mitnick-digest Wednesday, December 23 1998 Volume 01 : Number 226 ---------------------------------------------------------------------- Date: Mon, 21 Dec 1998 14:54:07 EST From: SkyFireZ@aol.com Subject: Re: [mitnick] Re: Bylaws. (touched up a bit) In a message dated 12/21/98 7:49:15 AM Pacific Standard Time, howree@cable.navy.mil writes: > Why not locate all chapter houses within 1 block or equivalent distance of > DMV buildings. THEY have coverage of 1 per each arbitrary unit, follow suite. > Why don't we all just move along from the subject of the chapters, seeing as how theres no point to have them, nor any way that its going to get done.... AcidRayne ------------------------------ Date: Mon, 21 Dec 1998 12:53:48 -0800 (PST) From: rOTTEN Subject: Re: [mitnick] Re: Bylaws. (touched up a bit) On Mon, 21 Dec 1998 SkyFireZ@aol.com wrote: > > Why not locate all chapter houses within 1 block or equivalent distance of > > DMV buildings. THEY have coverage of 1 per each arbitrary unit, follow > suite. > > > > Why don't we all just move along from the subject of the chapters, seeing as > how theres no point to have them, nor any way that its going to get done.... > > AcidRayne Well it's a DAMN good thing that AcidRayne is here. Where would we be without him/her/them/it? <..rOTTEN..> nobody move, nobody get hurt error187(1) critical failure - - - - - - It was once said by a man who couldn't quit, "Dopeman, please can I have another hit?" ------------------------------ Date: Mon, 21 Dec 1998 20:56:14 -0800 (PST) From: Support Services Subject: Re: [mitnick] Re: Bylaws. (touched up a bit) On Tue, 22 Dec 1998 00:30:49 +1000, Reeza! wrote: > > Why not locate all chapter houses within 1 block or equivalent > distance of DMV buildings. THEY have coverage of 1 per each > arbitrary unit, follow suite. Phhhhbbbttttttt. Good idea. Let us all know when you do it. ------------------------------ Date: Tue, 22 Dec 1998 17:25:40 +0100 From: Tor Fosheim Subject: [mitnick] on another note .. The Highest court in Norway has freed a computer engineer from Norman Data Defense Systems from charges relating to a computer break-in at the University of Oslo in 1995. It acknowledged the fact that he broke in through a security hole, but said it was not illegal for him to do so. The court said that anyone who makes their computers available on the internet should be prepared for the machines to accept "requests for information contained on it". Ie, if its not protected well enough -- its the owner of the machine who is to blame. Tor ------------------------------ Date: Tue, 22 Dec 1998 14:13:28 EST From: Phoenxknt@aol.com Subject: Re: [mitnick] on another note .. I'm moving to Norway. - -AM << The Highest court in Norway has freed a computer engineer from Norman Data Defense Systems from charges relating to a computer break-in at the University of Oslo in 1995. It acknowledged the fact that he broke in through a security hole, but said it was not illegal for him to do so. The court said that anyone who makes their computers available on the internet should be prepared for the machines to accept "requests for information contained on it". Ie, if its not protected well enough -- its the owner of the machine who is to blame. Tor >> ------------------------------ Date: Tue, 22 Dec 1998 15:07:08 -0500 From: john barleycorn Subject: Re: [mitnick] on another note .. Tor Fosheim wrote: > > The Highest court in Norway has freed a computer engineer from Norman Data > Defense Systems from charges relating to a computer break-in at the > University of Oslo in 1995. It acknowledged the fact that he broke in > through a security hole, but said it was not illegal for him to do so. > > The court said that anyone who makes their computers available on the > internet should be prepared for the machines to accept "requests for > information contained on it". Ie, if its not protected well enough -- its > the owner of the machine who is to blame. > > Tor Is ther an artical anywher on the web about this? I'd love to read it. - -----BEGIN GEEK CODE BLOCK----- Version: 3.1 - www.geekcode.com GCS/MU d s:-- a-- C+++ UBLHI+ P+ L++ E- W+ N+++ o+ K--- w+ O+ M+ V- PS+(++) PE++(--) Y+ PGP-(++)$ t++ 5+ X+ R- tv+ b+++ DI+++ D++ G+ e+ h++ r- y+ - ------END GEEK CODE BLOCK------ ------------------------------ Date: Tue, 22 Dec 1998 21:20:14 +0100 From: Tor Fosheim Subject: Re: [mitnick] on another note .. >Is ther an artical anywher on the web about this? I'd love to read it. Keep an eye out - it should be out on loads of places once im done with it :) Tor At 15:07 22.12.98 -0500, you wrote: >Tor Fosheim wrote: >> >> The Highest court in Norway has freed a computer engineer from Norman Data >> Defense Systems from charges relating to a computer break-in at the >> University of Oslo in 1995. It acknowledged the fact that he broke in >> through a security hole, but said it was not illegal for him to do so. >> >> The court said that anyone who makes their computers available on the >> internet should be prepared for the machines to accept "requests for >> information contained on it". Ie, if its not protected well enough -- its >> the owner of the machine who is to blame. >> >> Tor > > >-----BEGIN GEEK CODE BLOCK----- > Version: 3.1 - www.geekcode.com > GCS/MU d s:-- a-- C+++ UBLHI+ P+ L++ E- W+ N+++ o+ K--- w+ > O+ M+ V- PS+(++) PE++(--) Y+ PGP-(++)$ t++ 5+ X+ R- tv+ b+++ DI+++ D++ > G+ e+ h++ r- y+ >------END GEEK CODE BLOCK------ > > ------------------------------ Date: Tue, 22 Dec 1998 13:47:28 -0800 (PST) From: Hardrock Llewynyth Subject: Re: [mitnick] on another note .. On Tue, 22 Dec 1998, Tor Fosheim wrote: > The court said that anyone who makes their computers available on the > internet should be prepared for the machines to accept "requests for > information contained on it". Ie, if its not protected well enough -- its > the owner of the machine who is to blame. am i the only one who finds that slightly ridiculous. that is like a judge saying that if a thief jimmys the lock on my car door to steal my stereo, i'm to blame for not owning a car with a jimmy-proof lock (not many of those around). vaguely ridiculous. hardrock - -- blank signature ------------------------------ Date: Tue, 22 Dec 1998 14:08:21 -0800 From: Nick Biller Subject: Re: [mitnick] on another note .. >> The court said that anyone who makes their computers available on the >> internet should be prepared for the machines to accept "requests for >> information contained on it". Ie, if its not protected well enough -- its >> the owner of the machine who is to blame. > >am i the only one who finds that slightly ridiculous. that is like a >judge saying that if a thief jimmys the lock on my car door to steal my >stereo, i'm to blame for not owning a car with a jimmy-proof lock (not >many of those around). > >vaguely ridiculous. > >hardrock I disagree. If someone looked through the window of your car, which is parked on the side of the street, and took a picture of something inside without making money off the picture, is that illegal? Could you sue them for looking through your window? If the information is available, it is your fault for putting it in the open? - -As for cracking into a computer system to get data, that blurs the line of legality a little. But remember it is not stealing the data, just looking at and/or copying. There is a difference there. The use of the data is a completely different thing. theman2 - -=-==-===-====-===-==-=- theman2 -Also know as the greatest man alive - -=-==-===-====-===-==-=- ------------------------------ Date: Tue, 22 Dec 1998 14:47:22 -0800 From: "Caliban Tiresias Darklock" Subject: Re: [mitnick] on another note .. - -----Original Message----- From: Hardrock Llewynyth To: mitnick@2600.com Date: Tuesday, December 22, 1998 2:04 PM Subject: Re: [mitnick] on another note .. >On Tue, 22 Dec 1998, Tor Fosheim wrote: > >> The court said that anyone who makes their computers available on the >> internet should be prepared for the machines to accept "requests for >> information contained on it". Ie, if its not protected well enough -- its >> the owner of the machine who is to blame. > >am i the only one who finds that slightly ridiculous. that is like a >judge saying that if a thief jimmys the lock on my car door to steal my >stereo, i'm to blame for not owning a car with a jimmy-proof lock (not >many of those around). When planning network security, I have *always* advised that if a computer is outside the firewall, any and all information on it must be considered public. As a result, any company-confidential information *must* be kept inside the firewall; as soon as you place it outside the firewall, it either is or soon will be compromised. Failure to recognise this is like someone saying that you don't have to lock your car because nobody will take your stereo anyway. They would have to open the door to do that, and that's rude. Therefore they won't do it. As if. I think the judge has quite properly placed the blame where it belongs. If your network is insecure, it's like leaving candy on the table. People might take the candy. Some won't. Some will. Those who do are not to blame; you *did* leave it on the table, after all. A system on the internet is intended for public access, and if you want to restrict that access then *you* have to restrict it. Failure to do so is your own failure. Note that my view on this extends to read access only, and is not to be construed as a position supporting the writing or rewriting of data on someone else's internet server. I think anyone should be allowed to read anything they can acquire permissions to read on any internet host they can access, as the ability to acquire such permission is an implicit permission to read it. I also think that people should write only what they have been given *explicit* permission to write, out of simple politeness if nothing else. | Caliban Tiresias Darklock caliban@darklock.com | Darklock Communications http://www.darklock.com/ | U L T I M A T E U N I V E R S E I S N O T D E A D | 774577496C6C6E457645727355626D4974H -=CABAL::3146=- ------------------------------ Date: Tue, 22 Dec 1998 15:38:13 -0800 (PST) From: Support Services Subject: Re: [mitnick] on another note .. On Tue, 22 Dec 1998 14:08:21 -0800, Nick Biller wrote: > > I disagree. If someone looked through the window of your car, which > is parked on the side of the street, and took a picture of something > inside without making money off the picture, is that illegal? Could > you sue them for looking through your window? That's a pretty stupid comparison. We're not talking about "what is left in PLAIN SIGHT" -- we're talking about having to break in. Suppose I picked the trunk of your car open, and photographed the confidential information you kept there. > -As for cracking into a computer system to get data, that blurs the > line of legality a little. But remember it is not stealing the data, > just looking at and/or copying. There is a difference there. The use > of the data is a completely different thing. Oh really? What if I decided to inspect your sister's tattoos... so while she's sleeping, I take her panties off and look at the pretty tattoo on her crotch. She later finds out I did this. Tell me; all I did was look; did I violate her in any way?? After all, her tattoo is still there... ------------------------------ Date: Tue, 22 Dec 1998 15:45:03 -0800 (PST) From: Support Services Subject: Re: [mitnick] on another note .. On Tue, 22 Dec 1998 14:47:22 -0800, Caliban Tiresias Darklock wrote: > > A system on the internet is intended for public access, and if you > want to restrict that access then *you* have to restrict it. Failure > to do so is your own failure. Not true at all. Just because the Internet is public does not make anything hooked up to it public. Just because your phone conversation is carried through the switched public telephone system does not mean others have a right to snoop in on it. If a computer system requires some type of access authentication, such as a username, that doesn't give you the right to access it simply because you've successfully guessed the password to that username. Similarly, I don't have the right to access your home simply because I've figured out the right key to your front door. Similarly, gaining access to a computer system via some exploit (such as VAX/VMS argument probing) does not make the info public. While there is an obligation to secure the information, there is not an obligation to protect against all exploits, both known as well as UNKNOWN. ------------------------------ Date: Tue, 22 Dec 1998 16:22:30 -0800 From: "Caliban Tiresias Darklock" Subject: Re: [mitnick] on another note .. - -----Original Message----- From: Support Services To: mitnick@2600.com Date: Tuesday, December 22, 1998 3:54 PM Subject: Re: [mitnick] on another note .. > >What if I decided to inspect your sister's tattoos... >so while she's sleeping, I take her panties off and look at the >pretty tattoo on her crotch. She later finds out I did this. >Tell me; all I did was look; did I violate her in any way?? >After all, her tattoo is still there... We're talking about a physical location, which invites the "hacking is trespass" comparison that so many people complain is not appropriate. If hacking is not comparable to trespassing, then trespassing is not comparable to hacking. You can't have it both ways. So we will assume for the sake of this argument that they are comparable in this instance, but not necessarily in others. That said, there's one important piece of data missing here... how exactly did you get into a situation where you could take off her panties while she's sleeping? I mean, you would sort of have to be in the house and in her bedroom while she was asleep. So to qualify your activity under the restrictions I previously mentioned, we would need to know: is her house on the internet, and which side of the firewall is her bedroom on? If the house is on the internet, and her bedroom is outside the firewall, then sure! That's fine! However, if her bedroom is behind the firewall *or* her house is not on the internet, you don't have any business looking at her tattoos. I also don't have a sister, so you can look all you want and you won't find any tattoos. Or any panties, for that matter. :P | Caliban Tiresias Darklock caliban@darklock.com | Darklock Communications http://www.darklock.com/ | U L T I M A T E U N I V E R S E I S N O T D E A D | 774577496C6C6E457645727355626D4974H -=CABAL::3146=- ------------------------------ Date: Tue, 22 Dec 1998 16:17:07 -0800 (PST) From: Lew Payne Subject: Re: [mitnick] on another note .. On Tue, 22 Dec 1998 16:22:30 -0800, Caliban Tiresias Darklock wrote: > > I also don't have a sister, so you can look all you want and you > won't find any tattoos. Or any panties, for that matter. :P You're no fun. ------------------------------ Date: Tue, 22 Dec 1998 16:40:14 -0800 From: "Caliban Tiresias Darklock" Subject: Re: [mitnick] on another note .. - -----Original Message----- From: Support Services To: mitnick@2600.com Date: Tuesday, December 22, 1998 3:58 PM Subject: Re: [mitnick] on another note .. > >On Tue, 22 Dec 1998 14:47:22 -0800, Caliban Tiresias Darklock wrote: >> >> A system on the internet is intended for public access, and if you >> want to restrict that access then *you* have to restrict it. Failure >> to do so is your own failure. > >Not true at all. Just because the Internet is public does not >make anything hooked up to it public. Just because your phone >conversation is carried through the switched public telephone >system does not mean others have a right to snoop in on it. It does, however, mean that others can call my telephone. The fact that I have a telephone and a number attached to it