Legally Defining "Unauthorized" Computer Access 359
SDuane writes "Orin S. Kerr, Associate Professor at George Washington University Law School, has written an article trying to answer the question "what does it mean to 'access' a computer? And when is access 'unauthorized'?" It's long, but interesting and he's looking for feedback."
Popups? (Score:5, Insightful)
Re:Popups? (Score:3, Insightful)
Re:Popups? (Score:5, Insightful)
For instance, your ISP forbids you to hook more than one machine to your connection. You setup a NAT box. That NAT box is of course accessing one or more computers on the ISPs network (DNS server, mail server, news server, etc.). But you now have MULTIPLE computers accessing those boxes THROUGH the NAT box.
You've just violated your contract between your ISP and yourself. And according to this paper, that means that you may have just committed not only a civil breach of contract, but also a CRIMINAL act for which you can be *incarcerated*.
Wow. The implications of this are *staggering* if you think about that way.
Re:Popups? (Score:4, Funny)
HA!
-Peter
Re:Popups? (Score:3, Funny)
just be careful that the ISP doesn't put limits on the number of times per second that you can switch computers
"Yeah, I only have one computer hooked to the cable modem at a time. I just switch them 2^20th times per second..."
Re:Popups? (Score:2)
Re:Popups? (Score:3, Funny)
I always wonder... (Score:5, Insightful)
The last three places I've used--all broadband, in two different areas of the country--actually came out and just said to people, "You get one IP. If you want more than one machine hooked up, get a broadband router."
Okay, granted, one of those three does actually offer extra IPs for sale. (Which I'd have if I could; I don't *like* using NAT, personally. But I get a deal through my university, so.) The other two, it wasn't even an option.
But they never seemed to really care if you used NAT or not. Multiple computers in a household becoming a common thing, it seems like the only sensible way to handle it.
Are there that many places out there that ban NAT?
Re:I always wonder... (Score:2)
The following links might not work if you attempt to access them from outside RoadRunner's IP blocks
LANs on RoadRunner [rr.com]
VPNs on RoadRunner [rr.com]
Wireless RoadRunner [rr.com]
Roadrunner is owned by Time Warner/AOL.
Re:Popups? (Score:3, Interesting)
Re:Popups? (Score:3, Interesting)
Re:Popups? (Score:3, Insightful)
I use the proxomitron and NetCaptor to prevent seeing popups. I have therefore implemented an authorisation system - I only authorise popups from specific places.
Therefore, if I get a popup I don't want, it means someone has circumvented my authorisation measures.
Re:Popups? (Score:4, Interesting)
Re:Popups? (Score:2)
What if you download a movie onto the net-connected box and then SCP it to another machine. Is that other machine accessing the connection? If not, what delay must exist between data arriving at the gateway and arriving at the eventual destination in order for it not to count as access? A NAT or proxy box basically fetches things on behalf of a differen
Re:Popups? (Score:3, Insightful)
It's not that the popup is accessing your computer, your computer is accessing the popup. Your computer sends the request to the webpage with the popup and interprets it, you authorize it by loading that website with popups enabled. Therefore it isn't illegal. If you want to prevent them then use a browser that blocks the popups.
Re:Popups? (Score:2)
Re:Popups? (Score:5, Interesting)
Of course it's authorized. Your browser preferences allow pop-up to be displayed, or you'd never see them. The combination of your browser configuration and your request for a web page that contained Javascript code, plus the fact you authorized your browser (and by extension, the sites you access) to run such code, is all the authorization that is needed.
Don't try solve technical problems by legal means. It wastes your time and annoys the pig.
Re:Popups? (Score:5, Informative)
That isn't at all an "of course" issue. If I place an unpatched default installation of Red Hat 6.2 on an Internet-connected host, my "preferences" (read: installed software) by default allow remote users to obtain root access. No matter how stupid or negligent I would be to do so, I would still expect that for someone to take advantage of those "preferences" to r00t the b0x0r would indeed be illegal. Similarly, just because Jane Winecooler's browser by default allows the installation of spyware and the forced display of popup spam, does not authorize anyone to set up booby-trapped Web sites which do such things to her browser.
The idea that any access that my host does not block is by default an authorized access is compelling to the hacker (in the old sense) since it means that everything one can do, one may do, provided it is not obviously harmful. Under this construction, if you leave your box r00table, then I may r00t it -- but I may not (for instance) delete your files or use your host to DoS someone. However, I do not think this is a solid foundation for a polity which must include non-hacker computer users. Such people expect that unless they intend to grant access, nobody may access their computers.
