
| Subject: | RE: application for an employment |
|---|---|
| Date: | Wed, 29 Mar 2006 12:32:15 +1000 |
Thanks Craig--as ever, I defer to your greater knowledge on these things--thanks for the full breakdown. (Where do you get most of this stuff from, if you don't mind me asking? As you're in Oz too, I could do with pointing our corporate counsel to some more resources for localized referencing.)

Also, this made me think of how you can use Google to find 'vulnerabilities' (though perhaps not in the classic sense of the term) on web facing machines (check out johnnyihackstuff). Would the law cover this kind of 'scanning'? I get the feeling it will catch up at some time soon if it doesn't already.

Regards
Murad Talukdar

-----Original Message-----
From: Craig Wright [mailto:cwright@bdosyd.com.au]
Sent: Wednesday, March 29, 2006 7:54 AM
To: Murad Talukdar; security-basics@securityfocus.com
Subject: RE: application for an employment

Hello,

First to your "Man in the Piddle attack". You would be guilty of any strict liability offences. You would also be liable under offences where negligence is involved. "Piddling" on the wall - missing the bowl etc. - is damage (I would not want to clean after you ;). There are defences to criminal trespass; being drunk would likely excuse you if you did not damage anything. Being drunk is not an excuse - unless you can show (proof is with you) that you did not voluntarily drink the alcohol. There are numerous people who have spent a few nights in the lockup for drunken escapades.

There is a difference between port scanning and vulnerability scanning - the law can treat these differently. Port scanning is not a criminal action UNLESS you cause damage. Damage includes causing a system to reboot. In the US damage is generally held (state by state varies) at being a minimum of $5,000. Getting an incident team in to investigate the reboot will cost more than 5k.

Scanning across international boundaries does not make anything more or less legal. It makes enforceability more difficult. Action would need to first be brought in the country you scanned and then that country would need to seek to enforce its orders under treaty rights. Scanning within Europe is an easy case. EC laws make criminal enforcement for all EU violations simple (in comparison). In cases where there is no treaty, things are more difficult. You may have action decided but not be able to enforce it. Sometimes it is easier to just contact the embassy of the nation involved. They may or may not do anything depending on the political climate.

Port scanning in Nth Korea or China (without government permits etc.) is an offence (as is owning the tools). Prove (and this is proof to a criminal level) who scanned you in Cn and the Chinese govt. may have the person shot (this is an ethical decision to make before you report to these countries).

In most western countries, port scanning (and note port scanning - not vulnerability scanning) is not strictly illegal. Remember however that any damage makes the act illegal and criminal in many jurisdictions. The risk of causing damage may not be great, but the impact is. Thus the risk of doing this without authorisation is not worth the benefit.

Regards
Craig

-----Original Message-----
From: Murad Talukdar [mailto:talukdar_m@subway.com]
Sent: 28 March 2006 2:18
To: security-basics@securityfocus.com
Subject: RE: application for an employment

When I was a wayward teenager, I once got very drunk during a KISS FM summer roadshow. The result of three hours of solid drinking in the sun was a very full bladder. Now, for some unknown reason I decided to tag onto a group of people that I had never met before, and I actually managed to walk into their house un-noticed by them until we all got into the kitchen. There I was challenged by someone along the lines of, "Who the hell are you," (but with more, uhh, brio) at which point I replied that I needed to use their toilet. Needless to say they refused and politely, if a little roughly, ejected me forthwith.

Now you could say that I was port scanning in the hope of finding somewhere to dump data that did not belong to the owners of the house in question. Or something. Maybe I've got this whole analogy thing the wrong way round. Perhaps you could say that I was attempting a Man in the Piddle attack. I don't know.

The port scanning issue is such a nebulous one--especially when applied across international boundaries. What does the law say where YOU are? What does the law say where you are about scanning OTHER countries? What does the law in another country say about you scanning their country from somewhere else? As someone has pointed out (and I'll defer to them on this point) the scanning is not illegal in Germany--with the usual conditions of course. Is it unethical? Hmmm.

Should he tell the Uni? I don't think so. Not until he works out how they operate. Also, has Matthias posted with his real name? This whole thread would no doubt show up on a quick Google.....will they bother doing that? If the employers know anything about modern hiring resources then I'd expect them to....

Regards
Murad Talukdar

-----Original Message-----
From: David Gillett [mailto:gillettdavid@fhda.edu]
Sent: Tuesday, March 28, 2006 5:18 AM
To: 'Craddock, Larry'; security-basics@securityfocus.com
Subject: RE: application for an employment

It's more like throwing a stone at a window to see if it's open. Sometimes the stone bounces off the closed window, sometimes it sails through the open window, and sometimes it *breaks* the window. "I only wanted to find out if the window was open or closed" is not generally considered an excuse to avoid responsibility for the broken pane....

David Gillett