means that anyone else with a telephone can dial my number and cause my telephone to ring. I cannot legitimately prevent this, nor can I legitimately complain when someone does so. If I put my computer on the internet, then others are intended to connect to TCP ports on it. They are therefore implicitly permitted to do so. If they do something weird that I didn't expect, it is no different from dialing someone's voice line through a modem so they get that piercing squeal in their ear. Rude? Hell yeah. Forbidden? Of course not. | Caliban Tiresias Darklock caliban@darklock.com | Darklock Communications http://www.darklock.com/ | U L T I M A T E U N I V E R S E I S N O T D E A D | 774577496C6C6E457645727355626D4974H -=CABAL::3146=- ------------------------------ Date: Tue, 22 Dec 1998 18:31:20 -0600 From: "Joe Shambro" Subject: Re: [mitnick] on another note .. What if you have tinted windows... but one of the windows is cracked open a bit... a, security hole, you might say.. and it allows you to look in and see that stereo, and take the picture... Ok, that was plain dumb too. - -Joe - -----Original Message----- From: Support Services To: mitnick@2600.com Date: Tuesday, December 22, 1998 5:58 PM Subject: Re: [mitnick] on another note .. > > >On Tue, 22 Dec 1998 14:08:21 -0800, Nick Biller wrote: >> >> I disagree. If someone looked through the window of your car, which >> is parked on the side of the street, and took a picture of something >> inside without making money off the picture, is that illegal? Could >> you sue them for looking through your window? > >That's a pretty stupid comparison. We're not talking about "what >is left in PLAIN SIGHT" -- we're talking about having to break in. >Suppose I picked the trunk of your car open, and photographed the >confidential information you kept there. > >> -As for cracking into a computer system to get data, that blurs the >> line of legality a little. But remember it is not stealing the data, >> just looking at and/or copying. There is a difference there. The use >> of the data is a completely different thing. > >Oh really? What if I decided to inspect your sister's tattoos... >so while she's sleeping, I take her panties off and look at the >pretty tattoo on her crotch. She later finds out I did this. >Tell me; all I did was look; did I violate her in any way?? >After all, her tattoo is still there... > > ------------------------------ Date: Tue, 22 Dec 1998 17:49:25 -0800 From: Brian Subject: Re: [mitnick] on another note .. - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 At 04:31 PM 12/22/98 , you wrote: >What if you have tinted windows... >but one of the windows is cracked open a bit... a, security hole, you might >say.. and it allows you to look in and see that stereo, and take the >picture... > >Ok, that was plain dumb too. > >-Joe > >-----Original Message----- >From: Support Services >To: mitnick@2600.com >Date: Tuesday, December 22, 1998 5:58 PM >Subject: Re: [mitnick] on another note .. > > >> >> >>On Tue, 22 Dec 1998 14:08:21 -0800, Nick Biller wrote: >>> >>> I disagree. If someone looked through the window of your car, which >>> is parked on the side of the street, and took a picture of something >>> inside without making money off the picture, is that illegal? Could >>> you sue them for looking through your window? >> >>That's a pretty stupid comparison. We're not talking about "what >>is left in PLAIN SIGHT" -- we're talking about having to break in. >>Suppose I picked the trunk of your car open, and photographed the >>confidential information you kept there. >> >>> -As for cracking into a computer system to get data, that blurs the >>> line of legality a little. But remember it is not stealing the data, >>> just looking at and/or copying. There is a difference there. The use >>> of the data is a completely different thing. >> >>Oh really? What if I decided to inspect your sister's tattoos... >>so while she's sleeping, I take her panties off and look at the >>pretty tattoo on her crotch. She later finds out I did this. >>Tell me; all I did was look; did I violate her in any way?? >>After all, her tattoo is still there... >> >> Lets get off this subject of cars and stuff like that. it is proving your point, but we dont need every technicality on the issue. "well, what if i am holding a rock, and i trip, the rock flying through your window smashing it. well, the rock is my favorite and it is lodged in the stereo. well, i guess i gotta take the stereo AND my rock". yeah, sure. -brain kandy- free kevin mitnick - www.kevinmitnick.com 'stop the violence, hack the planet' e-mail: brainkandy@mindspring.com other contact methods upon request - -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.0.2 iQA/AwUBNoBMJC7sph9laBOUEQLkmQCg6E19OXIIr5KbGN629WWYH+GSpNUAoKzp IyO4k48bBGrhXDrAEp0unkoH =CaAu - -----END PGP SIGNATURE----- ------------------------------ Date: Tue, 22 Dec 1998 19:09:30 -0800 (PST) From: Support Services Subject: Re: [mitnick] on another note .. On Tue, 22 Dec 1998 17:49:25 -0800, Brian wrote: > > Lets get off this subject of cars and stuff like that. it is proving > your point, but we dont need every technicality on the issue. "well, > what if i am holding a rock, and i trip, the rock flying through your > window