[Dshield] SC Comp Crime Law (WAS: Re: South Carolina, Computer Crime, Bell South, and Related Frustrations...)
ed.truitt at etee2k.net
Tue Aug 27 23:56:42 GMT 2002
Well, a couple of things, from my perspective:
1) If it is MY system, and I don't do anything to indicate you are not
welcome, then simply accessing the system should not be a crime. This would
include the use of an open SMTP relay (there are some folks who choose to
make their SMTP servers an open relay - I think it is pretty stupid, but
YMMV.) There are better, technical controls for such behavior (RBL the
suckers). Most ISPs also prohibit using open relays in their TOS/AUP. If I
DO do something to indicate you are not welcome (those silly "Legal
Notices", AUPs, etc. come to mind), then I (as the system owner) should be
able to nail a trespasser's skin to the wall. (Also, remember that making
"unauthorized use" of an open SMTP server a criminal act would effectively
prevent testing for open relay conditions, like what happened to ORBZ.)
2) Port scans etc. should NOT be make illegal. It is far too easy to deal
with those in a "technical" manner. Besides, who should have the right to
do a portscan? Me, on a netblock I pay my ISP for? My ISP? A
state/federal agency, conducting research or constructing a "map"?
3) Limit the scope of the law. If you are aiming it at people in SC who are
doing bad things, then scope it to include them, and scope it to EXCLUDE
people who are doing bad things, but who aren't in SC. There is a question
(in this layman's mind, at least) that says if I am being prosecuted for a
crime in SC, then I should have COMMITTED the offense in SC (or in whatever
jurisdiction it is being prosecuted in). In non-IT terms: The speed limit
in Houston on the freeways is 55 MPH. I am travelling down the road in
Sugar Land (a separate city) doing 60. A Houston PD officer pulls me over,
and cites me for violating Houston's speed limits, because (in this
hypothetical example) the city of Houston passed a law that said that "if
any part of the trip is in Houston, then the entire trip is governed under
the laws of Houston". Yep, pretty silly. However, we have a lot of
computer-related laws like this - for instance, the person in California who
was prosecuted in Tennessee for violating their (TN) anti-porn laws with his
website - which was hosted in CA, but could be reached by someone in TN. If
someone attacks a site in SC from a location outside of SC, then let the
attackee pursue it through the civil courts, or through the authorities in
the location where the attacker did the bad thing.
My bottom line: the punishment for committing felonies is pretty severe.
It is also expensive for the taxpayers. Make sure that they are getting
their moneys' worth.
PGP fingerprint: 5368 D25E 468C A250 9833 CCD6 DBAE 9C25 02F9 0AB9
"Note to spammers: my 'delete' key is connected to YOUR ISP.
Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."
----- Original Message -----
From: "Jon R. Kibler" <Jon.Kibler at aset.com>
To: <list at dshield.org>
Sent: Tuesday, August 27, 2002 9:30 AM
Subject: [Dshield] SC Comp Crime Law (WAS: Re: South Carolina, Computer
Crime, Bell South, and Related Frustrations...)
> I was kinda surprised by the responses and non-responses to my original
post... I guess I put too much into my original message to get the feedback
I expected. Therefore, please indulge me as I split the original discussion
into two different messages. (This is part one.)
> The only part of the original post that produced any feedback was
regarding the computer crime law itself. The concerns expressed about the
new law were the same as most first reactions... "What if someone hacks me
and uses my computer to initiate attacks -- Am I now a criminal?" (Short
> Two or three years ago, when I first started asking people "What should be
considered criminal use/misuse of a computer?" the consensus of opinion
seemed to be "As long as it doesn't destroy data, deny service, or disclose
confidential information, everything should be legal." When I asked specific
questions (on some security news groups) such as "Should port scans be
illegal?" or "Should unauthorized sending of mail through open relays be
banned?", the responses I received basically labeled me a heretic out to
destroy the freedom of the Internet for even suggesting such ideas.
> Have times changed so much that everyone now agrees that limits should be
placed on activities once considered perfectly acceptable? For example, I
remember getting dozens of emails that basically said "Anyone so dumb as to
run an open relay mailer deserves all the traffic spammers can shovel
through their mailer." Are opinions such as this now dead? (I hope so!)
> Looking at SC's Computer Crime Law from a purely technical standpoint, I
would appreciate some feedback on a few issues:
> 1) Does the law make illegal activities that should be permitted?
> 2) Are the definitions, such as what is a "computer" or "data" (etc.)
> 3) What loopholes do you see in the law? (That is, what do you think
you could get away with [because of some potential flaw in the law] that the
law appears to make illegal?)
> 4) Are there activities not covered by the law that should be made
> 5) Should a business be able to recover civil damages for "computer
crimes" without first having to obtain a criminal conviction?
> 6) Does your state (or country, if not U.S.) define computer crimes not
covered under the SC law?
> 7) If you were to lobby your state to update its computer crime laws,
what parts of the SC law would you like to see included or excluded by your
> Finally, I would like your general opinion of the law:
> Is it good, bad, or indifferent legislation, and why so?
> What do you feel are its strengths and weaknesses?
> Any other general comments or thoughts on the law?
> We hope to get a couple more changes made to the law in the next
legislative session, so any and all feedback on the current law is greatly
> Thanks for your time and indulgence.
> Jon R. Kibler
> Systems Architect/Chief Technical Officer
> Jon.Kibler at aset.com
> Advanced Systems Engineering Technology, Inc.
> 389 Johnnie Dodds Blvd., Suite 205
> Mt. Pleasant, SC 29464-2969 (Charleston)
> Phone: (843) 849-8214
> Fax: (843) 849-8215
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
More information about the list