On 26 Aug 2001, at 11:22, Declan McCullagh wrote:
Date: Sat, 25 Aug 2001 19:41:18 -0400
From: John Noble
Subject: Re: FC: U.S. Attorney replies to "Good Samaritan" outcry with statement
It's an interesting defense -- accidental penetration.
It's more than interesting: we seem to have entered the age of Click on a Link, Go to Jail. Amplification below...
Maybe somebody on your list, Declan, who knows more about network security can answer this question: if a hypothetical cracker was nailed by real-time monitoring -- a "gotcha" while online and inside the network -- would he likely know it or suspect it?
No, but the question presupposes something not suggested by the published facts I have so far seen: that Mr. West was "inside the network." According to the reports he simply clicked on a function in Microsoft Front Page to capture a Web page for use as a sample and, to his surprise, found that Front Page was allowed editing access to that page. That's like walking up to a door in an unfamiliar office building to read the occupant information and finding one's self sucked through the door and to an open file cabinet, whereupon the hidden cameras film one "penetrating" someone's confidential information. It was Front Page, a tool from a company notorious for going out of its way to facilitate insecure accesses by automating security holes, that did the penetrating, and that was only possible because the site had not been secured in any way. No doubt leaving the site wide open to public modification is the default in Front Page, which would be true to form. Another analogy could be visiting a business office for information, seeing a sign saying, "Public information this way," following the arrow, opening the door to which it points, finding one's self in a room full of file cabinets, briefly examining some file folders thinking they must contain the public information, discovering that the information is most decidedly not of a public nature, leaving, reporting the lack of security to the management, and being accused of "penetrating" the company's files. It is absurd. Had Mr. West used something like WebWhacker to capture pages, or even "Save As" in his browser, he would have been in no danger of "penetrating" anything, intentionally or otherwise. His basic mistake was in using software that tries to do Dangerous Things at the touch of an innocuous button. His second mistake was pride -- he had to tell someone how smart he was. Reporting an unlocked door to clueless weasels is probably a good way to be asked, "And what were *you* doing opening that door?" and to be accused of trespassing. Or to have detectives show up and ask one, "Can you show us this door you found unlocked, and can you show us exactly how you opened it?" Translate all this into the context of doors with ambiguous markings in public offices where public information is advertised to be available and it becomes clear how silly it is.
Or can we assume that his voluntary report of his accidental accomplishment was the product of good faith and stupidity?
Yes, overwhelmingly so. To suggest that he somehow tipped to some form of monitoring by using Front Page and then 'fessed up to seem of innocent intent is a far reach. And what monitoring, for that matter? It seems unlikely that people disorganized enough to leave their Website completely open to editing by Front Page by anyone on the planet would be together enough to be monitoring their network in real time for intrusions. More likely the "monitoring" was the examination of logs after the fact. Something else I have not seen mentioned is this: many TCP/IP tools, particularly browsers and other Web tools, incessantly send requests for documents until they receive an answer. Crank up a sniffer or other form of raw TCP/IP monitoring and point a browser at a host that doesn't exist or doesn't answer on Port 80. You will see the browser send dozens, perhaps hundreds of requests. There is little in such traffic logs to suggest any correlation between the numerous "attempts" and any wilfulness or repeated action on the part of the person using the software making the requests. Worse, the user is unaware of all that activity, seeing only the spinning logo of the Web browser, for example, as it tries to contact a Website. It is as if your phone had an automatic redial feature that would continue to dial until achieving a connection. It would be as mindless to count the number of calls as some kind of indication of intent or persistence on the part of the caller as it may be to count "attempts" to connect to something in the Internet, particularly something intended to be connected to by its very nature and by tools that customarily contain automatic retry functionalities. Have we now reached a place in La-La Land where each of 100 or more TCP port connection tries automatically made by a browser is to become a "count" in an indictment?
Date: Sat, 25 Aug 2001 11:30:21 -0700
From: Anthony Mournian
August 25, 2001
...
Somehow this whole thing of Internet security has begun to turn upside down.
Yea, verily!
It has a chilling effect on free and open communication when it becomes a crime to talk about the possibility of breaching security, or to discuss it in an open forum. It has a chilling effect on free speech when the U.S. Government decides to act like the 800 lb gorilla and go after a person like Brian K. West, who did in fact look at the content of another person's computer, and had the common sense to report the complete lack of security to the computer's owner.
Very well put.
Funny, I feel even by writing you this note I invite investigation by Big Brother.
As do I by writing to Declan with the possibility that he may include my message in his public list.
...
Much of this note is off the point, and yet is directly on point. The U.S. Government is too much in many of our lives already, and this newfound Mecca of computer investigation and The Hammer for those who even technically step off the line, as apparently did Mr. West, is a bit too much.
It is way too much. It is probably to be expected, though. People, including law enforcement, have demonstrated some difficulty in translating concepts well settled in non-computer contexts into the world of computers and the Internet. In time this will all shake out but there will be many casualties along the way. In a few decades readers of old accounts of such bizarre applications of law and legal concepts as we are today witnessing will no doubt shake their heads over the silliness of it all, much as we can now gape at the absurdity of the Salem witch trials and other such excursions, but they will in no way gain a sense of the horror of being one of the casualties. There does indeed appear to be a flight of common sense from most all walks of modern life, from the hamburger flipper who replies to an order for a burger to go by asking, "Here or to go?" to the legion of businesses whose Customer Service is less useful than the time-of-day recording to elected representatives who fall all over themselves to offer and pass legislation clearly prohibited by various constitutions. It should not be all that surprising that law enforcement entities are seizing on new computer-related legislation as if the underlying concepts had just been imported from another galaxy and were to be taken without regard to common sense or any other established legal wisdom. On the one hand people in general are having difficulty applying what they already know to the Internet; on the other hand it is in the nature of law enforcement to seek any advantage at the cost of any principle or any loss of rights for all. What we cannot yet see is how far down the road of lunacy this trend will go before it is corrected.

Regards,
Thomas Junker
tjunker@tjunker.com