smashing it. well, the rock is my favorite and it is lodged > in the stereo. well, i guess i gotta take the stereo AND my rock". > yeah, sure. -brain kandy- Hey Brain Fart --- Happy Holidays !! ------------------------------ Date: Tue, 22 Dec 1998 20:10:29 -0800 (PST) From: rOTTEN Subject: Re: [mitnick] on another note .. What if your sister's panties are in the car with the tinted broken window, and there's a camera in there ready to take a picture in T minus 10 seconds? Is it still legal to jaywalk? ------------------------------ Date: Tue, 22 Dec 1998 23:12:48 EST From: Phoenxknt@aol.com Subject: Re: [mitnick] on another note .. Easier Comparison to show it Simply say A) Is the house on a MAJOR highway B) Is her room inside or outside a locked house or does she sleep in a barn? In physical terms these make a lil more sense (tho not much...heh) than saying firewall and internet...unless he meant did they have a T1 and was the house going up in flames...well anyway. Just wanted to help make it the slightest bit clearer. - -Absolute Matter << We're talking about a physical location, which invites the "hacking is trespass" comparison that so many people complain is not appropriate. If hacking is not comparable to trespassing, then trespassing is not comparable to hacking. You can't have it both ways. So we will assume for the sake of this argument that they are comparable in this instance, but not necessarily in others. That said, there's one important piece of data missing here... how exactly did you get into a situation where you could take off her panties while she's sleeping? I mean, you would sort of have to be in the house and in her bedroom while she was asleep. So to qualify your activity under the restrictions I previously mentioned, we would need to know: is her house on the internet, and which side of the firewall is her bedroom on? If the house is on the internet, and her bedroom is outside the firewall, then sure! That's fine! However, if her bedroom is behind the firewall *or* her house is not on the internet, you don't have any business looking at her tattoos. I also don't have a sister, so you can look all you want and you won't find any tattoos. Or any panties, for that matter. :P >> ------------------------------ Date: Tue, 22 Dec 1998 22:40:00 -0800 (PST) From: rOTTEN Subject: Re: [mitnick] on another note .. On Tue, 22 Dec 1998 Phoenxknt@aol.com wrote: > B) Is her room inside or outside a locked house or does she sleep in a barn? So it's okay for a woman who sleeps in a teepee to have her panties and pubic tattoo examined in the thick of the night? ------------------------------ Date: Wed, 23 Dec 1998 00:56:20 -0600 From: "poiSiNous" Subject: Re: [mitnick] on another note .. - -----Original Message----- From: rOTTEN To: mitnick@2600.com Date: Wednesday, December 23, 1998 12:50 AM Subject: Re: [mitnick] on another note .. >On Tue, 22 Dec 1998 Phoenxknt@aol.com wrote: > >> B) Is her room inside or outside a locked house or does she sleep in a barn? > >So it's okay for a woman who sleeps in a teepee to have her panties and >pubic tattoo examined in the thick of the night If she does not shave her "thick of the night" you will not be able to see her pubic tattoo in the dark.... using a flashlight would then be a possible violation .... to her security hole ~poiSiNous > > > ------------------------------ Date: Wed, 23 Dec 1998 13:23:47 -0800 (PST) From: Hardrock Llewynyth Subject: Re: [mitnick] on another note .. On Tue, 22 Dec 1998, Caliban Tiresias Darklock wrote: > have a telephone and a number attached to it means that anyone else with a > telephone can dial my number and cause my telephone to ring. I cannot > legitimately prevent this, nor can I legitimately complain when someone does > so. yes, actually, you can. most phone companies have options that allow you to block calls from certain numbers. so if someone keeps calling you at 3 in the morning making loud death threats then it is your own fault, right? > If I put my computer on the internet, then others are intended to connect to > TCP ports on it. They are therefore implicitly permitted to do so. If they > do something weird that I didn't expect, it is no different from dialing > someone's voice line through a modem so they get that piercing squeal in > their ear. Rude? Hell yeah. Forbidden? Of course not. sounds like another round of "blame the victim" to me. good way to absolve your self of responsibility. hardrock, but officer, the way she was dressed, it was obvious she was askin' for it. - -- blank signature ------------------------------ Date: Wed, 23 Dec 1998 15:27:26 -0600 From: Xer0 KelviN Subject: [none] To Whom it may concern: I am making a Flash Project that uses the mentors words. I was wanting to get some pictures of other hackers and using them in this. I don't want to be able to identify who they are though... Like if you want to do a picture of you or one of your associates...then put on some sunglasses and don't let them see your whole face. If you could help just please be artistic. For example, puting on play cuffs and looking like you've been busted....you get the picture just give it some personallity. Thanx, Xer0 KelviN frozenxero@geocities.com FFFFF RRRR EEEEE EEEEE F R R E E FFF RRRR EEE