Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Act as If You Care About Security



 By: Peter Coffee
2006-05-29
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Opinion: If you don't protect your assets, the law might not either.

If a path crosses private property, and theres a long-standing habit of public use of that path, and the owner of the property makes no effort to demonstrate ownership—for example, by building a gate and closing it for one day each year—then the owner risks a judgment in law that a public right of way has come to exist.

This is perhaps the strongest (or even the only) argument available in the defense of Gary McKinnon—a self-labeled "bumbling computer nerd" who faced, as of mid-May, the risk of extradition from Britain to face trial in the United States on charges of repeated illegal access to government computers.

McKinnons two-pronged argument might begin with his public assertion that the systems he accessed had default administrative user IDs and no password protection—not merely trivial passwords, but no passwords at all. "The fact that I logged on with no password meant there was no security to begin with," McKinnon said in May to reporters in London.

This 40-year-old is not a devious hacker seeking riches or revenge. McKinnon is a minimally educated stoner who was looking for evidence of multinational government dealings with extraterrestrials. Far from employing advanced techniques, he used freely downloadable tools and made no effort to disguise himself on the Net.

Resource Library:

The Government Accountability Office slammed the IRSs security procedures. Click here to read more.

McKinnon went after a target of opportunity: "I found out that the U.S. military uses [Microsoft] Windows," he told the BBC last summer, "and having realized this, I assumed it would probably be an easy hack if they hadnt secured it properly."

Prosecutors will doubtless call that last statement an admission of knowingly doing wrong, but McKinnon has another point to make: "Once youre on the network, you can do a command called NetStat—Network Status—and it lists all the connections to that machine," he explained to another interviewer from a UFO-related Web site. "There were hackers from Denmark, Italy, Germany, Turkey, Thailand …" The incredulous interviewer asked him, "All at once?" McKinnons reply: "Every night."

So, heres the picture that McKinnons defense team can paint: These systems had their front doors wide open, with a cosmopolitan come-as-you-are party going on inside. Lawyers can invoke at least three different labels to describe this situation, with many variations under the law in different countries.

"Permissive easement" can arise if you continually let a person do something with your property; at some point, a court may find that that person has acquired the right to keep on doing it.

"Estoppel by acquiescence" may be found to arise if you dont complain that youve been harmed; your silence becomes a consent that bars future complaint.

"Laches" can become another partys affirmative defense if you dont assert a right promptly against that party, and that party proceeds in (presumed) ignorance of your right. You cant then ambush the infringer, complaining of an augmented offense that you could have prevented by earlier action to minimize your own harm. Its like a statute of limitations, but one thats based on fairness rather than an arbitrary length of time.

Regardless of the lawyerly label, though, youre in a weak position if someone accesses your systems and can claim that there was no barrier—not even a notice of ownership—to make it clear that a resource on the public network was not being offered for public use. Centuries of precedent make it the obligation of an owner to assert control or lose it.

Im not wearing a "Free Gary" T-shirt, nor am I even asserting that these defenses ought to succeed in this case. What Im urging here is that you think about the situation that youd be in if someone intruded on your systems, perhaps causing damage that clearly was not intended, and claimed that there was no clear notice on the path that permission was required to pass.

Your own systems should be nontrivially defended and prominently labeled to eliminate the chance that either an intruder or a careless employee will be able to disclaim responsibility for abusing your IT assets.

For reader response to this column, click here.

Technology Editor Peter Coffee can be reached at peter_coffee@ziffdavis.com.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Act as If You Care About Security
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Peter Coffee
 


