Re: Computer Misuse Act
- From: Cynic <cynic_999@xxxxxxxxxxx>
- Date: Wed, 26 Oct 2005 12:19:27 +0100
On Tue, 25 Oct 2005 19:54:50 +0100, Chris Lawrence
<news03@xxxxxxxxxxxxxxxxxxxxx> wrote:
>> >I'm aware of that incident and the outcome, I'm just wondering how you
>> >leapt from that to "you should *not* enter a path that you do not know
>> >has been published". What defines what is "published", and what is a
>> >"path" in the context of a URL?
>>
>> Read through the thread. I have detailed both many times and
>> exhaustively.
>
>Unfortunately you haven't - you think you have, but you have not. The
>attempted path traversal has been widely published, and altering a path
>is a perfectly valid and legal form of navigation. The logical
>conclusion of your advice is that no typing should take place in the
>address field, on pain of prosecution for anything from typos to full
>blown hack attempts.

The only time that Joe Soap would type a URL is if s/he was copying it
from a published source. The average web user does not have the
slightest understanding of the mechanics of how a URL is broken down
and used by a web server.

I have stated that you could be convicted if a court is convinced that
what you did was done in order to access something for which you know
or suspect you have no permission to access. The chances are very
high that the person making that judgement (a magistrate or a jury)
will have little technical knowledge. If therefore you did something
that *they* regard as unusual, and it had the effect of accessing or
attempting to access a "private" area of a server, the chance is
extremely high that they will conclude that you knew full well that
you were attempting to do so.

You *may* be able to get a defence expert to convince the court
otherwise, but do you want to take the chance?

In practice of course, you will not come to the attention of the
authorities unless you *do* attempt to access something that you are
not entitled to access. I put it to you that if you are in the habit
of guessing at paths, there is a chance that sooner or later that will
happen.

>Not for "entering a path that you do not know has been published"
>though. For attempting to exploit a known vulnerability, yes, in this
>case.

In this case, the reason was far simpler. The defendant openly
admitted that what he did was an attempt to access a part of the
server that he knew he had no permission to access. He made the
admission because like many posters in this thread, he believed that
he was entitled to enter whatever path he wanted on a public server to
see whether it granted him access. He now knows that the law does not
agree. And also that ignorance of the law is no excuse.
--
Cynic