Re: Tim O'Reilly on Randal Schwartz Prosecution
Geoff Lane <zzassgl@cs6400.mcc.ac.uk> writes:
> Vin McLellan (vin@shore.net) wrote:
> : I would also be very very surprised if Section 502 did not criminalize
> : unauthorized acts to obtain and illicitly process an (ORA) encrypted
> ^^^^^^^^^^^^
> : password file, when those actions resulted in the perpetrator gaining
> : access to another person's restricted data, including but not limited to
> : his secret password and other access information.
>
> Isn't the whole argument here about what a security consultant is
> implicitly "authorised" to do in order to complete the job?
>
> I am not explicitly "authorised" to do most of the system security analysis
> on this machine yet I run crack twice a year to discover stupidly simple
> passwords so we can advise the users to be more aware of their own
> responsibilities. I also sometimes run SATAN against other machines which I
> know have .rhosts files referring to this machine.
>
> If everything that was not explicitly permitted was forbidden I would be
> unable to do my job.
Exactly! Security testing requires imagination, an observant security
staff, and a license to hack (in the sense of time allowed for
installing new security features, patches, time allowed to keep up to
date with CERT announcements, etc).
If you are limited to doing only what is specified in a static
document from a management group which in all probability hasn't the
faintest clue what an IP stack is, never mind what FTP means, you're
effectively crippled under silly legislation which stops you doing
your job.
Of course if they begrudge time spent on security, that will be
another problem.
But the wily cracker has none of these problems, no stuffy managers,
no blinkered restrictions on what is kosher to use as a security
breach.
And it is of course the admin who takes the brunt when someone does
break in.
I'm not sure what you (Vin) are trying to say, if you're just playing
devil's advocate, but if you *believe* what you are saying, I have to
disagree. You want good security, allow computer security staff the
freedom to check. It's a *given* that you have to trust them, heck
just think what a unix admin could do to their own (and machines in
their organisation) if you didn't trust them. Rely on the existing
laws against industrial espionage to catch the crooked.
I for one see absolutely no point in making up yet more petty laws you
mustn't do this or that, or having daft policies stating that security
personnel must only do these prescribed security measures (I mean the
professional cracker trying to intrude and steal documents won't be
following your guide for fair play).
Randal's case falls exactly under this kind of setting, which is why you
see many people sticking up for him. I'd say that what they would need is
to demonstrate criminal intent, which of course they can't; for there
was none.
Adam