[cap-talk] bundling designation and authority

Sandro Magi smagi at naasking.homeip.net
Wed Oct 12 22:05:40 EDT 2005


Ian G wrote:
>> However, in this case the defendant did not deny his actions nor his 
>> *intent*.
> 
> He intended to type ../../../ but what was the
> reason for doing that?  The intent behind the
> intent is what matters here.

He clearly stated his intent by explaining that he was investigating the 
legitimacy of the website involved.

> The court decided to ignore it.  Well, it probably
> wasn't presented. 

This is entirely possible.

>> The argument put forth by the "computer crime expert" is ultimately 
>> what matters, "...the access was unauthorised. He came to a site for 
>> which he did not have permission to exceed the normal user levels of 
>> access and attempted to elevate that access."
> 
> Why is it ultimately what matters?  I would have
> thought that if someone like Ross Anderson got up
> and presented the alternate, the "expert" would
> have been left no more than a pair of smoking
> boots.
> 
> "The access was not unauthorised, as he was invited
> to enter his credit card.  When the protocol failed,
> the guy went looking for his receipt and some
> proof of bona fides ... he tried a few doors in his
> quest for satisfaction."
> 
> I wouldn't say that is a compelling argument, but
> it sounds no less compelling than "access was
> unauthorised" which to me smacks of assumption
> and convenience.

Perhaps I was unclear in my explanation. The links on the web pages 
served by BT's web server, starting from the homepage, are taken as 
explicit authorizations. Any links or URLs not explicitly presented on 
these pages are implicitly assumed to be unauthorized. This is how I 
believe the court is interpreting the web.

Thus, the legitimacy as specified in RFCs is irrelevant. BT did not 
provide a link to the URL the defendant attempted to access, thus his 
access was unauthorized [1].

[1] To enforce this requirement, perhaps they should have used the 
Web-Calculus: http://www.waterken.com/dev/Web/

>> While the URL may indeed be valid as per the RFC, the interpretation 
>> of attempting to access that URL by fabrication is illegal.
> 
> OK.  So if I encourage you to go to
> 
>    http://donate.bt.com/../../../
> 
> and tell you there is a free ferrari
> waiting for you if you just donate 30
> pounds ... and you click ... have you
> committed a crime?
> 
> (Ignore me ... I could be a phisher or
> a computer or a website.)

I don't know, it's not my decision. :-)

>> If I may be allowed an analogy, it's illegal to utilize/enter private 
>> property without permission, regardless of how many unlocked windows 
>> or open doors one has; merely the intent and attempt to obtain 
>> unauthorized access is enough to violate the letter of the law. How 
>> one did it, either by walking right in or picking a lock, is often 
>> irrelevant (except that you might *also* get charged with possession 
>> of illegal items in the latter case depending on where you live).
> 
> It is only the claim of BT after the fact
> that makes it unauthorised.  I'd wave the
> RFC and point out where it is specifically
> authorised.  What document is their expert
> going to wave?

The fact that the link was not explicitly provided but was fabricated by 
the defendant is the difference here. You are using the RFC as an 
implicit authorization/contract that the web server must satisfy; if it 
were really a contract it would hold legal weight. RFCs do not hold 
weight as far as I know; it seems to me that an RFC is merely an informal 
agreement between co-operating parties.

I think the ruling is a bit silly and worrying too, but it's not 
completely unfounded.

Sandro