Security Forums

When does using a public resource/hacking become illegal?

Jason
Posted: Thu Oct 24, 2002 1:55 pm

(Branched from http://www.security-forums.com/forum/viewtopic.php?t=1500 )

** Just a few thoughts **

So the same thing could be said if you connected to another computer's hard drive via an unprotected NetBIOS share?

If they have shared the root of their hard drive, and have put no password on it, and have connected that machine to the internet, does this mean they want anyone to view their files / use their hd space etc?

After all, they have "provided" an anonymous service on their machine available to anyone who wants it.

What happens if they only intended it to be shared with the local network, but lack of knowledge means that they didn't unbind file sharing on the internet connection adapter?

They have not "authorised" or given explicit permission for you to access their resources, they just fucked up.

As long as you don't steal any of their stuff, is it ok?

** end of brain strain **

Other thoughts, people?

J

ShaolinTiger
Location: Kuala Lumpur, Malaysia
Posted: Thu Oct 24, 2002 2:02 pm

Well yes, if someone has shared their whole hard drive over the Internet, legally you can look at it, I would think. It's part of the Internet and therefore the public domain; as long as you don't delete anything or damage anything you aren't breaking any laws.

They have not authorised the use but they haven't disallowed it which is more important.

Unless you put a sign saying "No you can't do this" then what's to stop people doing it?

As long as you don't attempt to break anything that stops you accessing a resource, e.g. you can just stroll in go for it.

That's my thought..


hads
Location: New Zealand
Posted: Thu Oct 24, 2002 2:15 pm

Would have to agree with ShaolinTiger on that...

Ignorance is no defence as far as any laws go.

(I think I've been watching too many lawyer shows)

Jason
Posted: Thu Oct 24, 2002 2:39 pm

Scenario:

A person / company puts an IIS web server on the internet, and fails for whatever reason to apply the latest service packs and hot fixes, leaving them vulnerable to various Unicode "exploits". They do not put any sort of warning banner in the HTTP header.

Could exploiting the "vulnerability" be classed as illegal? I.e. the "vulnerability" is there, they have left it there, they have not explicitly "disallowed" access to the rest of the machine through the "vulnerability". They have not said they "DO NOT PERMIT" it.

I use the word "vulnerability" cautiously, as they (presumably) purchased the OS/Web Server "as is". The "vulnerability" is then a part of that product, even though it can be exploited and used for malicious intent. How do you draw the line between "vulnerabilities" and "features" of the product?

After all, as in my earlier post I gave the example of open and unpassworded NetBIOS shares. NetBIOS in general I would consider a "feature" of Windows. Set up incorrectly it is a vulnerability.

Once again, as long as you don't steal or delete anything from the machine, is exploiting the vulnerability illegal?

Thoughts?

J

ShaolinTiger
Location: Kuala Lumpur, Malaysia
Posted: Thu Oct 24, 2002 5:16 pm

Well if you can exploit without causing any damage (folder traversal) and you don't open any programs or cause any degradation to the system (bandwidth or cpu usage) I can't see how it's illegal.

It's only 1 step up from port scanning which is admittedly a grey area regarding legalities but certainly is classed by most as not strictly legal but not actionable.

There are no such things as vulnerabilities, just undesirable features [wink]

You could say NetBIOS over TCP/IP is a vulnerability in itself, but it's also a feature...

b4rtm4n
Location: Bi Mon Sci Fi Con
Posted: Thu Oct 24, 2002 5:25 pm

.....

If I leave my pc unattended in the front garden and someone steals it they are breaking the law.

If I leave my pc unattended on the internet and someone connects to it and copies my mail from it.....??

Unfortunately the law and common sense have little in common.

I know, I work with solicitors. [laughing]

ShaolinTiger
Location: Kuala Lumpur, Malaysia
Posted: Thu Oct 24, 2002 5:28 pm

Yeh but the lawn ain't public property, the Internet is a public domain, if you leave your computer in the street overnight and expect it to be there in the morning, you got another thing coming..

You won't get far with the police either..

"Yes officer, I just left it on the lawn overnight and someone came along and took it! The bastards!"

b4rtm4n
Location: Bi Mon Sci Fi Con
Posted: Thu Oct 24, 2002 5:38 pm

Don't stop it bein illegal tho.

Just impossible to prosecute (or persuade the dibble to do anything as you say).

