
List:       owasp-dotnet
Subject:    [Owasp-dotnet] Re: Computer Misuse Act Section 1
From:       Michael Silk <michaelslists () gmail ! com>
Date:       2005-04-20 2:10:23
Message-ID: 5e01c29a05041919101b1af180 () mail ! gmail ! com

On 4/20/05, Markus Willms <markus_willms@hotmail.com> wrote:
> Hi Michael, the Group ...
>
> apologies for the delay. The reason why I wrote this is because a lot of people seem to slag off the Computer Misuse Act. I would like to know why so? Not that I think that it is a perfect Act, although I do not think that it is such a badly formulated one either. I only would like to know how you could improve it? With examples and real cases, if possible.

Ahh, I see.

> Additionally I would like to hear from people who have had first hand experience when they have been threatened to be prosecuted by this Act and what the actual case and arguments were.
>
> Concerning Scenario 4. I tried to make the point that by merely looking at the computer, containing whatever information, and the fingers off the keyboard and mouse, Marc does not commit a crime under the Computer Misuse Act, as he does not 'cause the computer to perform a function'.
I still think he does. He has secured access to something he is not authorised for (term b). By looking at the computer he is securing access. You're right though, he didn't actually click anything or type anything to make the computer display it, but I still think he could be prosecuted under this law, and others. But I guess it's up to interpretation.

