[LINK] Super fund security breach lands good Samaritan in hot water
swilson at lockstep.com.au
Wed Oct 19 15:12:55 AEDT 2011
It's definitely not black and white. If a case went to trial and lawyers
constructed arguments around analogies with doors and locks and flimsy
latches, then sure as eggs, expert witnesses would be lined up on both
sides to attest to the goodness of the analogies. I don't know if
'securing' an account by secreting the account number inside a long URL
is comparable to an unlocked door, and if the consultant could be said
to have 'pushed on' such a door. But I must say that to do what he did
required a level of IT expertise that probably exceeds that of the
typical banking user.
So anyway, if you circumvent a security solution no matter how "good" it
is, you may be in trouble.
In another post in this thread, it was revealed that the consultant
availed himself of data on 500 clients. That seems like a lot more than
what's required to make the point.
So here's another analogy. If I found that Commodores had a faulty fuel
system that made them liable to catch fire, and then to prove it, I
arranged for one to actually catch fire, then I guess I might face arson
charges, regardless of the merits of the safety point I was trying to make.
And if I set fire to 500 cars for dramatic effect ...
Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy. Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.
On 19/10/2011 12:35 PM, Karl Auer wrote:
> On Wed, 2011-10-19 at 09:43 +1100, Stephen Wilson wrote:
>> Yet the technicality remains: if you circumvent a
>> security system, you may be in trouble.
> If I push open an unlocked door, have I "circumvented security" just
> because the door had a lock?
> What if I push the door to see if it is locked? And surely it also makes
> a difference depending on what I do once I am through the door?
> That's why this is not black and white. Circumvention must (almost by
> definition) have both an element of intent on the part of the
> circumventer, and an element of notice given by the circumventee. For
> example, if the door has a large sign on it saying "private property
> keep out" and I go through it, even if it is unlocked, the situation is
> different to me going through some random unmarked door.
> If security software is supposed to do X, Y and Z, but actually does
> only X and Y, then the situation could be seen as analogous to having
> three doors, only two of which are locked. Is it bad to stroll through
> the unlocked door?
> Or to take a similar but different analogy, if I have a big bunch of
> keys, and I try them all in a lock, and one of them unlocks the door, I
> have not "defeated" the lock, I opened it in the standard manner. What
> if the lock is old and worn, and one of my keys works, even though it's
> not actually the "right" key? What if I use a skeleton key? There are
> many shades of grey even with a physical door, and many more when it
> comes to computer security.
> So I really think that intent and awareness are important.
> Regards, K.