I hold host operators responsible for their own hosts' behavior and security. However, I also hold abusers responsible for their behavior in exploiting vulnerable hosts to do things that they know would be unwelcome to those hosts' owners. Spyware, abusive popup spam, r00ting, email spam, and the many other unwelcome abuses of people's systems are all simply different degrees of unwelcome, unauthorized access.
Re:Popups? (Score:3, Insightful)
Is that illegal access?
Yet another example (Score:4, Insightful)
Re:Yet another example (Score:2, Interesting)
Is a spammer unauthorized to use an open relay. I definately think its unethical, but think about it for a second. The admin set up the mail sever as an open relay. Now did he purposely set it up this way, or was it defaulted that he wouldnt have wanted. If the person set it up to allow others to use it, maybe for some remote users. But he didnt intend the general public to use it.
How does the law apply here, i
Re:Yet another example (Score:4, Interesting)
This point is also relevant with regards to wireless access. Is the fact that an access point allows you to associate with it and a DHCP server provides network settings for you mean that it is ok for you to access the network?
My personal view is that the Internet should default to open - if there are no barriers (whether effective or ineffective), then the default assumption should be that the administrator/installer/owner intended for the resource to be available to the Internet at large. Otherwise, it would become a legal minefield just to surf, let alone turning on your laptop with a wireless card in the middle of Wall Street. The effect is that the owner of a resource has an obligation to block/deny access if he does not intend for it to be publically available.
That goes both for wireless access point and mail relays.
Re:Yet another example (Score:5, Interesting)
There is no federal common law of crimes, and pretty much no federal common law of any sort outside of a few narrowly defined areas (e.g., admiralty and maritime law).
Why you think that common law (unwritten, a tradition embedded in thousands of precedential cases contained in law reporters that few public libraries have) is necessarily better for the "average Joe" than civil law (statutes available online for anyone who cares to read them) is not clear.
Re:Yet another example (Score:3, Informative)
unauthorized use (Score:4, Funny)
Re:unauthorized use (Score:4, Insightful)
I would think a lawyer could twist it that way, but they'd have to prove intent to
unauthorized (Score:5, Funny)
the TCP Handshake grants you permission (Score:4, Funny)
SYN: (may I access this tcp port?)
SYN ACK: (sure go ahead!)
ACK: (thanks!)
PDF link (Score:4, Informative)
Which is worse? (Score:5, Interesting)
Re:Which is worse? (Score:3, Funny)
Re:Which is worse? (Score:3, Funny)
I think... (Score:5, Funny)
Court case (Score:5, Informative)
The charge was eventually dropped at any rate.
Re:Court case (Score:2)
A crowbar is a perfectly legal, commonly available tool to anyone who
Re:Court case (Score:3, Insightful)
You should have sent that to the defense. The prosecutors aren't going to bring up any info that will possibly weaken their case.
Re:Court case (Score:3, Interesting)
It could work to criminalize doing something legal with illegal intent, but it's a dangerous road to go down.
Re:Court case (Score:3, Insightful)
I think that criminal intent chould be criminalized.
This story is about unauthorized access. I think that defining unauthorized access is easy. It is an access that the owner would not give explicit permission for. If I have a house and leave all the doors open, it should be obvious that that is private property, and I don't expect anyone to welcome themselves inside. However, if I have a ret
Abstract of Article (Score:3, Informative)
Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes
ORIN S. KERR
George Washington University - Law School
GWU Law School, Public Law Research Paper No. 65
New York University Law Review, Vol. 78, November 2003
Abstract:
In the last twenty-five years, the federal government and all fifty states have enacted new criminal laws that prohibit unauthorized access to computers. These new laws attempt to draw a line between criminality and free conduct in cyberspace. No one knows what it means to "access" a computer, however, nor when access becomes "unauthorized." The few courts that have construed these terms have offered divergent interpretations, and no scholars have yet addressed the problem. Recent decisions interpreting the federal statute in civil cases suggest that any breach of contract with a computer owner renders use of that computer an unauthorized access. If applied to criminal cases, this approach would broadly criminalize contract law on the Internet, potentially making millions of Americans criminals for the way they write e-mail and surf the Web.
This Article presents a comprehensive inquiry into the meaning of unauthorized access statutes. It begins by explaining why legislatures enacted unauthorized access statutes, and why early beliefs that such statutes solved the problem of computer misuse have proved remarkably naïve. Next, the Article explains how the courts have construed these statutes in an overly broad way that threatens to criminalize a surprising range of innocuous conduct involving computers. In the final section, the Article offers a normative proposal for interpreting "access" and "authorization." This section argues that courts should reject a contract theory of authorization, and should narrow the scope of unauthorized access statutes to circumvention of code-based restrictions on computer privileges. The section justifies this proposal on several grounds. First, the proposal will best mediate the line between securing privacy and protecting the liberty of Internet users. Second, the proposal mirrors criminal law's traditional treatment of crimes that contain a consent element. Third, the proposed approach is consistent with the basic theories of punishment. Fourth, the proposed interpretation avoids possible constitutional difficulties that may arise under the broader constructions that courts recently have favored.
Keywords: cybercrime, computer crime, unauthorized access, code
Common sense... (Score:5, Interesting)
I'll be interested to see how this plays legally with the hack-back technologies the RIAA and MPAA are currently developing/considering.
Re:Common sense... (Score:3, Interesting)
Are you liable for allowing a virus on your computer?
Is your Anti-Virus make liable for allowing your computer to have a virus, even though you have their protection software installed?
Is the virus writer (if you can find him/her) liable since they wrote it?
What if that virus was just an academ
Re:Common sense... (Score:2)
Say you didn't lock your car doors and left the key in the ignition when someone stole it and ran it into a busload of Nuns and killed them all?
Are you liable for not locking your car? No.
Is GM liable, even though there were locks on the car? No.
Is the the guy who stole the car wit
they bust people for that all that all the time (Score:3, Insightful)
AND THEN, in turn, once clueless computer owner gets shafted, THEY
Re:Common sense... (Score:5, Interesting)
Of course you're free to argue that Slashdot discussions aren't informed by "common sense".
The root problem is that a lot of permission is implicit and is conditional on unwritten rules. The Bedouin did the same thing with water wells. Everybody knew that a well was property. Everybody knew that travelers were implicitly allowed to dip in one or two at a time. Everybody also knew that watering your entire flock at someone else's well would get you killed.
The legal system may already have answers. After all, it's been resolving disputes for thousands of years. Trespass law has all sorts of concepts of notice and intent that could be used for computer law.
Re:Common sense... (Score:2, Funny)
Um, you haven't met many lawyers, then?
Re:Common sense... (Score:3, Insightful)
What constitutes "implicit permission"? Is an open port 80 and a responsible HTTP server evidence of "implicit permission", until the web page asks for a password? How would I get to that page (and realize that my access is explicitly prohibited because I don't have a password) without "accessing"?
Don't split hairs about the meaning of authorized or access. Usually, if you're attempting unauthorized access, you kn
Re:Common sense... (Score:4, Insightful)
You go to a business on a tuesday at 3PM. You try their door and find it locked. Turns out they are closed on tuesdays. Is it unauthorized access? I think not.
Now, you go to the same business on the same tuesday at 3PM. They are still closed, but forgot to lock their door. You walk right in, realize something is funny, and leave without taking anything. Is it unauthorized access? Maybe.
Finally, you go to the same business on Sunday night at 3AM, and poke at the door until it opens for you. Unauthorized access, yep.
You see, in the real world your
RIAA is unauthorized ... unless licensed (Score:4, Funny)
Re:RIAA is unauthorized ... unless licensed (Score:2)
Wow, that is low. Why not $1 / BIT! then that 160 gigs would cost just $640 BILLION!!!!!!!
then, you would be protected from a search.
until, the RIAA frames you for something and the government searches you...
Re:RIAA is unauthorized ... unless licensed (Score:2, Funny)
Re:RIAA is unauthorized ... unless licensed (Score:4, Interesting)
Unfortunately I see this drivel from time to time. If you have your entire hard drive available via your web server, kazaa, CIFS, or any other non-password protected (that is reasonably secure, as in, not posted to alt.hacks.cracks.warez.porn) you have effectively granted permission to the world to view it for free. You can't arbitrarily decide group A can't read it without charge, anymore than you could walk down the street with a sign saying anyone who reads this notice owes me $100.
Now, if the RIAA were to hack into your computer an access data, that would be another thing, though stupid claims about your data being worth $1/kb (Not even Oracle costs that much) will label you as an idiot for the court.
