>>>>> "Tom" == Tom Phoenix <rootbeer+fors-d@...> writes:
Tom> On Thu, 30 Aug 2001, David Keegel wrote:
>> getting legislators to focus more on intent (eg: requiring clear
>> mal-intent for computer crime offenses) seems a realistic goal.
Tom> I agree. But it won't be easy to accomplish, since I'm sure that most
Tom> legislators (judges, juries, reporters, columnists, employers) think that
Tom> "breaking in" to a computer shows sufficient "mal-intent" all by itself.
Tom> "After all", they'll say, "if you broke into my _home_, we wouldn't need
Tom> to show that you had evil intentions."
Tom> So, this has convinced me (and surely just about everyone on this list)
Tom> that we should look at the intent as well as the deed. But what can we say
Tom> to convince all of those other folks that the intent of West (Schwartz,
Tom> Sklyarov, you, me) was benign? Or not merely benign, but (in several
Tom> cases) with a helpful intent?
That's brilliant, Tom. I hadn't seen it that way.
We need to show that "breaking in" is done by both white hats and
black hats. That *is* different from the way it's done in the real
world. We can design a lock, and test it in a lab, and then install
it in a door, and not test that door because we know the door is
correct. But we can't build complex systems that way... we have to
field-test them, and field-test them repeatedly, because systems
change.
So one of the things that was probably missing in my defense case was
how frequently Crack had actually been run, and that this is a normal
(and Intel-mandated) tool. And that sysadmins frequently run
assistance tests on each other's boxes, and sometimes discover and
report errors in setups even when it's not in their charter (like
Brian West) even without running formal tests.
Going back to a parallel... if I wander by an open doorway that I
think should have been locked, am I permitted to call the supervisor
without being arrested for trespassing?
What if when I push my garage door opener, expecting to open my door,
I also open the neighbor's door? Should I be arrested for breaking
into my neighbor's house? This is pretty close to what Brian West
did. Will the jury/prosecutor understand? Can we please not make it
illegal for our unintentional acts to be considered felonies? Or even
our intentional acts performed on behalf of the owner to demonstrate
the flaw?
As an aside, does anyone have any connections to get to Brian? I want
to talk to him about his defense strategy, and share notes.
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@...> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!