Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
Peter Tomlinson
pwt at iosis.co.uk
Sat Jul 31 14:46:43 BST 2010
Mary Hawking wrote:
> In message
> <mailman.0.1280559135.19741.ukcrypto at chiark.greenend.org.uk>,
> ukcrypto-request at chiark.greenend.org.uk writes
>
>> On Fri, 30 Jul 2010, Peter Fairbrother wrote:
>>
>> | I don't get it.
>> |
>> | If I want to find out whether a site allows directory traversal -
>> | some sites do, some don't - how else am I going to find out other
>> | than adding a "/.." ?
>>
>> And it seems the tsunami hacker didn't even add "/.."
>>
>> - he simply truncated the URL, to find a parent or root page.
>
> I'm not sure I can get my head around the laws making this illegal -
> but I am sure that if truncating a URL to find a home page *is*
> illegal, the majority of ordinary internet users are criminals!
>
> I do it all the time - and it is often the *only* way to find the home
> page if you have been sent the URL for a document on a website, rather
> than the website itself.
>
I find it unbelievable that it's illegal, if only because it is so easy
to do by mistake - so I do not even support the conditional discharge,
because the prosecution should never have been brought. I suppose that
the physical world analogue is that you are tampering with a locked door
if you send that message - but really you are just trying a doorknob,
and thus the prosecutor should have to provide evidence that you have
malicious intent. So you need to find an internet police person and
report that somebody is tampering with your internet access - fat chance.

Recently I was at an IAAC Working Group about being safe on the
internet, and there the nature of the internet (wild and woolly) was
discussed, and whether it could be made tame. Having thought about it
both then and later, I'm of the opinion that the protection should be in
both web server and user system, and that it should be routinely
installed and configured in both, and be ubiquitous in its operation. So
protection against inadvertent illegality needs to be there in the
protection software in the user system, and the web server's system
should protect against a user doing the illegal thing. It's rather like
you having to have both working brakes and crashworthy bodywork on your
car if you drive it on the highway.
Peter