Similarly if you don't put a lock on your door and someone comes in and takes your stuff (the door being analogous to the net connection) they are breaking the law but you won't get any joy from dibble & co.

ShaolinTiger
Location: Kuala Lumpur, Malaysia
Posted: Thu Oct 24, 2002 5:47 pm

Yeh but what if the door is open and it's not clear it's a house, it looks somewhat like a shop or perhaps a public toilet and someone wanders in?

They don't know any different, yes ignorance is no defence but they are committing any felonies, only possible trespassing..

Surely then it's you that are at fault, not the person who stumbled into your property..

Jason
Posted: Thu Oct 24, 2002 5:56 pm

ShaolinTiger wrote:
Well if you can exploit without causing any damage (folder traversal) and you don't open any programs or cause any degradation to the system (bandwidth or cpu usage) I can't see how it's illegal.

Would this include taking a directory listing via a Unicode type of exploit? For this you need to make cmd.exe execute with additional parameters.

Once again, cmd.exe is a feature of the system, and you may have access to it via entering what an unpatched IIS server sees as a legitimate URL. Obviously this requires correct access permissions on the file. Cmd.exe has no problems with returning the information to you.

With regard to bandwidth and CPU usage, this is just like any other web request, as all requests require CPU and bandwidth, though I do see what you are saying from using the machine for DDoS against other systems.

What about uploading other files to the vulnerable machine's hard disk?

Where does this fall as far as law is concerned?
What can we identify as being 100% illegal and prosecutable with the right evidence - data theft?
J

b4rtm4n
Location: Bi Mon Sci Fi Con
Posted: Thu Oct 24, 2002 6:10 pm

If you have the basic skills to connect to another pc and look around its contents then it's highly unlikely that you didn't know what you were connecting to.

"Sorry officer I thought it was a public toilet!" Won't quite cut it there.

It could even be taken that having a DNS entry for a service is tantamount to offering it for public use. Not having a DNS entry for a service could mean that it's not intended for public use.

What do you think?

Jason
Posted: Thu Oct 24, 2002 6:15 pm

I'm assuming that you are highlighting the fact that if you do not have a domain name, why should people be connecting to a web server or other service on your "anonymous" machine?

I think it comes back to you are still offering the service on your machine, big TV advertising campaign or otherwise. If you connect your machine to the internet, you should accept that your machine will have incoming connections.

On the lack of knowledge area, I don't believe it is how much you know, what it comes down to is whether or not you commit a criminal offence.

J

b4rtm4n
Location: Bi Mon Sci Fi Con
Posted: Thu Oct 24, 2002 7:10 pm

I'm trying to get a baseline for what "offering a service" actually is.

The opinion seems to be that by connecting a machine to the net you are immediately offering the services running on that machine for public use and it is down to you to stop/protect any services you do not wish others to use.

Would it also follow that you become responsible for any misuse of these services?

chris
Location: ~/security-forums
Posted: Thu Oct 24, 2002 8:21 pm

ShaolinTiger wrote:
Yeh but what if the door is open and it's not clear it's a house, it looks somewhat like a shop or perhaps a public toilet and someone wanders in?

What did I tell you about shaolin....george michael ...cough.cough

[smile]

[smile]


b4rtm4n
Location: Bi Mon Sci Fi Con
Posted: Thu Oct 24, 2002 8:28 pm

I'm gonna still be laughing in the morning!

[laughing] [laughing] [laughing] [laughing] [laughing] [laughing] [laughing] [laughing] [laughing]

Jason
Posted: Thu Oct 24, 2002 9:05 pm

I would define "offering a service" in this instance as any software listening for incoming connections, to which it responds.

Any applications / services / daemons which can be accessed from the internet are available for public use, unless explicitly stated.

With regard to who is responsible, I don't know.

If for example a spammer mass mailed 100,000 people with the "Nigerian Scam" email, and one of the recipients handed over their bank details which the spammer then used to extract money from the victim's account, obviously your server has assisted in his/her illegal activities. I doubt you would be held responsible, as you did not commit the act of fraud and you did not **knowingly** assist, unless of course it could be proved that your machine was placed on the internet for such purposes.

What does everyone else think?

I am still interested to hear about people's thoughts on how uploading other files to a vulnerable machine's hard disk, without explicit permission, stands with the law. Please feel free to give an opinion even if it only applies to your country.

What activities / actions are definitely illegal to perform against another machine without the owner's permission?

J