Legally Defining "Unauthorized" Computer Access

SDuane writes "Orin S. Kerr, Associate Professor at George Washington University Law School, has written an article trying to answer the question "what does it mean to 'access' a computer? And when is access 'unauthorized'?" It's long, but interesting and he's looking for feedback."
  • Popups? (Score:5, Insightful)

    by jmv ( 93421 ) on Friday May 09, 2003 @02:33PM (#5920691) Homepage
    Thinking about it, one could say that a popup ad "accesses" your computer in some way. Since it is also unauthorized, could it be illegal? :)
    • Re:Popups? (Score:3, Insightful)

      Yeah, or one could say that you accessed a popup ad.
    • Re:Popups? (Score:5, Insightful)

      by Surak ( 18578 ) * <surakNO@SPAMmailblocks.com> on Friday May 09, 2003 @02:39PM (#5920756) Homepage Journal
      Not only that, but a lot of things could be illegal on the OTHER side of that fence.

      For instance, your ISP forbids you to hook more than one machine to your connection. You set up a NAT box. That NAT box is of course accessing one or more computers on the ISP's network (DNS server, mail server, news server, etc.). But you now have MULTIPLE computers accessing those boxes THROUGH the NAT box.

      You've just violated your contract between your ISP and yourself. And according to this paper, that means that you may have just committed not only a civil breach of contract, but also a CRIMINAL act for which you can be *incarcerated*.

      Wow. The implications of this are *staggering* if you think about that way.
      • Re:Popups? (Score:4, Funny)

        by pete-classic ( 75983 ) <hutnick@gmail.com> on Friday May 09, 2003 @02:49PM (#5920858) Homepage Journal
        Whoa, there. Ethernet is serial; I have an Ethernet connection from my NAT box to my cable modem. Therefore I only have one PC communicating with (AKA "hooked up to") the ISP at a time.

        HA!

        -Peter
        • Re:Popups? (Score:3, Funny)

          by corsec67 ( 627446 )
          Ethernet is serial, I have an Ethernet connection from my NAT box to my cable modem.

          just be careful that the ISP doesn't put limits on the number of times per second that you can switch computers

          "Yeah, I only have one computer hooked to the cable modem at a time. I just switch them 2^20th times per second..."
        • No, that's just it. That's the point of the article. What defines access? If we use your side of the argument and go to a different extreme, then I may be able to legally crack Slashdot's security to adjust my karma because although I've agreed (whether expressly or implicitly) not to crack Slashdot's security by signing up for an account, I'm not actually accessing Slashdot to do so. I'm accessing my NAT box, which is in turn accessing my ISP's routers, which is in turn accessing some other routers ...(
      • I always wonder... (Score:5, Insightful)

        by Corvaith ( 538529 ) on Friday May 09, 2003 @03:01PM (#5920987) Homepage
        Are there really that many ISPs out there which disallow NAT use?

        The last three places I've used--all broadband, in two different areas of the country--actually came out and just said to people, "You get one IP. If you want more than one machine hooked up, get a broadband router."

        Okay, granted, one of those three does actually offer extra IPs for sale. (Which I'd have if I could; I don't *like* using NAT, personally. But I get a deal through my university, so.) The other two, it wasn't even an option.

        But they never seemed to really care if you used NAT or not. Multiple computers in a household becoming a common thing, it seems like the only sensible way to handle it.

        Are there that many places out there that ban NAT?
          • I was reading through RoadRunner's FAQ and they specifically allow use of NATs and those little Linksys doodad boxes; they even have "RoadRunner Wireless" being rolled out, where you hook up a wireless AP to share your connection in your home, and they specifically list in their FAQ that VPNs are OK.

          The following links might not work if you attempt to access them from outside RoadRunner's IP blocks
          LANs on RoadRunner [rr.com]

          VPNs on RoadRunner [rr.com]

          Wireless RoadRunner [rr.com]

          Roadrunner is owned by Time Warner/AOL.
      • Re:Popups? (Score:3, Interesting)

        by 3247 ( 161794 )
        Actually, the paper says exactly the opposite:
        ... the Article offers a normative proposal ... [and] argues that courts should reject a contract theory of authorization, and should narrow the scope of unauthorized access statutes to circumvention of code-based restrictions on computer privileges.
        • Re:Popups? (Score:3, Interesting)

          by Surak ( 18578 ) *
          This is how the author would change the laws if it were up to him. A recommendation. Actual laws may vary, but the article specifically says that some jurisdictions are actually defining 'illegal access' by the contract theory of authorization.

      • Re:Popups? (Score:4, Interesting)

        by SN74S181 ( 581549 ) on Friday May 09, 2003 @03:27PM (#5921239)
        Or, it could be said that since your keyboard, which has a microprocessor in it, and also your hard drive, are both connected to the CPU that is attached to your computer, which is connected to the Internet through an ISP, that you've attached multiple machines to the network, even when you only have one 'computer' connected. Or is it the embedded controller in your modem or on your ethernet card that is connected and hence your main CPU is in violation of the 'one machine' rule??
      • Suppose your gateway, rather than forwarding requests, actually creates a new IP packet. Does that mean only one machine is "accessing" your connection?

        What if you download a movie onto the net-connected box and then SCP it to another machine. Is that other machine accessing the connection? If not, what delay must exist between data arriving at the gateway and arriving at the eventual destination in order for it not to count as access? A NAT or proxy box basically fetches things on behalf of a differen
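The thread above argues about what the ISP actually sees when several hosts sit behind a NAT box. The following is an added example written for this page, not code from any poster or any real gateway: a minimal source-NAT translation table that does what the comment describes (builds a new packet with the gateway's own address rather than forwarding the original). All addresses, ports and the starting port number are made up.

```python
"""Added example: a minimal source-NAT (masquerading) translation table.

Constructed for this page; not code from the thread. Addresses, ports and
the port-allocation range are made up.
"""
from dataclasses import dataclass
from itertools import count
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SourceNat:
    """Gateway that rewrites the source of every outbound packet to its own public address.

    The upstream network only ever sees packets whose source is `public_ip`;
    the inside hosts are distinguished by the public port the NAT hands out.
    """

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._ports = count(first_port)  # constructed allocation range
        # (inside_ip, inside_port, dst_ip, dst_port) -> public port
        self._outbound: Dict[Tuple[str, int, str, int], int] = {}
        # public port -> (inside_ip, inside_port)
        self._inbound: Dict[int, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Inside host -> Internet: allocate (or reuse) a public port, rewrite the source."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._outbound.get(key)
        if port is None:
            port = next(self._ports)
            self._outbound[key] = port
            self._inbound[port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside host: map the public port back. Unsolicited packets are dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self._inbound.get(pkt.dst_port)
        if inside is None:
            return None  # nothing inside asked for this; no forwarding
        inside_ip, inside_port = inside
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def source_addresses_seen_upstream(nat: SourceNat, packets: Iterable[Packet]) -> List[str]:
    """The set of source addresses the ISP side observes for a batch of inside traffic."""
    return sorted({nat.outbound(p).src_ip for p in packets})


if __name__ == "__main__":
    nat = SourceNat("198.51.100.7")
    dns = ("203.0.113.53", 53)
    inside = [Packet("192.168.0.10", 51000, *dns), Packet("192.168.0.11", 51000, *dns)]
    for p in inside:
        print(p, "->", nat.outbound(p))
    print("upstream sees:", source_addresses_seen_upstream(nat, inside))
```

Two inside hosts using the same local port end up on different public ports but the same public address, and a reply to a port nobody mapped is silently dropped, which is why the comment's "one machine hooked up" reading is what the ISP's servers observe.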
    • Re:Popups? (Score:3, Insightful)

      by papadiablo ( 609676 )
      Thinking about it, one could say that a popup ad "accesses" your computer in some way

      It's not that the popup is accessing your computer, your computer is accessing the popup. Your computer sends the request to the webpage with the popup and interprets it, you authorize it by loading that website with popups enabled. Therefore it isn't illegal. If you want to prevent them then use a browser that blocks the popups.
      • Well, the popup runs code on my computer. Where do you draw the line between that and (more) malicious code executed through the browser (BTW, yes I use Mozilla so I haven't seen a popup for a while)? I'm not saying that popups *should* be illegal, just that if you interpret a couple of words loosely, they might be.
    • Re:Popups? (Score:5, Interesting)

      by lightspawn ( 155347 ) on Friday May 09, 2003 @02:59PM (#5920964) Homepage
      One could say that a popup ad "accesses" your computer in some way. Since it is also unauthorized, could it be illegal? :)

      Of course it's authorized. Your browser preferences allow pop-ups to be displayed, or you'd never see them. The combination of your browser configuration and your request for a web page that contained JavaScript code, plus the fact you authorized your browser (and by extension, the sites you access) to run such code, is all the authorization that is needed.

      Don't try to solve technical problems by legal means. It wastes your time and annoys the pig.
      • Re:Popups? (Score:5, Informative)

        by Frater 219 ( 1455 ) on Friday May 09, 2003 @03:30PM (#5921266) Journal
        Of course it's authorized. Your browser preferences allow pop-up to be displayed, or you'd never see them.

        That isn't at all an "of course" issue. If I place an unpatched default installation of Red Hat 6.2 on an Internet-connected host, my "preferences" (read: installed software) by default allow remote users to obtain root access. No matter how stupid or negligent I would be to do so, I would still expect that for someone to take advantage of those "preferences" to r00t the b0x0r would indeed be illegal. Similarly, just because Jane Winecooler's browser by default allows the installation of spyware and the forced display of popup spam, does not authorize anyone to set up booby-trapped Web sites which do such things to her browser.

        The idea that any access that my host does not block is by default an authorized access is compelling to the hacker (in the old sense) since it means that everything one can do, one may do, provided it is not obviously harmful. Under this construction, if you leave your box r00table, then I may r00t it -- but I may not (for instance) delete your files or use your host to DoS someone. However, I do not think this is a solid foundation for a polity which must include non-hacker computer users. Such people expect that unless they intend to grant access, nobody may access their computers.

        I hold host operators responsible for their own hosts' behavior and security. However, I also hold abusers responsible for their behavior in exploiting vulnerable hosts to do things that they know would be unwelcome to those hosts' owners. Spyware, abusive popup spam, r00ting, email spam, and the many other unwelcome abuses of people's systems are all simply different degrees of unwelcome, unauthorized access.

  • by b-baggins ( 610215 ) on Friday May 09, 2003 @02:34PM (#5920699) Journal
    This is yet another example of our society moving from a common law system to a civil law system. Good for the lawyers (who make a lot of money) and the government (who can club you with it), bad for your average Joe (robbed by the lawyers, threatened and intimidated by the government).
    • by Anonymous Coward
      Not necessarily; my dad and I had a discussion on this yesterday in terms of spammers.

      Is a spammer unauthorized to use an open relay? I definitely think it's unethical, but think about it for a second. The admin set up the mail server as an open relay. Now, did he purposely set it up this way, or was it a default that he wouldn't have wanted? Perhaps the person set it up to allow others to use it, maybe for some remote users, but he didn't intend the general public to use it.

      How does the law apply here, i
      • by LarsG ( 31008 ) on Friday May 09, 2003 @03:55PM (#5921516) Journal
        Is a spammer unauthorized to use an open relay? I definitely think it's unethical, but think about it for a second. The admin set up the mail server as an open relay. Now, did he purposely set it up this way, or was it a default that he wouldn't have wanted? Perhaps the person set it up to allow others to use it, maybe for some remote users, but he didn't intend the general public to use it.

        This point is also relevant with regards to wireless access. Does the fact that an access point allows you to associate with it and a DHCP server provides network settings for you mean that it is OK for you to access the network?

        My personal view is that the Internet should default to open: if there are no barriers (whether effective or ineffective), then the default assumption should be that the administrator/installer/owner intended for the resource to be available to the Internet at large. Otherwise, it would become a legal minefield just to surf, let alone turning on your laptop with a wireless card in the middle of Wall Street. The effect is that the owner of a resource has an obligation to block/deny access if he does not intend for it to be publicly available.

        That goes both for wireless access point and mail relays.
    • by alkali ( 28338 ) on Friday May 09, 2003 @03:20PM (#5921168)
      Criminal law has been almost exclusively a law of statutes for a very long time. California eliminated common law crimes in 1873 [findlaw.com]; many other states have also done so.

      There is no federal common law of crimes, and pretty much no federal common law of any sort outside of a few narrowly defined areas (e.g., admiralty and maritime law).

      Why you think that common law (unwritten, a tradition embedded in thousands of precedential cases contained in law reporters that few public libraries have) is necessarily better for the "average Joe" than civil law (statutes available online for anyone who cares to read them) is not clear.

  • by carpe_noctem ( 457178 ) on Friday May 09, 2003 @02:34PM (#5920701) Homepage Journal
    Does /.'ting a server count as unauthorized use? Because then, we should be a bit worried here...
    • by donutz ( 195717 ) on Friday May 09, 2003 @02:59PM (#5920967) Homepage Journal
      Does /.'ting a server count as unauthorized use? Because then, we should be a bit worried here...

      I would think a lawyer could twist it that way, but they'd have to prove intent to /. the server, I'd think. If you are just going to the linked page to read the article, that's fine. But if you're collectively conspiring to bring a server to its knees...(as is the case in some links in comments to a story), well, consider yourself vulnerable to those lawyers.
  • by Anonymous Coward on Friday May 09, 2003 @02:34PM (#5920703)
    ..but the computer can't say no, I thought it wanted me to access it, honest!
  • PDF link (Score:4, Informative)

    by Anonymous Coward on Friday May 09, 2003 @02:34PM (#5920708)
    The article links to an abstract, which has a pdf link in it to the actual goodies. here is the pdf link, for your viewing pleasure. http://papers.ssrn.com/sol3/delivery.cfm/SSRN_ID399740_code030507630.pdf?abstractid=399740
  • Which is worse? (Score:5, Interesting)

    by jonfelder ( 669529 ) on Friday May 09, 2003 @02:36PM (#5920719)
    The fact that what constitutes "unauthorized access" is very broad, or that the penalties for "unauthorized access" are ridiculously out of whack? You could practically murder someone and spend less time in jail than if you commit a computer crime.
    • "You could practically murder someone and spend less time in jail than if you commit a computer crime."
      So if you murder someone, don't do it with a computer then. *scnr*
    • The hackers are either with us or against us. We will fight this war on hax0rism, and we shall be victorious. Do not destroy important files, a source of data that belongs to the user.
  • I think... (Score:5, Funny)

    by Kickstart70 ( 531316 ) on Friday May 09, 2003 @02:37PM (#5920726) Homepage
    posting "1 4/\/\ 0wnz0ring j00!!!!!! luser!!!! FEE KEVIN" on their website, qualifies.

  • Court case (Score:5, Informative)

    by DNS-and-BIND ( 461968 ) on Friday May 09, 2003 @02:37PM (#5920729) Homepage
    I was involved in a federal case where the defendant was accused of unauthorized access because he used EXPN and VRFY to determine a range of email addresses to mailbomb. I thought it was bullshit, and faxed them a copy of this page [burningvoid.com] (God forbid they use email) indicating that these commands were publicly available to anyone on the internet, but the prosecutors weren't particularly interested and were rather disappointed at my opinion.

    The charge was eventually dropped at any rate.
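For readers who have never seen the two commands at issue, here is an added example (written for this page, not taken from the post, the case, or any real MTA) of how a VRFY/EXPN probe harvests addresses and what the exchange looks like once an administrator disables the commands. The mailbox directory, the "staff" alias and the reply wording are constructed; the reply codes follow RFC 5321 (250 for success, 550 for unknown, 502 for a disabled command).

```python
"""Added example: VRFY/EXPN enumeration and the hardened response.

Constructed for this page; not code from the thread or from any real mail
server. Users, the alias list and reply text are made up.
"""
from typing import Dict, List

# Constructed directory on the target server: local users and one expansion list.
USERS: Dict[str, str] = {
    "alice": "Alice Example <alice@example.test>",
    "bob": "Bob Example <bob@example.test>",
}
LISTS: Dict[str, List[str]] = {"staff": ["alice", "bob"]}


class SmtpServer:
    """Server side, reduced to just VRFY and EXPN."""

    def __init__(self, allow_verify: bool) -> None:
        self.allow_verify = allow_verify

    def handle(self, line: str) -> List[str]:
        """Return the reply lines for one command line."""
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb not in ("VRFY", "EXPN"):
            return ["500 5.5.1 Command unrecognized"]
        if not self.allow_verify:
            # Hardened configuration: the verb is refused outright, no information leaks.
            return [f"502 5.5.1 {verb} command is disabled"]
        if verb == "VRFY":
            if arg in USERS:
                return [f"250 {USERS[arg]}"]
            return ["550 5.1.1 User unknown"]
        members = LISTS.get(arg)
        if not members:
            return ["550 5.1.1 List unknown"]
        # Multi-line reply: every line but the last uses "250-".
        lines = [f"250-{USERS[m]}" for m in members[:-1]]
        lines.append(f"250 {USERS[members[-1]]}")
        return lines


def enumerate_addresses(server: SmtpServer, candidates: List[str]) -> List[str]:
    """Client side: try VRFY and EXPN on each guess and collect every address confirmed."""
    found: List[str] = []
    for name in candidates:
        for verb in ("VRFY", "EXPN"):
            for reply in server.handle(f"{verb} {name}"):
                if not reply.startswith("250"):
                    continue  # 550 / 502: the guess taught us nothing
                addr = reply[reply.index("<") + 1 : reply.index(">")]
                if addr not in found:
                    found.append(addr)
    return found


if __name__ == "__main__":
    guesses = ["alice", "staff", "mallory"]
    print("open server :", enumerate_addresses(SmtpServer(allow_verify=True), guesses))
    print("hardened    :", enumerate_addresses(SmtpServer(allow_verify=False), guesses))
```

The same guess list yields both real addresses against the open server and nothing at all against the hardened one, which is the whole argument for turning the commands off rather than relying on the law to define whether asking was "access".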

    • I was involved in a federal case where the defendant was accused of unauthorized access because he used EXPN and VRFY to determine a range of email addresses to mailbomb. I thought it was bullshit, and faxed them a copy of this page (God forbid they use email) indicating that these commands were publicly available to anyone on the internet, but the prosecutors weren't particularly interested and were rather disappointed at my opinion.

      A crowbar is a perfectly legal, commonly available tool to anyone who
    • Re:Court case (Score:3, Insightful)

      by Dynedain ( 141758 )
      but the prosecutors weren't particularly interested and were rather disappointed at my opinion

      You should have sent that to the defense. The prosecutors aren't going to bring up any info that will possibly weaken their case.
  • Abstract of Article (Score:3, Informative)

    by zoobaby ( 583075 ) on Friday May 09, 2003 @02:37PM (#5920732)
    Since their server is almost dead, I managed to pull this off before /. effect kills it.

    Cybercrime's Scope: Interpreting "Access" and "Authorization" in Computer Misuse Statutes

    ORIN S. KERR
    George Washington University - Law School

    GWU Law School, Public Law Research Paper No. 65
    New York University Law Review, Vol. 78, November 2003

    Abstract:
    In the last twenty-five years, the federal government and all fifty states have enacted new criminal laws that prohibit unauthorized access to computers. These new laws attempt to draw a line between criminality and free conduct in cyberspace. No one knows what it means to "access" a computer, however, nor when access becomes "unauthorized." The few courts that have construed these terms have offered divergent interpretations, and no scholars have yet addressed the problem. Recent decisions interpreting the federal statute in civil cases suggest that any breach of contract with a computer owner renders use of that computer an unauthorized access. If applied to criminal cases, this approach would broadly criminalize contract law on the Internet, potentially making millions of Americans criminals for the way they write e-mail and surf the Web.

    This Article presents a comprehensive inquiry into the meaning of unauthorized access statutes. It begins by explaining why legislatures enacted unauthorized access statutes, and why early beliefs that such statutes solved the problem of computer misuse have proved remarkably naïve. Next, the Article explains how the courts have construed these statutes in an overly broad way that threatens to criminalize a surprising range of innocuous conduct involving computers. In the final section, the Article offers a normative proposal for interpreting "access" and "authorization." This section argues that courts should reject a contract theory of authorization, and should narrow the scope of unauthorized access statutes to circumvention of code-based restrictions on computer privileges. The section justifies this proposal on several grounds. First, the proposal will best mediate the line between securing privacy and protecting the liberty of Internet users. Second, the proposal mirrors criminal law's traditional treatment of crimes that contain a consent element. Third, the proposed approach is consistent with the basic theories of punishment. Fourth, the proposed interpretation avoids possible constitutional difficulties that may arise under the broader constructions that courts recently have favored.

    Keywords: cybercrime, computer crime, unauthorized access, code

  • Common sense... (Score:5, Interesting)

    by Elvisisdead ( 450946 ) on Friday May 09, 2003 @02:38PM (#5920749) Homepage Journal
    ...dictates that it means that you're somewhere where you're not supposed to be. If you're not authorized (given permission, implicitly or otherwise), then don't access. Don't split hairs about the meaning of authorized or access. Usually, if you're attempting unauthorized access, you know it.

    I'll be interested to see how this plays legally with the hack-back technologies the RIAA and MPAA are currently developing/considering.
    • Re:Common sense... (Score:3, Interesting)

      by zapp ( 201236 )
      It does seem to make sense that way, but what if you got a virus that forces your computer to act as a node in an attack network? Your computer actively intrudes... but you may not even know what's going on.

      Are you liable for allowing a virus on your computer?
      Is your anti-virus maker liable for allowing your computer to have a virus, even though you have their protection software installed?
      Is the virus writer (if you can find him/her) liable since they wrote it?
      What if that virus was just an academ
      • The simple fact of the matter is that you're responsible for securing your computer. Now, I'm not saying that a person should be arrested or prosecuted if they get exploited and used as a node, but something should happen.

        Say you didn't lock your car doors and left the key in the ignition when someone stole it and ran it into a busload of Nuns and killed them all?

        Are you liable for not locking your car? No.

        Is GM liable, even though there were locks on the car? No.

        Is the the guy who stole the car wit
      • ...they call it various things but it falls roughly under "maintaining a public nuisance" or some such. You don't even have to be aware of it, or you can claim stupid, and it doesn't matter. Hmm, for instance, having a full swimming pool with no fence around it, some kid falls in, whoops! It's happened to people. I could see it easily applied to running a totally unsecured computer that is used as a spammer relay or zombie machine in an attack.

        AND THEN, in turn, once clueless computer owner gets shafted, THEY
    • Re:Common sense... (Score:5, Interesting)

      by Beryllium Sphere(tm) ( 193358 ) on Friday May 09, 2003 @02:51PM (#5920882) Homepage Journal
      But there's a wide range of activities that educated computer users can argue about. Consider the debates that pop up regularly on Slashdot about the ethics of port scans, war driving, spam and so forth.

      Of course you're free to argue that Slashdot discussions aren't informed by "common sense".

      The root problem is that a lot of permission is implicit and is conditional on unwritten rules. The Bedouin did the same thing with water wells. Everybody knew that a well was property. Everybody knew that travelers were implicitly allowed to dip in one or two at a time. Everybody also knew that watering your entire flock at someone else's well would get you killed.

      The legal system may already have answers. After all, it's been resolving disputes for thousands of years. Trespass law has all sorts of concepts of notice and intent that could be used for computer law.
    • Don't split hairs about the meaning of authorized or access

      Um, you haven't met many lawyers, then?

    • Re:Common sense... (Score:3, Insightful)

      by GlassHeart ( 579618 )
      If you're not authorized (given permission, implicitly or otherwise), then don't access.

      What constitutes "implicit permission"? Is an open port 80 and a responsible HTTP server evidence of "implicit permission", until the web page asks for a password? How would I get to that page (and realize that my access is explicitly prohibited because I don't have a password) without "accessing"?

      Don't split hairs about the meaning of authorized or access. Usually, if you're attempting unauthorized access, you kn

    • Re:Common sense... (Score:4, Insightful)

      by Above ( 100351 ) on Friday May 09, 2003 @06:11PM (#5922576)
      It's almost that simple...but let's use a real world example.

      You go to a business on a tuesday at 3PM. You try their door and find it locked. Turns out they are closed on tuesdays. Is it unauthorized access? I think not.

      Now, you go to the same business on the same tuesday at 3PM. They are still closed, but forgot to lock their door. You walk right in, realize something is funny, and leave without taking anything. Is it unauthorized access? Maybe.

      Finally, you go to the same business on Sunday night at 3AM, and poke at the door until it opens for you. Unauthorized access, yep.

      You see, in the real world your /intent/ matters, often more than your actions. Don't intend to murder someone but you do, not such a big thing. Intend to murder someone but don't, a much bigger deal. Unfortunately intent is not understood very well when it comes to cyber crimes. The law can't tell the difference between someone just checking if the door is closed because they legitimately wanted to access something, and someone trying to find the back door into the place. These standards will, for better or for worse, always vary from person to person, location to location. Try a door in East Nowhere, Iowa and you're probably a good guy; try a door in Harlem and you must be a crook.
  • by Anonymous Coward on Friday May 09, 2003 @02:39PM (#5920751)
    If RIAA comes looking for the MP3's that aren't on my computer and in the process even look at a single byte of the copyrighted data on my hard drive, that is unauthorized. BTW, that data is available under perfectly reasonable license terms. I charge $1/Kb. I have 2 80Gb drives. The $160,000,000 is payable in advance, thank you.
    • I charge $1/Kb.

      Wow, that is low. Why not $1 / BIT! then that 160 gigs would cost just $640 BILLION!!!!!!!
      then, you would be protected from a search.

      until, the RIAA frames you for something and the government searches you...
    • by ePhil_One ( 634771 ) on Friday May 09, 2003 @05:37PM (#5922331) Journal
      If RIAA comes looking for the MP3's that aren't on my computer and in the process even look at a single byte of the copyrighted data on my hard drive, that is unauthorized.

      Unfortunately I see this drivel from time to time. If you have your entire hard drive available via your web server, kazaa, CIFS, or any other non-password protected (that is reasonably secure, as in, not posted to alt.hacks.cracks.warez.porn) you have effectively granted permission to the world to view it for free. You can't arbitrarily decide group A can't read it without charge, anymore than you could walk down the street with a sign saying anyone who reads this notice owes me $100.

      Now, if the RIAA were to hack into your computer and access data, that would be another thing, though stupid claims about your data being worth $1/kb (not even Oracle costs that much) will label you as an idiot for the court.

      Someone will be by to bitch-slap you later. Be expecting them.

  • by Anonymous Coward on Friday May 09, 2003 @02:40PM (#5920767)
    From a federal law perspective, "access" becomes illegal if use of the system exceeds $5K (say in CPU cycles), OR if ANY copying of information or information altering is done. Take a screen snapshot - illegal. Modify a system log to cover your tracks - illegal. Under federal law, "simple trespass" is not in itself illegal.

    HOWEVER, many states have local statutes making simple trespass illegal.

    Furthermore, if a SysAdmin notices someone unauthorized has been on the system, and their time and resources investigating the access exceeds $5K, you've hit the federal legal limit.

    Vic Vandal
  • I tried to download and to mail the paper in MacOS 9 with IE. No luck -- the same page kept opening regardless of what link was clicked. Switched computers, had the same issue in OS X with Mozilla and IE.

    Any Mac users getting it to work? For that matter, has anyone gotten it to work? None of the comments suggest that the poster has read the whole thing, not that that's necessarily unusual.

  • It's long, but interesting and he's looking for feedback.

    .. thereby guaranteeing that every slacker like me is going to post without R'ing the F'ing A.

  • Good ol' days (Score:5, Interesting)

    by ergonal ( 609484 ) on Friday May 09, 2003 @02:46PM (#5920820)
    Remember when the Internet was about sharing? These days some people would have you believe that any packet you receive is "unauthorised access". You probed me, unauthorised access. You visited my website, unauthorised access. You sent me an instant message, unauthorised access. This really needs to play out in the courts before any precedent is set for what is or is not "unauthorised access". (replace the s in unauthorised with z if you're American :P)
    • Yes, but it was also about behaving yourself and having ethics. Not spamming.
    • Re:Good ol' days (Score:5, Insightful)

      by Fiver-rah ( 564801 ) * <slashdot AT qiken DOT org> on Friday May 09, 2003 @03:17PM (#5921134) Homepage Journal
      But this isn't how things work. When a case comes up, and people ask "is this authorized?" the judge isn't going to sit there and decide on his or her own with no input at all from legal scholars. What's going to happen is that the judge (or, more likely, the judge's clerks) will query Lexis or Westlaw or something like that, and see what else has been written. The judgement that sets the precedent will most likely cite an immense body of legal work, possibly including this article.

      Thinking about how to deal with hairy situations before they go to the court room is not a bad idea.

  • Length?? (Score:5, Funny)

    by bathmatt ( 638217 ) on Friday May 09, 2003 @02:46PM (#5920821)
    It's long, but interesting and he's looking for feedback.

    Since when does an article's length matter?? Nobody reads them anyway, this is /. :)

  • by LordNimon ( 85072 ) on Friday May 09, 2003 @02:46PM (#5920828)
    How about declaring that if access requires the user to specify a password, and the user is not "authorized" to know the password, then that access is not authorized. If no password is required, then there's no way the access can be unauthorized.
    • This is a naive suggestion.

      What about exploiting buffer overflows on an HTTP or DNS server - no password was ever requested, but it gave you a root shell because there was a flaw in the software after you gave it a specially formulated request. Does that make your rootshell access authorized?

      There are plenty of other cases where needing a password doesn't cut it as a definition of "authorized access".
      • How about "circumventing the authenticating methodology" to access data that would normally be protected.

        E.G. If I run a site w/o a public password, and a hacker bypasses my password, the site was still passworded, so you weren't authorized...
      • The way I see "granting access" is that the person must first be authenticated, i.e. identified as "themselves", and then authorized.

        To get a shell on any of my systems, you must first authenticate yourself with your userid, and then your password or key will authorize your access. The buffer overflow does neither. Also, if a user shares an account and knows a password, this is fraudulently authenticating themselves even though they pass the authorization step.
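The two-step view in the comment above (prove who you are, then check what that identity may do) is easy to show as code. What follows is an added example written for this page, not code from the poster's systems or from any real login program: a credential check using PBKDF2 and a constant-time comparison, followed by a separate ACL lookup, with the two failures reported differently. The user names, password, salt and ACL entries are all constructed.

```python
"""Added example: authentication and authorization as two separate checks.

Constructed for this page; not code from the thread. The credential store,
salt and ACL below are made up. A real system would use a random per-user
salt (os.urandom) rather than the fixed one used here for reproducibility.
"""
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


_DEMO_SALT = b"fixed-salt-for-demo-only"  # constructed; see module docstring

# Constructed credential store: username -> (salt, PBKDF2 hash).
CREDENTIALS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_DEMO_SALT, _hash("correct horse", _DEMO_SALT)),
}

# Constructed ACL: resource -> principals allowed to use it.
# "bob" is listed here but has no credentials, so he can never actually get in.
ACL: Dict[str, Set[str]] = {
    "/home/alice": {"alice"},
    "/var/www": {"alice", "bob"},
}


def authenticate(username: str, password: str) -> Optional[str]:
    """Step 1: establish identity. Returns the principal name, or None on failure."""
    entry = CREDENTIALS.get(username)
    if entry is None:
        _hash(password, _DEMO_SALT)  # same cost for unknown users as for wrong passwords
        return None
    salt, expected = entry
    if hmac.compare_digest(_hash(password, salt), expected):
        return username
    return None


def authorize(principal: Optional[str], resource: str) -> bool:
    """Step 2: decide whether an already-proven identity may use the resource."""
    if principal is None:
        return False  # nothing to authorize without an authenticated identity
    return principal in ACL.get(resource, set())


def access(username: str, password: str, resource: str) -> str:
    """Run both steps and name which one failed: 'unauthenticated', 'forbidden' or 'granted'."""
    principal = authenticate(username, password)
    if principal is None:
        return "unauthenticated"
    if not authorize(principal, resource):
        return "forbidden"
    return "granted"


if __name__ == "__main__":
    for who, pw, res in [("alice", "correct horse", "/home/alice"),
                         ("alice", "wrong", "/home/alice"),
                         ("bob", "anything", "/var/www"),
                         ("alice", "correct horse", "/etc/shadow")]:
        print(f"{who:6} -> {res:12}: {access(who, pw, res)}")
```

Note that an ACL entry on its own grants nothing: "bob" appears in the ACL but cannot authenticate, so every request as bob stops at step one. The comment's shared-account case is the mirror image: the person passes step one with someone else's identity, so step two is answering the wrong question.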
  • Definitions (Score:4, Informative)

    by WegianWarrior ( 649800 ) on Friday May 09, 2003 @02:47PM (#5920834) Journal

    Interesting.. I thought I knew what those words meant until I started thinking about it... but that won't stop me from giving it a stab:

    unauthorized: Exposure of information / access to systems to / by individuals not authorized to receive it / access the system.

    access: 1. The ability and means necessary to store data in, to retrieve data from, to communicate with, or to make use of any resource of a system. 2. To obtain the use of a resource. 3. [The] capability and opportunity to gain detailed knowledge of or to alter information or material. 4. [The] ability and means to communicate with (i.e. , input to or receive output from), or otherwise make use of any information, resource, or component in an AIS. Note [for 3 and 4]: An individual does not have "access" if the proper authority or a physical, technical, or procedural measure prevents him/her from obtaining knowledge or having an opportunity to alter information, material, resources, or components. 5. An assigned portion of system resources for one data stream of user communications or signaling.

    Thanks to google [google.com] and Federal Standard 1037C [bldrdoc.gov].

  • Logging onto the internet is sort of like putting your house in the middle of a city, with all the doors and windows open, then letting random strangers walk through your house, along with the people you "want" to walk through your house. You're gonna have a hard time keeping people out of your bedroom........
  • Access is a noun. Hence one can perform an act which becomes illegal access, one can grant or revoke access, but one cannot access something anymore than one can plane, car, or fireplug.

    Of course, bitching on /. about grammar is about as pointless as crying "Dupe"
    But what the hell, I do that too.

    --
    • Of course, you could look in a real dictionary, like the OED, and see what they have to say. And they say that access as a verb can be traced back to at least 1962, in a comp sci context no less:

      access, v. 1. trans. a. To gain access to (data, etc., held in a computer or computer-based system, or the system itself).

      1962 A. M. ANGEL in M. C. Yovits Large-Capacity Memory Techniques for Computing Systems 150 Through a system of binary-coded addresses notched into each card, a particular card may be acce

  • by xdroop ( 4039 ) on Friday May 09, 2003 @02:54PM (#5920918) Homepage Journal
    Nobody is going to read this before posting.

    I sure didn't.

  • by MalleusEBHC ( 597600 ) on Friday May 09, 2003 @02:55PM (#5920925)
    Near the end (I started at about page 50), he states that accessing a computer "without authorization" should only be considered true in cases where a cracker has circumvented code-based restrictions, not contract-based restrictions. Part of me thinks this is a great idea conceptually, but part of me is worried about the implications it would have for the vast majority of home computer users.

    By saying that only when you break code-based restrictions are you committing unauthorized access, this puts the responsibility on the user to secure their box. For most /.'ers, this is already a given. Be it with firewalls, NIDS, or whatnot, I'm sure everyone on here is doing something to make sure that people aren't getting access to your system. I think one of the best points he makes is that as long as you implement code that is intended to stop malicious attacks, that is enough legally to build your case. I'm sure many average users have misconfigured firewalls or something that would allow someone knowledgeable to crack their machine. I'm sure there are stupid sysadmins out there who have insecure networks. While I don't think this excuses you from not keeping up to date, patching, etc., I think it is a good step to take.

    My biggest worry is that the definition of code-based restrictions could be misconstrued. Say for example you lock down everything except Apache/IIS running on port 80. Since both of these have had security exploits in the past (not trying to start a holy war here), what happens if someone exploits your webserver to gain more access? Obviously you have given access to the webserver on port 80. If one of the "features" of the webserver is a buffer exploit, would it still be considered circumventing a code-based restriction to exploit it? I think most here would agree that it is, but as we all have seen, most judges are not your average /.'er and make rulings that seem ignorant of the technologies.
    • You can look at it as Apache/IIS allowing access to port 80, or restricting access to only port 80, and only a certain publicly available part of the filesystem.

      If you view it the latter way, then exploiting it to get access to another protocol, or section of the filesystem would clearly be a trespass.

      I.e., I run a business like a barbershop out of the front room of my house, or say I live above a store. This doesn't give the public access to go check out my bedroom.
  • by egburr ( 141740 ) on Friday May 09, 2003 @02:58PM (#5920946) Homepage
    If this guy's recommendations are followed and made into law, it sounds to me like spam would finally be made into a criminal offense.
    Spam hitting my mailserver would be "access", and using a forged header to circumvent my filters would be "without authorization" because of "false identification".
    I wonder how much money the spammer lobby will be sending to legislators to keep this guy's recommendations off the books.
    • If this guy's recommendations are followed and made into law, it sounds to me like spam would finally be made into a criminal offense.

      (Clarification: Kerr isn't promoting these laws; they're on the books, and he's suggesting a way of interpreting them.)

      I don't think spamming that defeats your filters is unauthorized access. The access is complete as soon as your mail server accepts the message, which it will do whether or not the message will ultimately satisfy the filters. What your mail server does wi

  • Oregon vs. Schwartz (Score:5, Informative)

    by swm ( 171547 ) * <swmcd@world.std.com> on Friday May 09, 2003 @02:58PM (#5920953) Homepage
    Commentary on a specific (and troubling) case where someone was convicted of "unauthorized" computer access

    http://world.std.com/~swmcd/steven/rants/merlyn.ht ml [std.com]

  • I'm not entirely sure if this is true, but back when I took my undergrad CS classes, one professor mentioned to the class that use of the word "Welcome" at a login prompt was supposedly giving the world legal access to the system to do what they wished. He went on to say that a hacker back in the 80's or 90's got away with hacking into a high-profile computer network because of this loophole, where accessing the system from a remote location prompted the user with "Welcome!". His defense was that since this system was welcoming him to login to it, what crime was being committed?
    • I recommend "Fuck off!"
    • by bensej ( 79049 ) on Friday May 09, 2003 @03:14PM (#5921109)
      Does this mean that if my doormat says "welcome" then anyone is free to break down my door and take all my stuff? If a judge actually accepted this argument he should be removed from the bench. It never ceases to amaze me how much is allowed to occur with computers that no one would tolerate out in the physical world.
    • By a similar token, does allowing anonymous ftp access mean that anyone can use the ftp site?

      If someone sets up an ftp with full access to anonymous users, can they really say it's unauthorized when a million kiddies start trading warez through there? (I'm wondering about all the 'pubs' which are basically "stolen" space on public ftps for the warez kiddies. )

      The piracy is a crime, but does a computer trespass take place? (Say they were trading Red Hat ISOs for the sake of argument)
  • Brief summary (Score:5, Insightful)

    by alkali ( 28338 ) on Friday May 09, 2003 @03:05PM (#5921033)
    Prof. Kerr points out that a number of statutes criminalize "unauthorized access" to a computer, but that there has been little attention to what that means. He proposes that "access" be broadly defined (to include basically any kind of interaction with a computer) but that "unauthorized" or "without authorization" be narrowly defined.

    In particular, he distinguishes two kinds of "authorization": (1) "code"-based authorization, where computer code limits the scope of user control of the computer, like when a computer requires a password for use, and (2) "contract"-based authorization, where a contract or license limits the scope of user control, like your contract with your ISP.

    He argues that for purposes of criminal statutes, only access that circumvents "code"-based authorization should be deemed "unauthorized" access. Otherwise, you could potentially be deemed a criminal for violating the terms of use of a web site.

    He notes that there are cases in which unauthorized access in the contract sense seems tantamount to criminal conduct. Suppose you delete key files from your employer's computer: you have code-based authority (the password that lets you log on) but not contract-based authority (presumably you understand that your employer expects you not to maliciously delete files). He suggests that those types of acts should be separately dealt with (e.g., under the statutes forbidding intentional damage to computer systems, or with new legislation).

    (Note: Before anyone posts that the above analysis is too simplistic or otherwise wrong, read Kerr's actual, excellent article, which is far more detailed than this summary. He may have already anticipated your question, or your objection might arise from some confusion inadvertently generated by my summary.)

  • Deja Vu (Score:2, Funny)

    by mikeu45 ( 667229 )
    Does the title of this article sound like what Bill Clinton once said?

    "That depends on what the definition of the word 'is' is."

    Spooky
  • by Vaughn Anderson ( 581869 ) on Friday May 09, 2003 @03:11PM (#5921084)
    What is "unauthorized access" to my house?

    1. When someone comes in uninvited.
    2. When someone breaks into my house.
    3. When someone is in my house already and then I ask them to leave and they don't.

    Obviously these rules apply similarly to a website vs. a brick and mortar.

    1. All people can come into my business
    2. If it is closed you cannot come in.
    3. If there is a private area you cannot have access to it.
    4. If you are asked to leave and you don't, then you are breaking the law and the nice officer will come at my asking and remove you from my premises.

    Why does the digital world have to be any different?

    My website is my business/public area; if I lock something down with a password, stay out. Anybody can email me or send me snail mail. My computer is like my home: no one is ever allowed here unless I say it is ok, period.

    No access to personal computers should be legal without the consent of the owner of that computer. An ISP has an agreement with the user, so access is needed, but this isn't much different than the water, power and sewer I have. The people running the utilities have certain accesses to my home in an odd way...

    Where do I send this?

  • I think a better question would be, "What constitutes 'unauthorized' _data_ access?"

    It's often easier to get access to the data being served than to the machine itself, and I think the debate would be much more valuable.

    Maybe he addresses this, as I didn't RTFA.

  • by Sloppy ( 14984 ) * on Friday May 09, 2003 @03:15PM (#5921116) Homepage Journal
    There are people who need to see this, such as lawmakers. But as for computer nerds, it's kind of obvious: Yes, the terms are vague and complex issues arise as a result. No duh.

    The vagueness of authorization was particularly noticeable in the DeCSS trial, although the defense didn't do a very good job of pointing it out. (*grumble*). I bet if you take a poll of regular people on the street, 9 out of 10 would think that they have authorization to access the contents of a DVD that they bought. Judge Kaplan disagreed. And that's just it: the guy with the DVD doesn't really know.

    It turns out that in the case of CSS, the authorization is done by obscure means with terms and conditions that the owner of the DVD never finds out about. Apparently (we still don't really know this, but this seems a reasonable speculation) it involves the equipment you're using being made by one 3rd-party (the DVD player manufacturer) who had an agreement with another 3rd party (DVDCCA). Not only does the owner of a DVD not know whether the terms have been met (what do you do, write a letter to Sony?), but the nature of the terms themselves are a secret (you don't even know that a contract between Sony and DVDCCA is a condition). Compare that to a tall fence and an explicit "no trespassing" sign in the physical world. It's positively wacko. But the court didn't have a problem with that.

    The author of this paper touches on this (in the context of accessing computers rather than accessing data, but the same arguments apply, I think):

    Under these precedents, nearly any use of a computer that is against the interests of its owner is an "access" to the computer either "without authorization" or "exceeding authorized access," triggering criminal unauthorized access statutes.
    And that really does seem to be the kind of thinking that was applied in the DeCSS case -- "against the interests" is what really seems to matter. I mean, no one really bought my above explanation for the terms and conditions of access to a DVD, did they? You know I was full of shit; nothing could possibly be that complex and arbitrary, right? ;-) "Against the interests" is much simpler.

    It's no wonder that there are so many goofy misinterpretations of DMCA here on Slashdot, because when you really get down to it, the way DMCA has been used, it might as well just say, "You can't do anything we don't want you to." The Lexmark case -- wow, try explaining that one to a layman!

    "Authorization" is such a wonderful, flexible, powerful word. Defining it would ruin everything.

  • The easy answer to the question is that it is unauthorized access when they don't give a damn or can't do anything about it.
  • by smoondog ( 85133 ) on Friday May 09, 2003 @03:20PM (#5921160)
    Unauthorized access should be defined by the user, the ISP, the network, and differs from place to place. ISPs as a general rule should have broad access restrictions that should be open and accessible, and users with networks or public computers (WWW, etc.) should have their own.

    -Sean
  • If it's trivial... (Score:3, Insightful)

    by Realistic_Dragon ( 655151 ) on Friday May 09, 2003 @03:20PM (#5921164) Homepage
    If it's trivial to access the system, then there should be no crime committed.

    You cannot just leave an open webserver and expect people to 'just know' that they cannot request files from it. You cannot expect people not to poke around your unpassworded FTP server.

    Trivial passwords should fall into the same category - you can't be bothered to take care of your data/services, you can't bitch when someone else reads it/uses them.
  • by Anonymous Coward
    1. Put up a website on the net
    2. Wait for 100 hits
    3. Sue the 100 people who visited your site for $50,000 each, claiming that you didn't give them authorization to access your computer. Profit!
  • by Shackleford ( 623553 ) on Friday May 09, 2003 @03:28PM (#5921254) Journal
    I did not read the entire document (all 70 pages of it) but I'd have to say that you don't need to read it all to find that at least some parts of it were quite interesting. For example, after reading pages 38-42, the section on Robert Tappan Morris and the "intended function test", I'd have to say that this section alone is quite interesting and is in itself a topic that is worthy of debate.

    For those of you who aren't familiar with what Morris did or didn't read the section I'm discussing, he is the one responsible for the worm that shut down much of the Internet in 1988. He did it using computers to which he had access, and so he was authorized to use them. However, his worm, which exploited bugs in software such as sendmail and the finger daemon, "spread out of control" and caused more damage than intended. He "exceeded authorized use" of the computers to which he had access. And there is a subtle distinction between that and "unauthorized use," but is it significant? That's a point to consider. Here are others:

    • The worm that he had written became "out of control." If that hadn't happened, then would we have ever heard about this? What I am saying is that unauthorized computer access and what is done with that access are two separate things. No harm, no foul, as they say.
    • The reason it is called the "intended function test" is because he used sendmail and the finger daemon for purposes for which they were not intended. Those that write software implicitly only allow users to use software for its intended purposes. What implications does this have for open source software? And game modifications? What about security testing?

    These are a few points I'd say are worth considering. I'm sure that there's plenty more food for thought in the many pages of the document that I still have yet to read. :)

  • by poopdik ( 623969 ) on Friday May 09, 2003 @03:29PM (#5921260) Journal
    The thing about laws that a lot of people don't understand is that all of those "vague" terms that seem ambiguous.. are actually well defined within the legal code. At least in the states I've lived in.

    In california.. it goes something like this:
    (b) For the purposes of this section, the following terms have the following meanings:
    (1) "Access" means to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.
    (2) "Computer network" means any system that provides communications between one or more computer systems and input/output devices including, but not limited to, display terminals and printers connected by telecommunication facilities.


    I pondered this quite a bit myself as I was charged and convicted of it in California about 10 years ago.
  • Is there a way to define the willful circumvention of anti-spam filters (e.g. by throwing in random junk to disguise "spammy" words or make each message appear to be different) as "unauthorized access" without opening some can of worms that needs to be kept closed?

    If so, then the legal tools are already available to make some serious examples.

  • UK law perspective (Score:3, Informative)

    by localekko ( 587362 ) on Friday May 09, 2003 @03:32PM (#5921293) Homepage
    In the UK, unauthorised computer access is defined by section 1 of the Computer Misuse Act 1990:
    (1) A person is guilty of an offence if-
    (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer; (b) the access he intends to secure is unauthorised; and (c) he knows at the time when he causes the computer to perform the function that is the case.
    (2) The intent a person has to have to commit an offence under this section need not be directed at-
    (a) any particular program or data; (b) a program or data of any particular kind; or (c) a program or data held in any particular computer.
    A further offence is defined under section 2 regarding unauthorised access with intent to commit or facilitate commission of further offences. The big problem is subsection (1)(c) - whether or not the person is aware that the access he is attempting to secure is, in fact, illegal. Unlike some other statutes, the CMA 1990 does not say that the person ought to have known that such access was illegal. The provision may have been extended to this effect by case law, but if not, IMO, this renders the law extremely outdated.
  • by mark-t ( 151149 ) <markt@@@nerdflat...com> on Friday May 09, 2003 @03:34PM (#5921324) Journal
    Basically, unauthorized access should fall into a similar domain as trespassing, and can probably be defined as follows: Any person who accesses a system for which authorization to access has not been explicitly or implicitly granted either by the owner of the system or by authorities that the owner is obligated, by either law or position, to yield to.

    Note, lack of security does not equate to implicit authorization, since even if my front door is unlocked, if someone I do not want in my home comes in, they are still trespassing, even if I am not *at* home to tell them to get out (although if they steal anything, my insurance may not cover it since I had not shown diligence in taking care to prevent that). If, however, I come home to find this person in my house, even if they have not stolen or tried to steal anything, I can still charge them with trespassing.

    Also note that mere possession of a suitable entry key or password does not equate to authorization, unless that possession is currently recognized as valid by authorized channels.

  • by gsfprez ( 27403 ) on Friday May 09, 2003 @04:13PM (#5921648)
    Like we talked about before with regards to "breaking into" a Wi-Fi network and using bandwidth that is attached to the Wi-Fi network (wired or unwired)... these things are much simpler, and FAR less confusing if you get to the actual bits of the matter. They also, sometimes, allow one to use real-world analogies of law, such as breaking and entering. Their downfall (or greatness, depending on what side you take) is that they, in the end, place responsibility on the property owners to know - carnally - what is going on with what they bought.

    I think few people would gripe with the idea of sniffing packets and forging MAC addresses and passwords to gain access onto a Wi-Fi base station as "unauthorized access" if the Wi-Fi base station has MAC address access lists and uses WEP - regardless of how piss-poor they are in providing ACTUAL security... you clearly have intent of the 3rd party to gain "unauthorized access" because they are doing the equivalent of lock picking - hacking tumblers with a non-key to fake an authorized key.

    But what of the "Linksys" Wi-Fi base stations that are set to defaults which purposefully hand out IPs and DHCP licenses? Or websites with no passwords that provide any file with a simple HTTP GET request? Or SMTP servers that happily forward any SMTP request without passwords or IP filters?

    What is happening in each of these cases - open base stations with DHCP servers, open websites, and open SMTP relays - is that, at the actual protocol levels, each of THESE cases is a slam dunk.

    If I request a DHCP lease, and the open base station gives me an IP and a lease, then, by definition, I have not gained access in an unauthorized manner. That person's equipment functioned properly, within bounds, and GAVE me access. If you GIVE someone access, by definition, it's not unauthorized.

    If I request a URL with an HTTP GET, and the server happily sends me a file that was in a directory that was not "meant" to be opened - that person's equipment GAVE me access, and just like in real life, if I ASK for access, and you GIVE it to me, then that access is AUTHORIZED.

    Some of these cases in the whitepaper are foolish and would have been overturned if the RFCs got busted out...

    In the case of Explorica, I could have kicked their ass. The RFCs clearly state that web services cannot be demanded, they cannot be stolen, they are requested with a GET, and the request is either accepted or not. If EF didn't want to have their prices undercut, then wtf did they put them on a public webpage? Explorica REQUESTED information - and EF's computers GRANTED it... all according to the protocols... all according to the rules.

    If I do a properly formatted and non-corrupted HTTP GET, and you SEND me the data - there is no legal case of me GAINING "access of any kind"... I didn't REQUEST ACCESS... I requested data - and you gave it to me... be it a letter, a picture named "45728.jpg", the company's secret files improperly stored on a website...

    If you and I are on the train, and I ask you for all your money, and you give it to me... what are the possible circumstances...

    1. I am a robber, and I threaten you with a gun or a knife or with some form of physical threat... so you give me the money under duress.

    2. I am a beggar, and I do not threaten you in any way. You give me all your money freely.

    In example 1, I am violating protocol... I am threatening you. In example 2, I violate no protocol, and in no way threaten you; your decision to give me all your money, while perhaps foolish and stupid on your part, is your free will.

    Open websites, open Wi-Fi base stations, and SMTP relays are ALL example 2. There is a protocol - in all cases clearly laid out in RFCs... and as long as the protocol is followed without any modification, and yet YOU GIVE ME DATA.... there cannot be any crime.

    just as there is no crime in giving a person money on a train, so long as there is no violati
    • In the case of Explorica, I could have kicked their ass. The RFCs clearly state that web services cannot be demanded, they cannot be stolen, they are requested with a GET, and the request is either accepted or not.

      Sounds good on Slashdot, but this is terrible legal advice.

      Interestingly, the CFAA, and not the RFC is the law of the nation. The generalization fails, in both extreme and ordinary cases -- a person who serially guesses passwords until he succeeds has passed the passwd protocol, but has also
  • Regulation by code (Score:4, Interesting)

    by Sloppy ( 14984 ) * on Friday May 09, 2003 @05:42PM (#5922371) Homepage Journal
    I think that "regulation by code" could still be vague.

    Suppose I write an email containing a script that on one particular mailreader, will be executed if someone reads it. The mailreader does this on purpose; it's not a bug, it's just really naive design. The author of the program thought it would be really k3wl to execute scripts automatically.

    The script will display an animation demoing my penis-enlarger product, and it will send an email back to me if the animation runs to completion, so that I will know which recipients watched the whole ad.

    I mail the above message to a bunch of people who are on my penis-enlarger opt-in list. Yes, they actually requested information about penis-enlargers, although they never said anything suggesting that they consent to me running scripts on their machines. I'm not spamming, but my inclusion of the script is slimy, and what the script does surely counts as "access."

    • Most of my recipients are running a mailreader that doesn't automatically execute scripts, so my email has no effect except to use some disk space. Or maybe some of them even run filters that drop my mail before it gets stored.
    • Person A is running the mail client that I designed the script for, and it executes the script. It runs, and then reports back to me that he let the animation run to completion. Person A is amused by the animation, though probably doesn't realize everything the script did.

      If I understand correctly, since there is no attempt at "regulation by code" in this situation (the mail reader runs scripts on purpose, not as a bug), then what I did wasn't without authorization. No crime here, right?

    • Person B also runs that same mailreader, but the mail exchange for his domain, filters out all mail that contains the word "penis." So he never got it and it never even had a chance to run. No crime here.
    • Person C has the same kind of filter, but his filter is misconfigured, and it fails to stop my mail. Again: the exchange is intended to filter, but it's not working correctly. I don't know why. I didn't even know he had a filter. But it's there. I didn't do anything (so far as I know) that influenced whether or not my mail would get through the filter, but it did. Person C's workstation executes my script, and he is annoyed.

      Did I circumvent "regulation by code" with person C?

    • Person D has a filter, but I already suspected that he might have one and that it might filter out messages containing the word "penis." I change that one word in my mail to a synonym and it gets through his filter and executes. I took an active and deliberate (but speculative) measure to bypass a filter that I thought may or may not be there. Gee, what a lame filter.

      Did I circumvent "regulation by code" with person D?

    • Person E's filter has a bug that will pass any message that is a multiple of 666 bytes long. Otherwise, it aggressively blocks any mail that contains a script or the name of a body part. I know for certain that he has this filter and I know about the bug, so I pad my message to a multiple of 666 bytes, thereby willfully exploiting the bug and it gets through and executes. Person E is furious.

      There was code intended to prohibit exactly the kind of crap that I was pulling, but I got around it, in defiance of the code and person E's desire. He wanted my ad, but sure didn't want me to run a script on his machine, especially one that mailed me back to say whether or not he watched the ad.

    Surely I crossed the line on person E. I'm not so sure about persons C and D.
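An added example, not from the original comment, that models the filters in cases B through E above and the two evasions (swapping the keyword, padding the message length) so the difference between "got through by accident" and "got around the code on purpose" can be seen in running code. It also covers the earlier question in this thread about willful circumvention of anti-spam filters by disguising "spammy" words. The sample message, the keyword list and the multiple-of-666 bug are constructed to match the scenario; nothing here is a real mail filter.

```python
import re

# Constructed sample ad (not from the original post): a script plus a blocked word.
AD = b"<script>report('watched')</script> Try our penis enlarger today!"

# Crude structural check for an embedded script; good enough for the demo.
SCRIPT_RE = re.compile(rb"<\s*script\b", re.IGNORECASE)


def keyword_filter(message: bytes, blocked=(b"penis",)) -> bool:
    """Persons B-D: the mail exchanger drops any message containing a blocked word.
    Returns True when the message is delivered, False when it is dropped."""
    low = message.lower()
    return not any(word in low for word in blocked)


def buggy_filter(message: bytes) -> bool:
    """Person E's filter: blocks scripts and body-part words, but a length
    check meant as a fast path runs first and short-circuits the content checks."""
    if len(message) % 666 == 0:
        return True  # the bug: any message of this length skips every check
    if SCRIPT_RE.search(message):
        return False
    return keyword_filter(message)


def fixed_filter(message: bytes) -> bool:
    """Same policy with the fast path removed and the structural check first."""
    if SCRIPT_RE.search(message):
        return False
    return keyword_filter(message)


def synonym_evasion(message: bytes, word: bytes = b"penis", synonym: bytes = b"member") -> bytes:
    """Case D: the sender guesses the keyword list and swaps the word for a synonym."""
    return message.replace(word, synonym)


def length_evasion(message: bytes, n: int = 666) -> bytes:
    """Case E: the sender knows the length bug and pads with trailing spaces
    until the length is a multiple of n."""
    return message + b" " * ((-len(message)) % n)


def run_cases(message: bytes = AD) -> dict:
    """Which filter delivers which variant of the message."""
    variants = {
        "original": message,
        "synonym": synonym_evasion(message),
        "padded": length_evasion(message),
    }
    return {
        name: {
            "keyword_filter": keyword_filter(body),
            "buggy_filter": buggy_filter(body),
            "fixed_filter": fixed_filter(body),
        }
        for name, body in variants.items()
    }


if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(name, outcome)
```

The keyword-only filter is beaten by the synonym swap, and the length bug lets the padded message through the filter that would otherwise have blocked it on both counts; the fixed filter checks structure (the script tag) before content, so neither evasion helps.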

  • Passive Access (Score:4, Interesting)

    by Sloppy ( 14984 ) * on Friday May 09, 2003 @06:20PM (#5922619) Homepage Journal
    Yet another nit: he defines "access" in a way that is always active: someone sends a command to a computer. Passive access is unaddressed. I wonder if this is intentional.

    If I park my car on the public street in front of your house or business and sniff your unencrypted 802.11 traffic, many people might say that counts as access. But not by his definition.
