Mother, May I?
Mark Rasch, 2008-01-23

"Mommy, can I have a cookie?"

Comments
Thanks Mark 2008-01-23
Andy S.
I've been looking for Orin's paper for 6 months and just didn't seem to hit on the right search criteria. I think his paper on the subject is one of the better reasoned at pointing out the difficulties in using trespass in the electronic world.

I think you captured most of the points in your piec...

Mother, May I? 2008-01-23
Anonymous (1 replies)
Interesting stuff. I also think that it is applicable in part to the RIAA's crusade against P2P file sharers, with respect to the "making available" of copyrighted materials.

Say, for example, I rip a copy of "Achtung Baby" by U2 to my harddrive (OK, the RIAA doesn't like it, but it is not illeg...

Re: Mother, May I? 2008-01-24
Mark D. Rasch
It does. If you place it in a file without knowing it is capable of being shared, I think the RIAA would have a hard time showing that you KNOWINGLY made it available, although under some circumstances you can infringe a copyright even without intent or knowledge.

But if you put it in the direct...

You're overlooking some issues. 2008-01-23
Anonymous (2 replies)
Ok, you've got the guessing of URLs as possibly unauthorized. Let's try a different real world analogy. You cut your finger, and go to the doctor, who then puts stitches in. On your way home the stitches fall out. Is it the doctor's fault that they fell out and can he be sued for malpractice? The an...

Re: You're overlooking some issues. 2008-01-24
Mark D. Rasch
Brief response

Most contracts between security consulting companies and their clients limit to some extent the liability of the consultant (they are a consultant, not an insurer), but the short answer is, if a security provider screws up, they probably can be sued - depending on the circumstance...

Re: You're overlooking some issues. 2008-02-14
Anonymous
When you go to the doctor, YOU have entered into a contract. The fact that the sutures fall out, a deviation from the standard of care, makes it a Tort, a civil wrong, NOT a criminal case, unless the doctor had an intent to harm you....

Mother, May I? 2008-01-23
Erik N
1st: Ritz's motives can be many. Maybe he did a zone transfer to compile a list of public IPs he may receive spam from. Unfortunately in doing the zone transfer undesired information was disclosed too.

2nd: The analogy with SQL injections and XSS etc. is bad: These exploits are not published as allo...

Mother^H^H^H^H^H^H directory manager, May I? 2008-01-23
reiisi
Two points:

One, I disagree with the conclusion about the -l option of host, and about the HELO and vrfy commands. My analogies:

You walk into the lobby of an office building, and you see a directory by an elevator. I suppose that looking at the directory might be considered valid, where copyi...

OS utilities and public "keys" 2008-01-23
Ole Juul (1 replies)
It seems to me that the computer/house analogy is often incorrect because computers use permissions and the commands (keys) are public. Whether you type, click, or push a button, nothing happens without using that bundle of keys that the OS provides. We probably all agree that to control access in a...

Re: OS utilities and public "keys" 2008-01-28
Mark D. Rasch (1 replies)
You note "ALL utilities, such as "host", have execute permission signs which tell you explicitly whether you can or cannot run them" and therein lies the problem. They tell you whether you CAN run them, but not whether you MAY. An unlocked or even open door says you CAN enter, but only infers whet...

Re: Re: OS utilities and public "keys" 2008-01-29
Jon Hash
If I left my doors unlocked, and someone came in my house and took pictures of all the rooms and furniture, then I would not have any right to complain: I allowed it by not preventing it. If you connect a device to the internet, and you don't lock it down, you deserve whatever intrusion that happens ...

Be careful what you ask for 2008-01-23
overshoot
Sierra has now established in at least one State that sending a HELO to a mailserver for purposes other than those desired by the owner violates that State's Computer Crime act and (by a lovely turn of estoppel) they can't argue to the contrary in the future.

For a spammer, this isn't a real brigh...

Mother, May I? 2008-01-24
Thomas Downing (1 replies)
Excellent article.

But I do have a question, as a layman at law.

It seems to me that the argument that the internet is a commons is compelling. If this is so, might not the application of a commons as a legal concept help in the resolution of some of the many difficult and ambiguous issues pre...

Internet as Commons 2008-01-28
Mark D. Rasch (1 replies)
Even if you accept the concept that the "Internet" is a commons, the individual machines that are accessible on the Internet are not necessarily a commons, nor are individual directories or files on them. The problem lies when some part of them is accessible online, or some command is capable of be...

Re: Internet as Commons 2008-01-29
Jon Hash (1 replies)
But if you connect your computer to the internet, you should assume that, while connected, anything that is accessible is part of 'The Commons'....

Re: Re: Internet as Commons 2008-02-01
Mark D. Rasch
But what do you mean by "anything that is accessible?" Ultimately ANYTHING can be accessible if you issue the proper commands, find the right authentication, or trick the right people. There IS a difference between intended to be public and publicly accessible. You can argue that the zone transfer...

Mother, May I? 2008-01-24
stacy
"Is failing to prevent something the same as authorizing it?"

I would look at it from the point of view of did he use or abuse a public interface. Using the host command (regardless of whether or not it is arcane knowledge) is not abusing the interface; exploiting a buffer overflow and SQL injection...

Not much of a cheese shop, is it? 2008-01-24
Mitch Smith (2 replies)
I have to take serious issue with this recurring meatspace analogy in which a computer (system? LAN? phone? PDA? web-server? fancy refrigerator?) is like a person's private residence. This metaphor seems to me perfectly applicable to a PC in one's living room which is only intermittently connected t...

Re: Not much of a cheese shop, is it? 2008-01-28
Mark D. Rasch (1 replies)
The only question I have is, are you offering a service by not expressly disabling it? Clearly the "service" can be run. I agree that all analogies ultimately fail, and that the law only deals by analogies, so it is very imperfect. However, the "if it CAN be run it MAY be run" argument then permit...

Re: Re: Not much of a cheese shop, is it? 2008-01-29
Camambert
Excellent article, thank you!
You made a great point: "the court looked at motive and intent, not just authorization". And I guess it is the most troubling. As a techie, I'd like to believe that the computer world is ruled by the laws of physics, and a port scan is a port scan is a port scan, no ma...

Re: Not much of a cheese shop, is it? 2008-01-29
Anonymous
Just curious...this person is offering his WiFi unconditionally to anyone within range, right? Say one of his users was inclined to perform some sort of a malicious act on another computer (even more malicious than the HELO "attack" mentioned in the article!). Now where does that leave the legal r...

Mother, May I? 2008-01-27
Anonymous (1 replies)
I usually agree with you Mark, but in this case I have to disagree.
Sierra's failure to properly secure their server cannot turn what would otherwise be a perfectly legal act into a crime. If Sierra had properly configured split horizon DNS, and left zone transfers enabled, then a zone transfer w...

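The "properly configured split horizon DNS" that the comment above contrasts with Sierra's setup (and the `-l` option of `host`, i.e. a zone transfer, that an earlier comment mentions) is a configuration question, so here is a BIND 9 named.conf fragment as an added example; it is not part of the original comment, of Mark Rasch's article, or of the SecurityFocus page. It serves one zone from two views, so clients outside the internal networks only ever see the external zone file, and it restricts AXFR in both views to named secondaries instead of the unrestricted `allow-transfer { any; };` that discloses the whole zone to anyone who asks. The ACL networks, the secondary's address and the zone file paths are constructed placeholders (RFC 1918 and RFC 5737 ranges), not Sierra's values.

```conf
// Constructed example: split-horizon views with restricted zone transfers.
// Addresses and file names are placeholders, not from the original page.

acl "internal-nets" {
    10.0.0.0/8;        // constructed: corporate LAN ranges
    192.168.0.0/16;
    localhost;
};

acl "secondaries" {
    192.0.2.53;        // constructed: the only host allowed to AXFR the zone
};

options {
    directory "/var/named";
    recursion no;                      // authoritative-only server
    allow-transfer { none; };          // global default: no AXFR unless a zone says otherwise
};

// Weak setting, shown for contrast and NOT used below:
//     allow-transfer { any; };
// With that line, `host -l example.com <server>` from anywhere returns every record,
// including internal hostnames that were never meant to be public.

view "internal" {
    match-clients { internal-nets; };  // evaluated in order; internal clients match here first
    zone "example.com" {
        type master;
        file "internal/example.com.zone";   // full zone, internal hostnames included
        allow-transfer { secondaries; };
    };
};

view "external" {
    match-clients { any; };            // everyone else lands here
    zone "example.com" {
        type master;
        file "external/example.com.zone";   // only the records intended to be public
        allow-transfer { secondaries; };
    };
};
```

Two caveats that follow from how BIND evaluates this: once any `view` is declared, every zone must live inside a view, so a stray top-level `zone` statement is a configuration error rather than a fallback; and restricting AXFR only stops bulk disclosure, since each record in the external zone file can still be looked up one name at a time, which is why the external file itself should hold nothing that is not meant to be public.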
Re: Mother, May I? 2008-02-01
Mark D. Rasch
I do think that a mere open door is not an invitation, but it's a close question in both the real and virtual world....

Mother, May I browse your public server? 2008-01-28
Anonymous (1 replies)
If I put a webserver on the internet and someone downloads the content...well, that's why I put it there....it's public. If a couple is engaged in a romantic moment, and they leave their blinds open to the public.....it's public. If someone puts a server on the net with netbios accessible and anon...

Re: Mother, May I browse your public server? 2008-02-01
Mark D. Rasch
It depends on whether I put it out BECAUSE I want you to use it (and to make the info available), or simply forgot to secure it (like if I left the door open because I was walking the dog, or inviting someone in.) The question is, do you KNOW why I left the door open? In the Sierra case, the Court...

It's Like a Phone Book 2008-01-30
danielc
I think a better analogy is a phone book.

If you sign up for phone service, you will likely be listed in the white pages. Anyone can grab the phone book and look up your phone number.

If you don't want people looking you up, you can ask the phone company to give you an unlisted number. Most ...

Mother, May I? - WPAD hack appears to be legal 2008-02-01
Bertman
As a grey hat, I might set my PC up as a WPAD (Windows Proxy Auto Detect) server. I might also tell any PC that wants to use my WPAD service to use my PC as a Proxy. I also might be sniffing everything on my PC that is acting as a Proxy for passwords. I might do this while at a Hotel or Coffee ...

Mother, May I? 2008-02-07
Victor (1 replies)
Good read.

BTW - Caught your session at the Computer Forensics Show at the DC Convention Center earlier this week. Highlight of the conference for me. Thanks....

Re: Mother, May I? 2008-02-07
Mark D. Rasch
Thx Victor...

Mother, May I?: Yet another real-world analogy, the court's homework, and ..."Microsoft itself"? 2008-02-09
Anonymous
By the legal definition I am looking at right now, a "peeping-Tom"-type voyeur is guilty if trespassing on private space. If I read this right, a party who can see the view from the sidewalk or a public road isn't violating the law, even if he has to go to some trouble to do so (e.g., find some elev...

Copyright 2009, SecurityFocus