x}kS㸶j&sнyt@$ nUʱăcglH|9uw-I~a=9MWCbKziii?[[~$r ɹkNmJǮ;D[[?!P|oSo9w=z#m)>M3Щ շGl&J~ AT{# x55mC7`2 X M$ +zZ'jZwf6(CLe/ZwG~Vh⻶eMao}{X;Ǻ7 )*X^P~ D;qd #|=x?:a/M˟lm׸ڮUX'[vwB1BEu#I%&'uڪ8NQp/Fwm3EkLN\CZcˆ螥;ɧ5u&5I  1A 4cT(ne8DrHn6, ֈj)1gO?-Ilp\γܲa?uoezVk൯Cϝ:zQL%X䈍YR0wSG&>dRrpXdA-}ٓe̛4a[mޡlطZ*jUE/T]|-t}r2w7[ּkL)(睋e0> ׷up_Rr]U>uܯ>3i^_ad}-1UJ Z. $_#::-'Vyj#txZw kɥo$Y)LN,"#Ҽ6.Z&6OZc$IJ6<JEӀH ZvD ,E%M}!+rԼn6;H _ܩGOM WhB:Bp4:AGAticšhO@7Fh`CZ]Ҏ:L g_a㻃^h>[ <{ }} 0ԟr.D#m| &>t\l8d ((sɹw[P&wz, K}ˋ`w V<2/?>fxs݀ԧP}-{`sDowe}95(x??K1 Ht 7l;`(`R55 K@UKUbګY3ld xAqFFjJ [ ҆ kuksҙxCnFztg@>9`өǟG(a!cQ*}a1*4&0Sgm1LL  4 āXBYaX l]t>N}VF0\}єa˘۷|qVu6$KD(Mܧh&\3atS3Fm0$ t`m\>(apFl`^ |<> B K'"Z``Ek ǖYCǖbTۘІ[|P*'i9~Ò?DBPcC=ܴ>?CU^oVO8;OfjZ(T+16DZUT/J{}|S??=ehČ?@>OF7YfaY8 n_m^R19X>eLJj9AB;<wR)C4By^qpw\pR "[yudEL\vCy!+pDZQ,ߘ_C).(:d٤S(H-qR}Y= w7䪢#݀ޭl.F'F6@\=><vo#(0f4{D[ `}A-~*O1)"ڟqk`豸&@xh8`L )ب5UV *~iO[G5^,ߜMpH1)dyD4@/=qbk NUty;pLjg  +즬h+sJbOW2EHypjC鳰<Ϥp[|`z[>ݩ'Ǩw&R y.A@ /r|#M:f2/c>ˣ#W59 d$fqNg epv=[),13?{諻*+d=p=JV:ݸNYrLRB7PU̞5mdۨX9 2>b([R`cOpTcHj;}'XS0$2݄sqS))rL*H+ů 3ˁ; _֧.4ƓAP{=Gңq+7[g_ su_;n}GDм:9Fyzji%<jԺ8jk Z>\?_IIM q߲oSR=H3 J@C$=ĸz9}/gvl.N+my #8.odhAm 8獫օa}ŏ퓳ESJ:m_7'!5Z'{, Y# B5W ǧͦzpR`Qs cb`&zi+R_Kyʼnb9kI*D|=d_5gHܠ ʆr۵ck~uXLP($Tx0/`$X*Xe2չ9`D~mnb~C<B<Mq< M=8Y,rl%uJ;uMg;dNlp l:`YcrF4-3/pǻ"TyzGFiR'DZ3pq*h hwYeb}ڀĴ&{67g KZ'/GX ;[ .ViH_8_`g",G^`9GR r0Fxf&4Nlywy# xESrc܉Xfʳ/q!~x~GM{@uS意g 955'伅q+N^S{20 }?I-mJ㆟isP>OKȶdLC!I ɫwח}ʜ9%#+w|62(o9P2tI JS`ȞxqKwnbR{C8C?'m ;~ ]ݡPIݡw=~=mҒ(r۞ZD qw5Q4{qI9.|u?s`\TzH^8؈ڝmuU6m>=3hL 6;x0kr:߃L/G OFxVջ3\P`5ͺܵ1JX "i#ĠHYsrMs _5 Z5:ar*|"Zya'8\}5_:"Y1!Ifu1^[P|;_93{M4j Z*2kp1)%ŷ`PBHpN7̼V&&o ZCߓqi+B<ыM\-1j-YmN:d|:X?eȺ,XR ʮ-VۗI'06  S0\zo{_mWrr'ub9W| hό Cn^dߟΨGlYSbAŷ~[ǂ_'#f{#ݑ9,R.Vyũ=CݣR&XUJr[Fi;xhy+ZcX߱ZzgBP{&oaG̑][):@m3oo%\,!7,XUe"-CNGE}8nEx,O)J!1_sۡT0sPĞЃ#N]0^ ?Y*~sȧu;-sLKy4r" M^>L%jvOh}x9 xأ%hsyW._AH^wJ w2RJ=X,\tFɒ+voWuH܃JCye" @cdoDHՂZ!M_$Ҋg Q M8E=+P82iLILJD0Wk00v| C0˺Mg '0N?X(-87ɁVhRbr_~v_tx9EMzS<͐O Į@/xZ EP+TwHb$E @{NmCAŤRu0R^*7.Sbg60QqR r?t{-u$VKbI+dbRơ F$Hb,AGMw!YYo?? x;dWIU%>y- 'CU0iLu|LwHauPf/EGI-_:{y٭}͓ .Kț'aq:l~%j-"őZiOubGd3yڶW&'x󣘰KXXf(`U%OQbH}.x^1x$Byl eL.QW:78:^3Zվ/TֻtLj8Ra6vޥk= !W ?