
RE: [dvd-discuss] Hang the RIAA in their own noose.

I hate to use the lock analogy, but a buffer overflow attack is analogous 
to opening a lock that you know is not yours with a lockpick. Furthermore, 
it shows intent. Somebody is spending a lot of time to do something.

One problem here is what constitutes a "publicly accessible" machine. 
This is a pretty gray area. Clearly, putting a server on the internet 
without any protections constitutes a publicly accessible machine. 
Putting one on with a password is less publicly accessible, but we all 
know the dangers of passwords for authentication. (A distinction needs to 
be made here. Passwords are such a weak authentication scheme that they 
truly are only a form of access control. Furthermore, what's to stop 
people from just giving out passwords? NOTHING.)

On the other extreme, putting up a firewall is analogous to putting up a 
do not trespass sign and a fence. At what point do you tell someone, "Look, 
just because the fence was only 10 feet tall and you had a 12-foot pole 
for vaulting isn't a defense against trespassing"?


Jeme A Brelin <jeme@brelin.net>
Sent by: owner-dvd-discuss@eon.law.harvard.edu
10/18/01 11:46 AM
Please respond to dvd-discuss

        To:     Openlaw DMCA Forum <dvd-discuss@eon.law.harvard.edu>
        cc: 
        Subject:        RE: [dvd-discuss] Hang the RIAA in their own noose.


On Thu, 18 Oct 2001, Ballowe, Charles wrote:
> What is considered granting access? Does the fact that the machine
> allows me to access the content mean that I was granted access to that
> content? My personal thought is that the machine grants access based
> on the policies that it is aware of. If those policies don't match the
> intent of the operator, then it wouldn't be the "intruder" who is at
> fault for accessing information not intended for them.

And a computer doesn't know when it's being exploited.

If you overflow some buffer and get some arbitrary code to execute, you've
gained access.  Running a service that allows for buffer overflow is, in
essence, just like an open port.  Do you really think it matters how much
knowledge is required to turn the doorknob?

Personally, I think private information shouldn't be kept on publicly
accessible machines.  And that's the end of that story.  If you think you
can build a perfectly secure box, go for it.  But don't go crying to me
when someone gets hold of your data without your permission.

It is, in my view, exactly like CSS.

Now, using a stolen passphrase is forgery or ... whatever they call that
crime wherein one uses another's (or a false) identity for personal gain.

J.
-- 
   -----------------
     Jeme A Brelin
    jeme@brelin.net
   -----------------
 [cc] counter-copyright
 http://www.openlaw.org