Someone will be by to bitch-slap you later. Be expecting them.
Definition of illegal access (Score:5, Interesting)
HOWEVER, many states have local statutes making simple trespass illegal.
Furthermore, if a SysAdmin notices someone unauthorized has been on the system, and their time and resources investigating the access exceeds $5K, you've hit the federal legal limit.
Vic Vandal
This working for others? (Score:2)
Any Mac users getting it to work? For that matter, has anyone gotten it to work? None of the comments suggest that the poster has read the whole thing, not that's necessarily unusual.
Re:This working for others? (Score:2)
Watch those caveats! (Score:2)
Good ol' days (Score:5, Interesting)
Re:Good ol' days (Score:2)
Re:Good ol' days (Score:5, Insightful)
Thinking about how to deal with hairy situations before they go to the court room is not a bad idea.
Re:Good ol' days (Score:3, Insightful)
This is the exact reason we have things like traffic lights. Unfortunately, people just can't be trusted to act responsibly (in some situations) on their own.
So you are right, they were being stupid
Length?? (Score:5, Funny)
Since when does an articles length matter?? Nobody reads them anyway, this is /. :)
Re:Length?? (Score:3, Funny)
Just say those words out loud to random people. Trust me, it's fun.
How about if it's password protected? (Score:5, Interesting)
Re:How about if it's password protected? (Score:3, Interesting)
What about exploiting buffer overflows on an HTTP or DNS server - no password was ever requested, but it gave you a root shell because there was a flaw in the software after you gave it a specially formulated request. Does that make your rootshell access authorized?
There are plenty of other cases where needing a password doesn't cut it as a definition of "authorized access".
Re:How about if it's password protected? (Score:2)
E.G. If I run a site w/o a public password, and a hacker bypasses my password, the site was still passworded, so you weren't authorized...
Re:How about if it's password protected? (Score:3, Insightful)
To get a shell on any of my systems, you must first authenticate youself with your userid and then your password or key with authorize you access. The buffer overflow does neither. Also if a user shares an account and knows a password, this is fraudently authenticating themselves even though they pass the authorization step.
Defenitions (Score:4, Informative)
Interesting.. I thought I knew what those words meant until I started thinking about it... but that won't stop me from giving it a stab:
unauthorized: Exposure of information / access to systems to / by individuals not authorized to receive it / access the system.
access: 1. The ability and means necessary to store data in, to retrieve data from, to communicate with, or to make use of any resource of a system. 2. To obtain the use of a resource. 3. [The] capability and opportunity to gain detailed knowledge of or to alter information or material. 4. [The] ability and means to communicate with (i.e. , input to or receive output from), or otherwise make use of any information, resource, or component in an AIS. Note [for 3 and 4]: An individual does not have "access" if the proper authority or a physical, technical, or procedural measure prevents him/her from obtaining knowledge or having an opportunity to alter information, material, resources, or components. 5. An assigned portion of system resources for one data stream of user communications or signaling.
Thanks to google [google.com] and Federal Standard 1037C [bldrdoc.gov].
Stay out of the bedroom..... (Score:2, Funny)
Verbing wierds language (Score:2, Funny)
Of course, bitching on
But what the hell, I do that too.
--
Re:Verbing wierds language (Score:3, Insightful)
Of course, you could look in a real dictionary, like the OED, and see what they have to say. And they say that access as a verb can be traced back to at least 1962, in a comp sci context no less:
access, v. 1. trans. a. To gain access to (data, etc., held in a computer or computer-based system, or the system itself).
1962 A. M. ANGEL in M. C. Yovits Large-Capacity Memory Techniques for Computing Systems 150 Through a system of binary-coded addresses notched into each card, a particular card may be acce
70+ pages? (Score:3)
I sure didn't.
Interesting consequences (Score:4, Interesting)
By saying that only when you break code-based restrictions are you committing unauthorized access, this puts the responsiblity on the user to secure their box. For most
My biggest worry is that the definition of code-based restrictions could be misconstrued. Say for example you lock down everything except Apache/IIS running on port 80. Since both these two have had security exploits in the past (not trying to start a holy war here), what happens if someone exploits your webserver to gain more access? Obviously you have given access to the webserver on port 80. If one of the "features" of the webserver is a buffer exploit, would it still be considered circumventing a code-based restriction to exploit it? I think most here would agree that it is, but as we all have seen, most judges are not your averager
Re:Interesting consequences (Score:2, Informative)
If you view it the latter way, then exploiting it to get access to another protocol, or section of the filesystem would clearly be a trespass.
