[ISN] Let the Web Server Beware

From: mea culpa <jericho_at_dimensional.com>
Date: Fri 25 Dec 1998 - 11:26:08 CST
Forwarded From: 7Pillars Partners <partners@sirius.infonex.com>

http://www.wired.com/news/news/politics/story/17024.html
Let the Web Server Beware
by Christopher Jones 
2:00 p.m. 23.Dec.98.PST

In a decision that sets a precedent in the realm of hacking, the Norwegian
supreme court ruled Tuesday that probing computer networks linked to the
Internet is not illegal.

The University of Oslo charged a private security-software company, Norman
Data Defense Systems, with attempted break-ins and disruptions on machines
linked to its computer network. Norman Data conducted the network probes
in 1995 on behalf of a Norwegian public news network, which was filming a
program about the Internet and wanted to demonstrate the inner workings of
open systems and the pitfalls therein.

"The essence of [the ruling] is that if you want to join the Internet, you
have to assure that you're protected," said Gunnel Wullstein, president
and CEO of Norman Data Security. "If you don't want to be visited, close
your ports."

The case also illustrates the fine line between hackers and crackers. The
former describes those who merely want to explore computer systems, while
the latter refers to intruders with malicious intent. They exploit
networks using specialized tools and tricks of the trade, including
unauthorized access operations. 

During the experiment, the company's engineers used finger commands to
find out which users were logged on to the university's machines and
information related to their session. They used telnet - a remote login
command - to verify email addresses on the university's mail port. They
also ran scans to see if any ports were open.

The University of Oslo could not be contacted in time for this story.

One of the engineers involved in the experiment, who asked not to be
identified, stressed that all of these operations are based on open
protocols and were not designed to break into systems. Rather, the test
was done to show what information is freely available from machines hooked
to the Internet.  During the experiment, he said, no user IDs or other
such information was retrieved.

"We wanted to help [the news service] tell the world that when you surf you
leave your IP address all over the place, especially if you use the same
machine," said the engineer. "This information can be used to find out
quite a bit about you."

Hackers and crackers will often use commercial port-scanning tools, or war
dialers, as a way to identify easy entries into computer networks. Norman
Data said it only ran limited port scans and found no open ports during the
experiment.

"I would say that it's not hacking [to show] if you go on the Internet,
you expose yourself," said Wullstein. "It is up to you to decide which
part you want to be exposed and which you do not." 

When an Oslo court first ruled in the case, it found the company guilty of
an attempted break-in on a computer network and misuse of other people's
machine resources, causing inconvenience. Both charges carried a steep
fine, and the company was also ordered to pay for repairs to the
university's network. After Norman appealed the decision, a district court
overturned the more serious break-in charge, but upheld the misuse charge.

In Tuesday's supreme court decision, however, the engineer and the company
were cleared on both charges.

"This is very principal, the first time the [supreme] court has taken a
standpoint in a case like this," said Frode Pedersen, news editor at
Aftenposten, a daily newspaper in Oslo. "The high court said that if you
have a service on the Internet not directly protected, you have to stand
for people searching for security holes." 


-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]
Received on Sat Dec 26 12:38:19 1998