“No Trespassing Signs” and Hacking Crimes.

I was researching the recent case of the suicide of Aaron Swartz, the information activist, computer hacker and co-founder of Reddit, and started reading some of the legal documents on the Federal computer crime law, 18 USC 1030, which is about intentional access to a computer without authorization. The same day, I mistakenly attempted to log into my work domain and mistyped my username. Because of this typo, the password failed to work. To my surprise, the computer displayed a “Welcome” message. I thought, wow, here is my computer telling me I am welcome on my system by default even though I have failed to authenticate and log in properly.

To say the least, it got me thinking and I did further research on what is considered “No Trespassing”. I also researched the effect of the welcome banner on authorized computer entry.

I could find no case where a defendant successfully used welcome messages or improper banners as a defense against criminal charges. What I did find were warnings by judges that improper or missing banners could leave an institution unable to prosecute a “hacker”. I would have preferred to see an actual case, oh well!

I did find references to several cases where companies used scrapers to get large volumes of data from sites, such as a case where a company scraped data from an American Airlines site. The judge found that providing a link on a website that listed the terms of use was enough to give the defendant proper notice that scraping was a misuse of the system. Therefore, they could be prosecuted.

In the Aaron Swartz case, did the administrators of the systems provide the proper notice of the limits of use of the system? I also wonder if the banners were properly displayed on the ports used to access the system. Lastly, did the system properly prohibit the scraping of data from the system? The laws on this subject are clear: all ports must be identified with proper banners.

I find it shocking that the Windows default of no banner and a welcome message provides unfettered access to the system under the terms of the laws that I researched. I think the same situation applies to Cisco routing and switching equipment. I haven’t even considered home wireless devices yet.
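As an added example (not part of the original post), an administrator could audit saved Cisco IOS-style configurations for the banner problems described above: a missing login banner, or one that greets rather than gives notice. The word lists, function names and sample configurations are assumptions made for this illustration.

```python
import re

# Word lists are assumptions chosen for this example, not a legal standard.
INVITING = re.compile(r"\b(welcome|hello|greetings)\b", re.I)
NOTICE = re.compile(r"\b(authori[sz]ed|unauthori[sz]ed|prohibited|monitored)\b", re.I)
# IOS syntax: banner <type> <delim> text <delim>; saved configs show ^C as delim.
BANNER_START = re.compile(r"^banner\s+(login|motd|exec)\s+(\^C|\S)(.*)$")

def extract_banners(config_text):
    """Return {banner_type: text} from Cisco IOS-style configuration text."""
    banners, current, delim, buf = {}, None, None, []
    for line in config_text.splitlines():
        if current is None:
            m = BANNER_START.match(line.strip())
            if not m:
                continue
            current, delim, line, buf = m.group(1), m.group(2), m.group(3), []
        if delim in line:  # closing delimiter ends the banner
            buf.append(line.split(delim, 1)[0])
            banners[current] = "\n".join(buf).strip()
            current = None
        else:
            buf.append(line)
    return banners

def audit(config_text):
    """Flag a missing login banner, inviting wording, or absent notice wording."""
    banners = extract_banners(config_text)
    findings = [] if "login" in banners else ["no login banner configured"]
    for kind, text in sorted(banners.items()):
        if INVITING.search(text):
            findings.append(f"{kind} banner uses inviting wording")
        if not NOTICE.search(text):
            findings.append(f"{kind} banner has no authorization notice")
    return findings

# Constructed sample configurations, not taken from any real device.
WEAK = "hostname edge-sw1\nbanner motd # Welcome to edge-sw1 #\nline vty 0 4\n"
STRONG = ("hostname edge-sw1\nbanner login ^C\n"
          "Authorized users only. Activity on this system is monitored.\n^C\n")

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("STRONG", STRONG)):
        print(name, audit(cfg) or "ok")
```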

Is it time that operating system vendors be required to provide administrators of the systems with configuration wizards that would help prevent these loopholes from being available in systems? Should the laws be federalized and standardized across all states and shouldn’t the reach of the laws be such that they encompass any system owned by any US entity independent of the country where it is deployed?

In the modern computer virtualization era, these systems can be dynamically redeployed in different states and countries with the “click of the mouse”.

Bypassing system passwords for security has never been easier. Simple techniques for resetting Windows system/domain passwords can be executed within 10 minutes using standard installation CDs for Windows Server/Desktop. Encryption has never been more important than it is with virtualized systems, but few companies use encryption to protect the operating system and Active Directory installs, not to mention the protection of private data. Even the commercial disk encryption products have had their disk encryption schemes cracked as of late.

Simply shutting down a virtualized Active Directory controller and booting from a Windows CD would allow one to reset the domain admin password. If anyone had access to VMware Virtual Center (or another virtualization management interface) through some minor security flaw, like a desktop screen saver not enabling soon enough, it would effectively allow them to totally avoid all warning messages about authorized access! This seems to be an even bigger security hole than the content of the banner!

Should we start posting warning messages about proper system use on the front doors of businesses like the warning messages one sees about businesses being monitored by closed circuit T.V.?

The relevant sections of the law that I could find are listed below as links to the locations where I found them:

18 USC 1030 Fraud and Related Activity in Connection with Computers

Computer Crimes and the USA PATRIOT Act

Using BitLocker Without a Trusted Platform Module

Southwest Airlines Co. vs. FARECHASE, INC.

EF Cultural Travel BV v Zefer Corporation (Use of Website Scrapers)

Department of Justice Order 2640.2D Chapter 2 Section 20

Reset Windows Server 2008 R2 domain password/username

Group Policies and Legal Notices

Computer Safety Rules for Admins