ch31.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 1,189 行 · 第 1/4 页

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>

<HEAD>
	
	<TITLE>Maximum Security -- Ch 31 -- Reality Bytes: Computer Security and the Law</TITLE>
</HEAD>

<BODY TEXT="#000000" BGCOLOR="#FFFFFF">

<CENTER>
<H1><IMG SRC="../button/samsnet.gif" WIDTH="171" HEIGHT="66" ALIGN="BOTTOM" BORDER="0"><BR>
<FONT COLOR="#000077">Maximum Security: </FONT></H1>
</CENTER>
<CENTER>
<H2><FONT COLOR="#000077">A Hacker's Guide to Protecting Your Internet Site and Network</FONT></H2>
</CENTER>
<CENTER>
<P><A HREF="../ch30/ch30.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../apa/apa.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> 
<HR>

</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">31</FONT></H1>
</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">Reality Bytes: Computer Security and the Law</FONT></H1>
</CENTER>
<P>This chapter discusses law as it applies to the Internet both here and abroad.
For the most part, my analysis is aimed toward the criminal law governing the Internet.
<H2><FONT COLOR="#000077"><B>The United States</B></FONT></H2>
<P>My timeline begins in 1988 with <I>United States v. Morris</I>, the case of the
Internet worm. I should, however, provide some background, for many cases preceded
this one. These cases defined the admittedly confused construct of Internet law.
<H3><FONT COLOR="#000077"><B>Phreaks</B></FONT></H3>
<P>If you remember, I wrote about phone phreaks and their quest to steal telephone
service. As I explained, it would be impossible to identify the precise moment in
which the first phreak hacked his or her way across the bridge to the Internet. At
that time, the network was still referred to as the <I>ARPAnet</I>.</P>
<P>Concrete evidence of phreaks accessing ARPAnet can be traced (at least on the
Net) to 1985. In November of that year, the popular, online phreaking magazine <I>Phrack</I>
published its second issue. In it was a list of dialups from the ARPAnet and several
military installations.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The list of dialups from
	ARPAnet can be found in <I>Phrack</I>, Volume One, Issue Two, &quot;Tac Dialups taken
	from ARPAnet,&quot; by Phantom Phreaker. Find it on the Net at <A HREF="http://www.fc.net/phrack/files/p02/p02-1.html"><TT>http://www.fc.net/phrack/files/p02/p02-1.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>By 1985, this activity was being conducted on a wholesale basis. Kids were trafficking
lists of potential targets, and networks of intruders began to develop. For bright
young Americans with computers, a whole new world presented itself; this world was
largely lawless.</P>
<P>But the story goes back even further. In 1981, a group of crackers seized control
of the White House switchboard, using it to make transatlantic telephone calls. This
was the first in a series of cases that caught the attention of the legislature.</P>
<P>The majority of sites attacked were either federal government sites or sites that
housed federal interest computers. Although it may sound extraordinary, there was,
at the time, no law that expressly prohibited cracking your way into a government
computer or telecommunication system. Therefore, lawmakers and the courts were forced
to make do, applying whatever statute seemed to closely fit the situation.</P>
<P>As you might expect, criminal trespass was, in the interim, a popular charge.
Other common charges were theft, fraud, and so forth. This all changed, however,
with the passing of the Computer Fraud and Abuse Act of 1986. Following the enactment
of that statute, the tables turned considerably. That phenomenon began with <I>U.S.
v. Morris</I>.
<H3><FONT COLOR="#000077"><I><B>United States of America v. Robert Tappan Morris</B></I></FONT></H3>
<P>The Internet worm incident (or, as it has come to be known, the Morris Worm) forever
changed attitudes regarding attacks on the Internet. That change was not a gradual
one. Organizations such as CERT, FIRST, and DDN were hastily established in the wake
of the attack to ensure that something of such a magnitude could never happen again.
For the security community, there was vindication in Morris' conviction. Nonetheless,
the final decision in that case would have some staggering implications for hackers
and crackers alike.</P>
<P>The government took the position that Morris had violated Section 2(d) of the
Computer Fraud and Abuse Act of 1986, 18 U.S.C. 1030(a)(5)(A)(1988). That act targeted
a certain class of individual:

<DL>
	<DD>...anyone who intentionally accesses without authorization a category of computers
	known as &quot;[f]ederal interest computers&quot; and damages or prevents authorized
	use of information in such computers, causing loss of $1,000 or more...
</DL>

