[Dshield] Port 135

Jon R. Kibler Jon.Kibler at aset.com
Thu Oct 17 18:55:10 GMT 2002


David:

Thanks for your feedback on my thoughts. Question: Pardon my ignorance, but what do YMMV and AUSA mean?

Now, a couple of comments on your remarks.

First, there was a recent appeals court ruling that you could not seek prosecution in Federal courts for computer crime acts, unless you could clearly demonstrate at least $5,000 in actual losses -- that losses less than that did not constitute a violation of Federal laws. Although this ruling technically only covers one judicial district, the FBI and Secret Service have apparently decided to apply that ruling universally and now will not investigate any incident where you cannot prove actual losses in advance. (Or so has been my experience.)

Now, regarding your quote from 18 USC 1030: I have talked to several attorneys about what constitutes "knowingly accessing a computer without authorization" and all, including prosecutors, are of the opinion that if you have a "public service published" (such as an open port), and you do not put access restrictions on that port (such as a login, etc.), or you do not give warnings about unauthorized access and/or use (some banner supplied upon connect), then all accesses to that service are presumed to be authorized; in other words, if you do not make some effort to restrict access, then the presumption is that all accesses are allowed. (That is why we have a very long connect message for sendmail that delineates what we allow and disallow.)

Regarding CPC 502: I think the same arguments about not explicitly stating or limiting access would imply that permission to access the service would therefore be assumed by default. Now, I will grant you that each state has different ways of specifying and interpreting 'legal assumptions', so if CA has a different basis for presuming what is and is not permitted by default, I could see where in CA you may have a case under different assumptions about what is implied permission.

Civil actions: Many states -- too many in my opinion -- require successful criminal prosecution before you can pursue civil damages. I have fought hard to get this changed here in SC, but the lawyers tell me that under the general framework of the State Code, this is not possible. Our current thrust is to create a 'civil only' offense along the lines of 'Intentional Interference with Normal Business Operations' that could allow a business to pursue someone who uses tactics that are not criminal offenses to interfere with the business' operations. (This could cover many things, including computer related interference.) However, there is general reluctance to implement such a wide sweeping statute.

Finally, a comment about your equation: I think that you would also have to include in that equation some factor regarding the potential deterrent effect that a prosecution may have on the actions of other individuals. IMHO, a few high profile cases against a few 'harmless script kiddies' would have a strong deterrent against others trying similar actions.

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA




David Kennedy CISSP wrote:
> 
> At 01:43 PM 10/16/02 -0400, you wrote:
> >Believe it or not, in most states this would NOT be considered an illegal act.
> 
> I disagree. However whether there's any prosecutorial interest is a different question. The best question is whether turning this into a federal case is worth anybody's time versus just plugging the dike and getting on with life.
> 
> From the first lines in 18 USC 1030:
> 
> >>>>
> 
>      having knowingly accessed a computer without authorization or exceeding authorized access
> 
> <<<<
> 
> Clearly this is knowing, without authorization and even though 135, and for the sake of argument 80 may be exposed, the access exceeds what the system's owner authorizes.
> 
> From the California statute (CPC Section 502):
> 
> >>>>
> 
>      Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.
> 
> <<<<
> 
> Most computer crime statutes are worded such that *any* use of computer or network resources without permission or exceeding authorized access becomes a criminal offense, hence are illegal.
> 
> Without damage or other demonstrable losses, which are often tied to sentencing guidelines, few prosecutors are going to spend their or the courts' time in prosecuting these offenses. An exception might occur if there's an exceptional deterrent value or some other principle to be demonstrated. Some law enforcement agencies won't waste investigator's time on something they'll never get prosecuted; others will document what happened and file the report; some are required to refer everything to the prosecutor's office. YMMV.
> 
> There is another value to the laws, other than prosecution. It makes possible civil action. Anyone sufficiently exercised about this can pay their own lawyers to pursue the intruders either for injunctive relief or a tort to recover damages. Once again the costs of damage and defense come into play. Is it cheaper to drop UDP/135 at the border routers or to sic your lawyers on the spammer?
> 
> Equation: the fully burdened cost of an IT guy putting in a router ACL that takes 15 minutes versus the fully burdened cost of at least one lawyer, and his/her staff for X hours plus the fully burdened cost of Y hours from the IT guy(s?) explaining to the lawyer/staff the issues involved.
> 
> IANAL, but I am a retired chief of police who's read a law or two in the past and had to decide whether to write the report and file it or send it to the AUSA.
> 
> --
> Regards,
> 
> David Kennedy CISSP /"\
> Director of Research Services, \ / ASCII Ribbon Campaign
> TruSecure Corp. http://www.trusecure.com X Against HTML Mail
> Protect what you connect; / \
> Look both ways before crossing the Net.
> 



