>> aren't you still causing your computer to access a program on the target machine<<
The problems come with the whole authorised/unauthorised concept as well as the concept of what constitutes a connection.
If you don't connect how can you read the message that says access is unauthorised, if indeed there is such a message!
What makes an "anonymous" port 80 access to a web server to read a web page "authorised" and a connection to a similarly open port 139 still "anonymously" unauthorised, except that you can assume that port 139 has been left open by an inexperienced admin, or has it, how can someone know?
I won't put up the exact syntax here, but using the advanced features of search engines it's possible to do some very specific searches on Google. These searches can find .mdb files, .xls files, .doc files and many more permutations. Now, is accessing these files authorised or unauthorised, since they are indexed by the search engines and quite clearly being "advertised" by the owners? The same goes for people who store copies of credit card transactions on their servers and then let the spiders from Google, Altavista, et al index them.
What has obviously happened is that they are sitting on a folder that is accessible from a web server and the server administrator doesn't have a robots.txt excluding these from being indexed, so they can be downloaded by anyone. While checking out this latest method of access used by many hackers I found some shocking exposures such as a hospital displaying all their post-mortems done on children since 1988!!! Shocking irresponsibility on the part of administrators.
There is absolutely no point in having genuine users authenticated on a web server from an Access database if you then put that database on a public folder with Internet access and then, just to compound this, you fail to exclude that database from being spidered, thus exposing the data to anyone who cares to look!
So where is the line between authorised/unauthorised? Who is doing the authorising? Is a prosecution even possible if you don't have a warning that is issued every time someone connects to your PC defining what is authorised access and what is unauthorised?
In theory every web site owner is committing an offence when their web server connects to your PC to send the data you requested, since they didn't specifically ask your permission to send the data. Strictly speaking, your request for information didn't give them explicit permission to connect back to you. To be fully legal the web server should warn that sending the data requires a connection to your machine and ask for your permission.
Furthermore, are cookies strictly speaking legal, since they could constitute a section 3 offence by modifying files or creating files on your PC if you didn't specifically authorise them? What about spyware?
The big problem is the CMA became law in 1990 and the Internet was almost non-existent then. It does need an update with clearer definitions! Unfortunately, we will continue to see low levels of prosecution and conviction until this Act is updated.
Regards
Emeric
http://www.uksecurityonline.com