Community Champion

Re: Unauthorized Access or Fixing a Technical Complication?


@Lamont29 wrote:

The word ‘access’ is so normalized... 


I think the more relevant discussion is around the word "Unauthorized" (or authorized). 

 

An interesting thought exercise is at what point does "bobby tables" cross the line from authorized to unauthorized access? As described in the XKCD, I think it remains "authorized", but if one started to work around intentional protections (e.g. rewriting javascript in the browser) to get it submitted, I can see the line being crossed.

 

It also raises the question of negligent software design, but that is a whole different conversation.

 

Community Champion

Re: Unauthorized Access or Fixing a Technical Complication?

 

 


@JoePete wrote:

I think there is also a concept of "abandoned" property. Just as if I am walking down the street and I see on the curb a TV, I can assume someone has left it there for the trash or to be picked up for free.

If it is next to the trash can on trash day, that seems a reasonable presumption.  However, if it were a kid's bike on some other day, it is much more likely to be mislaid property, which you have an obligation to return to the true owner.  Check out Wikipedia for more comprehensive insight. 

Advocate I

Re: Unauthorized Access or Fixing a Technical Complication?

William,

 

EDIT: I apologize, I had to edit this reply.  It was apparent when I reread your example, you were clearly stating that this was not an example of "Unauthorized Access".  This example, however, does pick one of the handful of clauses of the CFAA (18 USC § 1030) that deals with causing or attempting to cause damage, regardless of the level of access. 

 

So, I'm leaving my original reply with the caveat that it is off topic.

 


@denbesten wrote:

An interesting thought exercise is at what point does "bobby tables" cross the line from authorized to unauthorized access?  

I absolutely love this example.  Not only is it cute, but it also subtly illustrates what I believe is an input to the problem.  Computer folks, especially security professionals, and hackers likely the most of all, think they’re clever. 

 

Let me break this cartoon down using legal analysis.  The mother names her son using the construct of an SQL injection.  It’s clever because it causes data destruction and presumably avoids a penalty because the school staff are the ones that entered the command. 

 


@denbesten wrote:

As described in the XKCD, I think it remains "authorized", but if one started to work around intentional protections (e.g. rewriting javascript in the browser) to get it submitted, I can see the line being crossed.

 


If I understand your conjecture right, you either think (a) this doesn't meet the definition of "Unauthorized Access"; or (b) you believe that this type of behavior is legitimate.  I agree with (a), but completely disagree with (b).

 

The problem is that the same example shows knowledge and intent to cause damage, meeting the conditions of 18 USC § 1030(a)(5)(A).  First, you might presume that the child’s name was just a random happenstance except that it was specifically the exact syntax needed to cause an SQL injection, the likelihood of such a random occurrence being so low as to be unreasonably a coincidence.  Second, the mother then confirms she understood the concept of SQL commands and tables, SQL syntax, and input sanitization; effectively stating that she knew or should have known that the name had a high probability of causing a damage-inducing SQL injection.  And putting in process a chain of events so as to cause another person to input the data qualifies under 18 USC § 1030(a)(5)(A).  So, it is not as clever as originally thought.

Advocate I

Re: Unauthorized Access or Fixing a Technical Complication?

Lamont,

 

I appreciate you weighing in on this!

 


@Lamont29 wrote:

The word ‘access’ is so normalized in the information security profession, I barely know how to break it down any further. Maybe the law clerks or lawyers who are writing these laws have a poor understanding of information systems?  

I respectfully request that you re-read the thread with the understanding that the claims on either side are being made by security professionals – not lawyers and law clerks.  There is a divide in our own profession.

 

We are talking specifically about the active evasion or circumvention of a security control.  Some security professionals believe that because it was relatively easy for them to circumvent (e.g. using a VPN/Proxy, or changing a MAC address to evade a network Access Control List) that this means it is not legally a security control.

 

Where do you sit on this debate?

 

Community Champion

Re: Unauthorized Access or Fixing a Technical Complication?


@Baechle wrote:

 

We are talking specifically about the active evasion or circumvention of a security control.  Some security professionals believe that because it was relatively easy for them to circumvent (e.g. using a VPN/Proxy, or changing a MAC address to evade a network Access Control List) that this means it is not legally a security control.

 

Where do you sit on this debate?

 


Okay,

 

I have a better understanding now. The only issue to consider is the ‘intent’ as a matter of legality. We as information security professionals are also required to consider common laws, criminal laws and other forms of regulations and the spirit of those laws and regulations. A hacker cannot offer a defense in court “because it was so easy…” and expect to be exonerated for breaching that access. If I wanted to legally mitigate a perpetrator’s action of making my yard a short-cut, then I only need to post “Do Not Trespass” signs. There’s nothing etched in law that requires me to build a 10-foot high, razor, electric fence around my property that the prisoners would admire.

 

I may choose to set up a small business network utilizing Windows NT (easy to break). Yet, if I put in the security controls, the banners, and do my due diligence to keep the information residing in my NT network from prying eyes, no court will step out of the box and say, “Well you could have used BSD, LINUX or Windows 2008 or higher for better security!” The answer to this question that we all ought to adopt is clearly stated in our code of ethics as ISC2 professionals: “Act honorably, honestly, justly, responsibly, and legally.”

 

Maybe we can offer better advice to discourage poor security configurations, but we should never use our knowledge, skills, and ability to do harm.

 

 

Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC
Community Champion

Re: Unauthorized Access or Fixing a Technical Complication?

A more realistic example is the last names O'Conner and den Besten.  Oftentimes, they will error-out a web site that does not sanitize data inputs, or the web site will corrupt them into Oconner, Denbesten, or Besten.

 

My intended observation was that entering malicious input through the published web interface is likely "authorized access", whereas mucking about with the page to bypass an input validator is much more likely to be "unauthorized".

 

You correctly highlight that even being authorized access, the cartoon taken at face value likely would run afoul of other laws, but that is not the point of Bobby Tables.  Its goal is to remind developers to skeptically handle inputted data, and does so in an engaging fashion that a techie can quickly grasp.

 

 

 

 


@Baechle wrote:

The mother names her son using the construct of an SQL injection.  It’s clever because it causes data destruction and presumably avoids a penalty because the school staff are the ones that entered the command. 

 


@denbesten wrote:

As described in the XKCD, I think it remains "authorized", but if one started to work around intentional protections (e.g. rewriting javascript in the browser) to get it submitted, I can see the line being crossed.

 


If I understand your conjecture right, you either think (a) this doesn't meet the definition of "Unauthorized Access"; or (b) you believe that this type of behavior is legitimate.  I agree with (a), but completely disagree with (b).

 

The problem is that the same example shows knowledge and intent to cause damage, meeting the conditions of 18 USC § 1030(a)(5)(A).  First, you might presume that the child’s name was just a random happenstance except that it was specifically the exact syntax needed to cause an SQL injection, the likelihood of such a random occurrence being so low as to be unreasonably a coincidence.  Second, the mother then confirms she understood the concept of SQL commands and tables, SQL syntax, and input sanitization; effectively stating that she knew or should have known that the name had a high probability of causing a damage-inducing SQL injection.  And putting in process a chain of events so as to cause another person to input the data qualifies under 18 USC § 1030(a)(5)(A).  So, it is not as clever as originally thought.
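An added example, not part of the original thread, showing denbesten's O'Conner point in working code: splicing the name into the SQL text errors out on O'Conner, while a parameterized query stores O'Conner, den Besten and the cartoon's string verbatim as data with the Students table intact. The names are constructed sample data; the SQLite driver refuses multi-statement text, so nothing is dropped in the concatenated case either.

```python
import sqlite3

# Constructed sample names: the two from the thread plus the cartoon's string.
# They are used only as data to be stored, never as SQL to be run.
SAMPLE_NAMES = [
    "O'Conner",
    "den Besten",
    "Robert'); DROP TABLE Students;--",
]


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_concatenated(conn, name):
    """The fragile pattern: the name is spliced into the SQL text.
    Returns the exception class name on failure, or None on success.
    An apostrophe (O'Conner) becomes a syntax error; the cartoon's string
    is rejected by sqlite3 because it contains a second statement."""
    sql = "INSERT INTO Students (name) VALUES ('" + name + "')"
    try:
        conn.execute(sql)
        return None
    except Exception as exc:  # sqlite3.Error, or sqlite3.Warning on older Pythons
        return type(exc).__name__


def insert_parameterized(conn, name):
    """The robust pattern: the name travels as a bound parameter, so the
    database engine never parses it as SQL, whatever characters it holds."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))


def stored_names(conn):
    # Raises if the table no longer exists, so this doubles as an intactness check.
    return [row[0] for row in conn.execute("SELECT name FROM Students ORDER BY id")]


def compare_patterns(names=SAMPLE_NAMES):
    """Run every sample name through both patterns and report the outcome:
    which names errored out under concatenation, what survived in each table."""
    concat_conn, param_conn = _fresh_db(), _fresh_db()
    concat_errors = {n: insert_concatenated(concat_conn, n) for n in names}
    for n in names:
        insert_parameterized(param_conn, n)
    return {
        "concat_errors": concat_errors,
        "concat_stored": stored_names(concat_conn),
        "param_stored": stored_names(param_conn),
    }
```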


 

Community Champion

Re: Unauthorized Access or Fixing a Technical Complication?

"We are talking specifically about the active evasion or circumvention of a security control.  Some security professionals believe that because it was relatively easy for them to circumvent (e.g. using a VPN/Proxy, or changing a MAC address to evade a network Access Control List) that this means it is not legally a security control."

 

I need to learn the quoting methodology here!

 

Just because the security "professional" knows more than the Geek Squad kid who knows just enough to keep his 70 year old customer safe is not license to step beyond the border of the elderly person's enclave.  Both physically and logically that border is defined by an IP/Mac combination (logic) and NIC/FIOS Gateway (physical).  I don't think FIOS would agree with the security "professionals" definition of probing their network to see which gateway units are stock or modified with tighter controls.  

 

This is not subjective.  We professionals that do take security seriously, that have scruples and respect the intent of others even if they aren't as knowledgeable as us, are duty bound to continually educate those in our sphere of influence on new trends in securing themselves and the issues that are out there.

I do this with my facebook community and those that I lead in church.

Advocate I

Re: Unauthorized Access or Fixing a Technical Complication?

Mark,

 


@Flyslinger2 wrote:

I need to learn the quoting methodology here!

 


I recently got schooled in this also.  :)

 


@Flyslinger2 wrote:

 

Just because the security "professional" knows more than the Geek Squad kid who knows just enough to keep his 70 year old customer safe is not license to step beyond the border of the elderly person's enclave.  Both physically and logically that border is defined by an IP/Mac combination (logic) and NIC/FIOS Gateway (physical).  I don't think FIOS would agree with the security "professionals" definition of probing their network to see which gateway units are stock or modified with tighter controls.  

 

I completely agree with your assessment.  Knowledge of how to circumvent a security control != authority to then circumvent that control.  Using that logic, the attackers' mere knowledge of a method to circumvent a security control invalidates that security control as a legal barrier to entry.

 

Many public facing web sites use products that have vulnerabilities in them specifically, or in the combination of several products working together.  Someone with the knowledge to tamper with variables in a URL/URI should know the difference between sending "&strip=1" in a Google query and sending "&record=[someone else's private data]" after realizing the site is passing database queries through the browser; the latter is exceeding their authorized access.

 

What are your thoughts on the last example?  I concede that we've moved beyond unauthorized access to exceeding authorized access in the discussion.

 

Sincerely,

 

Eric B.

Community Champion

Re: Unauthorized Access or Fixing a Technical Complication?

 

 

Many public facing web sites use products that have vulnerabilities in them specifically, or in the combination of several products working together.  Someone with the knowledge to tamper with variables in a URL/URI should know the difference between sending "&strip=1" in a Google query and sending "&record=[someone else's private data]" after realizing the site is passing database queries through the browser; the latter is exceeding their authorized access.

 

What are your thoughts on the last example?  I concede that we've moved beyond unauthorized access to exceeding authorized access in the discussion.

 

Sincerely,

 

Eric B.


In this example you are authorized, by publication, to access the website.  You are NOT authorized to put your expert knowledge to the test to see what controls they have in place.  Only the contractor that has all the rules in place for their pen testing has that right.