[H-GEN] (AUSCERT#38535) Re: The recent spate of port scans and intrusion attempts. (fwd)
David Starkoff
dbs at humbug.org.au
Tue Jul 21 10:48:37 EDT 1998
On Tue, 21 Jul 1998, Anthony Towns wrote:
> > Perhaps this is why banners are important: you can tell people exactly
> > which doorknobs they're allowed to turn. But then, making the initial
> > connection to see the banner ought to be allowed.
>
> And then again, it's hard to put banners in a lot of places: telnet, smtp
> and ftp ports are easy, but putting a banner on the nfs, smb or bind ports
> is both a touch more difficult, and a touch less likely to be seen in any
> event.
At the risk of sounding like a lawyer-wannabe, the legislation on this
area sort of covers what Martin has been postulating.
The Commonwealth legislation is contained in the Crimes Act 1914 (Cth) s
76B (and also see s 76D, entitled `Unlawful access to data in
Commonwealth and other computers').
The section covers a few different situations, each with different
wording.[1] However, the phrases `intentionally and without authority',
`with intent to defraud and without authority', `knows or ought reasonably
to know' pop up.
In other words, it is an element of the offence (ie. something which needs
to be proven beyond reasonable doubt) that the person actually intended to
do the nasty things. (What the nasty things actually are varies between the
offences.) This is subjective. The `ought reasonably to know' is
objective, and is the classic `reasonable person' test.
So, basically, the offences aren't ones of strict liability. If you
accidentally do something nasty, you won't be guilty.[2]
Yay! You might say. I didn't *intend* to crash computer X! It was an
accident! Honest!
But the Commonwealth legislation only applies in certain areas, mainly
when the Federal Government can claim jurisdiction. See sections 51 and
52 of your friendly local Constitution.[3]
For your vanilla case of individual against individual, then you'll have
to resort to State legislation. (Although, if you used Telstra along the
way, then s 76D would probably apply.) Additionally, s 76F doesn't
exclude the State laws.
So, we'll look at the Queensland legislation. It's s 408D of the Criminal
Code. It talks about `consent' in the base case. More about that later,
though. Some of the further offences are strict liability `causes ...
detriment or damage', or others require intent. No reasonable person test
here, though.
Note also that in subsection (4), it's a defence to show that the use was
`authorised, justified or excused by law'. This means that it's not an
element of the offence, but something which must be proved on the balance
of probabilities (ie. over 50%).
By the way, some of the excuses are cute. You could plead intoxication (s
28). Or mistake of fact (s 24). Or, if you decided to try to hack into
AusCERT machines, then you should be able to sell insanity (ss 26, 27) to
the relevant tribunal. Accidents are covered by s 23.
But, back to consent. Consent would also be the main issue in any
trespass action, too. Consent doesn't have to be express. It may be
tacit, or implied from the circumstances.
aj provided some helpful exploration of the area. I'll add in my two
cents worth while I'm here.
I'd question whether the whole `buildings on a street' or `rattling
doorknobs' analogies are helpful in anything more than a vernacular sense.
After all, it's not like you really walk down a street on the Internet.
(Well, not usually, anyway.)
Generally, you'll only ever attempt to access a machine when you know its
address. And how do you know its address? Because it's been told to you.
It either comes from the operator of the machine (in which case you have
consent) or someone else (in which case you can plead mistake of fact if
you weren't meant to be there).
You might also want to consider what services on computers you just
`expect' to be there and for you to be able to use. And services you
expect others to use on your machine. In other words, what implied
consent exists. What would a reasonable Internet user expect to be able
to use? What steps can you take to displace that reasonable presumption?
Perhaps analogies would be helpful. Perhaps not.[4] Something to think
about, anyway.
David.
(IANAL. I'm just studying to be one. YMMV. HTH. HAND. And all that.
I know nothing.)
[1] If you're interested (or just plain bored), then the full text of the
section can be found at
<http://www.austlii.edu.au/au/legis/cth/consol_act/ca191482/s76b.html>
[2] Insert appropriate quips about the legal system, justice, and how good
your lawyer is here.
[3] No, not *that* Constitution. :-)
[4] I've always considered that Schroedinger was a bit of a wuss. Trying
to describe it in terms of wave equations indeed. Go Heisenberg.
Something completely different. Matrix equations. Old guard
physicists leaving us with antiquated notions...[5]
[5] </ObTroll> I know nothing about quantum physics.
--
dbs at humbug.org.au | http://student.uq.edu.au/~s343905/
``For my part, I find the proposition an affront to commonsense.''
-- Justice Callinan