Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!caen!spool.mu.edu!uunet!vtserf!marchany From: marchany@vtserf.cc.vt.edu (Randy Marchany) Newsgroups: comp.admin.policy Subject: Re: Footnote to user who mailed /etc/passwd Message-ID: <1967@vtserf.cc.vt.edu> Date: 27 Jun 91 19:44:10 GMT Article-I.D.: vtserf.1967 References: <1991Jun27.183621.14667@athena.mit.edu> Organization: Virginia Tech, Blacksburg, VA Lines: 56 In article <1991Jun27.183621.14667@athena.mit.edu> purdon@athena.mit.edu (James R. Purdon III) writes: >As you may all recall, recently there was an posting describing a student >who was suspended for mailing the /etc/passwd file of athena.cs.uga.edu >to another individual who was going to run a password guesser against it. >In the posting, mention was made of the Georgial law against computer >fraud and abuse, which was claimed to be strict and in the process of >being made more strict. >a. Either email or terminal sessions were logged and read as a matter of > course, without prior suspicion of wrong doing. >b. The mention of Georgia law, rather than UGA policy, meant that UGA > did not have a clearly stated policy regarding computer use. >In response, I wrote a posting of a critical nature. In my opinion, the >Georgia law is too broad to be good policy. In my posting, I printed >Well, I still think its wrong to routinely log and review the contents of >terminal sessions and email without prior suspicion and without informing >users that a policy of routine logging and review is in effect. Excerpt from the Georgia Computer Systems Protection Act, Title 16, Ch. 9, section 90. 16-9-93. Accessing of computers,etc. for fraudulent purposes; unauthorized access, alteration, destruction, etc., of computers, etc. a) Any person who knowingly and willfully, directly or indirectly, w/o authorization, accesses, causes to be accessed or attempts to access any computer, computer system or network ....is owned by state, county, or local govn't for the purpose of: 1) devising any scheme or artifice to defraud or; 2) obtaining money, property or services for themselves or another by means of false or fraudlulent pretenses, representations or promises, upon conviction thereof, shall be fined a sum of not more than 2.5 times the amount of the fraud or theft or imprisoned not more than 15 years or both. b) ANy person who intentionally and w/o authorization, directly or indirectly accesses, alters, damages, destroys or attempts to damges or destroy any computer, computer system or network or any computer software, program or data, upon conviction thereof, shall be fined not more than $50,000.00 or imprisoned not more than 15 years or both 16-9-95. Duty to report violations of this article; immunity from liability for making such report. It is the duty of every business; partnership; college, university; person; state, county or local governmental agency or dept. or branch thereof; corporation or other business entity which has reasonable grounds to believe that a violation of this article has been committed to report promptly the suspected violation to law enforcement authorities. (the rest of the article states that when done in good faith, the various entities are immune from any civil liability). As an old Doonesbury cartoon said, "it may or may not be wrong but it sure is against the law....". Machine readable text of computer crime statutes of at least 25 states are available via anonymous FTP from ftp.cs.widener.edu under the /pub/cud/law directory. -Randy Marchany