I was researching the recent case of the suicide of Aaron Swartz, the information activist, computer hacker and co-founder of Reddit, and started reading some of the legal documents on the federal computer crime law, 18 USC 1030, which is about intentional access to a computer without authorization. The same day, I mistakenly attempted to log into my work domain and mistyped my username. Because of this typo, the password failed to work. To my surprise, the computer displayed a “Welcome” message. I thought, wow, here is my computer telling me I am welcome on my system by default even though I have failed to authenticate and log in properly.
To say the least, it got me thinking, and I did further research on what is considered “No Trespassing”. I also researched the effect of the welcome banner on authorized computer entry.
I could find no case where a defendant successfully used welcome messages or improper banners as a defense against criminal charges. What I did find were warnings by judges that improper or missing banners could leave an institution unable to prosecute a “hacker”. I would have preferred to see an actual case, oh well!
In the Aaron Swartz case, did the administrators of the systems provide the proper notice of the limits of use of the system? I also wonder if the banners were properly displayed on the ports used to access the system. Lastly, did the system properly prohibit the scraping of data from the system? The laws on this subject are clear: all ports must be identified with proper banners.
I find it shocking that the Windows default of no banner and a welcome message provides unfettered access to the system under the terms of the laws that I researched. I think the same situation applies to Cisco routing and switching equipment. I haven’t even considered home wireless devices yet.
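As an added illustration (not part of the original post), the following Python sketch audits a Cisco IOS-style configuration for the banner problems described above: no login banner at all, or banner text that reads as an invitation. It assumes the `banner <type> <delimiter>...<delimiter>` layout as rendered by `show running-config`; the word lists, function names and sample configurations are constructed for the example.

```python
import re

# Words that read as an invitation rather than a restriction (assumed list).
INVITING = re.compile(r"\b(welcome|hello|greetings)\b", re.I)
# Terms a restrictive notice is expected to contain (assumed minimum).
REQUIRED = ("authorized", "monitor")

def extract_banners(config: str) -> dict:
    """Return {banner_type: text} for 'banner <type> <delim>...<delim>' blocks."""
    banners = {}
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"^banner\s+(\S+)\s+(\S.*)$", lines[i])
        if not m:
            i += 1
            continue
        kind, rest = m.group(1), m.group(2)
        # 'show running-config' renders the delimiter as the two characters ^C;
        # otherwise the delimiter is the single first character after the type.
        delim = "^C" if rest.startswith("^C") else rest[:1]
        body = rest[len(delim):]
        # Banner text may span several lines until the delimiter reappears.
        while delim not in body and i + 1 < len(lines):
            i += 1
            body += "\n" + lines[i]
        banners[kind] = body.split(delim, 1)[0].strip()
        i += 1
    return banners

def audit(config: str) -> list:
    """List findings: missing login banner, inviting wording, missing terms."""
    findings = []
    banners = extract_banners(config)
    if "login" not in banners:
        findings.append("no 'banner login' configured")
    for kind, text in sorted(banners.items()):
        if INVITING.search(text):
            findings.append(f"banner {kind}: inviting wording")
        missing = [t for t in REQUIRED if t not in text.lower()]
        if missing:
            findings.append(f"banner {kind}: lacks {', '.join(missing)}")
    return findings

# Constructed sample configurations (not from any real device).
WEAK = "hostname sw1\nbanner motd ^CWelcome to sw1!^C\nline vty 0 4\n"
GOOD = ("hostname sw1\nbanner login ^C\nAuthorized users only.\n"
        "Activity is monitored and recorded.\n^C\nline vty 0 4\n")

if __name__ == "__main__":
    print(audit(WEAK))
    print(audit(GOOD))
```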
Is it time that operating system vendors be required to provide administrators of the systems with configuration wizards that would help prevent these loopholes from being available in systems? Should the laws be federalized and standardized across all states and shouldn’t the reach of the laws be such that they encompass any system owned by any US entity independent of the country where it is deployed?
In the modern computer virtualization era, these systems can be dynamically redeployed in different states and countries with the “click of the mouse”.
Bypassing system password security has never been easier. Simple techniques for resetting Windows system/domain passwords can be executed within 10 minutes using standard installation CDs for Windows Server/Desktop. Encryption has never been more important than it is with virtualized systems, but few companies use encryption to protect the operating system and Active Directory installs, not to mention the protection of private data. Even commercial disk encryption products have had their encryption schemes cracked as of late.
Simply shutting down a virtualized Active Directory controller and booting from a Windows CD would allow one to reset the domain admin password. Access to VMware Virtual Center (or another virtualization management interface) through some minor security flaw, like a desktop screen saver not enabling soon enough, would effectively allow one to totally avoid all warning messages about authorized access! This seems to be an even bigger security hole than the content of the banner!
Should we start posting warning messages about proper system use on the front doors of businesses like the warning messages one sees about businesses being monitored by closed circuit T.V.?
The relevant sections of the law that I could find are listed below as links to the locations where I found them: