Bugtraq: Re: Major hack attack on the U.S. Senate

[Crispin Cowan <crispin () immunix com>]

Kirk Spencer wrote:

> Agreed this was not a "hack attack" as usually considered.  However, I would 
> raise two points.  The first is simple - If someone starts reading files on a 
> computer to which they are not supposed to have access, do we not consider 
> this an attack?  Even if the reason they got in is configuration errors?
That would depend on the configuration error. In particular, if your 
"configuration error" was to publish a page to a web server where you 
didn't want people to read it, and the "attack" was just surfing URLs, 
or even manually editing the URLs, then I think you'd have a hard time 
making the case for "intrusion". In particular, you effectively offered 
the page for public viewing, so it breaks the notion of "not supposed to 
have access".
The problem is that the barrier of what an anonymous visitor is 
"supposed" to have access to is fuzzy. Then again, if it was not fuzzy, 
it would be relatively easy to secure, too.
Caveat: IANAL, so my opinion that the courts will decide this fuzzy 
issue in favor of whoever has the most money holds to weight :)
Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
Immunix 7.3           http://www.immunix.com/shop/