No subject

[Thomas Junker]

On 26 Aug 2001, at 11:22, Declan McCullagh wrote:

 > Date: Sat, 25 Aug 2001 19:41:18 -0400
 > From: John Noble <jnoble at dgsys.com>
 > Subject: Re: FC: U.S. Attorney replies to "Good Samaritan" outcry with
 >   statement
 >
 > It's an interesting defense -- accidental penetration.

It's more than interesting:  we seem to have entered the age of
Click on a Link, Go to Jail.  Amplification below...

 > Maybe somebody on
 > your list, Declan, who knows more about network security can answer this
 > question: if a hypothetical cracker was nailed by real-time monitoring -- a
 > "gotcha" while online and inside the network -- would he likely know it or
 > suspect it?

No, but the question presupposes something not suggested by the
published facts I have so far seen:  that Mr. West was "inside the
network."  According to the reports he simply clicked on a function
in Microsoft Front Page to capture a Web page for use as a sample
and, to his surprise, found that Front was allowed editing access to
that page.  That's like walking up to a door in an unfamiliar office
building to read the occupant information and finding one's self
sucked through the door and to an open file cabinet, whereupon the
hidden cameras film one "penetrating" someone's confidential
information.  It was Front Page, a tool from a company notorious for
going out of its way to facilitate insecure accesses by automating
security holes, that did the penetrating, and that was only possible
because the site had not been secured in any way.  No doubt leaving
the site wide open to public modification is the default in Front
Page, which would be true to form.

Another analogy could be visiting a business office for information,
seeing a sign saying, "Public information this way," following the
arrow, opening the door to which it points, finding one's self in a
room full of file cabinets, briefly examining some file folders
thinking they must contain the public information, discovering that
the information is most decidedly not of a public nature, leaving,
reporting the lack of security to the management, and being accused
of "penetrating" the company's files.  It is absurd.

Had Mr. West used something like WebWhacker to capture pages, or
even "Save As" in his browser, he would have been in no danger of
"penetrating" anything, intentionally or otherwise.  His basic
mistake was in using software that tries to do Dangerous Things at
the touch of an innocuous button.  His second mistake was pride --
he had to tell someone how smart he was.  Reporting an unlocked door
to clueless weasels is probably a good way to be asked, "And what
were *you* doing opening that door?" and to be accused of
trespassing.  Or to have detectives show up and ask one, "Can you
show us this door you found unlocked, and can you show us exactly
how you opened it?"  Translate all this into the context of doors
with ambiguous markings in public offices where public information
is advertized to be available and it becomes clear how silly it is.

 > Or can we assume that his voluntary report of his accidental
 > accomplishment was the product of good faith and stupidity?

Yes, overwhelmingly so.  To suggest that he somehow tipped to some
form of monitoring by using Front Page and then 'fessed up to seem
of innocent intent is a far reach.  And what monitoring, for that
matter?  It seems unlikely that people disorganized enough to leave
their Website completely open to editing by Front Page by anyone on
the planet would be together enough to be monitoring their network
in real time for intrusions.  More likely the "monitoring" was the
examination of logs after the fact.

Something else I have not seen mentioned is this:  many TCP/IP
tools, particularly browsers and other Web tools, incessantly send
requests for documents until they receive an answer.  Crank up a
sniffer or other form of raw TCP/IP monitoring and point a browser
at a host that doesn't exist or doesn't answer on Port 80.  You will
see the browser send dozens, perhaps hundreds of requests.  There is
little in such traffic logs to suggest any correlation between the
numerous "attempts" and any wilfullness or repeated action on the
part of the person using the software making the requests.  Worse,
the user is unaware of all that activity, seeing only the spinning
logo of the Web browser, for example, as it tries to contact a
Website.  It is as if your phone had an automatic redial feature
that would continue to dial until achieving a connection.  It would
be as mindless to count the number of calls as some kind of
indication of intent or persistence on the part of the caller as it
may be to count "attempts" to connect to something in the Internet,
particularly something intended to be connected to by its very
nature and by tools that customarily contain automatic retry
functionalities.  Have we now reached a place in La-La Land where
each of 100 or more TCP port connection tries automatically made by
a browser is to become a "count" in an indictment?

 > Date: Sat, 25 Aug 2001 11:30:21 -0700
 > From: Anthony Mournian <mournian at acusd.edu>
 >
 > August 25, 2001
 >
 > ...
 >
 > Somehow this whole thing of Internet security has begun to turn upside
 > down.

Yea, verily!

 > It has a chilling effect on free and open communication when it
 > becomes a crime to talk about the possibility of breaching security, or
 > to discuss it in an open forum. It has a chilling effect on free speech
 > when the U.S. Government decides to act like the 800 lb gorilla and go
 > after a person like Brian K. West, who did in fact look at the content
 > of another person's computer, and had the common sense to report the
 > complete lack of security to the computer's owner.

Very well put.

 > Funny, I feel even by writing you this note I invite
 > investigation by Big Brother.

As do I by writing to Declan with the possibility that he may
include my message in his public list.

 > ...
 >
 > Much of this note is off the point, and yet is directly on point. The
 > U.S. Government is too much in many of our lives already, and this
 > newfound Mecca of computer investigation and The Hammer for those who
 > even technically step off the line, as apparently did Mr. West, is a bit
 > too much.

It is way too much.  It is probably to be expected, though.  People,
including law enforcement, have demonstrated some difficulty in
translating concepts well settled in non-computer contexts into the
world of computers and Internet.  In time this will all shake out
but there will be many casualties along the way.  In a few decades
readers of old accounts of such bizarre applications of law and
legal concepts as we are today witnessing will no doubt shake their
heads over the silliness of it all, much as we can now gape at the
absurdity of the Salem witch trials and others such excursions, but
they will in no way gain a sense of the horror of being one of the
casualties.

There does indeed appear to be a flight of common sense from most
all walks of modern life, from the hamburger flipper who replies to
an order for a burger to go by asking, "Here or to go?" to the
legion of businesses whose Customer Service is less useful than the
time-of-day recording to elected representatives who fall all over
themselves to offer and pass legislation clearly prohibited by
various constitutions.  It should not be all that surprising that
law enforcement entities are seizing on new computer-related
legislation as if the underlying concepts had just been imported
from another galaxy and were to be taken without regard to common
sense or any other established legal wisdom.  On the one hand people
in general are having difficulty applying what they already know to
the Internet; on the other hand it is in the nature of law
enforcment to seek any advantage at the cost of any principle or any
loss of rights for all.  What we cannot yet see is how far down the
road of lunacy this trend will go before it is corrected.

Regards,

Thomas Junker
tjunker at tjunker.com

********