[NTLUG:Discuss] OT: What constitutes unauthorized access?
Kelledin
kelledin+NTLUG at skarpsey.dyndns.org
Sat Jun 21 15:13:44 CDT 2003

On Saturday 21 June 2003 11:00 am, Richard Geoffrion wrote:
> If a service is started on a port and is accessible without a
> password..and that service is then put on the 'public'
> internet...is that an open invitation for public access?
>
> Does someone have to NOTIFY you of their don't access beyond
> this point boundary?

In many cases, yes. If I were to allow directory listings on my
web server and accidentally post, say, pics of my 18+ GF doing
amateur pr0n, I'm in no position to tell someone, "you shouldn't
have looked at that!" She might be angry, granted, but she's in
a position to be angry with _me_, not the people gaping at the
pics. ;)

> How does that 'jive' with the idea of unauthorized access to
> my mail server for the expressed purpose of sending spam??
> Are spammers trespassing into MY system by sending
> unauthorized spam? Are spammers terrorists??

I would say the main sticking points here are "reasonable
measures for protection" and what constitutes "private
property." If your neighbor disrobes on her front lawn, it's
not really "bad" for you to watch (although the Pope might
disagree). If she disrobes behind a dumpster in an alleyway,
it's not illegal to catch a peek (hey, she doesn't own the space
behind the dumpster), but it's certainly not very nice. If she
disrobes in her bedroom with the shades closed, it's definitely
wrong (and illegal) for you to go peeking through the shades.

It's generally accepted that the Internet (and anything hosted on
the Internet) isn't really "private property," unless
restrictions like auth passwords are in place. IMO it's
accepted that someone's "C:\" drive is private property, even if
he stupidly shares it out via SMB/NetBIOS without a
password--this is because Windows has been known to stupidly
share it out without the user knowing. The user would kind of
surrender the "private property" status by sharing it out via
HTTP with directory listing permissions, though, due to the
"reasonable measures" sticking point.

To go further, take the case of portscanning. Portscanning isn't
really illegal, because it's just checking what someone else has
declared or left open. It's like looking at your neighbor's
house to see what doors and windows it has, without necessarily
trying to enter those doors or break through those windows.
Portscanning is, however, bad netiquette (and thus may be
against your ISP's acceptable usage policy). If you use nmap's
output to find and exploit a security hole, OTOH, then you're
breaking the law.

Using or abusing open relays is a fine line. You have to keep in
mind that at one time, open SMTP relays were the norm, before
spammers started abusing them. Now, though, it's so easy not to
run an open relay, so easy to check if you are, and really so
unnecessary to run one, that having one open kind of blows your
case based on the "reasonable measures" bit. That doesn't make
it polite for spammers to send spam through an open relay--but
keep in mind, we hate spammers because of their goals, not the
means by which they achieve said goals.

--
Kelledin
"If a server crashes in a server farm and no one pings it, does
it still cost four figures to fix?"