[Dshield] Port 135

Kenton Smith ksmith at chartwelltechnology.com
Fri Oct 18 18:13:43 GMT 2002


I'm thinking we need to get a couple of lawyers to sit in on this list.

I have to question this part of your well-stated post:

<snip>
> Now, regarding your quote from 18 USC 1030: I have talked to several
> attorneys about what constitutes "knowingly accessing a computer without
> authorization" and all, including prosecutors, are of the opinion that if
> you have a "public service published" (such as an open port), and you do not
> put access restrictions on that port (such as a login, etc.), or you do not
> give warnings about unauthorized access and/or use (some banner supplied
> upon connect), then all accesses to that service are presumed to be
> authorized; in other words, if you do not make some effort to restrict
> access, then the presumption is that all accesses are allowed. (That is why
> we have a very long connect message for sendmail that delineates what we
> allow and disallow.)
<snip>

Do I understand this correctly? Say my web server is compromised through port
80 by (we'll say) an undocumented vulnerability and it causes me more than
$5000 in actual losses. What you're saying is that even if I can lead them
to the cracker, I'm SOL because I didn't have a banner saying you can't hack
my system? There has to be a line somewhere, otherwise there's no way of
prosecuting anyone unless they come into our data centre.
Am I overreacting or missing something? Maybe this law is really specific
about what it covers and there are other laws that would cover what I'm
talking about.

Kenton Smith

Jon R. Kibler wrote:

David:

Thanks for your feedback on my thoughts. Question: Pardon my ignorance, but
what do YMMV and AUSA mean?

Now, a couple of comments on your remarks.

First, there was a recent appeals court ruling that you could not seek
prosecution in Federal courts for computer crime acts, unless you could
clearly demonstrate at least $5,000 in actual losses -- that losses less
than that did not constitute a violation of Federal laws. Although this
ruling technically only covers one judicial district, the FBI and Secret
Service have apparently decided to apply that ruling universally and now
will not investigate any incident where you cannot prove actual losses in
advance. (Or so has been my experience.)

Now, regarding your quote from 18 USC 1030: I have talked to several
attorneys about what constitutes "knowingly accessing a computer without
authorization" and all, including prosecutors, are of the opinion that if
you have a "public service published" (such as an open port), and you do not
put access restrictions on that port (such as a login, etc.), or you do not
give warnings about unauthorized access and/or use (some banner supplied
upon connect), then all accesses to that service are presumed to be
authorized; in other words, if you do not make some effort to restrict
access, then the presumption is that all accesses are allowed. (That is why
we have a very long connect message for sendmail that delineates what we
allow and disallow.)

Regarding CPC 502: I think the same arguments about not explicitly stating
or limiting access would imply that permission to access the service would
therefore be assumed by default. Now, I will grant you that each state has
different ways of specifying and interpreting 'legal assumptions', so if CA
has a different basis for presuming what is and is not permitted by default,
I could see where in CA you may have a case under different assumptions
about what is implied permission.

Civil actions: Many states -- too many in my opinion -- require successful
criminal prosecution before you can pursue civil damages. I have fought hard
to get this changed here in SC, but the lawyers tell me that under the
general framework of the State Code, this is not possible. Our current
thrust is to create a 'civil only' offense along the lines of 'Intentional
Interference with Normal Business Operations' that could allow a business to
pursue someone who uses tactics that are not criminal offenses to interfere
with the business' operations. (This could cover many things, including
computer related interference.) However, there is general reluctance to
implement such a wide-sweeping statute.

Finally, a comment about your equation: I think that you would also have to
include in that equation some factor regarding the potential deterrent
effect that a prosecution may have on the actions of other individuals.
IMHO, a few high profile cases against a few 'harmless script kiddies' would
have a strong deterrent against others trying similar actions.

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA
