Legal question

EA117
Registered User
Posts: 2158
Joined: Wed Aug 15, 2018 3:23 am

Re: Legal question

Post by EA117 »

Curious Artichoke wrote: Sun Jan 06, 2019 2:54 pm Not that anyone is going to waste time and money to pursue it but.... is it a crime for random member X to use an admin password they found/was given thru the grapevine to log in as an admin and fiddle around? Half the group says that case is a hacking, the other half says no that's just our tough luck.
No idea what the legal definition would actually be in a given jurisdiction, but without other facts I agree that just sounds like "poor security" or "poor password management" on the part of the person who let it get out, intentionally or otherwise. And not some kind of "active hacking attempt" when the unwanted person(s) were essentially provided with a username and password to login with. I would expect there would need to be some kind of active attempt to "trick" or social engineer the login credentials out of someone for it to have been viewed as "they maliciously obtained the login credentials." Rather than "here's my login info" having been volunteered or mismanaged.

I presume that's why many companies' security auditors require that logging into a system requires a preamble written by the lawyers of "access to this system is restricted to authorized persons only, blah, blah" before being able to login, even to just your local machine and/or network. Such that if you're not supposed to be there, you couldn't reach the login prompt without having been advised that you're not authorized to login. Even if you technically "can" login because you lifted up someone's keyboard and found their password Post-It or whatever.
Toxyy
Registered User
Posts: 942
Joined: Mon Oct 24, 2016 3:22 pm
Location: Namek

Re: Legal question

Post by Toxyy »

EA117 wrote: Sun Jan 06, 2019 11:09 pm because you lifted up someone's keyboard and found their password Post-It or whatever.
I dislike this so much :(
AmigoJack
Registered User
Posts: 6108
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Legal question

Post by AmigoJack »

Curious Artichoke wrote: Sat Jan 05, 2019 4:21 am grant admin status
That alone does not exist. Making a user a member of the "Administrators" group will give him all the permissions set for that group, which doesn't automatically imply all administrator permissions. Assigning just one administrator permission to a user gives him access to the ACP and its modules where he then is allowed to have access to, and it also makes him appear in the team list.

Curious Artichoke wrote: Sat Jan 05, 2019 4:21 am We chased their socks around for a long time before we got rid of them all
In the ACP you can browse the log for this, so tracing back actions of individual users, moderators and administrators should help you (unless an administrator deleted log entries on purpose, which is also logged).
Curious Artichoke wrote: Sun Jan 06, 2019 12:26 am anything actually illegal
Legality is bound to nationality - you'd first have to find out which national laws apply to him at all (his person and the server's location).

Curious Artichoke wrote: Sun Jan 06, 2019 12:26 am Is it illegal for the admin to do as they please with that authority?
No. How many authorities (officers, teachers, street workers, conductors, guards, mail carriers...) do you meet during your average day who do as they please? Most people I've met cannot distinguish between their own authority and their person, let alone know what authority means (in contrast to power). So did he really have authority or just power?

Curious Artichoke wrote: Sun Jan 06, 2019 12:26 am since the admin in question was set to founder, he had the right to do anything he wanted
Not automatically. Founders have the permission to alter permission assignments - thru this they can give themselves all permissions.

Curious Artichoke wrote: Sun Jan 06, 2019 12:26 am what he and the other admin he made did was hacking and they committed a crime
That would mean the gained access was without consent, but the start of your story sounds differently. Such an understanding of hacking would be ridiculous, but then again there are ridiculous laws, too.

Curious Artichoke wrote: Sun Jan 06, 2019 2:54 pm some random member who got their hands on a login/password for an admin/founder account) and uses it to get in and change settings etc... is that a crime?
See above: laws differ from nation to nation. Anyone nowadays gaining login credentials should be awarded, as they reveal how irresponsible the owner (website or person) was.

Curious Artichoke wrote: Sun Jan 06, 2019 2:54 pm an admin password
Such a thing does not exist - you can rarely tell from just looking at login credentials if they're related to administrative actions or not.

