[Gllug] Insecure practices at my ISP

David Pashley david at parguild.co.uk
Fri Apr 4 11:42:21 UTC 2003


On Apr 04, 2003 at 11:03, James Bailey praised the llamas by saying:
> 
> 
> > 
> > 
> > >> On 4 Apr 2003 10:19:37, David Pashley <david at parguild.co.uk> said:
> > 
> >    >> If he has not actually accessed areas of the system he is not
> >    >> authorised to access there has been no offence.
> > 
> >    > <http://www.ddplus.co.uk/DDPlus_Website/News_Community/
> >    > Easynet_Story/Easynet_dont_shoot_the_messenger.htm>
> > 
> > Not analogous at all.  In the article, "Certainly, he strayed into an
> > account (or accounts) other than his own, but wouldn't anyone with a
> > healthy sense of curiosity be tempted to do exactly the same?". Well,
> > no, not anyone who wants to stay out of prison..
> > 
> > Notifying your ISP that the version of {sendmail, bind, mysql} that
> > they're running is insecure and exploitable *without* getting a root
> > shell from it yourself can never be against the Computer Misuse Act,
> > which classifies against unauthorised access and modification, as 
> > Jason said.
> > 
> Surely if the ISP has set 755 permissions on a directory, they are saying the
> owner can read, write and execute this file, and group and other can read and
> execute. If they have got this wrong then they should own up and fix the
> problem, not attack the person who quite rightly explored the limits of his
> account and, on feeling that some of the areas he was allowed into should
> in fact be closed off to him and others, advised them of this fact.
>
Entering a property through an open door or window does not stop it
being theft. 

Section 1:

 1.-(1) A person is guilty of an offence if-
 (a) he causes a computer to perform any function with intent to secure
     access to any program or data held in any computer;
 
 (b) the access he intends to secure is unauthorised; and
 
 (c) he knows at the time when he causes the computer to perform the
     function that that is the case.

(2) The intent a person has to have to commit an offence under this
    section need not be directed at-
 (a) any particular program or data;
 
 (b) a program or data of any particular kind; or
 
 (c) a program or data held in any particular computer.

(3) A person guilty of an offence under this section shall be liable on
    summary conviction to imprisonment for a term not exceeding six months
    or to a fine not exceeding level 5 on the standard scale or to both.

http://www.legislation.hmso.gov.uk/acts/acts1990/Ukpga_19900018_en_2.htm#mdiv1

If he views any data which he knows is unauthorised, he is guilty of an
offence under section 1 of the Computer Misuse Act (1990). The ISP
could argue that viewing anything other than his files has not been
authorised. Especially if you assume everything is unauthorised unless
permitted.


> They should be thankful that someone as decent as Gary found this and not
> some spotty 14 year old 733t with an attitude problem.
> 


-- 
David Pashley
david at davidpashley.com
Nihil curo de ista tua stulta superstitione.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
URL: <http://mailman.lug.org.uk/pipermail/gllug/attachments/20030404/f27374e3/attachment.pgp>
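The 755 point in the quoted reply is about what the mode bits actually grant to "other", i.e. every other account on a shared host. As an added example (not code from this thread or from anyone on the list), here is a small Python audit that decodes a numeric mode into the usual rwx string, spells out what other users can do with a directory, and walks a /home-like tree flagging directories that other local users can list, enter or write. The tree, the user names and the function names are all constructed for the demo; on a real host you would point `audit_home_dirs` at `/home` and expect the fix to be 700 or 750 with a sensible group, not 755.

```python
import os
import stat
import tempfile


def mode_to_rwx(mode: int) -> str:
    """Decode a permission mode such as 0o755 into 'rwxr-xr-x'."""
    bits = [
        (stat.S_IRUSR, "r"), (stat.S_IWUSR, "w"), (stat.S_IXUSR, "x"),
        (stat.S_IRGRP, "r"), (stat.S_IWGRP, "w"), (stat.S_IXGRP, "x"),
        (stat.S_IROTH, "r"), (stat.S_IWOTH, "w"), (stat.S_IXOTH, "x"),
    ]
    return "".join(ch if mode & bit else "-" for bit, ch in bits)


def others_can(mode: int) -> dict:
    """What 'other' (any account on the box) may do with a directory of this mode.

    On a directory the read bit lets you list the names inside it, and the
    execute bit lets you enter it and open files whose names you already know.
    """
    return {
        "list": bool(mode & stat.S_IROTH),
        "traverse": bool(mode & stat.S_IXOTH),
        "write": bool(mode & stat.S_IWOTH),
    }


def audit_home_dirs(root: str) -> list:
    """Return (name, rwx string, others_can dict) for each immediate subdirectory
    of root that other users can list, enter or write. Symlinks are not followed."""
    findings = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        st = os.lstat(path)
        if not stat.S_ISDIR(st.st_mode):
            continue
        perm = stat.S_IMODE(st.st_mode)
        o = others_can(perm)
        if o["list"] or o["traverse"] or o["write"]:
            findings.append((name, mode_to_rwx(perm), o))
    return findings


def demo() -> list:
    """Constructed sample: a throw-away /home-like tree with mixed modes.
    Returns the audit findings; only 'alice' (755) and 'carol' (711) should appear."""
    with tempfile.TemporaryDirectory() as root:
        for user, mode in (("alice", 0o755), ("bob", 0o750),
                           ("carol", 0o711), ("dave", 0o700)):
            path = os.path.join(root, user)
            os.mkdir(path)
            os.chmod(path, mode)  # set the exact mode regardless of umask
        return audit_home_dirs(root)


if __name__ == "__main__":
    for name, rwx, o in demo():
        print(f"{name:8s} {rwx}  others: {o}")
```

The 711 case is the one people miss: other users cannot list the directory, but they can still read any file inside it whose name they can guess, which on a shared host with conventional paths (public_html, .bashrc) is most of them.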