Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)

Peter Tomlinson pwt at iosis.co.uk
Sat Jul 31 14:46:43 BST 2010


Mary Hawking wrote:
> In message 
> <mailman.0.1280559135.19741.ukcrypto at chiark.greenend.org.uk>, 
> ukcrypto-request at chiark.greenend.org.uk writes
>
>> On Fri, 30 Jul 2010, Peter Fairbrother wrote:
>>
>> | I don't get it.
>> |
>> | If I want to find out whether a site allows directory traversal - 
>> | some sites do, some don't - how else am I going to find out other 
>> | than adding a "/.." ?
>>
>> And it seems the tsunami hacker didn't even add "/.."
>>
>> - he simply truncated the URL, to find a parent or root page.
>
> I'm not sure I can get my head around the laws making this illegal - 
> but I am sure that if truncating a URL to find a home page *is* 
> illegal, the majority of ordinary internet users are criminals!
>
> I do it all the time - and it is often the *only* way to find the home 
> page if you have been sent the URL for a document on a website, rather 
> than the website itself.
>
I find it unbelievable that it's illegal, if only because it is so easy 
to do by mistake - so I do not even support the conditional discharge, 
because the prosecution should never have been brought. I suppose that 
the physical world analogue is that you are tampering with a locked door 
if you send that message - but really you are just trying a doorknob, 
and thus the prosecutor should have to provide evidence that you have 
malicious intent. So you need to find an internet police person and 
report that somebody is tampering with your internet access - fat chance.

Recently I was at an IAAC Working Group about being safe on the 
internet, and there the nature of the internet (wild and woolly) was 
discussed, and whether it could be made tame. Having thought about it 
both then and later, I'm of the opinion that the protection should be in 
both web server and user system, and that it should be routinely 
installed and configured in both, and be ubiquitous in its operation. So 
protection against inadvertent illegality needs to be there in the 
protection software in the user system, and the web server's system 
should protect against a user doing the illegal thing. It's rather like 
you having to have both working brakes and crashworthy bodywork on your 
car if you drive it on the highway.

Peter



