Security Basics mailing list archives
RE: application for an employment
From: "Craig Wright" <cwright () bdosyd com au>
Date: Tue, 28 Mar 2006 09:24:20 +1100
Hello,

First you are missing criminal trespass. You have assumed (incorrectly) that you have the right to cross the property to "check the doors". This is not a valid reason under the law in any common law country. This is an admission to the Actus Reus of the offence of criminal trespass. This is not just a civil action. However, the various computer crime acts and statutes supersede the trespass provisions these days.

In the US this will not keep him in the clear, as you put it. The act of entering the property without a valid reason is a criminal offence, as noted before. There is no indication that the access was for a legally valid reason.

Next, scanning CAN cause a system to reboot or result in other damage. If this did occur, there is a claim for damages in Tort (civil) or an action under the various criminal statutes. As stated above, the Actus Reus is a given; the Mens Rea is where he may have an offence. In cases of strict liability there is no defence for not intending damage. A bit of a risk to take, but all to their own.

Nessus is not a port scanner. It is a vulnerability scanner. This is a distinction that you will need to consider. Nessus will (in default configuration) verify certain exploits, which is generally enough to breach the statutory criminal requirements of intent. If so configured it will also brute force passwords.

Next, you are failing in the understanding of intent. It is not whether he believed that he was aiding the organisation, it is whether he understood that he was scanning them. A defence to intent would be where a consultant "scanned" the wrong network under a valid contract to scan a network. This is not criminal intent; this is a civil breach. There would be Tort action in negligence or other damage. "Scanning" without a just reason does not forgo intent. Remember this is the legal use of the word and not any common use.
The criminal provisions are not detailed as to whether he scanned the network without intending damage (though this may aid during sentencing) but rather whether he intended to scan the network without authorisation. He has stated that he scanned without authorisation and had made no attempt to obtain it.

In the US, the prosecutor would best go with the S.3121 Act, "Recording of dialling, routing, addressing and signalling information" statute. The penalty is that of a Federal criminal offence (and is Federal under the rules as Mathis scanned a University). This allows for 1 year max penal incarceration and/or fine. This is a Federal offence and would not apply to a general company. If Mathis had disabled the routing checks and a few other checks in Nessus or had used a simple port scanner this provision would not apply. Section 216 of the 2001 USA PATRIOT Act expanded the definition of a pen register to include devices or programs that provide an analogous function with internet communications. Though this is not an act of intent to use a Pen Register in its own right, the tools have this function and the prosecution could attempt to demonstrate this intent. There is no equivalent statute in Australia, NZ or the UK. This US statute would have the mapping by Mathis seen as a recording of the University's private signalling information.

Moulton v. VC3 was a port scanning case under 18 USC Sec. 1030(a)(5)(B), which prohibits the "intentional accessing [of] a protected computer without authorization". The issue here was different in that (1) Scott Moulton had implied access and (2) the damage was under the threshold. The USA PATRIOT Act (2001) does still require damage and loss, however. So if Mathis did not cause damage there should be no issue criminally. As stated, there could be damage if he caused a system to reboot or data was lost (this is a possibility in all tests).
If there is no impairment to the integrity and availability of the network, then there is no crime. Remember as well that if he was successful, then the "unauthorised access" provisions also kick in. So the issue comes to how successful Mathis was as well.

The US DMCA prohibits "circumventing a technological measure" designed to protect a copyright. Vulnerability scans and access to non-public but accessible pages could be considered a violation. This would be a costly and difficult case, but we have seen companies like Sony spend millions to prove a point.

Some of the "stealth scanning" techniques used by vulnerability scanners are also a bit up in the air (i.e. untested in court). Password guessing/cracking in scanners is clearly illegal. Packet spoofing as supported by Nessus is likely to be seen as illegal (though untested in this type of case). Blended attacks and SQL injections are illegal (and available in Nessus).

I think I have covered most aspects, at least briefly.

Regards
Craig

-----Original Message-----
From: Soderland, Craig [mailto:craig.soderland () sap com]
Sent: 25 March 2006 7:00
To: L G; security-basics () securityfocus com
Subject: RE: application for an employment

I believe the correct analogy is that Mathias walked down the street knocking on doors, and came to one which, when he knocked, swung wide open (as it was never closed properly). As long as he does not cross the threshold, no BNE has occurred. If he left a note telling his neighbor to push the door completely closed, so that it latches, he is basically a good Samaritan. And in the US this should keep him legally in the clear, though it may not preclude the neighbor from going after him civilly, since people over here can sue for any darn reason that they want. However, when we are talking about a computer system/network, at what point is he knocking on the door, and at what point is he stepping over the threshold?
Running Nessus to map a system is akin to a knock; trying to connect is akin to jiggling the door and, if it opens, stepping over the threshold. Running a sploit is, well, kicking the door in and walking in.

It all boils down to intent. If he is freely offering up his findings from merely knocking, it can be argued that no trespass has occurred, as he has not yet crossed that threshold. And since he has freely given his findings, well, there is not a case of extortion. At any other level, a trespass has occurred, and well, the laws are pretty clear about that.

-----Original Message-----
From: L G [mailto:nitziya74 () hotmail com]
Sent: Wednesday, March 22, 2006 7:23 PM
To: security-basics () securityfocus com
Subject: Re: application for an employment

This is a good thread which begs further discussion. My question is, at what point is it illegal? Do we have correspondents on this list better versed in the law? Obviously, based on Randal's experience, you need to be careful in Oregon, but at what point is port scanning illegal? And what are the precedents? Is dig-ing illegal? Are not DNS entries, domain names and associated IP ranges, and net block owners all public knowledge?

I guess the crudest part of my question is, was Mathias picking a lock, or did he see a door hanging wide open? And at what point is someone going through an open door versus looking in a window versus admiring someone's architecture from the street?

lg

----- Original Message -----
From: "Al Gettier" <agettier () tealeaf com>
To: <security-basics () securityfocus com>
Sent: Tuesday, March 21, 2006 1:57 PM
Subject: RE: application for an employment

What you did might be illegal without their permission.
Take a look at the Randal Schwartz situation over 10 years ago: http://www.lightlink.com/spacenka/fors/

-----Original Message-----
From: Steveb () tshore com [mailto:Steveb () tshore com]
Sent: Tuesday, March 21, 2006 7:14 AM
To: MatzeGuentert () gmx de; security-basics () securityfocus com
Subject: RE: application for an employment

Not if you want them to employ you. It's not good practice to probe their network without their permission. There may be a serious lack of trust if you reveal to them that you were doing so without going through proper channels.

-----Original Message-----
From: Matthias Güntert [mailto:MatzeGuentert () gmx de]
Sent: Monday, March 20, 2006 7:46 AM
To: security-basics () securityfocus com
Subject: application for an employment

Dear list members,

I am seeking a new job as a Unix/Linux system administrator. There has been an advertisement at a well known university, so I started to prepare myself for the application. While collecting some information about the network, using nmap, dig, etc., I was able to read the whole namespace from the IP range (255.255.0.0).

My question is: should I use some of the information I have found out to push my application forward? How do you think a director would react?

--
Kind regards
Matthias Güntert

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO. BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.
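Two things in the thread above point at the same control: Craig Wright's scenario of a consultant who "scanned the wrong network under a valid contract", and Matthias's sweep of an entire /16 with no authorisation at all. The practical fix is a scope gate that checks every target against the netblocks actually authorised in writing before any packet is sent, and refuses the whole run if anything falls outside. The following is an added Python example of such a gate, not code posted by anyone in this thread; the authorised scope, the target lists and the signed statement of work they are said to come from are constructed for illustration.

```python
"""Authorisation scope gate for a network scan.

Added example for this thread; not code posted by anyone in it. Refuses to
launch a scan against any target that is not wholly inside the netblocks the
client authorised in writing, so a typo cannot turn a contracted engagement
into a scan of someone else's network.
"""
import ipaddress
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample data: a hypothetical signed statement of work authorising
# one /16 and one standalone host. Nothing here is a real engagement.
AUTHORISED_SCOPE = ["10.20.0.0/16", "192.0.2.10"]

# What the tester meant to run...
CONTRACTED_RUN = ["10.20.1.0/24", "10.20.5.1-10.20.5.20", "192.0.2.10"]
# ...and the "wrong network under a valid contract" case: one dropped digit.
TYPO_RUN = ["10.2.1.0/24"]


def parse_scope(entries: Iterable[str]) -> List[Network]:
    """Parse authorised entries (single addresses or CIDR blocks) into networks.

    strict=False lets a host-style entry such as 10.20.1.5/24 stand for the
    block containing that host instead of raising on the non-zero host bits.
    """
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def expand_targets(specs: Iterable[str]) -> List[Network]:
    """Turn target specs into networks.

    Accepts the forms scanner CLIs commonly take: a single address, a CIDR
    block, or an inclusive "first-last" range. Hostnames are deliberately
    not accepted: resolve them first and gate the resolved addresses, since
    the authorisation covers addresses, not names.
    """
    targets: List[Network] = []
    for spec in specs:
        spec = spec.strip()
        if not spec:
            continue
        if "-" in spec:
            first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
            # summarize_address_range yields the minimal set of CIDR blocks
            # covering the range, so the subnet test below still applies.
            targets.extend(ipaddress.summarize_address_range(first, last))
        else:
            targets.append(ipaddress.ip_network(spec, strict=False))
    return targets


def partition(targets: Iterable[Network], scope: Iterable[Network]) -> Tuple[List[Network], List[Network]]:
    """Split targets into those wholly inside some authorised block and the rest.

    Containment is all-or-nothing: a /15 that overlaps an authorised /16 is
    out of scope, because half of it belongs to somebody else. The version
    check keeps subnet_of from raising when v4 and v6 are mixed.
    """
    inside: List[Network] = []
    outside: List[Network] = []
    for target in targets:
        if any(target.version == block.version and target.subnet_of(block) for block in scope):
            inside.append(target)
        else:
            outside.append(target)
    return inside, outside


def gate(target_specs: Iterable[str], scope_entries: Iterable[str]) -> List[Network]:
    """Return the approved target list, or raise PermissionError.

    Fails closed: a single out-of-scope entry blocks the whole run rather
    than being silently dropped, so the operator has to look at it.
    """
    inside, outside = partition(expand_targets(target_specs), parse_scope(scope_entries))
    if outside:
        raise PermissionError(
            "refusing to scan out-of-scope targets: " + ", ".join(str(n) for n in outside)
        )
    return inside


if __name__ == "__main__":
    for label, run in (("contracted", CONTRACTED_RUN), ("typo", TYPO_RUN)):
        try:
            approved = gate(run, AUTHORISED_SCOPE)
            print(f"{label}: scanning {len(approved)} block(s): {[str(n) for n in approved]}")
        except PermissionError as exc:
            print(f"{label}: {exc}")
```

Run it in front of whatever actually sends packets (feed the approved list to the scanner, not the raw operator input). The gate treats containment as all-or-nothing on purpose: a target that merely overlaps the authorised range is refused, because the part outside the overlap is exactly the "wrong network" the thread is worried about.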
Current thread:
- Re: FW: application for an employment, (continued)
- Re: FW: application for an employment Matthias Güntert (Mar 22)
- RE: application for an employment Craddock, Larry (Mar 27)
- RE: application for an employment Woods_Beau (Mar 27)
- RE: application for an employment David Gillett (Mar 27)
- RE: application for an employment Murad Talukdar (Mar 28)
- RE: application for an employment Soderland, Craig (Mar 27)
- RE: application for an employment Craig Wright (Mar 27)
- RE: application for an employment David Gillett (Mar 27)
- RE: application for an employment Craig Wright (Mar 27)
- RE: application for an employment Andrew Williams (Mar 27)
- RE: application for an employment Craig Wright (Mar 28)
- RE: application for an employment Craig Wright (Mar 28)
- RE: application for an employment Craig Wright (Mar 28)
- RE: application for an employment Craig Wright (Mar 28)
- Re: application for an employment Cesc (Mar 29)
- RE: application for an employment Craig Wright (Mar 29)
- RE: Spam:RE: application for an employment Mark Gorman (Mar 29)
- Re: Spam:RE: application for an employment Ian Scott (Mar 30)
- RE: Spam:RE: application for an employment Mark Gorman (Mar 29)
- RE: application for an employment Craig Wright (Mar 29)
- RE: application for an employment Murad Talukdar (Mar 29)
- RE: application for an employment Craddock, Larry (Mar 29)
(Thread continues...)