-- Michael

> Whether he commits a crime under any other UK law, I can not say as I do not know. Although I believe that the term 'confidential' is immaterial for UK law ... but I might be mistaken.
>
> In my opinion it is arguable, whether in the case that he had touched the mouse and scrolled the document (just in order to read it), that this could be seen as 'causing the computer to perform a function'. It probably does, as the movement of the mouse will cause an interrupt at the CPU and so on. The other side of the argument would be that the document was already loaded into memory, hence Marc was only seeing the result of this.
>
> best regards
> Markus Willms
>
> With regard to
>
> > Hey Markus, ...
> >
> > I've read your scenarios here and am not sure what your point is ... ? Do you think that the law needs to be changed? For the excerpts you posted below, it seems fine to me.
> >
> > Regarding scenario 4 (Reading already-open email) you seemed concerned this wasn't under "computer misuse". I disagree; namely simply by _LOOKING_ at a computer screen you are "using" it. Further, even if that angle strikes out (which I doubt) he is reading confidential information [someone else's email] so he would be prosecuted under some law covering confidentiality.
> >
> > All your other scenarios and the resulting action based on the excerpts seemed fine to ...
> >
> > I guess I missed something?
> >
> > -- Michael
> >
> > On 4/15/05, Markus Willms <markus_willms@ho...> wrote:
> > > Hello group,
> > >
> > > after the conference last sunday, I had a conversation with Dinis about the CMA, I came up with the following scenarios, in order to interpret section 1 of the act. I saw that Dinis was trying to post my mail earlier, but to no avail. I post this message, because I do not think it is correct what it says in the vnunet article.
> > >
> > > My question is, how would you improve this law? It is obviously not an easy task to draw the line between the good and the bad guys.
> > >
> > > # Here is where I took below extracts from:
> > > # http://www.hmso.gov.uk/acts/acts1990/Ukpga_19900018_en_2.htm#mdiv1
> > >
> > > 1) A person is guilty of an offence if
> > > (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
> > > (b) the access he intends to secure is unauthorised; and
> > > (c) he knows at the time when he causes the computer to perform the function that that is the case.
> > >    (2) The intent a person has to have to commit an offence under this section need not be directed at
> > > (a) any particular program or data;
> > > (b) a program or data of any particular kind; or
> > > (c) a program or data held in any particular computer.
> > >    (3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.
> > >
> > > 4) Jurisdiction
> > > (2) Subject to subsection (3) below, in the case of such an offence at least one significant link with domestic jurisdiction must exist in the circumstances of the case for the offence to be committed.
> > >
> > > In short this means the following. In order for this law being applicable for a certain traffic, which affects the computer in question, the traffic must either:
> > > * originate in the UK and terminate inside the UK
> > > * originate in the UK and terminate outside the UK
> > > * originate outside the UK and terminate inside the UK
> > > * originate outside the UK, pass through the UK, and terminate outside the UK
> > >
> > > In all 4 cases, there is a significant link to the UK. Hence the law is applicable. In practice, usually prosecution is done in the state where the traffic terminates. Nevertheless, the UK officials would have to help in evidence gathering for all of these cases, if brought to their attention.
> > >
> > > 17)
> > > Access of any kind by any person to any program or data held in a computer is unauthorised if
> > > (a) he is not himself entitled to control access of the kind in question to the program or data; and
> > > (b) he does not have consent to access by him of the kind in question to the program or data from any person who is so entitled.
> > >
> > > Here are the examples I wrote to clarify Section 1 a little bit further.
> > >
> > > Scenario 1:
> > > Steven's computer is sitting idle in Steven's office, showing the Windows login screen whilst the owner is away. Marc enters the room and tries to log on? He has got 3 invalid logon attempts?
> > >
> > > Is this intentional? Is this criminal intent?
> > >
> > > We can not really say at this moment, as we do not know who Marc is. Let's assume Marc is a colleague who tries to log onto the domain. Now it is kinda obvious. It would be very difficult for any prosecutor to try to convince the judge that Marc tried to gain unauthorized access. Marc will claim that he had fat fingers that day and could not log into his domain account.
> > >
> > > Scenario 2:
> > > If Marc tried to log in with Steve's userid because it is cached in the userid field, for instance, then this is a different story.
> > >
> > > If Steve walks in at that time and sees Marc trying to log in with his credentials, then in the extreme case this could be grounds for dismissal. This stuff usually never gets to court, but it is important that company policy writers do bear in mind that this is seen as criminal activity, hence any civil actions are justifiable. Marc will most likely deny everything. If nothing is logged then any action to be taken will be difficult and even if logs exist, it will still be difficult to say whether Steve was the one who tried to log in at that time. It might as well have been somebody else.
> > >
> > > These difficulties are not due to the nature of the law, they are simple problems of evidence collection and preservation.
> > >
> > > Scenario 3:
> > > Marc was sacked an hour ago, now he goes to his office to pack up his stuff. He has been informed by his (former) boss Steven that his computer has already been removed from his office and that his network account has been disabled. When passing by at Steven's office, he sees that he is not in. So he tries to log in from Steven's office.
> > >
> > > Here it does not matter whether he tries to log in with his account or Steven's account, whilst guessing his password. If this really went to court, which in 99% would not anyway, presuming they caught him in the act, then any judge could easily see the intent to gain unauthorized system access as he had been notified before. How well Marc can argue with his boss that he had forgotten about this and that he still thought he had an account etc. is irrelevant for this.
> > >
> > > Scenario 4:
> > > Marc gets into Steven's office in order to leave the access badge to his manager, in order to leave once and for all this stupid company. He sees that Steven has not logged out and starts therefore to read an email, which Steven had forgotten to close, which explains in detail why Marc had been sacked. At that moment Steven steps in and challenges him furiously about who had allowed him to access the file?
> > >
> > > Has Steven committed a crime according to Section 1 of CMU? No, as he has not caused the computer to cause a function. It is therefore arguable whether there was intent.
> > >
> > > Scenario 5:
> > > If Marc had opened another file, before Steven entered the room, would he have committed a crime?
> > >
> > > Yes, as he would have caused the computer to cause a function. And yes, there was intent to read it. Besides, he knew that he was not authorized as nobody had given him right to do so explicitly, after being notified of having no longer an account on the network. By whom could he have been authorized? By Steven for instance.
> > >
> > > Scenario 6:
> > > Joe was hired recently as an accountant. On his job description, which he had to sign, was a note on his responsibilities and access privileges. It actually reads "clearance: confidential". The first week, he accesses all the files in his home directory: .Secret.payment, Confidential.accounts and Confidential.employees. When the system administrator does a routine job, he realizes that he had forgotten to set the permission masks in Joe's home directory. Uups. He sees in his logs that Joe has accessed all files in his home directory, including the "hidden" file .Secret.payment. He lets Joe's manager know. The following day Joe is called into the manager's office.
> > >
> > > Has Joe committed a crime according to section 1 of CMA? No!
> > >
> > > Yes, he has committed the computer to perform a function when listing the directory and accessing the file, but he did not know at the time that this access request would be an unauthorized request (as he has not received any security training yet, nor has he been explained how the access mechanisms work).
> > >
> > > Scenario 7:
> > > The manager has his talk with Joe and reminds him that security is taken very seriously in the company and that all access requests will be monitored. At the same time, he books Joe onto the introductory "security awareness" course. After 6 months in the office, Joe gets bored (as he always is doing the same type of jobs) and starts browsing material within other parts of the server. He comes across a file called Secret.security.infrastructure. He tries to open it, and gets immediately
> > >
> > > Access Denied!
> > >
> > > Has he committed a crime? No! As it is undecidable whether this access request was by mistake or with intent.
> > >
> > > If Joe tries twice or three times in a time to access this file and always gets the same response, the picture changes and almost anybody could not perceive some form of intent in Joe's actions.
> > >
> > > I shall post some stuff on section 2 and 3 soon.
> > >
> > > I hope you found this useful. I would appreciate some feedback.
> > >
> > > best regards
> > > Markus Willms
> > > > > > > >ӆ+^隊X'u5+-jT \
> > > > > > > > ^rU슉է]w~ܶ*'jX׬	v+yۜzئz)[v)ܭ歊x{^xjw] \
> > > > > > > > zh)hا%بŭ竺{b~{j۫zzj_ڷm0wy \
> > > > > > > > l&ׯ/ݢ޶f)+-;hwXy+zmbq+-bا~)-
> > > > > > > > 

