Comments on CYB3RCRIM3: "Access" as Over-inclusive (Susan Brenner)

Atis (2009-06-12 03:40 -04:00):
What I mean is that it's the way the e-mail system is designed to work - it is supposed to be accessed unless configured otherwise. Like a postman has the right to put mail addressed to you in your mailbox. Ain't it like that?

Loki (2009-06-11 11:49 -04:00):
Atis,

While partially correct, that does not change the fact that when you send an email, you are causing a remote computer system, one that you do not know whether you have the authority to access, to be accessed.

Atis (2009-06-11 04:58 -04:00):
I believe that when you send an e-mail you do not access the computer system of the e-mail recipient. Normally you access the mail server of your own ISP (which could require a login/password or could be bound to exact IP address(es)) both when receiving and sending e-mails. Then your ISP's mail server sends your e-mail to the recipient's e-mail server - they communicate between themselves and it's normal behaviour (i.e., it's the way the e-mail system works). Actually it's very similar to how snail mail works.
The recipient's server can reject your e-mail if it doesn't fit the rules set on the recipient's e-mail server (for example, it's sent to a non-existent mailbox or is too large and so on).

Loki (2009-06-04 11:23 -04:00):
dsr -

Also, I should mention that what you are defining as three levels of access is very much an oversimplification. Those three may be what you commonly see, but in actuality there is no "protected" or "unprotected" or "administrator" - there is just what the computer is designed to do.

While it is common on a unix system to have a user "root" with a group "wheel" (0:0), this is in no way necessary to the operation of the system - I could use any username, group name, or user number, and as long as I configured the system properly it would behave correctly. The same could be done on a Windows system, essentially.

This is the problem with computer law - the people writing it may understand basic usage - but they do not usually understand computer or network architecture.

Loki (2009-06-04 11:13 -04:00):
dsr -
But what about the most common form of hacks - like SQL injections or the like - that simply cause a public facing website to do something other than what the owner of that website intended? Hell, even a buffer overflow is the same idea - the software does what it is told.

dsr (2009-06-04 10:52 -04:00):
Use of a computer can be reasonably differentiated into three levels:

Public access encompasses services enabled and authorized by the owner of the computer for general interaction with other computers. The key is that the owner generally makes such access available and only denies it in specific circumstances. Running an email server, a web server's non-password-protected areas, or a web service with automatic or self-service account creation are all good examples. An unrestricted WiFi access point is similar. It should not be a crime to use the public access facilities in an ordinary way.

Limited access, the next level up, is granted by the owner of the computer to specific people. These services are not automatically available, but typically require identification, authentication and authorization to use these facilities. Examples of limited access include printing services on college campuses, password-protected WiFi services, and indeed most cases where an account holder can have financial transactions or incur costs. Unauthorized access to a limited access facility should be an offense.

Finally, there is administrative access. These are the functions which are normally carried out only by the owner of the machine and specifically designated and authorized persons acting in their place. Windows and Macintosh systems call these functions "Administrator" privileges; UNIX derivatives call them "root". There are applications which have similar features -- databases, other systems -- in all cases it is clear that there is a differentiation between the rights accorded to a general user and the special functions available to a privileged administrator. Unauthorized administrative level access should be treated as a more serious offense.

Some computer systems do not have much, if any, differentiation between access levels -- I'm thinking of cellphones and PDAs, mostly, but also various computerized appliances. Even so, two levels of access can usually be discerned based on common usage. This is a grey area.

Jay Levitt (2009-06-03 19:23 -04:00):
IANAL, but I was involved with some of the early AOL-vs-spammer cases. As I recall:

- We added some "you're not authorized to spam" text to the protocol headers, so we could point out that we had effectively placed a sign at the point of entry, as Susan postulates in #3. But it was really a belt-and-suspenders thing, just to say we'd tried.

