[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [dvd-discuss] Hang the RIAA in their own noose.
- To: dvd-discuss(at)cyber.law.harvard.edu
- Subject: RE: [dvd-discuss] Hang the RIAA in their own noose.
- From: Michael.A.Rolenz(at)aero.org
- Date: Fri, 19 Oct 2001 09:34:34 -0700
- Reply-To: dvd-discuss(at)cyber.law.harvard.edu
- Sender: owner-dvd-discuss(at)cyber.law.harvard.edu
I hate to use the lock analogy but a buffer overflow attack is analogous
to opening a lock that you know is not yours with a lockpick. Furthermore,
it shows intent. Somebody is spending a lot of time to do something.
One problem here is what constitutes a 'publically accessable" machine.
This is a pretty gray area. Clearly Putting a server on the internet
without any protections constitutess a publically accessable machine.
Putting one on with a password is less publically accessable but we all
know the dangers of passwords for authentication. (a distinction needs to
be made here. Passwords are such a week authentication scheme that they
truly are only a form of access control. Furthermore, what's to stop
people from just giving out passwords NOTHING. )
On the other extreme. Putting up a firewall is analogous to putting up a
do not trespass sign and a fence. At what point do you tell someone "look.
just because the fence was only 10 foot tall and you had a 12 foot pole
for vaulting isn't a defense against trespassing."
Jeme A Brelin <jeme@brelin.net>
Sent by: owner-dvd-discuss@eon.law.harvard.edu
10/18/01 11:46 AM
Please respond to dvd-discuss
To: Openlaw DMCA Forum <dvd-discuss@eon.law.harvard.edu>
cc:
Subject: RE: [dvd-discuss] Hang the RIAA in their own noose.
On Thu, 18 Oct 2001, Ballowe, Charles wrote:
> What is considered granting access? Does the fact that the machine
> allows me to access the content mean that I was granted access to that
> content? My personal thought is that the machine grants access based
> on the policies that it is aware of. If those policies don't match the
> intent of the operator, then it wouldn't be the "intruder" who is at
> fault for accessing information not intended for them.
And a computer doesn't know when it's being exploited.
If you overflow some buffer and get some arbitrary code to execute, you've
gained access. Running a service that allows for buffer overflow is, in
essence, just like an open port. Do you really think it matters how much
knowledge is required to turn the doorknob?
Personally, I think private information shouldn't be kept on publicly
accessible machines. And that's the end of that story. If you think you
can build a perfectly secure box, go for it. But don't go crying to me
when someone gets hold of your data without your permission.
It is, in my view, exactly like CSS.
Now, using a stolen passphrase is forgery or ... whatever they call that
crime wherein one uses another's (or a false) identity for personal gain.
J.
--
-----------------
Jeme A Brelin
jeme@brelin.net
-----------------
[cc] counter-copyright
http://www.openlaw.org