Home page logo
/

basics logo Security Basics mailing list archives

RE: application for an employment
From: "Craig Wright" <cwright () bdosyd com au>
Date: Sat, 25 Mar 2006 09:17:40 +1100


Hi Lg
I am completing an LLM in International Commerce Law focusing on ecommerce and computer crime (I am an academic 
junkie). Does this make me versed? Well it will depend on the jusristiction and level of the court. First there is 
Civil and Common law (and I am from a common law background). Next ther eis the issue that the UK and continental 
Europe have joint EC treaties. Thus EC directives overrule UK law.
Australian and NZ look at decisions in the UK, but they are not binding. The US, though derived from commn law has it's 
own set of legistlation.
Next in places like the US and Australia there are Federal, State and other levels of law. Some like deligated 
legistlation (eg councils) may only be civilly acted.
The issues need to be looked at from criminal and civil angles. They are in no manner the same. A course in basic 
jurisprudence would be good compulsory high school course - it is amazing the lack of knowledge in our legal systems.
I will stay away from civil law. Although EU law does cause an overlaw, this is an advanced topic and the basics nned 
to be defined first - well beyond the scope of this post.
Common law is "judge made law". Although statutory law is made by parliment it needs to be "interpreted" by the 
judiciary. This is where precedent come in. Civil law does not place as much emphasis on precedent. The level of the 
court also determined the weight of precedent.
The simple way to look at this is to look through the eyes of the judge. They are not (generally) even remotely 
computer literate (with one or two exceptions worldwide). They see this as a common law action in property.This is:
Is there damage to property?
Has there been a violation to the right to use property?
Was there access to the property without permission (eg tresspass)?
 
This does not mean that there was a criminal violation. There may only be a civil (not the same as Civil) violation. 
There is a difference from civil and criminal tresspass. Both get you into trouble - the issue is the level of trouble.
 
Mathias did not access the systems or alter any data and cuased no damage from what was stated. There is a weak 
arguement of theft of bandwidth, but this is not likely to succeed (unless Mathias was silly enough to pleed quilty). 
He has not thus (quite) commited a criminal offence. There is no way to demonstrate the necessary Mens Rea (intent for 
all purposes - means guilty mind). 
On the other hand, (and the US is a common law duristiction, Not Civil) he has violated the civil law rights to 
property of the university. If he worked there, they could use this to take action to sack him. They could also seek 
damages. Being that he did not yet work there there is not a contractual etc issue. This means that the Uni could seek 
to extract damages from Mathias in Tort. I will not go into Tort here - it is a whole discipline in itself, but let us 
just state damages for his actions (technically wrong I know, but this is a gross oversimplification). 
He will not end up in goal, but there are worse things. The damages claims in the US are not like damages claims in 
Commonwealth countries. Damages in the US can have you in debt for a long time.
 
The Restatement (Second) of Torts § 217 defines trespass to chattels as “intentionally… dispossessing another of the 
chattel, or using or intermeddling with a chattel in the possession of another.” He has clearly intermedded with the 
rights of the University to their property. This is not a criminal act, but still is a breach of the legal rights of 
the Uni.
 
Read more on -
the tort of trespass to chattels.
 writ of trespass de bonis asportatis.
 intangible assets including choses in action
 
There would likely also be action in regards to the Tort of Invasion of privacy 
 
Regard
Craig

        -----Original Message----- 
        From: L G [mailto:nitziya74 () hotmail com] 
        Sent: Thu 23/03/2006 11:23 AM 
        To: security-basics () securityfocus com 
        Cc: 
        Subject: Re: application for an employment
        
        

        This is a good thread which begs further discussion.
        
        My question is, at what point is it illegal?  Do we have correspondents on
        this list better versed in the law?  Obviously, based Randal's experience,
        you need to be careful in Oregon, but at what point is port scanning
        illegal?  And what are the precedents?
        
        Is dig-ing illegal?  Are not dns entries, domain names and associated ip
        ranges, and net block owners all public knowledge?
        
        I guess the crudest part of my question is, was Mathias picking a lock, or
        did he see a door hanging wide open?
        And at what point is someone going through an open door versus looking in a
        window versus admiring someone's architecture from the street?
        
        lg
        
        ----- Original Message -----
        From: "Al Gettier" <agettier () tealeaf com>
        To: <security-basics () securityfocus com>
        Sent: Tuesday, March 21, 2006 1:57 PM
        Subject: RE: application for an employment
        
        
        What you did might be illegal without their permission.  Take a look at the
        Randal Schwartz situation over 10 years ago:
        
        http://www.lightlink.com/spacenka/fors/
        
        
        
        -----Original Message-----
        From: Steveb () tshore com [mailto:Steveb () tshore com]
        Sent: Tuesday, March 21, 2006 7:14 AM
        To: MatzeGuentert () gmx de; security-basics () securityfocus com
        Subject: RE: application for an employment
        
        Not if you want them to employ you.  It's not good practice to probe their
        network without their permission.  There may be a serious lack of trust if
        you reveal to them that you where doing so without going through proper
        channels.
        
        -----Original Message-----
        From: Matthias Güntert [mailto:MatzeGuentert () gmx de]
        Sent: Monday, March 20, 2006 7:46 AM
        To: security-basics () securityfocus com
        Subject: application for an employment
        
        Dear listmembers,
        
        i am seeking for a new job as a Unix/Linux systemadministrator. There has
        been an advertisement at a well known university. So I started to prepare my
        self for the application. While collecting some information about the
        network, using nmap, dig, etc... I was able to read the whole namespace from
        the ip range (255.255.0.0)
        
        My question is should I use some of the information I have found out to push
        my application forward? What do you think how a director would react?
        
        --
        Mit freundlichen Grüßen
        
                        Matthias Güntert
        
        
        ---------------------------------------------------------------------------
        EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
        The Norwich University program offers unparalleled Infosec management
        education and the case study affords you unmatched consulting experience.
        Tailor your education to your own professional goals with degree
        customizations including Emergency Management, Business Continuity Planning,
        Computer Emergency Response Teams, and Digital Investigations.
        
        http://www.msia.norwich.edu/secfocus
        ---------------------------------------------------------------------------
        
        
        ---------------------------------------------------------------------------
        EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
        The Norwich University program offers unparalleled Infosec management
        education and the case study affords you unmatched consulting experience.
        Tailor your education to your own professional goals with degree
        customizations including Emergency Management, Business Continuity Planning,
        Computer Emergency Response Teams, and Digital Investigations.
        
        http://www.msia.norwich.edu/secfocus
        ---------------------------------------------------------------------------
        
        
        ---------------------------------------------------------------------------
        EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
        The Norwich University program offers unparalleled Infosec management
        education and the case study affords you unmatched consulting experience.
        Tailor your education to your own professional goals with degree
        customizations including Emergency Management, Business Continuity Planning,
        Computer Emergency Response Teams, and Digital Investigations.
        
        http://www.msia.norwich.edu/secfocus
        ---------------------------------------------------------------------------
        
        


Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.  

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]