Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: House approves spyware legislation
From: "Eric Paynter" <eric () arcticbears com>
Date: Thu, 7 Oct 2004 16:08:57 -0700 (PDT)

On Wed, October 6, 2004 8:18 pm, Bankim J. Tejani said:
1) How can you prove what the setting was before?  It's one thing for
you to know what it was, but another to prove it in a court of law.
Otherwise it's your word versus theirs.

This is easy because the (perhaps soon to be) illegal action is usually
automated and repeatable. Simply bring in the police to begin an
investigation (usually happens before anybody is arrested, so the bad site
will still be up). The police can set their browser, go to the website,
note that the browser setting was changed (or whatever breach of the law),
and record their actions and the results as evidence. This is enough to
get a warrant which leads to...


2) How can you find out who exactly was the person or company that took
this action?  You're talking about a massive time undertaking to trace
the packet data through every router between you and the accused.

It's not hard to find the physical location of a web server. Take the
warrant, go to the location, and seize all of their equipment. Now you
have a web server with an application that is performing an illegal
action.


3) Was their machine used by some hacker?  This, unfortunately (or
fortunately, depending on how you see it), has been used in court and
proved to be a successful defense.

That is a weak defense, and more often, especially with corporations, they
are being held accountable for what their systems do. It is their
responsibility to protect their systems. Phrases like "due diligence" come
to mind...


4) What was the motive for changing your computer specifically?

To gather profiling information for marketing purposes. To put their
marketing "in your face" so you see it more. In short, the motive is to
earn more money.


5) What type of crime is appropriate?  Is it theft?  trespassing?
moving your plant from your front yard to your back yard?

As the bill says, the crime is that of altering the funcion of computer
without authorization. This has nothing to do with theft or trespassing.
It is a different type of crime, but it is (or perhaps soon will be) a
crime nonetheless.


6) What is an appropriate sentence?  The five minutes you lost changing
it back paid at your current salary?  A fine?   jail time?

If the bill is passed into law, there will be suggested minimum and
maximum punishments, as with all laws. What's the point of this statement?


Few organizations have successfully prosecuted under any form of cyber
law.  The most notable so far has been the RIAA, whose cases were never
tested in court, but used to torque people into paying fines rather than
facing legal bills that would bankrupt them.

What? You are saying that organizations are not successful prosecuting and
you site as an example an organization that is having such high success
that people settle out of court rather than fight?

I'm not suggesting that this bill is the greatest thing, but we do need to
update the laws and there are ways to reduce cyber crimes. We can start
trying today, maybe take a few tries to get it right. Or we can not start
today, in which case, it will take longer to get it right. I suggest we
start today.

-Eric

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]