Ie; I run a business like a barbershop out of the front room of my house, or say live above a store. This doesnt give the public access to go check out my bedroom.
Re:Interesting consequences (Score:3, Insightful)
If I rent an apartment, I pay a monthly fee to use that space. I don't own it. The fact that I don't own it has certain consequences: I have to continue to pay to continue to use it, but also, the owner is responsible for maintenance. If something breaks, the landlord is responsible for fixing it. If I'm renting a car, the company that owns it is also responsible for certain things. I
The ultimate spam law (Score:5, Insightful)
Spam hitting my mailserver would be "access", and using a forged header to circumvent my filters would be "without authorization" because of "false identification".
I wonder how much money the spammer lobby will be sending to legislators to keep this guys recommendations off the books.
Re:The ultimate spam law (Score:2)
(Clarification: Kerr isn't promoting these laws; they're on the books, and he's suggesting a way of interpreting them.)
I don't think spamming that defeats your filters is unauthorized access. The access is complete as soon as your mail server accepts the message, which it will do whether or not the message will ultimately satisfy the filters. What your mail server does wi
Oregon vs. Schwartz (Score:5, Informative)
http://world.std.com/~swmcd/steven/rants/merlyn.ht ml
[std.com]
Using the word "Welcome" (Score:5, Interesting)
Re:Using the word "Welcome" (Score:2)
Re:Using the word "Welcome" (Score:5, Insightful)
Re:Using the word "Welcome" (Score:2, Informative)
If someone sets up an ftp with full access to anonymous users, can they really say it's unauthorized when a million kiddies start trading warez through there? (I'm wondering about all the 'pubs' which are basically "stolen" space on public ftps for the warez kiddies. )
The piracy is a crime, but does a computer trespass take place? (Say they were trading Red Hat ISOs for the sake of argument)
Re:Using the word "Welcome" (Score:3, Informative)
Brief summary (Score:5, Insightful)
In particular, he distinguishes two kinds of "authorization": (1) "code"-based authorization, where computer code limits the scope of user control of the computer, like when a computer requires a password for use, and (2) "contract"-based authorization, where a contract or license limits the scope of user control, like your contract with your ISP.
He argues that for purposes of criminal statutes, only access that circumvents "code"-based authorization should be deemed "unauthorized" access. Otherwise, you could potentially be deemed a criminal for violating the terms of use of a web site.
He notes that there are cases in which unauthorized access in the contract sense seems tantamount to criminal conduct. Suppose you delete key files from your employer's computer: you have code-based authority (the password that lets you log on) but not contract-based authority (presumably you understand that your employer expects you not to maliciously delete files). He suggests that those types of acts should be separately dealt with (e.g., under the statutes forbidding intentional damage to computer systems, or with new legislation).
(Note:: Before anyone posts that the above analysis is too simplistic or otherwise wrong, read Kerr's actual, excellent article, which is far more detailed than this summary. He may have already anticipated your question, or your objection might arise from some confusion inadvertently generated by my summary. )
Deja Vu (Score:2, Funny)
"That depends on what the definition of the word 'is' is.
Spooky
apply it like real life, (Score:5, Insightful)
1. When some one comes in uninvited.
2. When someone breaks into my house.
3. When someone is in my house already and then I ask them to leave and they don't.
Obviously these rules apply similarily to a website vs a brick and mortar.
1. All people can come into my business
2. If it is closed you cannot come in.
3. If there is a private area you cannot have access to it.
4. If you are asked to leave and you don't, then you are breaking the law and the nice officer will come and my asking and remove you from my premises.
Why does the digital world have to be any different?
My website is my business/public area, if I lock something done with a password, stay out. Anybody can email me or send me snail mail. My computer is like my home, no one is ever allowed here unless I say it is ok, period.
No access to personal computers should be legal without the consent of the owner of that computer. An ISP has an agreement with the user, so access is needed, but this isn't much different than the water, power and sewer I have. The people running the utilities have certain accesses to my home in an odd way...
Where do I send this?
I think there's a better question (Score:2, Insightful)
It's often easier to access to the data being served than it is to the machine itself and I think the debate would be much more valuable.
maybe he adressess this as i didnt RTFA.
