I believe the correct analogy is that Mathias walked down the street knocking
on doors, and came to one when he knocked swung wide open (as it was never
closed properly) as long as he does not cross the threshold no BNE has
occurred. If he left a note telling his neighbor to push the door completely
closed, so that it latches, he is basically a good Samaritan.
And in the US this should keep him legally in the clear, though to may not
preclude the neighbor form going after him civilly since people over here can
sue for any darn reason that they want.
However when we are talking about a computer system/network, at what point is
he knocking on the Door, and what point is he stepping over the threshold.
Running Nessus to map a system is akin, to a knock trying to connect is akin to
jiggling the door and if it opens stepping over the threshold. Running a
Sploit, is well kicking the door in and walking in. It all boils down to
intent. If he is freely offering up his findings, from merely knocking. It can
be argued that no trespass has occurred, as he has not yet crossed that
threshold. And since he is freely given his findings, well there is not a case
of extortion. At any other level, a trespass has occurred and well the laws are
pretty clear about that.
-----Original Message-----
From: L G [mailto:nitziya74@hotmail.com]
Sent: Wednesday, March 22, 2006 7:23 PM
To: security-basics@securityfocus.com
Subject: Re: application for an employment
This is a good thread which begs further discussion.
My question is, at what point is it illegal? Do we have correspondents on this
list better versed in the law? Obviously, based Randal's experience, you need
to be careful in Oregon, but at what point is port scanning illegal? And what
are the precedents?
Is dig-ing illegal? Are not dns entries, domain names and associated ip
ranges, and net block owners all public knowledge?
I guess the crudest part of my question is, was Mathias picking a lock, or did
he see a door hanging wide open?
And at what point is someone going through an open door versus looking in a
window versus admiring someone's architecture from the street?
lg
----- Original Message -----
From: "Al Gettier" <agettier@tealeaf.com>
To: <security-basics@securityfocus.com>
Sent: Tuesday, March 21, 2006 1:57 PM
Subject: RE: application for an employment
What you did might be illegal without their permission. Take a look at the
Randal Schwartz situation over 10 years ago:
http://www.lightlink.com/spacenka/fors/
-----Original Message-----
From: Steveb@tshore.com [mailto:Steveb@tshore.com]
Sent: Tuesday, March 21, 2006 7:14 AM
To: MatzeGuentert@gmx.de; security-basics@securityfocus.com
Subject: RE: application for an employment
Not if you want them to employ you. It's not good practice to probe their
network without their permission. There may be a serious lack of trust if
you reveal to them that you where doing so without going through proper
channels.
-----Original Message-----
From: Matthias Güntert [mailto:MatzeGuentert@gmx.de]
Sent: Monday, March 20, 2006 7:46 AM
To: security-basics@securityfocus.com
Subject: application for an employment
Dear listmembers,
i am seeking for a new job as a Unix/Linux systemadministrator. There has
been an advertisement at a well known university. So I started to prepare my
self for the application. While collecting some information about the
network, using nmap, dig, etc... I was able to read the whole namespace from
the ip range (255.255.0.0)
My question is should I use some of the information I have found out to push
my application forward? What do you think how a director would react?
--
Mit freundlichen Grüßen
Matthias Güntert
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------
