Security Basics mailing list archives

Re: application for an employment


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Mon, 3 Apr 2006 14:42:05 +0200

On 2006-04-03 Craig Wright wrote:
> You are failing to understand the distinction between illegal and
> criminal.

Nope. The former is a required precondition to the latter.

> The fact that you are not able to be charged or that there is not any
> enforceable action available does not stop an action being illegal.
> The fact that there is not a penal code associated with an action also
> does not make it legal. This is a condition associated with
> enforceability.

The fact that there is no law prohibiting an action does make it legal.

> As for reading up the articles, Ansgar - I have.

Then you didn't do a very good job. I already pointed out where you were
wrong.

> I have formal training in EU law and International commercial law.
> You?

No. But at least I can read.

> In the case where a party to the treaty (i.e. a nation) has not
> ratified the legislation the court has to approach the International
> court of justice for directions. These directions are binding under
> the treaty.

The treaty specifies certain preconditions, which you conveniently have
been ignoring.

> In reference to "It does for at least the public facing pages.": this
> does not refer to public facing servers. In no way is it valid to argue
> that the external interface of a VPN concentrator is available for
> public use.

Of course it is. Anyone can and may connect to it. However, when they
fail to authenticate they will *know* that they are not allowed to use
the VPN.

> My legal training may be English (and Australian), but the EU treaty
> is the same. As far as the conditions associated with the ratification
> of the conventions is concerned it does not matter that you are
> German, English etc.
>
> You are also taking the document at face value without looking to the
> related data needed to interpret it. You asked what EM is, "EM" is
> Explanatory Memorandum.

I thought so. I suppose you were talking about [1] then. Quoting the
paragraphs you mentioned from it:

| 47. The act must also be committed 'without right'. In addition to the
|     explanation given above on this expression, it means that there is
|     no criminalisation of the access authorised by the owner or other
|     right holder of the system or part of it (such as for the purpose
|     of authorised testing or protection of the computer system
|     concerned). Moreover, there is no criminalisation for accessing a
|     computer system that permits free and open access by the public,
|     as such access is "with right."

Please note the last sentence EXPRESSLY stating that access to systems
accessible by the public is always WITH RIGHT.

| 48. The application of specific technical tools may result in an
|     access under Article 2, such as the access of a web page, directly
|     or through hypertext links, including deep-links or the
|     application of 'cookies' or 'bots to locate and retrieve
|     information on behalf of communication. The application of such
|     tools per se is not 'without right'. The maintenance of a public
|     website implies consent by the website-owner that it can be
|     accessed by any other web-user. The application of standard tools
|     provided for in the commonly applied communication protocols and
|     programs, is not in itself 'without right', in particular where
|     the rightholder of the accessed system can be considered to have
|     accepted its application, e.g. in the case of 'cookies' by not
|     rejecting the initial instalment or not removing it.

Please note this paragraph EXPRESSLY stating that the use of tools is
not per se 'without right', so their use is generally allowed unless
there are exceptions.

| 58. For criminal liability to attach, the illegal interception must
|     be committed "intentionally", and "without right". The act is
|     justified, for example, if the intercepting person has the right
|     to do so, if he acts on the instructions or by authorisation of
|     the participants of the transmission (including authorised testing
|     or protection activities agreed to by the participants), or if
|     surveillance is lawfully authorised in the interests of national
|     security or the detection of offences by investigating
|     authorities. It was also understood that the use of common
|     commercial practices, such as employing 'cookies', is not intended
|     to be criminalised as such, as not being an interception "without
|     right". With respect to non-public communications of employees
|     protected under Article 3 (see above paragraph 54), domestic law
|     may provide a ground for legitimate interception of such
|     communications. Under Article 3, interception in such
|     circumstances would be considered as undertaken "with right".

Please note that, contrary to your belief, anything subject to this treaty
must be done INTENTIONALLY AND WITHOUT RIGHT. In addition to that, this
paragraph is referring to data interception, which was not the subject of
this discussion.

| 62. The above acts are only punishable if committed "without right".
|     Common activities inherent in the design of networks or common
|     operating or commercial practices, such as, for example, for the
|     testing or protection of the security of a computer system
|     authorised by the owner or operator, or the reconfiguration of a
|     computer's operating system that takes place when the operator of
|     a system acquires new software (e.g., software permitting access
|     to the Internet that disables similar, previously installed
|     programs), are with right and therefore are not criminalised by
|     this article. The modification of traffic data for the purpose of
|     facilitating anonymous communications (e.g., the activities of
|     anonymous remailer systems), or the modification of data for the
|     purpose of secure communications (e.g. encryption), should in
|     principle be considered a legitimate protection of privacy and,
|     therefore, be considered as being undertaken with right. However,
|     Parties may wish to criminalise certain abuses related to
|     anonymous communications, such as where the packet header
|     information is altered in order to conceal the identity of the
|     perpetrator in committing a crime.

Again, only subject when committed 'without right'.

| 68. The term "hindering" refers to actions that interfere with the
|     proper functioning of the computer system. Such hindering must
|     take place by inputting, transmitting, damaging, deleting,
|     altering or suppressing computer data.

Clarification of terms. This is obvious.

| 77. Paragraph 2 sets out clearly that those tools created for the
|     authorised testing or the protection of a computer system are not
|     covered by the provision. This concept is already contained in the
|     expression 'without right'. For example, test-devices
|     ('cracking-devices') and network analysis devices designed by
|     industry to control the reliability of their information
|     technology products or to test system security are produced for
|     legitimate purposes, and would be considered to be 'with right'.

Just a clarification that authorized pen-testing is never to be
prosecuted. This doesn't say a thing about port-scanning or accessing
publicly accessible systems in general.

> From this you will note that "A port scan is not punishable under the
> Penal Code. For an explanation, please refer to Chapter 4 of this
> manual"

I can't find that passage in [1]. Where does this quote come from?
Please try to be more precise when referring to anything.

> This means that the act is not to be treated as criminal. This does
> not make the act unactionable as a civil violation or an
> administrative offence. That is, it is still illegal, but only
> actionable if there is resultant damage.

So you finally agree that the cybercrime convention does not apply to
the matter we were discussing. Thank you so much. Why did you bring it
into the discussion anyway?

[...]
> You also forget that many sites use publicly routed addressing behind
> a firewall. So attempting to scan these is an attempt to scan a
> protected device.

No, because I can only scan what is not protected (i.e. accessible by
the public). That's the purpose of a firewall after all.

[1] http://www.privacyinternational.org/issues/cybercrime/coe/cybercrimememo-final.html

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