"Authorization" and DMCA (Score:5, Informative)
The vagueness of authorization was particularly noticable in the DeCSS trial, although the defense didn't do a very good job of pointing it out. (*grumble*). I bet if you take a poll of regular people on the street, 9 out 10 would think that they have authorization to access the contents of a DVD that they bought. Judge Kaplan disagreed. And that's just it: the guy with the DVD doesn't really know.
It turns out that in the case of CSS, the authorization is done by obscure means with terms and conditions that the owner of the DVD never finds out about. Apparently (we still don't really know this, but this seems a reasonable speculation) it involves the equipment you're using being made by one 3rd-party (the DVD player manufacturer) who had an agreement with another 3rd party (DVDCCA). Not only does the owner of a DVD not know whether the terms have been met (what do you do, write a letter to Sony?), but the nature of the terms themselves are a secret (you don't even know that a contract between Sony and DVDCCA is a condition). Compare that to a tall fence and an explicit "no trespassing" sign in the physical world. It's positively wacko. But the court didn't have a problem with that.
The author of this paper touches on this (in the context of accessing computers rather than accessing data, but the same arguments apply, I think):
And that really does seem to be the kind of thinking that was applied in the DeCSS case -- "against the interests" is what really seems to matter. I mean, no one really bought my above explanation for the terms and conditions of access to a DVD, did they? You know I was full of shit; nothing could possibly be that complex and arbitrary, right?It's no wonder that there are so many goofy misinterpretations of DMCA here on Slashdot, because when you really get down to it, the way DMCA has been used, it might as well just say, "You can't do anything we don't want you to." The Lexmark case -- wow, try explaining that one to a layman!
"Authorization" is such a wonderful, flexible, powerful word. Defining it would ruin everything.
Easy Definition (Score:2)
In the eye of the beholder (Score:3, Interesting)
-Sean
If it's trivial... (Score:3, Insightful)
You cannot just leave an open webserver and expect people to 'just know' they they cannot request files from it. You cannot expect people not to poke around your unpassworded FTP server.
Trivial passwords should fall into the same category - you can't be bothered to take care of your data/services, you can't bitch when someone else reads it/uses them.
Easy way to make $$$ (Score:2, Funny)
2. Wait for 100 hits
3. Sue the 100 people who visited your site for $50,000 each, claiming that you didn't give them authorization to access your computer. Profit!
Morris and the Intended Function Test (Score:3, Informative)
For those of you who aren't familiar with what Morris did or didn't read the section I'm discussing, he is the one resposible for the worm that shut down much of the Internet in 1988. He did it using computers to which he had access, and so he was authorized to use them. However, his worm, which exploited bugs in software such as sendmail and the finger daemon, "spread out of control" and caused more damage than intended. He "exceded authorized use" of the computers to which he had access. And there is a subtle distinction between that and "unauthorized use," but is it significant? That's a point to consider. Here are others:
These are a few points I'd say are worth considering. I'm sure that there's plenty more food for thought in the many pages of the document that I still have yet to read. :)
The good thing about laws (Score:4, Informative)
In california.. it goes something like this:
(b) For the purposes of this section, the following terms have the following meanings:
(1) "Access" means to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.
(2) "Computer network" means any system that provides communications between one or more computer systems and input/output devices including, but not limited to, display terminals and printers connected by telecommunication facilities.
I pondered this quite a bit myself as I was charged and convicted of it in California about 10 years ago.
My Question (Score:2)
If so, then the legal tools are already available to make some serious examples.
UK law perspective (Score:3, Informative)
This is practically a nobrainer. (Score:3, Insightful)
Note, lack of security does not equate to implicit authorization, since even if my front door is unlocked, if someone I do not want in my home comes in, they are still trespassing, even if I am not *at* home to tell them to get out (although if they steal anything, my insurance may not cover it since I had not shown diligence in taking care to prevent that). If, however, I come home to find this person in my house, even if they have not stolen or tried to steal anything, I can still charge them with trespassing.
Also note that mere posession of a suitable entry key or password does not equate to authorization, unless that posession is currently recognized as valid by authorized channels.
No attempt to dissect what is actually happening (Score:5, Interesting)
I think few people would gripe with the idea of sniffing packets and forging MAC addresses and passwords to gain access onto a Wi-Fi base station as "unauthorized access" if the Wi-Fi base station hs MAC address access lists and uses WEP - regardless of how ipss-por they are in providing ACTUAL security
But what of the "Linksys" Wi-Fi base stations that are set to defaults which purposefully hand out IPS and DHCP licenses? Or websites with no passwords that provide any file with a simple HTTP GET request? Or SMTP servers that happily forward any SMTP request without passwords or IP filters?
