Maybe we are arguing from a different legal tradition? I'm only familiar
with Finnish law really. In that context "normal" means what an average
person could be assumed to do in the circumstances. In this context it
would probably mean connecting to a service that has been advertised to
them in such manner that they can reasonably expect it to be
permissible. For example if you have not been told if my site has ftp
server running you are expected to conclude that A) FTP service is not
available or B) you are not allowed to use it, if it is available. If you
have need to access my ftp server and don't know if it is available, you
are expected to ask first (or maybe see if my web site has link to it
or something).

Another difficult legal question is your need to find out about my bona
fide in offering services. This is only my opinion (not based on legal
precedent), but if someone offers a mailing list service, I am permitted
to assume, unless informed otherwise, that the person offering it has
the right to offer it. If I join the list in good faith, I cannot be
blamed for his unauthorised use in offering the service. This is also a
question of what average end user can be expected to know or find out.

Sakari M

> -----Original Message-----
> From: Derek Martin [SMTP:[EMAIL PROTECTED]]
> Sent: Friday, July 23, 1999 7:49 PM
> To:   Myllymäki Sakari
> Subject:      RE: trial & charges
> 
> On Fri, 23 Jul 1999, [iso-8859-1] Myllymäki Sakari wrote:
> 
> > Here are some points that have come to my mind reading this thread:
> > 
> > 1. At least the Finnish law speaks of ATTEMPTED computer break in, it
> > does not mention any specific techniques, like port scanning. The
> > question the court might need to answer is, if it is probable that a
> > break-in was attempted. This is not only about the intention of the
> > attacker, but also about if the person could normally be expected to act
> > as he did. eg people do not normally walk down the street trying car
> > doors to see if they are locked. Or a person can normally be expected to
> > hit TCP port 80 of a web server, not trying every port she thinks worth
> > while.
> 
> I can't argue with that vehemently enough... see my previous posts. LOTS
> of servers run LOTS of services on LOTS of other ports.  If I want to know
> if a particular server, say sunsite.unc.edu, which is a repository of
> software and all sorts of other information, in many ways a very PUBLIC
> server (which has anonymous logins and even allows uploads from anonymous
> users, last I checked), is running other services such as GOPHER, talk, or
> what have you, the only PRACTICAL way to do this is with a port scan. 
> Checking each "legitimate" service manually is extremely impractical. 
> 
> Who decides what services are "NORMAL" and therefore what I can and can't
> try to connect to?
> 
> > 2. Dave Gillett suggested that "the publication of subscription info may
> > be construed as authorization to attempt to subscribe, and the acceptance
> > of a subscription as authorization to post." In legal terms this means the
> > subscriber and the list maintainer have entered a contract giving right to
> > a specific use of the computing facilities: I hope I am not in violation
> > of my contract by being off topic;)
> 
> Once again, this is an assumption.  You have no way of knowing if the list
> owner has permission or not.  It's like buying a Rolex on the streets of
> New York and "assuming" that it's not stolen or a knockoff.  In the former
> case you're still guilty of receiving stolen goods.  This is not a good
> defense.
> 
> > 3. I never thought of it like this before, but now that you mention it,
> > It might be "against the law for an administrator to call the ISP in
> > question, and apply heat to get the account cancelled." It might be
> > construed as taking the law in your own hands or illegal threat, if you
> > mean by "applying heat" burning down the ISP facilities if they don't
> > cancel the account.
> 
> This is a good point.  ISPs should not be susceptible to this kind of
> pressure.  Suppose someone you know happens to run an ISP and is really
> pissed off at you.  They could make up allegations of hacking on your
> part, and in a lot of cases your account will be shut off without any real
> evidence, because your ISP fears the almighty law suit.  This shouldn't
> happen. It should take a court order or someone at your own ISP seeing
> real documentable proof that you're cracking systems (or otherwise
> breaking your TOS agreement) before your account is shut off. 
> 
> This also ties in to my argument that ISPs should not be held accountable
> for the actions of their users UNTIL THE ISP ITSELF HAS SUBSTANTIAL
> DOCUMENTED PROOF that the user is doing something illegal, and
> subsequently can be shown to have done nothing about it. 
> 
> 
> Derek D. Martin           |  UNIX System Administrator
> [EMAIL PROTECTED] |  [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