- We added no-spamming clauses to our Terms of Service. This gets into the Lori Drew question, I think: If unauthorized access is criminal, and if non-government entities can define authorized access in their civil contracts, then haven't you hoisted those civil contracts into criminal law? Not only can't I think of a good answer, but I can't imagine that a good answer could exist. Does this happen in other, non-cyber realms?

- We sent paper cease-and-desist letters to the spammers. This was key, I think; it made the whole implicit authorization question moot. We'd clearly revoked any such implicit authorization.

- We successfully claimed that, since forged headers (e.g. From: nobody@public.com) were designed to circumvent our spam filters, which are in turn access controls, they were intrinsically fraudulent access. (And trademark violations, too.)

- Lots of other fun stuff. I think the lawsuit archives are still up at legal.web.aol.com (http://legal.web.aol.com).

Susan Brenner (2009-06-03 14:45 -04:00):
In response to Anonymous,

When section 1030 talks about a protected computer, it just means that this is a computer the federal government has jurisdiction over, as in jurisdiction to prosecute. The default assumption in U.S. criminal law is that criminal law belongs to the states, not the federal government; federal criminal jurisdiction is supposed to be the exception (for historical reasons). There was a vast expansion of federal criminal jurisdiction in the twentieth century, but the federal government still has to show that there's a constitutional basis for its exercising criminal jurisdiction in a specific context.

The way it does that for the section 1030 crimes is to make them apply to protected computers, which section 1030(e)(2) defines as a computer that is exclusively used by the federal government or by a financial institution OR which is used in or in a manner affecting interstate or foreign commerce. The last alternative encompasses any computer that's linked to the Internet, and probably computers that aren't (since they were made, shipped and purchased via interstate commerce).

Susan Brenner (2009-06-03 14:40 -04:00):
In response to Lokkju:

I agree with #1 . . . since the goal of law, especially criminal law, is to keep people from doing "wrong" things, we really want to make it clear what is "wrong" (and what is not). That's not a big problem with traditional crimes like murder and theft, because we're socialized to understand they're "wrong." I don't think we have a big problem with real world trespass, either; even if I walk by and see your front door standing wide open, I know I'm not supposed to go in.

It's much harder when you get to the more rarefied "wrong" things, like unauthorized access. Looks to me like in this context, we have the reverse of my trespass example, i.e., we tend to assume we can access something unless we're told we can't. So we could adopt laws requiring people to, in essence, put up no trespassing signs in cyberspace . . . somehow.

Agreed as to #2 also, both because law is supposed to be knowledge neutral and because if we did that, we'd be encouraging people to deliberately remain ignorant and so be able to get away with more.

Hey, I don't have a solution, at least as yet, so I thought I'd outline the (surprisingly very little) that's out there.

Anonymous (2009-06-03 14:32 -04:00):
I believe much of the ambiguity comes from 1030(a)(5)(B)'s mention of a "protected computer". When that statute was written, "protection" might have just meant using passwords; today it means passwords, SSL, and audits plus physical security and firewalls. Another issue is that even a modern "protected system" can offer services (e.g. web pages) up to the public but restrict other uses. Is the computer then "protected" and against what? Finally, let's presume you are "authorized" to "access" a computer's web server. So you connect to port 80 and enter random garbage, hoping to cause (and causing) a crash. Can the content of your communication change the nature of the access from authorized to unauthorized? I certainly don't know.

Loki (2009-06-03 11:26 -04:00):
While I think that is a viable approach (as in, politically), at least to start with, I do have two issues with it:

1) You are criminalizing a common behavior, and then leaving a defense open. While that makes sense to do for uncommon behaviors (like shooting someone), I'm not sure it is the right approach to take for something that people do every day.

2) You are putting different burdens on different people depending on their knowledge of the subject. As an example, a computer expert who did an SQL injection attack (put a "'" into a form entry field) would be criminally liable; but a neophyte would not be. I'm not sure I like the idea of criminalization based on your level of knowledge.