Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)

James Firth james2 at jfirth.net
Thu Aug 5 11:17:12 BST 2010


Jon Ribbens wrote:
> Sorry, you think it should be illegal if automated but legal if done
> manually? 

Not quite.  In the event security is not actually breached, i.e. probing
attacks made but machine not compromised, I think in order to objectively
show intent to gain unauthorised access it should be proved there was a
repeated and systematic attempt.

Whether this was entered manually or by hand is irrelevant, but to get across
a threshold for clear and systematic realistically it would be script
driven.

> How do you come to that conclusion? If the prosecution can
> show that a person deliberately attempted to fetch one of the latter
> two URLs I gave above, there can honestly be no reasonable doubt that
> they were attempting something they knew was unauthorised, 

I see where you're coming from but I don't think anyone should risk
prosecution for URLs typed into a web browser, even if it was driven by an
attempt to gain unauthorised access.

To my mind the aim should be to catch criminals, not criminalise the
curious.

If server owners don't secure their servers how is the law to establish
whether some oddball actually wants to serve a file /etc/passwd?  The
protocol is clear - the requestor is able to establish whether any arbitrary
URL is valid by sending a request.  The response code indicates whether
access is authorised.

As others have said there really is no real-world analogy.  The law should
reflect and respect the protocols.

I'm also reminded of crazy attempted prosecutions for those using unsecured
WiFi.  How else is one to differentiate between me offering free WiFi to my
neighbours (no security) and me not offering free WiFi (security)?

Yes we could start talking about elitism and protection of vulnerable tech
users left in the lurch by the equipment providers' failure to make security
default-on and easy to use.  But surely this is a civil issue of
manufacturers selling equipment "fit for purpose".  And if these vulnerable
users suffer material loss or damage as a result, then why not leave redress
to the civil courts?

James Firth
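The post argues two technical points: the HTTP response code is the protocol's own statement of whether access was authorised, and intent is only objectively shown by a repeated and systematic (in practice, scripted) run of attempts rather than by one URL typed into a browser. The following is an added example, not part of the mailing list post or of any project it mentions, showing how a server operator could turn that distinction into a log check from the defending side. It assumes Apache/nginx "combined" format access logs; the log lines, client addresses, paths, window of 60 seconds and threshold of 5 denied responses are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: client, ident, user, timestamp,
# request line, status, size, referrer, user agent.  Only the fields we
# need are captured.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Response codes by which the server tells the requester that access was
# not authorised or the resource does not exist: the protocol's answer to
# a probe, which is the point the post makes about response codes.
DENIED = {401, 403, 404}

# Constructed sample log (not real traffic).  203.0.113.5 is the curious
# browser user who hits one forbidden page; 198.51.100.7 is a scripted run
# of requests a few seconds apart.  The last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Aug/2010:11:00:01 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Aug/2010:11:00:20 +0100] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Aug/2010:11:00:31 +0100] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Aug/2010:11:01:00 +0100] "GET /dir1/ HTTP/1.1" 404 169 "-" "curl/7.21.0"
198.51.100.7 - - [05/Aug/2010:11:01:03 +0100] "GET /dir2/ HTTP/1.1" 404 169 "-" "curl/7.21.0"
198.51.100.7 - - [05/Aug/2010:11:01:06 +0100] "GET /dir3/ HTTP/1.1" 403 199 "-" "curl/7.21.0"
198.51.100.7 - - [05/Aug/2010:11:01:09 +0100] "GET /dir4/ HTTP/1.1" 404 169 "-" "curl/7.21.0"
198.51.100.7 - - [05/Aug/2010:11:01:12 +0100] "GET /dir5/ HTTP/1.1" 401 188 "-" "curl/7.21.0"
198.51.100.7 - - [05/Aug/2010:11:01:15 +0100] "GET /dir6/ HTTP/1.1" 404 169 "-" "curl/7.21.0"
this line is deliberately malformed and is skipped by the parser
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "client": m.group("client"),
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def denied_bursts(lines, window_seconds=60):
    """For each client, the largest number of denied responses that fall inside
    any window of window_seconds.  A single curious request scores 1; a
    scripted run scores as high as its rate allows."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] in DENIED:
            per_client[rec["client"]].append(rec["ts"])
    result = {}
    for client, stamps in per_client.items():
        stamps.sort()
        best, start = 0, 0
        # Sliding window over the sorted timestamps (two-pointer scan).
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        result[client] = best
    return result


def flag_systematic(lines, threshold=5, window_seconds=60):
    """Clients whose burst of denied responses reaches the threshold, i.e. the
    'repeated and systematic' pattern rather than a one-off request."""
    bursts = denied_bursts(lines, window_seconds)
    return {client: n for client, n in bursts.items() if n >= threshold}


if __name__ == "__main__":
    for client, n in flag_systematic(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {n} denied responses inside one {60}s window")
```

The threshold and window are policy knobs, not facts about the protocol: tightening the window to a few seconds stops flagging the same run, which is exactly why a rule of this kind has to state its parameters before anyone treats its output as evidence of intent.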

More information about the ukcrypto mailing list