Curious Artichoke wrote: Sun Jan 06, 2019 2:54 pm if we let a loose active password float around, that's our fault for not locking the doors
Exactly. Nowadays it's easy to maintain passwords and credentials being stored securely, i.e. thru KeePass.
warmweer
Jr. Extension Validator
Posts: 11233
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium

Re: Legal question

Post by warmweer »

AmigoJack wrote: Mon Jan 07, 2019 9:48 am
Curious Artichoke wrote: Sun Jan 06, 2019 2:54 pm some random member who got their hands on a login/password for an admin/founder account) and uses it to get in and change settings etc... is that a crime?
See above: laws differ from nation to nation. Anyone nowadays gaining login credentials should be awarded, as they reveal how irresponsible the owner (website or person) was.
You say (explicitly): should be awarded.
I'd agree if that person acted accordingly (meaning with good intentions, however unclear this may sound).
But if that person made unauthorised use of that accidentally gained knowledge/power, it remains illegal.
In this case, permissions were granted and if there is no "contract" stating explicitly what is allowed (when, in which circumstances, etc.. the typical legal stuff including the explicit statement that whatever is not mentioned, is automatically not permitted or something like that but then legally watertight), then there is no case whatsoever. I would even go further: if there is no proper contract, the board owner is also responsible for actions resulting from permissions granted (caveat: as you mentioned: legislation differs from country to country).

Unfortunately (from what I have seen on many boards), the permission system isn't understood by many a board owner and permissions are granted without consideration of the implications. (This doesn't imply that I know and understand the permissions system through and through, but I'm working on it )
AmigoJack
Registered User
Posts: 6108
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Legal question

Post by AmigoJack »

warmweer wrote: Mon Jan 07, 2019 10:41 am if that person made unauthorised use of that accidentally gained knowledge/power
A login is an authorization already. It's neither always clear if I'm "allowed" to use credentials that I have, nor what is "allowed" after authorization. Why should it be my problem if the software does not verify to that extent we're talking about? Login credentials could be as easy as test:test and one could still argue "but (please) don't change permissions".

One could argue I tricked someone into getting his credentials (keylogger, trojan, capturing network traffic, social hacking...), but then it was on purpose, not by chance - another aspect to look at things. One could also argue that authorization based on login credentials alone is just not enough, but then again this can be easily limited by regularly changing passwords, so potentially leaked ones get outdated.
warmweer
Jr. Extension Validator
Posts: 11233
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium

Re: Legal question

Post by warmweer »

AmigoJack wrote: Mon Jan 07, 2019 11:26 am A login is an authorization already. It's neither always clear if I'm "allowed" to use credentials that I have, nor what is "allowed" after authorization.
A login given to someone is an authorisation to log in, and in legal terms (depending on which legislation, but let's not get into that) it authorises to login only, nothing more. Authorisation to use the permissions associated with the login is not necessarily automatic and could be subject to agreements, either formal or informal. The devil's advocate could have some fun with this (certainly if there is no record of agreement).
For the record, AFAIAC permissions associated with the login, are given when the account credentials are given and it wouldn't surprise me that cases like these would probably be dismissed (is common sense a valid argument?).
AmigoJack
Registered User
Posts: 6108
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: Legal question

Post by AmigoJack »

warmweer wrote: Mon Jan 07, 2019 12:07 pm A login
...
the login
I distinguish the terms this way:
  • login = the process of entering credentials (almost always a password and mostly also a username) which are then checked
  • (login) credentials = whatever is needed for trying to log in
  • authorization = granting/permitting, as in allowing to proceed
  • permissions = what an account is allowed to do, based on granted and denied settings
  • account = permissions and other details bound to credentials
It's as with "email" versus "email address", and I sense you also synonymize "login" with "account". I wanted to tell that the login (process) is already the place where authorization takes place - where else when not there?
warmweer
Jr. Extension Validator
Posts: 11233
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium

Re: Legal question

Post by warmweer »

