[Dshield] Port 135

David Kennedy CISSP david.kennedy at acm.org
Fri Oct 18 19:24:11 GMT 2002

Bottom Lines:

+ U$5,000 damages is written into the US Code.
+ Warning banners help but are not prerequisites to prosecution.
+ Not exclusively a US Federal perspective, States and Int'l included
+ Criminal action helps, but is not a prerequisite for civil action
+ Prosecution for deterrence doesn't happen in the real world, but
you're welcome to try.

At 02:55 PM 10/17/02 -0400, Jon R. Kibler wrote:
>but what do YMMV and AUSA mean?

Your mileage may vary (refers to automobile advertisements in the US
several years ago where manufacturers make mileage claims but with the
caveat that not all drivers will achieve the same results)

Assistant United States Attorney (refers to the US Federal
prosecutors who actually do the work.  United States Attorneys are
appointed by the President and confirmed by Congress but prosecute
cases rarely, as either a hobby or for some political appearance
purposes.  AUSA's are civil servants who advance their careers in and
out of government by winning cases.)

>First, there was a recent appeals court ruling that you could not
>seek prosecution in Federal courts for computer crime acts, unless
>you could clearly demonstrate at least $5,000 in actual losses

This is written into the statute, three times; there is no need for a
Circuit Court of Appeals to rule on this, it applies throughout the
United States already.

>Now, regarding your quote from 18 USC 1030: I have talked to several
>attorneys about what constitutes "knowingly accessing a computer
>without authorization" and all, including prosecutors, are of the
>opinion that if you have a "public service published" (such as an
>open port), and you do not put access restrictions on that port (such
>as a login, etc.), or you do not give warnings about unauthorized
>access and/or use (some banner supplied upon connect), then all
>accesses to that service are presumed to be authorized; in other
>words, if you do not make some effort to restrict access, then the
>presumption is that all accesses are allowed. (That is why we have a
>very long connect message for sendmail that delineates what we allow
>and disallow.)

Having a web server is not the same as allowing Fluffy Bunny to deface
it.  Were this true, every server, of every type in the US would
require a warning banner on first contact before any prosecution
could take place.  Clearly a warning banner makes prosecution easier,
but also clearly convictions have been made without them.  For the
purposes of example, look up Robert Lyttle, Jason Garon, Ken Hamidi
and Bret McDanel in your favorite search engine.

This is not unique to the United States Federal courts.  While
fact-checking my messages I found several examples in Australia and
some in the EU as well as within State courts and this was just using
a search engine, not WestLaw or Lexis.

>Civil actions: Many states -- too many in my opinion -- require
>successful criminal prosecution before you can pursue civil damages.

This is not my experience.  In my experience, you can sue anybody for
nearly anything, you just need to figure out how to pay the lawyers. 
The overwhelming majority of torts involve claims of misconduct or
negligence but do not require the involvement of the criminal courts.
How many traffic accident suits are settled without a citation
having been issued?  How many product liability suits without a
manufacturer facing criminal charges?  How many "I fell on the
slippery floor" suits without the store being charged with criminal
negligence or assault?  How many "my new roof leaks" without the
roofer being charged with fraud?

>Finally, a comment about your equation: I think that you would also
>have to include in that equation some factor regarding the potential
>deterrent effect

I allowed for the possibility of a prosecutor bringing action as a
deterrent in my original post, but in my experience these cases
happen with a frequency slightly greater than asteroid strikes.  But
no one should be deterred by my realism (or cynicism), take the case
to a prosecutor; I'd relish seeing some "example" computer crime
prosecutions.  Forgive me if I don't hold my breath here in the real


David Kennedy CISSP                         /"\
Director of Research Services,              \ / ASCII Ribbon Campaign
TruSecure Corp. http://www.trusecure.com     X  Against HTML Mail
Protect what you connect;                   / \
Look both ways before crossing the Net.