EEE F R R E E F R R EEEEE EEEEE K K EEEE V V I N N K K E V V I NN N KK EEE V V I N N N K K E V V I N NN K K EEEE V I N N www.KevinMitnick.com Xer0KelviN Chris Stephan frozenxero@geocities.com http://www.angelfire.com/tx/frozenxero FFFFF RRRR EEEEE EEEEE F R R E E FFF RRRR EEE EEE F R R E E F R R EEEEE EEEEE K K EEEE V V I N N K K E V V I NN N KK EE V V I N N N K K E V V I N NN K K EEEE V I N N ------------------------------ Date: Wed, 23 Dec 1998 14:22:49 -0800 From: "Caliban Tiresias Darklock" Subject: Re: [mitnick] on another note .. - -----Original Message----- From: Hardrock Llewynyth To: mitnick@2600.com Date: Wednesday, December 23, 1998 1:42 PM Subject: Re: [mitnick] on another note .. >sounds like another round of "blame the victim" to me. good way to >absolve your self of responsibility. Actually, it doesn't absolve anyone of responsibility. You *still* have a responsibility to be civil and respectful of others. While this is not and never should be a legal statute, it is nonetheless something which all human beings of all countries from all backgrounds should observe in all situations. There are a lot of things which are not illegal, but which we do not do simply because they are rude. It is rude to read someone's email, or to closely watch people typing their passwords in the hope of figuring them out. That ought to be enough, in most cases, to indicate that you should not do these things. But the perception of rudeness alone is not sufficient protection, and you should never assume it is. If you leave the door to your house open and unlocked, someone may walk in and help himself to a cup of coffee. This is very rude. He should not do this. You have a perfect right to tell him to put the damn coffee down and get the hell out of your house. But if you didn't want him in the house, you SHOULD have closed and locked the door. A closed door is usually enough, but city dwellers will note that in many cases it is not. When you open up your doors on the net, you are opening up a whole bunch of doors people can walk through. If you don't label your doors "employees only", close them, and lock them, you will have varying degrees of people walking in through them. Each of these actions will convince progressively more people to stay out, but you must recognise that there are still people who will come through the door -- just a lot fewer of them. And the less action you take to keep them out, the less room you have to bitch about them being there. Most people take no action to keep people out. Ergo, they have no room to bitch. An inverse room to bitch about being yelled at for looking at something is implied by how hard the viewer had to work to look at it. If you had to bust your ass for a week to look at it, it's pretty damn obvious that it wasn't there for you to look at, and if someone yells at you for looking at it -- well, whether they protected it effectively or not, you have no room to bitch. If you just walked into their house and it was on the table, and they yell at you for looking at it, you have a lot of room to bitch. (They, on the other hand, have no room to bitch at all.) It balances; the harder you have to work to get at the info, the more room the owner has to bitch. Think of it as a long stick being pushed through a curtain; the farther back the information is kept, the more of your room to bitch goes away trying to touch the info. That room to bitch is transferred to the person who has the info, because it's now on his side of the curtain. | Caliban Tiresias Darklock caliban@darklock.com | Darklock Communications http://www.darklock.com/ | U L T I M A T E U N I V E R S E I S N O T D E A D | 774577496C6C6E457645727355626D4974H -=CABAL::3146=- ------------------------------ Date: Wed, 23 Dec 1998 14:34:19 -0800 From: "Caliban Tiresias Darklock" Subject: Re: [mitnick] on another note .. - -----Original Message----- From: Hardrock Llewynyth To: mitnick@2600.com Date: Wednesday, December 23, 1998 1:42 PM Subject: Re: [mitnick] on another note .. >On Tue, 22 Dec 1998, Caliban Tiresias Darklock wrote: > >> have a telephone and a number attached to it means that anyone else with a >> telephone can dial my number and cause my telephone to ring. I cannot >> legitimately prevent this, nor can I legitimately complain when someone does >> so. > >yes, actually, you can. most phone companies have options that allow you >to block calls from certain numbers. I can't stop them from going to another phone, though. Compare IP filtering at the router: I can block 229.237.109.81 from my server, but the guy will just switch IP addresses. Trivial. >so if someone keeps calling you at 3 >in the morning making loud death threats then it is your own fault, right? There are laws against using a telephone to cause a nuisance. There are laws against making death threats. There are good reasons for those laws, just like the law that you can't send unsolicited faxes. Why does everyone want to use these violent, antisocial examples? We're talking about reading data off a computer. We should compare asking some sort of question. The obvious question would be "Do you have Prince Albert in a can?" or perhaps "Is your refrigerator running?" -- both of which are basically a pain in the ass, but don't