>5-㌆>e׵3!Pob&7`8!W}koV3RHYMalOXo㖏&y$|9t}jOX7ԝЩRA וmF Ux^S/!gbl+Eaw) pǹ΂84/.K7Btx/zq{҃V+Pr]ş5z{)㾨wrK[B*eBx/A6`@D|2WA(596w4BHvjme"kk3";A[-~[f6௶fulay&^ê/{dȪhֲƑ=:vBFY,=eevY#gZ];c~u2H@85+Q/NHPD(&Ɗ8f[ZƳ@旤P , S%惽'pM=G;ۮWMs-EuەH0~y`H2&cö$y#kz`'rݢX,hMÙZCt3af)ّ1^ 4N^Yyő߳yxH]Qv`nK%ƵVxr4MvQ0×ӡhF!£ϭACڻ@NXPAfXt~D),?^ Y?`}䷿T}]gK71^sNa2RwP Q?nEW  /SI?[ϕ'wQ 2~(! <5͹=Y=k _o3O^--l`wˊvמR|lڋnû{*ju8f#N^qcI YW ]jqCviJ rNGG30kq+"j\J js3'bbJbfiA i!Fv9ӏ[Kb+nKJ7{F$qHfKjj5n%^ \:akjrF-?x$ǍE/,]^|~8.2dRC^P_7X\ ۜsj61}R>&sjxVQv國|?98^YR z~dtOƄwFWe:=0 j"* JD-~0ki1'=hshC~>Vz^3ZkݫX;Xif«yBE ~K-y-JYՑȾmݹ]櫏<5F<0ڢ R &CqQ=rdZS԰p-|ri?*ܲzF If݀jR}r? Ps|ίЕժTjQܣF +-MK0J4r[Cؾ)Xt=粈G=yԑ8lx##/bZN{:Ra*:d@*,g+G J:s$>D +cޮ5X5Kk hCMܡ!ޜKj $`ŲiS'XgF+iBˠOW1h>C }(W' #%YVmIr .kh>a{ϸR(?hUe~b+;ZAkb&Ҟs+qܔufl@+>  &]& )<]СreGJIgo8<>|6ڐyki$Y0&7Gd.$qq5Dh=5 boEҖIz# ,@y슍\v@|"0\M :#͛Ym^u*'.Bym!< <yc]\ g}Sb l !'@vQ]Q ~x].~'xl:?saqn곟9g+H0 r1;$5j͛OWeW)`#uA~b }O Z l F(ЄG#Os3Uø7G 45A!^C. Q?xx6")(Ĵ0/C79a9=e1;T; _t' O!%ccZ|,{{GǙ;fQ7s CD t]\P"@^K>S|??'~e IHbu~vK1 F.X`Yej xpƧx}<j#ܕeR>&6폭%NnldaQ(;b:MuL}[%nKM ᑋb$!%H$`x=9naeday~XOFˈ_`bJU(IhRW|S \gޕa)豪gՕo) ;ee,s=Mȕ@9ZȀq/wx!&O=lF(Hwn{3̂иρ>3y"cP~Q~ dCyF9E^\dEA3OK;C\}\f%Ut`w`wkugu Y0]3w7Y@7{dwAI]'Iz|ָą)AFy)W?ȠRE৬rXB]gBy<++PA/Ү3 < ?3_u2 ̭L_[BX\jzr+^6Ǻe4v+iAư/^bϽ s^楽I#xEW4<< X1rnmŚ/J̙y<* t!=}cT7#%Y/ܻ Gz‰n(sҷe&mS?`lG@' @8NDw9[eW|nדpK` 9nsOkr>u緶xvY^]ZT_;Yo%P.Y}IsgeGσf{ţu6TK6:5AͷƓDVN)pB `ɠ1zI&'O!4ELTr&-\ʠaCaoYb J;c`\;o=2gji }fy0\9 hw `z4}z<8ԿZ%x-&/f"?S 7oJ/ӡ{x=KQ,V,Hwjc~}! 5t0=_}j:aKƈ DMKIn_!g-x'G;`̑yCwk`b)WO}Ln}{Q!by:W7]ny>D`a\8I(q0rp750,7FW 50sp$nHAxRtOSL IU7N"틷%OAv3&F{dy#aqq%f~̦I eЋbrO/mc6HmTώ{;^:!5KupO^ی6 fL~.Ω'%x^3:GN"Mџ"+ugO`\fBaIgLLxa 6{N:3̄Qxun|%/=Y-)0_p,\ftO 6A|eKo{7[z졗iK?OJ D ϱMm]&X\fTj_ƵѮ\TflPP`Oԙz$0lB e ȁ(lyJ͜GċOǠW<߶RP#jdVw(l2ۖ?Z cϣ1K8~m=`u Vڔ*zYD1e~}=3Ӳg(q7<,@:PpPэK ei$it.1>n)ZlF#$c--典<P0_nc.vQeNܘUFEMhT_ !*lʢ#VM )/ߴ#3qݼ¦,6yX\ F\X3'F3|6,lp/>cwp`2k|/pA&}K\ȏ,,L[˙Z']Xom!hXb-E"ҁ )Q~)'m fK#fY![R?c~ӥ4pRaL ,b[иdS1}7@j0\|ͱH d[\K^مu&3k)/YH~>  &r*r*]xWI"cXM?!:T+w\9ƕyĺXqө8Yo~t5.[ByܾJǍٗ=RIgꎾV;~v?ۏ~m a% ѨT\4['ݽ%ŇU n҃᧓#)h#/(ZNꨙ $RzI"^ֳo &A|>Őy6xL 2kV*wFVtƦI21qz.aD(~rk)}U:M\"GZj/%!.zRMc9Q2;斎Mӝo3a-dcˤ_ o| )