.1 than firewire -- but that is because most of them are low-bandwidth devices (mice, keyboards, etc.)
These probably won't go away any time soon (good thing) and can continued to be used for low-bandwith devices while i1394 can handle the big stuff like video connection, replacing SCSI/IDE and Ethernet.
--
Charles E. Hill
Check out this SourceForge page for more information.
I have a Belkin 3-port i1394 card in my Linux box (2.4.3 kernel) and can pull in video from my Sony camcorder.
--
Charles E. Hill
Check it again. Read further down about Intercept Procedures. I quote:
"1. Identification intercepts during peacetime operations are vastly different than those conducted under increased states of readiness. Unless otherwise directed by the control agency, intercepted aircraft will be identified by type only. When specific information is required (i.e. markings, serial numbers, etc.) the interceptor aircrew will respond only if the request can be conducted in a safe manner. During hours of darkness or Instrument Meteorological Conditions (IMC), identification of unknown aircraft will be by type only. The interception pattern described below is the typical peacetime method used by air interceptor aircrews. In all situations, the interceptor aircrew will use caution to avoid startling the intercepted aircrew and/or passengers. "
Unless the Chinese pilot was legally blind, he was too damn close.
"Upon identification phase completion, the flight leader will turn away from the intercepted aircraft. The wingman will remain well clear and accomplish a rejoin with the leader."
Notice it says nothing about "turning away" other planes.
The diagram you are referring to has a nice "Not Drawn to Scale" on it -- and no distance marks.
--
Charles E. Hill
Actually, big air conditioning systems (for large buildings) have graphical interfaces.
The one on the carrier units in the last place I worked was Win 3.1 based (ugh!) but we could see all the rooms, bypasses, blowers, temperature monitors, etc.
One of the features we had requested was a network accessable (preferrably web-enabled) interface.
--
Charles E. Hill