Re: Internet Law (was:Re: Attemted Theft of Services via FTP)


Subject: Re: Internet Law (was:Re: Attemted Theft of Services via FTP)
From: nathan r. hruby (nhruby@arches.uga.edu)
Date: Mon Mar 04 2002 - 13:33:30 MST


On Mon, 4 Mar 2002, Keary Suska wrote:

> on 3/4/02 12:45 PM, mtucker@eecs.harvard.edu purportedly said:
>
> > Just out of curiosity... How much at fault is this person for attempting
> > to login to your system? Where is the legal line drawn? Is it acceptable
> > to ping a whole block of IPs, figure out which are running FTP and then
> > try logging in to these (anonymous or with a few name/password "guesses")?
> > If you don't have repetitive attempts from a particular IP, is it any
> > better? Anyone know the legal code on this stuff?
>
> Although there have been attempts to apply trespassing laws to web sites, I
> don't think any precedents have been set. I believe convictions can only
> occur with actual break-ins, and are usually prosecuted under intellectual
> property theft or corporate espionage laws. Government and military
> (including law enforcement) systems have different rules, however.
>
> Provable break-in attempts, however unsuccessful, likely fall under civil
> law. They are violations of just about every ISP AUP's, so under civil law
> the ISP can be forced to terminate a client's access. IIRC, there *is*
> precedent that a company can be held liable for inadequate security if one
> or more of their systems were compromised and used to launch attacks against
> another system.
>

True. The holding a company liable bit would be a hard sell in court,
because you would need to prove that they knew about the problem, and then
actively ignored it, to which they can come back and say "we weren't
ignoring, but just figuring things out.. we have a big network and this
takes time..."

Regardless of legal mumbo-jumbo, port-scanning and attempting logins isn't
cool and annoys most people. If you're considering doing this just for
fun, please don't.

Odds are that you'll catch one particularly nasty system admin on a bad day
and he/she will decide to make an example of you and your ISP.

> In general, I believe that pursuing break-in failures is not worth the time
> and effort, but on occasion can be used to put the fear of System
> Administrators into stupid script kiddies for purely entertainment purposes.
>

Reporting scans and attempted logins will bleed your time dry. Stick to
reporting those who scan / try multiple times. Poking at machines and
trying different logins would be an attempted break-in and should be
reported. Generally, my view is that if people are trying to look in the
window (post scan) it's not worth my time. If people look in the window,
try the door, find it locked and give it a kick or two to make it pop
(attempted login with a well known username) I report them.

Some ISPs will do something about it, many will not.

-n

-- 
......
nathan hruby - nhruby@arches.uga.edu
computer support specialist
department of drama and theatre
http://www.drama.uga.edu/
......