AmigoJack wrote: Mon Jan 07, 2019 12:33 pm
warmweer wrote: Mon Jan 07, 2019 12:07 pm A login
...
the login
I distinguish the terms this way:
  • login = the process of entering credentials (almost always a password and mostly also a username) which are then checked
  • (login) credentials = whatever is needed for trying to log in
  • authorization = granting/permitting, as in allowing to proceed
  • permissions = what an account is allowed to do, based on granted and denied settings
  • account = permissions and other details bound to credentials
It's as with "email" versus "email address", and I sense you also synonymize "login" with "account". I wanted to tell that the login (process) is already the place where authorization takes place - where else when not there?
See:
warmweer wrote: Mon Jan 07, 2019 12:07 pm (depending on which legislation, but let's not get into that)
As I said, let's not get into that. Perhaps I used the word "login" (noun) where I should have used "log in" (or "log on") (verb) but you understood what I meant. If this were a legal forum I could weigh my words and define each (although legislative and linguistic definitions don't always coincide), but I'd probably find it too tedious and move on.
Curious Artichoke
Registered User
Posts: 1
Joined: Sat Jan 05, 2019 3:56 am

Re: Legal question

Post by Curious Artichoke »

I should add that we found only the admin log entry "xyz deleted the log" and an IP# from outside the US. All our members are (supposedly) from the US. I assume they were using a web proxy or Tor.

That is the only trace in the admin/user/mod logs that is out of the ordinary other than the unbanned members and sock puppet accounts added to the admin group.

I am going to assume, any possible legal action would require some kind of traceable proof from a log that.... someone deleted all the entries from.
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: Legal question

Post by david63 »

Curious Artichoke wrote: Mon Jan 07, 2019 2:16 pm I am going to assume, any possible legal action would require some kind of traceable proof from a log that.... someone deleted all the entries from.
There is always a possibility that there could be a database backup containing the log entries that was made after the changes were made but before the log entries were deleted - but that is probably a slim hope!

I think the answer is - it has happened, learn from it and move on.
Curious Artichoke
Registered User
Posts: 1
Joined: Sat Jan 05, 2019 3:56 am

Re: Legal question

Post by Curious Artichoke »

If they deleted the log as soon as they made the changes I doubt that a backup happened.

We learned a lot about phpBB real fast, that's for sure.
stevemaury
Support Team Member
Posts: 52768
Joined: Thu Nov 02, 2006 12:21 am
Location: The U.P.
Name: Steve

Re: Legal question

Post by stevemaury »

The amazing thing about this post is not that so many of the repliers are lawyers, but that they are apparently conversant with the law in ALL the thousands of jurisdictions which might be applicable to the OP's question.

But I'll try a simple question. What would be the damages in dollars, rupees, euros, zlotys or whatever?
I can stop all your spam. I can upgrade or update your Board. PM or email me. (Paid support)
warmweer
Jr. Extension Validator
Posts: 11233
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium

Re: Legal question

Post by warmweer »

stevemaury wrote: Mon Jan 07, 2019 6:19 pm What would be the damages in dollars, rupees, euros, zlotys or whatever?
I'm not sure about the dollars, rupees, euros or zlotys but according to my lawyer's calculation it would amount to at least hundreds of whatever's. D. Trump however, the expert in these matters, thinks it may be more, perhaps less, maybe .. who knows? :mrgreen:
Lumpy Burgertushie
Registered User
Posts: 69223
Joined: Mon May 02, 2005 3:11 am

Re: Legal question

Post by Lumpy Burgertushie »

I guess the bottom line is that if you have questions about the legality of something you should ask a lawyer, not post in a phpBB support forum.
Or, first find out who did it and then take them to court. You will find out real quick whether you have a case or not.


robert
Curious Artichoke
Registered User
Posts: 1
Joined: Sat Jan 05, 2019 3:56 am

Re: Legal question

Post by Curious Artichoke »

Well we didn't know if it was a common thing to pursue or not. There are no log tracks so our proof is pretty much not there. It's a learning experience.

When you delete the logs in the admin panel, are they gone in the file system everywhere or does the phpBB software have some redundant copy somewhere?