specifically infringe on any existing laws. Now, given that some dickhole is calling you up at three in the morning and asking whether your refrigerator is running, what room do you have to complain? "Well, it wakes me up." Turn off the ringer. "Well, I might get an important call." Get an answering machine. "Well, I don't want to waste my time on answering machines and turning off ringers." Well, fine, then: deal with it. Ever try calling someone up and asking for their phone number? | Caliban Tiresias Darklock caliban@darklock.com | Darklock Communications http://www.darklock.com/ | U L T I M A T E U N I V E R S E I S N O T D E A D | 774577496C6C6E457645727355626D4974H -=CABAL::3146=- ------------------------------ Date: Wed, 23 Dec 1998 14:38:43 -0800 (PST) From: Hardrock Llewynyth Subject: Re: [mitnick] on another note .. On Tue, 22 Dec 1998, Caliban Tiresias Darklock wrote: > Failure to recognise this is like someone saying that you don't have to lock > your car because nobody will take your stereo anyway. They would have to > open the door to do that, and that's rude. Therefore they won't do it. it isn't "rude" it is theft. even if you leave the door wide open it is still theft. saying that i shouldn't have left the door open doesn't absolve the thief from the crime. it is merely the old "blame the victim" game. > *did* leave it on the table, after all. A system on the internet is intended > for public access, and if you want to restrict that access then *you* have > to restrict it. Failure to do so is your own failure. a system on teh internet is intended for access by a certaiun group of people, which may or may not include the general public. that is why there is such a thing as restricted acccess. passwords and all that. unles syou have specific permission to be there, you are trespassing. no different if i was to go wandering through the corporate offices of Nordstrom's downtown Seattle; playing with their stationary and accounting files, and generally making a nuisance of myself. the doors aren't locked agaisnt me, so why would that be wrong? > someone else's internet server. I think anyone should be allowed to read > anything they can acquire permissions to read on any internet host they can > access, as the ability to acquire such permission is an implicit permission > to read it. even though that the "permission" to read it come through the use of unwanted holes in teh security? flaws that the owner may not even be aware of? sounds like bald-faced rationalizationto me. hardrock - -- blank signature ------------------------------ Date: Wed, 23 Dec 1998 14:45:50 -0800 (PST) From: Hardrock Llewynyth Subject: Re: [mitnick] on another note .. On Wed, 23 Dec 1998, Caliban Tiresias Darklock wrote: > There are a lot of things which are not illegal, but which we do not do > simply because they are rude. It is rude to read someone's email, or to > closely watch people typing their passwords in the hope of figuring them > out. That ought to be enough, in most cases, to indicate that you should not > do these things. But the perception of rudeness alone is not sufficient > protection, and you should never assume it is. reading someone else's mail is illegal, depending ont eh circumstances. > If you leave the door to your house open and unlocked, someone may walk in > and help himself to a cup of coffee. This is very rude. He should not do it is not only rude, it is criminal trespass. > this. You have a perfect right to tell him to put the damn coffee down and > get the hell out of your house. But if you didn't want him in the house, you > SHOULD have closed and locked the door. A closed door is usually enough, but > city dwellers will note that in many cases it is not. whether the door is locked or not doesn't change the fact that te actions are criminal. the only difference a locked door makes is whether one wants to deal with the criminals more often than with a locked door. where i live, i don't need to worry about locking the door. if i lived in the city i would. one could also argue that a trespass is my fault if my door is easy to jimmy, vs. having three deadbolts and a bar. what level of security is enough to change an action from "rude" to criminal? or to shift the blame from the victim to the perpetrator. > And the less action you take to keep them out, the less room you have to > bitch about them being there. Most people take no action to keep people out. > Ergo, they have no room to bitch. false premise. people should not be there period. security is merely a convenience. acording to your premise, how much security is necessary before oneis permitted the right to bitch? again, it is all just blatant rationalization. hardrock - -- blank signature ------------------------------ Date: Wed, 23 Dec 1998 15:42:18 -0800 From: "Caliban Tiresias Darklock" Subject: Re: [mitnick] on another note .. - -----Original Message----- From: Hardrock Llewynyth To: mitnick@2600.com Date: Wednesday, December 23, 1998 2:51 PM Subject: Re: [mitnick] on another note .. >On Tue, 22 Dec 1998, Caliban Tiresias Darklock wrote: > >> Failure to recognise this is like someone saying that you don't have to lock >> your car because nobody will take your stereo anyway. They would have to >> open the door to