<P>For those of you who aren't attorneys, some explanation is in order. Most criminal
offenses have several elements; each must be proven before a successful case can
be brought against a defendant. For example, in garden-variety civil fraud cases,
the chief elements are

<UL>
	<LI>That the defendant made a false representation<BR>
	<BR>
	
	<LI>That the defendant knew the representation was false<BR>
	<BR>
	
	<LI>That he or she made it with intent that the victim would rely on it<BR>
	<BR>
	
	<LI>That the victim did rely on the representation<BR>
	<BR>
	
	<LI>That the victim suffered damages because of such reliance
</UL>

<P>If a plaintiff fails to demonstrate even one of these elements, he or she loses.
For example, even if the first four elements are there, if the victim lost nothing
in the fraud scheme, no case will lie (that is, no case brought upon such a claim
will successfully survive a demurrer hearing).


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>This is different from criminal
	law. In criminal law, even if the fifth element is missing, the defendant can still
	be tried for fraud (that is, damages are not an essential requirement in a criminal
	fraud case). 
<HR>


</BLOCKQUOTE>

<P>To bring any case to a successful conclusion, a prosecutor must fit the fact pattern
of the case into the handful of elements that comprise the charged offense. For example,
if intent is a necessary element, intent must be proven. Such elements form the framework
of any given criminal information filing. The framework of the Morris case was based
on the Computer Fraud and Abuse Act of 1986. Under that act, the essential elements
were

<UL>
	<LI>That Morris intentionally (and without authorization) accessed a computer or
	computers<BR>
	<BR>
	
	<LI>That these were federal interest computers<BR>
	<BR>
	
	<LI>That in his intentional, unauthorized access of such federal interest computers,
	Morris caused damage, denial of service, or losses amounting to $1,000 or more
</UL>

<P>The arguments that ultimately went to appeal were extremely narrow. For example,
there was furious disagreement about exactly what <I>intentionally</I> meant within
the construct of the statute:

<DL>
	<DD>Morris argues that the Government had to prove not only that he intended the
	unauthorized access of a federal interest computer, but also that he intended to
	prevent others from using it, and thus cause a loss. The adverb &quot;intentionally,&quot;
	he contends, modifies both verb phrases of the section. The government urges that
	since punctuation sets the &quot;accesses&quot; phrase off from the subsequent &quot;damages&quot;
	phrase, the provision unambiguously shows that &quot;intentionally&quot; modifies
	only &quot;accesses.&quot;
</DL>

<P>Morris' argument was rejected by the Court of Appeals. Instead, it chose to interpret
the statute as follows: that the mere intentional (unauthorized) access of the federal
interest computer was enough (that is, it was not relevant that Morris also intended
to cause damage). The defense countered this with the obvious argument that if this
were so, the statute was ill- conceived. As interpreted by the Court of Appeals,
this statute would punish small-time intruders with the same harsh penalties as truly
malicious ones. Unfortunately, the court didn't bite. Compare this with the UK statutes
discussed later, where intent is definitely a requisite.</P>
<P>The second interesting element here is the requirement that the attacked computers
be federal interest computers. Under the meaning of the act, a federal interest computer
was any computer that was intended:

<DL>
	<DD>...exclusively for the use of a financial institution or the United States Government,
	or, in the case of a computer not exclusively for such use, used by or for a financial
	institution or the United States Government, and the conduct constituting the offense
	affects such use; or which is one of two or more computers used in committing the
	offense, not all of which are located in the same State.
</DL>

<P>The first and second requirements were exclusive. The following description was
a second paragraph:

<DL>
	<DD>...which is one of two or more computers used in committing the offense, not
	all of which are located in the same State.
</DL>

<P>In other words, from the government's point of view, any two or more computers
located in different states were federal interest computers within the construct
of the act. This characterization has since been amended so that the term now applies
to any action undertaken via a computer in interstate commerce. This naturally has
broad implications and basically reduces the definition to any computer attached
to the Internet. Here is why:</P>
<P>The legal term <I>interstate commerce</I> means something slightly different from
what it means in normal speech. The first concrete legal applications of the term
in the United States followed the passing of the Sherman Act, a federal antitrust
bill signed by President Benjamin Harrison on July 2, 1890. The act forbade restraint
of &quot;...trade or commerce among the several states, or with foreign nations.&quot;
As defined in Blacks Law Dictionary (an industry standard), interstate commerce is

