[cap-talk] bundling designation and authority

Jed at Webstart donnelley1 at webstart.com
Thu Oct 13 23:08:53 EDT 2005


At 03:50 PM 10/13/2005, Sandro Magi wrote:
>...
>I think I summarized it clearly here:
>http://eros.cs.jhu.edu/pipermail/cap-talk/2005-October/003972.html
>
>The charges had to satisfy all of the following criteria:
>
>1. "he causes a computer to perform any function with intent to 
>secure access to any program or data held in any computer;" (he was 
>browsing the website)
>
>2. "the access he intends to secure is unauthorised;" (?)
>
>3. "he knows at the time when he causes the computer to perform the 
>function that that is the case." (dependent on #2)
>
>How authorization was determined is currently unspecified. I 
>provided the following argument as a possibility:
>
>To quote you, "Accesses are associated with a particular context and intent."
>
>Suspecting a phisher, the defendant openly admitted that he 
>attempted to obtain additional information (intent) not present on 
>the given web pages (the authorized context).

Aren't you assuming what you are trying to demonstrate in the 
above?  Namely that the "given web pages" (whatever those are) are 
the authorized context?

>While individual URLs divorced of context do not have authorization 
>content, once bound in a web program,

A "web program"?  What do you mean by that?  How is the authorization 
context of such a "web program" visible to the user?  E.g. in the 
sense that Nick Szabo noted earlier, "So I'd characterize our issue 
as: what is the (if any) widely understood way of communicating 
authorization to web users?"

>these URLs do take on meaning. After all, URIs/URLs are "resource 
>identifiers/locators"; given the context of a particular web server, 
>each legitimate URL has significant meaning when compared to URLs 
>that would return 404.

How is that meaning "authorized context" communicated to the user?  I 
don't believe there was any such communication in this case.  It 
seems to me that Mr. Cuthbert had a reasonable belief that his 
../../../ access was "authorized" and perhaps only unexpected in the 
case the site was phishing.

--Jed http://www.webstart.com/jed/ 