do that, and that's rude. Therefore they won't do it. > >it isn't "rude" it is theft. even if you leave the door wide open it is >still theft. saying that i shouldn't have left the door open doesn't >absolve the thief from the crime. it is merely the old "blame the victim" >game. You're not paying attention. Let me clarify. A thief could almost give a shit whether something is rude or not. If I am going to steal your radio, which is theft, then I probably have no problem with opening your unlocked car door, which is rude. If I open your unlocked car door and do NOT take anything, then it is not theft. It is just rude. If I am a polite and considerate person, this is reason enough not to open your car door. If rudeness matters to me, then I probably have some feelings on theft as well. So the real question here is where the morals lie -- when you want to keep criminals out of your system, you have to lock everything down tight. If you want to keep honest people out of it, you can do absolutely nothing, because honest people don't do things like that anyway. If you want to keep people somewhere in between these two extremes out of your system, you have to do something in the middle somewhere. If you shoot for the wrong mark, don't bitch when you miss the one you wanted to hit. >a system on teh internet is intended for access by a certaiun group of >people, which may or may not include the general public. And as a result, it is YOUR responsibility to restrict access to that group of people. How much effort you invest in that restriction defines your room to bitch about its violation. If the extent of your effort is not to tell anyone it's there, then when someone finds it -- hey, they can access it. If you leave bug-ridden versions of sendmail running -- hey, people can exploit it. If you want a secure system, you have to invest effort in its security. If you don't, you're leaving your doors open. You can certainly expect people not to come in and break stuff, but you can't expect them not to come in and look around. Copying, I will reiterate, is in a grey area. It is very very rude to copy something and hand it out to other people. I would have much *less* of a problem with making a copy to look at yourself, but I still have somewhat of a problem with it. That goes to the question of what the right to read entails; while the right to read HERE and write THERE implies a right to copy in computer terms, I would speculate that lacking the right to both read and write HERE implies a lack of the right to copy unless otherwise specified. This is an oversimplification, however, as by this same logic getting root gives you the right to copy anything and everything on the server... which indicates that this logic is flawed in some fashion I don't feel like examining right now. >unles syou have specific permission to be there, you are trespassing. If you don't put up a fence and/or post a no trespassing sign on your property, then walking across it is arguably not really trespassing. It is your responsibility to inform the public that this is your property and they cannot walk across it. While you can certainly come out and yell at people to get off your land, you can't very well have them arrested for it. No "keep off the grass" sign? People can step on your grass, then. You're welcome to research this matter, if you like. And here we are on this physical property thing again. Is a computer a physical location? Is obtaining a connection on port 23 equivalent to standing on a physical doorstep? Is login the equivalent of walking through a door? Is a password the equivalent of a lock? Logically, rationally, the answer to all of the above is "no" -- but from a psychological and emotional standpoint, the *rough* equivalence suggests an answer of "yes" to be appropriate. Is mankind a rational creature, or an emotional creature? See Hume's "Enquiries Concerning Human Understanding" for more details. He didn't know either. Is physical property an effective comparator for network servers? I don't think so. They don't map too well to each other. The metaphor works for a while, then falls apart sometime after you get halfway to left field, at which point most people evidently figure you're close enough so why not walk the rest of the way? >> someone else's internet server. I think anyone should be allowed to read >> anything they can acquire permissions to read on any internet host they can >> access, as the ability to acquire such permission is an implicit permission >> to read it. > >even though that the "permission" to read it come through the use of >unwanted holes in teh security? flaws that the owner may not even be >aware of? sounds like bald-faced rationalizationto me. Seems rational to me, too. Logically, if your door is open, I'm evidently allowed to come in. If you didn't know it was open, or didn't know it was there, it doesn't change the fact that an open door is generally recognised as an invitation. | Caliban Tiresias Darklock caliban@darklock.com | Darklock Communications http://www.darklock.com/ | U L T I M A T E U N I V E R S E I S N O T D E A D | 774577496C6C6E457645727355626D4974H -=CABAL::3146=- ------------------------------ End of mitnick-digest V1 #226 *****************************