[Gllug] Insecure practices at my ISP
David Pashley
david at parguild.co.uk
Fri Apr 4 11:42:21 UTC 2003
On Apr 04, 2003 at 11:03, James Bailey praised the llamas by saying:
>
>
> >
> >
> > >> On 4 Apr 2003 10:19:37, David Pashley <david at parguild.co.uk> said:
> >
> > >> If he has not actually accessed areas of the system he is not
> > >> authorised to access there has been no offence.
> >
> > > <http://www.ddplus.co.uk/DDPlus_Website/News_Community/Easynet_Story/Easynet_dont_shoot_the_messenger.htm>
> >
> > Not analogous at all. In the article, "Certainly, he strayed into an
> > account (or accounts) other than his own, but wouldn't anyone with a
> > healthy sense of curiosity be tempted to do exactly the same?". Well,
> > no, not anyone who wants to stay out of prison.
> >
> > Notifying your ISP that the version of {sendmail, bind, mysql} that
> > they're running is insecure and exploitable *without* getting a root
> > shell from it yourself can never be against the Computer Misuse Act,
> > which classifies against unauthorised access and modification, as
> > Jason said.
> >
> Surely if the ISP has set 755 permissions on a directory they are saying the
> owner can read, write and execute this file and group and other can read and
> execute. If they have got this wrong then they should own up and fix the
> problem, not attack the person who quite rightly explored the limits of his
> account and, when feeling that some of the areas he was allowed into should
> in fact be closed off to him and others, advised them of this fact.
>
Entering a property through an open door or window does not stop it
being theft.
Section 1:
1.-(1) A person is guilty of an offence if-
(a) he causes a computer to perform any function with intent to secure
access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the
function that that is the case.
(2) The intent a person has to have to commit an offence under this
section need not be directed at-
(a) any particular program or data;
(b) a program or data of any particular kind; or
(c) a program or data held in any particular computer.
(3) A person guilty of an offence under this section shall be liable on
summary conviction to imprisonment for a term not exceeding six months
or to a fine not exceeding level 5 on the standard scale or to both.
http://www.legislation.hmso.gov.uk/acts/acts1990/Ukpga_19900018_en_2.htm#mdiv1
If he views any data which he knows is unauthorised, he is guilty of an
offence under section 1 of the Computer Misuse Act (1990). The ISP
could argue that viewing anything other than his files has not been
authorised, especially if you assume everything is unauthorised unless
permitted.
> They should be thankful that someone as decent as Gary found this and not
> some spotty 14 year old 733t with an attitude problem.
>
--
David Pashley
david at davidpashley.com
Nihil curo de ista tua stulta superstitione.