What is happening in each of these cases - open base stations with DHCP servers, open websites, and open SMTP relays is that, at the actual protocol levles, each of THESE cases is a slam dunk.
If i request a DHCP lease, and the open base station gives me a IP and a lease, then, by definition, i have no gained access in an unauthorized manner. That person's equpiment functioned properly, within bounds, and GAVE me access. If you GIVE someone access, by definition, its not unauthorized.
If i request a URL with a HTTP GET, and the server happily sends me a file that was in a directry that was not "meant" to be opened - that person's equipment GAVE me access, and just like in real life, if i ASK for access, and you GIVE it to me, then that access is AUTHORIZED.
Some of these cases in the whitepaper are foolish and would have been overturned if the RFCs got busted out..
in the case of Explorica, i could have kicked their ass. The RFCs clearly state that web services cannot be demanded, they cannot be stolen, they are requested with a GET, and the request is either accepted or not. If EF didn't want to have their prices undercut, then wtf did they put them on a public webpage? Explorica REQUESTED information - and EF's computers GRANTED it... all according to the protocols... all according to the rules.
If i to a properly formatted and non-corrupted HTTP GET, and you SEND me the data - there is no legal case of me GAINING "access of any kind".. i didn't REQUEST ACCESS
If you and I are on the train, and i ask you for all your money, and you give it to me... what are the possible circumstances...
1. I am a robber, and i threaten you with a gun or a knife or with some form of physical threat... so you give me the money under duress.
2. I am a begger, and i do not threaten you in any way. You give me all your money freely.
In example 1- i am violating protocol... i am threatening you. in example 2 - i violate no protocol, and in no way threaten you, you decision to give me all your money, while perhapse foolish and stupid on your part - is you free will.
open websites, open wi-fi base stations, and smtp relays are ALL example 2. There is a protocol - in all cases clearly laid out in RFCs... and as long as the protocol is followed without any modificaiton, and yet YOU GIVE ME DATA.... there cannot be any crime.
just as there is no crime in giving a person money on a train, so long as there is no violati
Consent is a slippery issue (Score:3, Insightful)
Sounds good on Slashdot, but this is terrible legal advice.
Interestingly, the CFAA, and not the RFC is the law of the nation. The generalization fails, in both extreme and ordinary cases -- a person who serially guesses passwords until he succeeds has passed the passwd protocol, but has also
Regulation by code (Score:4, Interesting)
Suppose I write an email containing a script that on one particular mailreader, will be executed if someone reads it. The mailreader does this on purpose; it's not a bug, it's just really naive design. The author of the program thought it would be really k3wl to execute scripts automatically.
The script will display an animation demoing my penis-enlarger product, and it will send an email back to me if the animation runs to completion, so that I will know which recipients watched the whole ad.
I mail the above message to a bunch of people who are on my penis-enlarger opt-in list. Yes, they actually requested information about penis-enlargers, although they never said anything suggesting that they consent to me running scripts on their machines. I'm not spamming, but my inclusion of the script is slimey, and what the script does surely counts as "access."
If I understand correctly, since there is no attempt as "regulation by code" in this situation (the mail reader runs scripts on purpose, not as a bug), then what I did, wasn't without authorization. No crime here, right?
Did I circumvent "regulation by code" with person C?
Did I circumvent "regulation by code" with person D?
There was code intended to prohibit exactly the kind of crap that I was pulling, but I got around it, in defiance of the code and person E's desire. He wanted my ad, but sure didn't want me to run a script on his machine, especially one that mailed me back to say whether or not he watched the ad.
Surely I crossed the line on person E. I'm not so sure about persons C and D.
Passive Access (Score:4, Interesting)
If I park my car on the public street in front of your house or business and sniff your unencrypted 802.11 traffic, many people might say that counts as access. But not by his definition.
Re:Just what kind of dumbass question is this? (Score:3, Interesting)
Is it legal for you to ring your neighbours' doorbell? Technically it is trespassing. So when is trespassing not trespassing eh?
If you pop into one of my webservers are you accessing the computer in an "authorized" fashion? How do you know if I'm technically competant enuf to configure it so the people who should have access do have access and the ones who shouldn't have access don't?
If I have my winders file shares open - are you "authorized" to pop in for a look?
I say "YES