<DL>
	<DD>Traffic, intercourse, commercial trading, or the transportation of persons or
	property between or among the several states of the Union, or from or between points
	in one state and points in another state...
</DL>

<P>From this, one might conclude that interstate commerce is only conducted when
some physical, tangible good is transferred between the several states. That is erroneous.
The term has since been applied to every manner of good and service. In certain types
of actions, it is sufficient that only the smallest portion of the good or service
be trafficked between the several states. For example, if a hospital accepts patients
covered by insurance carriers located beyond the borders of the instant state, this
is, by definition, interstate commerce. This is so even if the patient and the hospital
are located within the same state.</P>
<P>However, there are limitations with regard to the power of Congress to regulate
such interstate commerce, particularly if the activity is intrastate but has only
a limited effect on interstate commerce. For example, in <I>A. L. A. Schecter Poultry
Corp. v. United States</I> (1935), the Supreme Court:

<DL>
	<DD>...characterized the distinction between direct and indirect effects of intrastate
	transactions upon interstate commerce as &quot;a fundamental one, essential to the
	maintenance of our constitutional system.&quot; Activities that affected interstate
	commerce directly were within Congress' power; activities that affected interstate
	commerce indirectly were beyond Congress' reach. The justification for this formal
	distinction was rooted in the fear that otherwise &quot;there would be virtually
	no limit to the federal power and for all practical purposes we should have a completely
	centralized government.&quot;
</DL>

<P>In any event, for the moment, the statute is sufficiently broad that the government
can elect to take or not take almost any cracking case it wishes, even if the attacking
and target machines are located within the same state. And from inside experience
with the federal government, I can tell you that it is selective. Much depends on
the nature of the case. Naturally, more cracking cases tend to pop up in federal
jurisdiction, primarily because the federal government is more experienced in such
investigations. Many state agencies are poorly prepared for such cases. In fact,
smaller county or borough jurisdictions may have never handled such a case.</P>
<P>This is a training issue more than anything. More training is needed at state
and local levels in such investigations and prosecutions. These types of trials can
be expensive and laborious, particularly in regions where the Internet is still a
new phenomenon. If you were a prosecutor, would you want to gamble that your small-town
jury--members of which have little practical computer experience--will recognize
a crime when they hear it? Even after expert testimony? Even though your officers
don't really understand the basic nuts and bolts of the crime? Think again. In the
past, most crackers have been stupid enough to confess or plea bargain. However,
as cracking becomes more of a crime of financial gain, plea bargains and confessions
will become more rare. Today, cracking is being done by real criminals. To them,
the flash of a badge doesn't mean much. They invoke their Fifth Amendment rights
and wait for their lawyer.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>You can find the full
	text version of the Computer Fraud and Abuse Act of 1986 at <A HREF="http://www.law.cornell.edu/uscode/18/1030.html"><TT>http://www.law.cornell.edu/uscode/18/1030.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>On the question of damages in excess of $1,000, this is a gray area. Typically,
statutes such as the Computer Fraud and Abuse Act allow for sweeping interpretations
of <I>damages</I>. One can claim $1,000 in damages almost immediately upon an intrusion,
even if there is no actual damage in the commonly accepted sense of the word. It
is enough if you are forced to call in a security team to examine the extent of the
intrusion.</P>
<P>This issue of damage has been hotly debated in the past and, to the government's
credit, some fairly stringent guidelines have been proposed. At least on a federal
level, there have been efforts to determine reliable formulas for determining the
scope of damage and corresponding values. However, the United States Sentencing Commission
has granted great latitude for higher sentencing, even if damage may have been (however
unintentionally) minimal:

<DL>
	<DD>In a case in which a computer data file was altered or destroyed, loss can be
	measured by the cost to restore the file. If a defendant intentionally or recklessly
	altered or destroyed a computer data file and, due to a fortuitous circumstance,
	the cost to restore the file was substantially lower than the defendant could reasonably
	have expected, an upward departure may be warranted. For example, if the defendant
	intentionally or recklessly damaged a valuable data base, the restoration of which
	would have been very costly but for the fortuitous circumstance that, unknown to
	the defendant, an annual back-up of the data base had recently been completed thus
	making restoration relatively inexpensive, an upward departure may be warranted.
</DL>

<P>This to me seems unreasonable. Defendants ought to be sentenced according to the