Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Path: utzoo!mnetor!seismo!husc6!rutgers!sri-spam!mordor!lll-tis!ptsfa!rtech!daveb From: daveb@rtech.UUCP (Dave Brower) Newsgroups: comp.misc,misc.headlines Subject: Re: Hacker Scholarship Message-ID: <963@rtech.UUCP> Date: Thu, 25-Jun-87 15:05:20 EDT Article-I.D.: rtech.963 Posted: Thu Jun 25 15:05:20 1987 Date-Received: Sat, 27-Jun-87 07:03:01 EDT References: <2757@mtgzz.UUCP> <345@genesis.UUCP> <2318@hoptoad.uucp> <497@cblpe.ATT.COM> <871@van-bc.UUCP> <2240@bunker.UUCP> Reply-To: daveb@rtech.UUCP (Dave Brower) Organization: Relational Technology, Alameda CA Lines: 88 Xref: mnetor comp.misc:747 misc.headlines:746 In article <2240@bunker.UUCP> rha@bunker.UUCP (The Minister of Myrth) writes: >In article <871@van-bc.UUCP> sl@van-bc.UUCP (Stuart Lynne) writes: > >>Walking into someone's house and taking something is theft.... >>This is because most civilized states pass law's making it so... > > If I admit someone into my home and this person walks into my bedroom >while I'm in the bathroom and steals my wife's necklace from her jewelry box, >this person is guilty of larceny. If my office has no reception area but >someone walks in and takes some files out of my file cabinet without my >consent, that person is guilty of larceny. > > Electronically stored information should be no different from any other >tangible good. If a computer system has even basic security features and >this security is violated by someone who is not authorized, then this person >should be guilty of either larceny or breaking and entering, whichever is >more applicable to the particular circumstance. Ah, we're talking hypotheticals and analogies. I have a house and garden next to a city park. There is no fence between them, and no 'no trespassing' signs. * Some people walk in to my garden. Can they be convicted of trespassing? (Not likely) Can I collect civil damages for 'invasion of my space'? (I doubt it.). * Someone reads my tax return that I have left on the picnic table. Can they be convicted of any crime? (I can't think of one). Can I collect any civil damages? (I can't see why). * Someone reads a document showing how my company is going to go chapter 7 next week. This person shorts a bunch of stock. Can he be convicted of anything? (Don't know?) Can I? (Maybe I'm in trouble with the SEC for not adequately protecting sensitive information). * They cut some roses from my bush. Can they be convicted for theft? (Possibly). Can I collect civil damages? (Maybe). * They smash my Mickey Mouse statue. Can they be be convicted of vandalism, or whatever? (Probably). Can collect civil damages? (Probably). * They take my barbecue pit. Can they be convicted of theft? (Probably). Can I collect civil damages if it is not recovered? (Possibly). It seems to make a lot of difference how 'secure' my back yard is from someone doing reasonable and legal activities. If the trespassers do only innocuous actions, it will be difficult for me to collect any civil damages, since I haven't really been hurt. Trespassing may or may not be criminal depending on the law and how well I have held my part of the bargain to deter people from entering. If there is no sign and no fence, I may be out of luck. With the more serious criminal charges, the individuals are probably culpable because their activity is illegal, period. As a reasonable man, I cannot expect the law to protect my rights and property before I suffer harm. I may hope that the existance of law is going to deter illegal actions against me, but I cannot assume this will work. I can hope that the perpetrators are prosecuted to "the full extent of the law." If I want people out of my garden, and don't want my precious Mickey to be at risk of random vandalism, I had better put up an fence adequate to the neighborhood. This isn't a question of legality, but of prudence. The analogies to computer security are clear. If electronic tresspassing is illegal (as I think may be the case), I had better put up whatever 'fences' the law requires for me to fall under it's protection. I cannot expect this law to protect my system from illegal access. If I want to protect my data from destruction or dissemination, I should plug whatever holes places them in jeapordy. I am responsible for it because it is my data. I see Jobs' "scholarship" as inviting people to locate potential problems, in a way that will not greatly endanger the real security of the the systems in question. This does not seem cause for villification. -dB -- {amdahl, cbosgd, mtxinu, ptsfa, sun}!rtech!daveb daveb@rtech.uucp