Hi. In a nutshell:
Some of you have most probably already received this letter before.
Those who haven't read it yet might find this document interesting: it is a ruling on a hacking case in an Israeli court.
http://law.co.il/computer-law/mizrachi.pdf
Defendant Avi Mizrachi wanted to submit his resume to the Mossad. He ran a vuln-testing tool of unknown type on the site, which is maintained at the Ministry of Finance offices as part of the Tehila project. In his defense, he claims that he wanted to check whether his details were going to be secure enough on the site. The prosecution claims that he wanted to impress his prospective employer.
The judge takes an extreme pro full disclosure attitude, and acquits the defendant. The judge says that he doesn't care what the motives for carrying out the vulnerability scanning were: it is allowed, as is publishing the scan results! The only thing that is not allowed is scanning a network for the purpose of actually breaking in.
Choice citations:
In paragraph 65 the judge presents a theory, though not necessarily adopting it, that regarding cyberspace as a metaphor for the real world is hurting the very spirit that brought about the Internet revolution to begin with. He cites Dan Hunter in "Cyberspace as Place and the Tragedy of the Digital Anticommons":
There are scholars who claim that the very term "cyberspace" is wrong, and causes harm. The very fact that we see the Internet as a physical, penetrable place causes us to cast upon it our assumptions from the physical world. We started viewing the Internet as a space where each site has its own private place, which belongs only to it. This stands in complete contradiction to the way the Internet was formed, as a common resource belonging to the entire community, and without private owners or resource controls.
This idea is further repeated, this time as expressing the judge's opinion, in paragraph 87:
This court's principal opinion is that one must exercise caution when doing logical extrapolation of the usual criminal laws on to Internet related laws. The usual criminal laws apply to a world based on clearly defined private ownership, strict hierarchy, private interests and self-caring players. The Internet is based on sharing, donating resources, trust and commonly available resources.
The judge gives reference to an article written by him at http://www.mishpat.ac.il/courses/tennenbaum/index/main/articles/Internet%20Implications-Heb.pdf. Someone should really tell him about http://tinyurl.com.
The judge goes on to point out the flip side in paragraph 88:
There are two sides to this coin, of course. The very same trust that allowed the Internet community to flourish brought along some negative phenomena as well. The openness and sharing can be exploited, and they often are. Junk mail (spam) is an obvious example of exploiting the trust given to Internet users. Due to the Internet's peer-equal architecture we have reached a point where a large percentage of the total email sent is spam that no one asked to get, and is forced on the public.
When we are interpreting Internet laws, we need to adopt an interpretation that will help the Internet world continue to evolve, and not in a way that will limit, hinder and slow down its evolvement.
According to this principle, checking the security of other sites is a mainly desired activity that needs to be encouraged, not discouraged, even if it may seem like a "Chutzpa" towards the owners of the sites. It is important to stress that this is not forgiveness. The very same principle [that requires us to forgive in this case] will require us to interpret the laws in their strictest, burdening, and even harsh form towards those who hurt, in their very behaviour, the Internet infrastructure, an infrastructure that is, as mentioned above, very vulnerable _because_ of the sharing and trust that make the Internet. People spreading viruses and other malware should be gravely punished, and a correct interpretation will be to extend their liability, not let them get away under one pretense or another.
To sum it up, the judge was convinced that vulnerability scanning and full disclosure are a positive thing, and as such should not be punished. This assertion is made in paragraph 69, and I believe that it goes unexplained. I.e. - the judge's assertion that vulnerability scanning is a positive thing is a presupposition of the verdict, and is not explained further in the paper.
The basic reasoning behind allowing this, however, is explained. It is in paragraph 72. Basically, the judge says that one vulnerable site is a security problem for everyone, and it is therefore legitimate for everyone to scan all sites. He also mentions (P. 73) that almost all sites get scanned all the time anyway, and must therefore be able to sustain such activity.
I hope this helps.
Shachar
-- Shachar Shemesh Lingnu Open Systems Consulting http://www.lingnu.com/