On 23 Jul 99, at 19:50, Derek Martin wrote:

> On Fri, 23 Jul 1999, Dave Gillett wrote:
> 
> [ Much snipped for brevity's sake]

  I think we're getting awfully close to agreeing with each other!
 
> What's the punishment for simple trespass?  I occasionally watch COPS and
> see them escort the trespasser off the property, and that's the end of it,
> so long as that's their only offense.  When they do damage to the people,
> that's when they get hauled off to jail.

  Exactly so.  Where I think we disagree is that if you asked the cops or a 
lawyer whether a crime was committed in the first case, they'll answer "Yes: 
trespass."  Whereas the lay opinion that started this thread says "No, or they 
would have gone to jail."  In the Real World (sigh), the question of whether 
a law was broken is *routinely* severed from the question of whether 
prosecution is justified, and questions of whether damage was done or lives 
were endangered are routinely considered.
  Relatively few people get prosecuted for trespass (as you point out), or 
for exceeding the speed limit, or for a host of other victimless infractions.
Does that make them legal?  Of course not.

>   My sense of what happens to system crackers from the stories and news
> reports that I've seen/heard is that their punishment is often much more
> severe for what amounts to the same thing. 

  You'll get no contradiction from me on this!
 
> You don't have to like it, but you do have to deal with it. The ARPANet,
> and subsequently the Internet, was intended from the start to be a public
> network.  The whole idea was to make it easy to share stuff.  All this
> commercial crap came later, when the greedy capitalists (which I have
> nothing against, by the way) moved in and tried to make it theirs.  It was
> never designed or intended to do the kinds of things people are doing with
> it. Frankly I think this is why there is so much trouble with security.
> Before that happened, the amount of trouble on the internet was pretty
> small. 
>
> It's exactly this kind of attitude that had many people who were already a
> part of the internet community (before the advent of graphical http
> browsers) concerned... It was VERY public before, and now everyone's
> trying to run around and privatize it, and commercialize it, and tax it.
> I'm not saying that the recent changes are all for the bad, I just think
> that you (in the general sense) need to realize that you can't have your
> cake and eat it too. 

  "You don't have to like it, but you do have to deal with it."  The 
day-to-day reality of my career is that the changes you reject are a fait 
accompli.  The pieces of Internet that we connect directly to, we pay tolls 
to the owners of for the privilege of using.  I work with the Internet of 
1999, and no longer with that of 1989 or 1979, a world of ISPs and backbone 
providers and co-location facilities and commercial sites and TermsOfService 
agreements; I miss the Olde Days, but I don't try very hard to live in them.

> >   Do you walk up to the door of the local Ford plant when you want to buy a 
> > car?  Do you knock on every door on your block, looking for someone who has a 
> > car to sell?  Does every building, by virtue of having a street address, 
> > invite your inquiry as to whether perhaps they have a car to sell?
> >   NO.  You notice (or look for) an advertisement, on TV or in the Yellow 
> > Pages or in the newspaper, for someone who tells the world that they have the 
> > kind of car you want *offered for sale*.
> 
> This doesn't really apply to the Net.  In the physical world, we have the
> concept of zones.  Some areas are zoned for business and some are not.  We
> don't have this with the internet. The whole thing is publicly accessible,
> by design.

  I don't think zoning is relevant.  I believe I was careful to include, in 
the analogy, private sales from people's homes (locations which are not 
businesses) and the Ford plant (sites belonging to businesses which sell cars, 
but where that particular site does not directly offer that service).

 
> ..., effectively there is no way to define what is permissive and what
> isn't. Therefore I do not see how you can call it "just" to punish someone
> for doing it.  Especially since the cost to the scanee is nil. There needs
> to be more. That's the bottom line to my argument. 

  And this is where I think we come back to the example of trespass at the 
top of this message, and come oh-so-close to agreeing.
  Should the full weight of anti-hacker hysteria be brought to bear upon 
someone for a single port-scan with no damage done?  Of course not!  If you 
thought I was saying it should be, I've clearly failed to communicate 
effectively.

  The points I have tried to stick to have only been:

(a) The current state of laws *allows* for the possibility of unleashing such 
immoderate prosecution upon the heads of those running port scans.  The fact 
that this has not generally been done is insufficient to warrant the claim 
that port-scans are immune from prosecution, and

(b) The fact that port-scans are not often considered to justify criminal 
prosecution does not oblige targets of scans to simply "grit their teeth and 
ignore it".  Even where legislation does not prohibit port-scans, they may be 
restricted by Terms of Service agreements, and so a person who conducts a 
port-scan may be subject to civil sanctions even if no criminal statute 
applies.

  I plainly do not believe that it is Justice to jail everyone who does a 
port-scan.  I also do not know how to write a statute that would distinguish 
between attempted[*] SYN-flooding (for instance) and port-scanning.
  I *do* think it's irresponsible to tell people that they can port-scan any 
machine or network they like with impunity.  Even if you believe (for even 
the most compelling reasons) that this *should* be true, I don't believe that 
it *is*.

[*] "attempted" meaning that no damage was actually done -- probably thanks 
to the successful defences of the target, and not to any lack of malice on 
the part of the perpetrator.


David G
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]