Act as If You Care About Security

Opinion: If you don't protect your assets, the law might not either.

If a path crosses private property, and there's a long-standing habit of public use of that path, and the owner of the property makes no effort to demonstrate ownership—for example, by building a gate and closing it for one day each year—then the owner risks a judgment in law that a public right of way has come to exist.

This is perhaps the strongest (or even the only) argument available in the defense of Gary McKinnon—a self-labeled "bumbling computer nerd" who faced, as of mid-May, the risk of extradition from Britain to face trial in the United States on charges of repeated illegal access to government computers.

McKinnon's two-pronged argument might begin with his public assertion that the systems he accessed had default administrative user IDs and no password protection—not merely trivial passwords, but no passwords at all. "The fact that I logged on with no password meant there was no security to begin with," McKinnon said in May to reporters in London.

This 40-year-old is not a devious hacker seeking riches or revenge. McKinnon is a minimally educated stoner who was looking for evidence of multinational government dealings with extraterrestrials. Far from employing advanced techniques, he used freely downloadable tools and made no effort to disguise himself on the Net.


McKinnon went after a target of opportunity: "I found out that the U.S. military uses [Microsoft] Windows," he told the BBC last summer, "and having realized this, I assumed it would probably be an easy hack if they hadn't secured it properly."

Prosecutors will doubtless call that last statement an admission of knowingly doing wrong, but McKinnon has another point to make: "Once you're on the network, you can do a command called NetStat—Network Status—and it lists all the connections to that machine," he explained to another interviewer from a UFO-related Web site. "There were hackers from Denmark, Italy, Germany, Turkey, Thailand …" The incredulous interviewer asked him, "All at once?" McKinnon's reply: "Every night."

So, here's the picture that McKinnon's defense team can paint: These systems had their front doors wide open, with a cosmopolitan come-as-you-are party going on inside. Lawyers can invoke at least three different labels to describe this situation, with many variations under the law in different countries.

"Permissive easement" can arise if you continually let a person do something with your property; at some point, a court may find that that person has acquired the right to keep on doing it.

"Estoppel by acquiescence" may be found to arise if you don't complain that you've been harmed; your silence becomes a consent that bars future complaint.

"Laches" can become another party's affirmative defense if you don't assert a right promptly against that party, and that party proceeds in (presumed) ignorance of your right. You can't then ambush the infringer, complaining of an augmented offense that you could have prevented by earlier action to minimize your own harm. It's like a statute of limitations, but one that's based on fairness rather than an arbitrary length of time.

Regardless of the lawyerly label, though, you're in a weak position if someone accesses your systems and can claim that there was no barrier—not even a notice of ownership—to make it clear that a resource on the public network was not being offered for public use. Centuries of precedent make it the obligation of an owner to assert control or lose it.

I'm not wearing a "Free Gary" T-shirt, nor am I even asserting that these defenses ought to succeed in this case. What I'm urging here is that you think about the situation that you'd be in if someone intruded on your systems, perhaps causing damage that clearly was not intended, and claimed that there was no clear notice on the path that permission was required to pass.

Your own systems should be nontrivially defended (no default administrative accounts, no blank passwords) and prominently labeled with a notice that access requires authorization, so that neither an intruder nor a careless employee will be able to disclaim responsibility for abusing your IT assets.
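The two failings the column describes, accounts with no password at all and no notice of ownership on the way in, are both checkable from configuration files. The script below is an added example, not code from the column or from any of the systems it describes: it audits an /etc/shadow-style file for accounts whose password field is empty, and an OpenSSH sshd_config for the real directives PermitEmptyPasswords, PermitRootLogin and Banner, then checks that the banner file actually contains a notice. All sample files are constructed for the example; the parser assumes a flat sshd_config with no Match blocks and applies sshd's first-value-wins rule.

```python
"""Audit a host for blank passwords and a missing pre-login ownership notice.

Added example. The /etc/shadow and sshd_config fragments below are
constructed for this example and do not come from any real host.
"""

# Constructed /etc/shadow fragment. Field 2 is the password hash:
# '' means no password at all, '!' or '*' means the account is locked.
WEAK_SHADOW = """root:$6$saltsalt$examplehashvalue:19000:0:99999:7:::
guest::19000:0:99999:7:::
svc_backup:!:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

# Constructed sshd_config fragment with the weak settings.
WEAK_SSHD_CONFIG = """Port 22
PermitEmptyPasswords yes
PermitRootLogin yes
#Banner /etc/issue.net
"""
WEAK_BANNER = ""  # banner file is empty: nothing tells a visitor this is private

# The same host after hardening (also constructed).
HARDENED_SHADOW = WEAK_SHADOW.replace("guest::", "guest:!:")
HARDENED_SSHD_CONFIG = """Port 22
PermitEmptyPasswords no
PermitRootLogin prohibit-password
Banner /etc/issue.net
"""
HARDENED_BANNER = (
    "This system is the property of Example Corp. Unauthorized access is\n"
    "prohibited. Activity may be monitored and reported.\n"
)


def empty_password_accounts(shadow_text):
    """Return user names whose shadow password field is empty."""
    found = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            found.append(fields[0])
    return found


def sshd_directives(config_text):
    """Parse a flat sshd_config into {keyword_lower: value}.

    sshd uses the first value it sees for each keyword, so later
    duplicates are ignored here too. Match blocks are not handled
    (assumption: the config has none).
    """
    directives = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key = parts[0].lower()
        directives.setdefault(key, parts[1].strip())
    return directives


def audit(shadow_text, sshd_config_text, banner_text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for user in empty_password_accounts(shadow_text):
        findings.append("account '%s' has no password at all" % user)

    d = sshd_directives(sshd_config_text)
    # OpenSSH defaults: PermitEmptyPasswords no, PermitRootLogin prohibit-password
    if d.get("permitemptypasswords", "no").lower() == "yes":
        findings.append("sshd accepts empty passwords (PermitEmptyPasswords yes)")
    if d.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("sshd allows password login as root (PermitRootLogin yes)")

    banner = d.get("banner", "none")
    if banner.lower() == "none":
        findings.append("sshd shows no pre-login banner (Banner not set)")
    elif not banner_text.strip():
        findings.append("banner file %s is empty; no ownership notice is shown" % banner)
    return findings


if __name__ == "__main__":
    for label, args in (("weak", (WEAK_SHADOW, WEAK_SSHD_CONFIG, WEAK_BANNER)),
                        ("hardened", (HARDENED_SHADOW, HARDENED_SSHD_CONFIG, HARDENED_BANNER))):
        print("%s host:" % label)
        for f in audit(*args) or ["no findings"]:
            print("  -", f)
```

On a real host you would read /etc/shadow (root only), /etc/ssh/sshd_config and the file named by Banner, and feed their contents to audit(); the banner check matters because Banner pointing at an empty file looks configured while still showing the visitor nothing.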


Technology Editor Peter Coffee can be reached at
