Re: tlug: telnet: different question + others
- To: tlug@example.com
- Subject: Re: tlug: telnet: different question + others
- From: Frank Bennett <bennett@example.com>
- Date: Tue, 30 May 2000 19:38:46 +0900
- In-Reply-To: <14643.10952.13138.106285@example.com>; from Stephen J. Turnbull on Tue, May 30, 2000 at 11:43:20AM +0900
- Reply-To: tlug@example.com
- Sender: owner-tlug
The most recent posting as of this writing was:
Tue, May 30, 2000 at 11:43:20AM +0900, Stephen J. Turnbull

Steve Turnbull's contributions to this thread gave me pause for thought over tea and biscuits this morning, and I planned to send a note in to the list after my morning class. The volume of the discussion seems to have risen and abruptly dropped in the meantime, but no worries; I was already feeling my way toward the response below beforehand, so here it is for what it's worth.

This discussion has been interesting because it raises a number of problems that I had not thought through carefully. I'm not yet sure what the answers are, although I am reasonably certain that some of the legal conclusions proposed are in error. What I write here are just musings, but I will pursue more complete information on the legal side -- time I did some work for the list in that line.

There are two ethical questions. The first has no direct connection with computer networks; the student is attempting to falsify attendance records. The moral issue at this level is lying, not attendance. Lying is a general form of antisocial behavior that educational institutions seek to discourage. This is something that an educational institution should properly view as a disciplinary matter, because a prevailing honesty improves the condition of society as a whole.

The second, discrete ethical issue concerns third-party effects of an individual's actions. As Steve has it:

> Violating security has other effects, that impact third parties.

[snip]

> Insiders always have an implicit responsibility to not weaken system
> security.

I agree with these general rule statements by themselves, but problems begin to emerge when we attempt to apply them to specific scenarios. I offer a few, and some questions that apply to each. Reasonable minds could differ about the answers, and I don't offer any. Further down, I turn to the law.
Scenario 1: Suppose that the user places a terminal's IP address into a dot-rhosts file in his account in order to simplify the task of connecting to the server during ordinary sessions. The poster has not violated the security of the system, but he has certainly weakened it, and in a way that could impact third parties. Is he then morally culpable? If so, does his (moral) guilt depend upon whether he knows of the security risk? Can he balance the risk to the community against any benefit that he himself enjoys?

Scenario 2: Suppose that the user above is our poster, and that the poster knew nothing of dot-rhosts files before posting the query. After reading through the posts in the thread, he or she decides not to spoof his or her attendance, but does use a dot-rhosts file for the purpose described in Scenario 1. Are the respondents to the poster more (morally) culpable here? Insofar as they (oops -- we) encouraged dishonesty, the answer must be yes. But with respect to third party effects raised in Scenario 2? Does it make any difference if respondents accompanied technical discussion with disclaimers or cautions? Does the ultimate result matter?

In the worst case, we get something like this:

Scenario 3: Suppose that the user above is our poster. After reading through the posts in the thread, he or she decides to spoof his or her attendance, and does use a dot-rhosts file granting access to a daemon script process that he then launches into memory on the terminal. The script does its work while the poster works an arbeit elsewhere. Later, an attacker enters the lab, accesses the poster's account using the same dot-rhosts entry, and from there inflicts serious damage on the computer systems of a financial institution. The attacker is never identified.
I would guess (and am only qualified to guess) that someone with the eye of a system administrator will read Scenario 3 as the potential that makes the user's action in Scenarios 1 and 2 nearly as horrifying in themselves. Personally, my most serious reservation concerns the immediate community; abuse of privileges on local systems is likely to cause administrators to restrict those privileges. That's a big external cost to impose on your local community for the sake of a few hours of free time at the beach.

A lawyer would say that no crime is committed in Scenarios 1 or 2, but that one (and, under federal law, at least, probably only one) has potentially been committed in Scenario 3:

Computer fraud: Under US federal law, security attacks on computers critical to the operations of financial institutions trigger the computer fraud provisions of USC 1030. However, neither the poster nor the respondents are guilty of aiding and abetting the compromise of the financial institution's systems in this example. Aiding and abetting requires intent in aiding and abetting AND intent with respect to the actual crime itself. Both instances of intent are missing here.

On my reading of the law, the forgery of attendance records in this instance is not likely to constitute a crime under US federal law. The applicable Federal statute is USC 1030, which requires (among other things) an intent to obtain economic gain, or intentional acts leading immediately to damage. The "economic gain" here would almost certainly be dismissed as de minimis. The same goes for "damage". Depending on the jurisdiction, state law might give the prosecutor more joy. But it's hard to imagine a judge that wouldn't toss this one out cold as de minimis.

Like it or not, the policy of the US government, set forth at:

http://www.usdoj.gov/criminal/cybercrime/unlawful.htm

is that there should be consistency of treatment between online and offline crime.
In other words, analogies to the practice "back in our day" are regarded as correct practice, and the special risks to third parties inherent in the online medium, even if they materialize as in Scenario 3, are not to be taken into account in fixing criminal responsibility for a given act, unless a specific statutory provision (such as USC 1030) applies.

I'll check the position in Japan later (since this is presumably the country where I would get busted), but in the meantime I would just like to leave off with the observation that the law's reach is not as deep as lawyers sometimes like to suggest ... and that that is precisely what makes the moral issues so important.

More later.

Cheers,

----
Frank G Bennett, Jr
Faculty of Law, Nagoya Univ
email: bennett@example.com
Tel: +81[(0)52]789-2239