Re: Internet Law (was: Re: Attempted Theft of Services via FTP)


From: Keary Suska (hierophant@pcisys.net)
Date: Mon Mar 04 2002 - 13:11:30 MST


on 3/4/02 12:45 PM, mtucker@eecs.harvard.edu purportedly said:

> Just out of curiosity... How much at fault is this person for attempting
> to login to your system? Where is the legal line drawn? Is it acceptable
> to ping a whole block of IPs, figure out which are running FTP and then
> try logging in to these (anonymous or with a few name/password "guesses")?
> If you don't have repetitive attempts from a particular IP, is it any
> better? Anyone know the legal code on this stuff?

Although there have been attempts to apply trespassing laws to web sites, I
don't think any precedents have been set. I believe convictions can only
occur with actual break-ins, and are usually prosecuted under intellectual
property theft or corporate espionage laws. Government and military
(including law enforcement) systems have different rules, however.

Provable break-in attempts, however unsuccessful, likely fall under civil
law. They are violations of just about every ISP's AUP, so under civil law
the ISP can be forced to terminate a client's access. IIRC, there *is*
precedent that a company can be held liable for inadequate security if one
or more of their systems were compromised and used to launch attacks against
another system.

In general, I believe that pursuing break-in failures is not worth the time
and effort, but on occasion can be used to put the fear of System
Administrators into stupid script kiddies for purely entertainment purposes.

Keary Suska
Esoteritech, Inc.
"Leveraging Open Source for a better Internet"


