Supreme Court decision from Norway

Date: 1/4/99 7:42:15 AM Pacific Standard Time
From: (Stein Schjolberg)

I forward you information of a Supreme Court decision from Norway. The Norwegian Supreme Court has in a decision of December 15, 1998, ruled on an Internet criminal case. You will find link to the decision in Norway at a site for International Supreme Court decisions

The Council of Europe adopted on September 13, 1989 a minimum list of offences necessary for a uniform criminal policy on legislation concerning computer-related crime. The list was based on the OECD Guidelines from 1986. The recommendation from the Council of Europe on unauthorized access reads as follows: "The access without right to a computer system or network by infringing security measures". The Norwegian Penal Code was amended in 1987 and unauthorized access to data or information was made a criminal offence. § 145 was based on the principles from OECD, and reads as follows: ".... any person who by breaking a protective device or in a similar manner, unlawfully obtains access to data or programs which are stored or transferred by electronic or other technical means". You will find the Recommendation from the Council of Europe and the Norwegian Penal Code § 145 in fulltext at a site for the Legal Framework - Unauthorized Access to Computer Systems, Penal Legislation in 37 countries.

The Norwegian Supreme Court decision is an interpretation of "breaking a protective device or in a similar manner", and discusses the difference between legal activities and attempted criminal offence. The case involved an employee in a Norwegian software security company, and his activities through the Internet against computers at the University of Oslo. At the time of his activities the Universitys server was a computer named INFO with an IP address He tried 10 and 12 in the last digits, and found two other computers, ERNST and HERMOD. By using "finger" commands against HERMOD, he found another computer, VIRAK and the only user "OEA". He then gave a "telnet" command against VIRAK. He did not try any user name or password , but tried to log on as "guest" and was not allowed access. He tried also to log on as "anonymous", but once again was not allowed access. He contacted the "sendmail" program on VIRAK, and gave the command "vrfy OEA". He got information on which version of the sendmail program that was available on VIRAK. These activities lasted from 0957am to 1011am.

After an hour and twenty minutes he ran a "portscan" program against INFO, ERNST and HERMOD. It lasted from 1132am to 1135am. Through the portscanning the computers confirmed the following services: finger, ftp, telnet, rlogin, rsh, and pop. He explained in the Appeal Court that this information was not logged on the program.

In the District Court he and the Company was found guilty of attempted unauthorized access and misuse of anothers computers. In the Appeal Court both was acquitted of the attempted unauthorized access, but found guilty of the misuse. In the Supreme Court they were acquitted on all charges. The Supreme Court held that none of the programs he ran against the Universitys computers could have been considered as attempting to be breaking a protective device or in a similar manner, unlawfully obtained access to data or programs. Neither "guest" or "anonymous" or the "portscan" program could have given such access. If he had used VIRAK successfully as "guest" he would either have been welcomed as guest, or the University had neglected to install basic protective devices. In addition he did not do any activities to further access information in the Universitys computers. He was also acquitted of the charges of misuse of the computers. INFO,ERNST and HERMOD was logged on the Internet and it was not illegal to visit these sites. In doing so the University had accepted anyone to inquire what kind of information the computers could offer. When the computers responded it was not illegal use. The Court held that the purpose of his activities was a disclosure of the lack of security measures, and not obtaining services from the Universitys computers.

If you find this interesting, you are welcomed to forward it to anyone interested in the decision.

Yahoo! News
Technology Headlines

Thursday December 24 12:40 PM ET

European court clears way for hackers

By Christopher Jones

SAN FRANCISCO (Wired) - In a decision that sets a precedent in the realm of hacking, the Norwegian supreme court ruled last week that probing computer networks linked to the Internet is not illegal.

The University of Oslo charged a private security-software company, Norman Data Defense Systems, with attempted break-ins and disruptions on machines linked to its computer network. Norman Data conducted the network probes in 1995 on behalf of a Norwegian public news network, which was filming a program about the Internet and wanted to demonstrate the inner workings of open systems and the pitfalls therein.

"The essence of the ruling is that if you want to join the Internet, you have to assure that you're protected," said Gunnel Wullstein, president and CEO of Norman Data Security. "If you don't want to be visited, close your ports."

The case also illustrates the fine line between hackers and crackers. The former describes those who merely want to explore computer systems, while the latter refers to intruders with malicious intent. They exploit networks using specialized tools and tricks of the trade, including unauthorized access operations.

During the experiment, the company's engineers used finger commands to find out which users were logged on to the university's machines and information related to their session. They used telnet - a remote login command - to verify email addresses on the university's mail port. They also ran scans to see if any ports were open.

The University of Oslo could not be contacted in time for this story.

One of the engineers involved in the experiment, who asked not to be identified, stressed that all of these operations are based on open protocols and were not designed to break into systems. Rather, the test was done to show what information is freely available from machines hooked to the Internet. During the experiment, he said, no user IDs or other such information was retrieved.

"We wanted to help the news service tell the world that when you surf you leave your IP address all over the place, especially if you use the same machine," said the engineer. "This information can be used to find out quite a bit about you."

Hackers and crackers will often use commercial port-scanning tools, or war dialers, as a way to identify easy entries into computer networks. Norman Data said it only limited port scans and found no open ports during the experiment.

"I would say that it's not hacking to show if you go on the Internet, you expose yourself," said Wullstein. "It is up to you to decide which part you want to be exposed and which you do not."

When an Oslo court first ruled in the case, it found the company guilty of an attempted break-in on a computer network and misuse of other people's machine resources, causing inconvenience. Both charges carried a steep fine, and the company was also ordered to pay for repairs to the university's network. After Norman appealed the decision, a district court overturned the more serious break-in charge, but upheld the misuse charge.

In Tuesday's supreme court decision, however, the engineer and the company were cleared on both charges.

"This is very principal, the first time the supreme court has taken a standpoint in a case like this," said Frode Pedersen, news editor at Aftenposten, a daily newspaper in Oslo. "The high court said that if you have a service on the Internet not directly protected, you have to stand for people searching for security holes."

Last updated 99/02/10