Observation from a public area or from a storefront or plaza does not violate privacy or privacy law.
Entering the windows or using an unlocked door to wander through the store after hours would be considered trespass. However, setting off an alarm, for example a motion detector, by merely walking by an open window to get a closer look would not be considered a crime.
While perusing a store or restaurant during working hours one might notice that a back door, window, or loading dock was left open, revealing the inventory or billing records. A criminal passerby could then enter the area without difficulty, endangering the storeowner. Mentioning such exposure to the owner of a local shop or restaurant would not merit calling the police at once. In fact, a local businessperson, if unaware of the problem, might thank you. Some merchants might look at you suspiciously, but guessing intent in such a case would not be cause for prosecution. The manager or owner would instead be advised, if suspicious, to make sure that the door or window was securely locked and double-checked at close of business.
Mentioning that something is insecure is not a violation. For example, noting that the window(s) were left open is not a crime. Unlike advising the merchant during business hours, such a revelation late at night would cause much more alarm and suspicion, but we would still find it difficult to call this action a crime. An inconspicuous note left where the owner would see it when the store was being made ready for the next day's business might be considered imprudent. A passing criminal might note that as well, and use the information to trespass or even rob the establishment.
Paying a security firm to examine the premises, provide advice and install an alarm system is of course quite common. Employing a locksmith for upgrades of the locks is as well. In some neighborhoods the installation of bars on the windows is a common sight. In a corporate setting, employing after hours security guards is expected. For a large enterprise, 24-hour security personnel are commonly employed. Even in this setting, a visitor wandering the building and examining the security would not be committing a crime. Such curiosity might cause the security guard to detain and question the person. If these actions were discovered via closed-circuit cameras, the guard might choose to make note, and watch carefully in future to determine if the visitor engaged in such activity at a later date, or repeatedly. If, beyond a reasonable doubt, the person was clearly obtaining information used in criminal trespass, the company might have a restraining order issued. Similarly, if the suspect entered an area marked "authorized personnel only", one infraction could be a mistake. A repeated entry into restricted areas is trespass, and legal action would be justifiable.
Application of the Metaphor
Direct application of the metaphorical examples presented should demonstrate that similar actions in an Internet setting may or may not be criminal. Examination of public-facing TCP ports is analogous to an examination of the doors or drive-thru window of a business. Placing unwanted files on a server with loosely defined FTP security (in a non-public directory) is akin to placing boxes of magazines in the storage area of an ice cream shop. "Borrowing" a box of books from the loading dock area of a local reseller is clearly theft. Replacing a storefront sign with a personal one would be considered vandalism. But what of hanging an easily removable banner across the storefront? This might be vandalism as well. If the sign noted in large letters that you found the doors unlocked, perhaps this is a case of reckless endangerment. Case law exists involving decisions on violation of the edges or walls of a private structure. Application of difficult to remove graffiti is criminal. Depositing trash in a private-property parking lot, although publicly accessible, is also a crime. The analogies to actions in cyberspace should be clear.
Some examples provide less obvious conclusions. Is reading another customer's credit card number while in the checkout line a criminal act? Is the simple possession of that information a crime? If a customer drops a receipt with their card number on it, and another picks up that receipt, are they legally obligated to destroy it? When hackers access an e-commerce system and copy credit transaction data they are guilty of trespass. They are in possession of information considered private, although this information is used publicly in commercial transactions. They did not obtain that information by accident. Opinions and case decisions may vary regarding the legality of such possession. Cases exist where volumes of credit card information were stolen and distributed. The intent to engage in criminal activity becomes obvious. When an individual's credit information is used without her permission, a crime has been committed.
Home Computing
Application of the metaphor presented to the home user is worthwhile. Here there is no storefront or area of business. Trespass is still prosecutable, even when a sign is not present explicitly stating "no trespassing". However, if a neighbor's door or window is surprisingly wide open and can be seen from the street, one would not be blamed for a phone call or a hello made from the edge of the yard. If the situation seemed extremely out of character or different, a phone call to the local police is even normal. Burglar alarms, security systems, and neighborhood watches are akin to intrusion detection systems. Through such observation a burglary in progress might be discovered. In this case, a call to police might prevent a crime. Remote examination of a residential property with binoculars might be considered inappropriate, but how is such activity itself a crime? If a property owner or resident wishes to prevent such actions, fences, window shades and curtains are readily available. Noting other vulnerabilities is also not criminal; if looking carefully, one might see a large vent or pet door that could be used to gain entry. At the edge of the property there could be a hole in the fence. If a homeowner has a yard sale or an open house, closer examination of the property is unavoidable.
Conclusion
Based on the application of the metaphor above, port scans, ICMP examination of networks, and similar activities cannot be considered illegal. The TCP connect process does not transfer any application layer data. Sending or receiving data occurs after the connection is complete. Displays of information such as server name, operating system or other information about the host are the first data transferred in a telnet connection. E-mail applications also often provide such identifying information during SMTP connections. Obtaining such information is little different from looking in a store window to see what type of construction is present. Other scan types do not even complete the TCP connect process; perhaps these are akin to a passing glance while walking or driving by. Discovering that a door is unlocked or ajar is not a crime. For an information security professional, such activity might even be a hobby, with intent to help neighborhood businesses rather than harm them. Performing such an examination out of curiosity provides no proof of criminal intent. Proof of intent is difficult without conclusive evidence. Since intent cannot be arbitrarily determined, simply engaging in port scanning activity is not a crime.
The situation is altered in the home user's environment. As discussed above, testing the locks and windows of a neighbor's home without their knowledge is a different situation. Once in the yard you are already on their property. Notifying the owner of obviously insecure circumstances (without trespassing) is not considered a crime, however. In some cases, this action is rewardable.
I keep reading this argument about theft of service.
I'm not saying these are perfect analogies (they're not) but just think:
If I walk by a house or business (on the sidewalk) and they have a widescreen TV in view, with the windows open, and they are playing a pay-per-view movie, and I watch it, am I a criminal?
If someone leaves a table with donuts on it in the middle of a park, with no signs or anything and I take one, am I a criminal?
Just some thoughts.
If I just look at your house from the street and see that the door is open (AP identification) without going inside, am I a criminal--NO.
Lee
#1 cause of death in Belgium?
;)
Wow.
(Maybe you should move here, where lung cancer or heart disease will get you)
Last I checked 3DES VPN capability was doable with Linux. Also, current versions of IPTables can be configured to use state information in making packet forwarding decisions--"stateful inspection".
Perhaps there's a special "Pat Robertson" edition of the Bible for sale?
I Looooovvvve that quote! One of my all time faves from William.
Oh wow... what is THAT guy on?
(I'd like to avoid taking it)
>The Microsoft Windows 2000 operating system allows unprivileged users to install programs that don't 1. write to the registry outside of HKEY_CURRENT_USER, or 2. write to the filesystem outside of /home (called "/Documents and Settings" in English versions).
Only if the ACLs are set up poorly.
The A and S stand for Asymmetric and Symmetric, NOT Asynchronous and Synchronous.
Lee
Hee Hee!! That made me laugh out loud!
"Hereforth we, the company, will send to the customer 12 beautiful virginal massage therapists, daily, along with as much pizza and beer as required by the customer..."
Platonic, not "Plutonic."
"Turn off all services except ssh."
Yeah, that's really a useful system. Granted, we are talking about novice users, but suppose they *want* to share files, etc? What do they do then?
Um, no. When there are "less than 1" servers left.. (2% of 2 servers is .04 servers) Without a whole server you're not doing much.
Of course this is all purely hypothetical.