My opinion would be if you think you are doing something wrong, then
it probably are.
I.e. consider the Irishman named "O'reilly", if he types that in as
his username, and causes an error code, is he performing an illegal
act? No. But say you do it, "with intent" to causing an error, which
would then provide you with more information which you intend to use
to break into the system, then yes - you are performing an illegal
act.
Anyway, what answer are you looking for here?
The best person to ask here is a lawyer (even if you think they don't
know what they are talking about), because if you get into trouble,
they will be the ones representing you :)
-- Michael
-----Original Message-----
From: Dave Ryan [mailto:dave@mongers.org]
Sent: Friday, 28 January 2005 11:25 PM
To: webappsec@securityfocus.com
Subject: Off topic: what is sensitive information on a website?
Hi list,
This is possibly off topic, but I figured that the technical
experts in the field were better positioned to offer a
helpful answer/opinion to my questions.
In the course of accessing a website (which, for our
purposes, we will consider as "the platforms necessary to
deliver the services provide") what constitutes legal and
illegal access to information?
1. Is an authentication and authorisation procedure required to
grant access to what $SITEX deems sensitive? What is
the minimum
requirement for distinguishing between public/sensitive
information? At what point must a user be notified about this?
2. Must information be classified? Must users of the site,
regardless of whether they are authorised to access sensitive
information be notified that certain information is stored on
the site and authorisation must be granted prior to accessing?
(again, this relates to 1)
3. In the absence of an authentication/authorisation procedure,
what constitutes as protection for the information?
For example
if I attempt to inject SQL into a database to return data, but
this data has not been marked sensitive (i.e. the
site security
policy is not communicated to the user) am I
committing a crime?
I suppose other laws come into play at this point
(DPA). But if
am unaware as to the nature of the data, is the site in
olation by not affording the information adequate protection?
(At this point I suppose I should report this to the DP
Commissioner, but what is my legal position?).
4. What if I attempt to validate the controls in place, i.e. I do
not attempt to exploit a weakness but I do check for the
existence of one (e.g. I test for error codes;). In this
instance, have I committed a crime by putting the
system into a
state where it generates an error code (assume the system has
not been damaged/modified/etc due to this activity). Many real
word analogies to this one (e.g. checking a door to
see if it is
locked), etc.
I suppose the underlying question is:
What is misuse and must I be informed of what constitutes
misuse on
each website I visit?
As a reference, I offer section Section 1 of the Computer
Misuse Act, 1990 (c. 18) [UK] states:
Unauthorised Access to Computer Material
1. - (1) A person is guilty of an offence if -
(a) he causes a computer to perform any function with intent
to secure access to any program or data held in any
computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer
to perform
the function that that is the case
(2) The intent a person has to have to commit an offence under
this section need not be directed at -
(a) any particular program or data;
(b) a program or data of any partciular kind; or
(c) a program or data held in any particular computer
Thanks in advance for your opinions (or pointers to the
obvious answers I may have missed).
Kind Regards,
Dave.
--
http://dave.mongers.org
