Published and presented at the 19th National Information Systems Security Conference, Baltimore, MD, October 22-25, 1996 

             Legal Aspects of Ice-Pick Testing 

                  Dr. Bruce C. Gabrielson, NCE 
                      Kaman Sciences Corp. 
                          Alexandria, VA 

              in Association with Naval Research Laboratory 
                    Contract No: M00014-93-C-2033 

Abstract 

The Ice-Pick package is a window-driven program that provides a multi-layered
approach to network testing. The automated tool is used to identify frequently
exploited security problems present on well-known UNIX-based operating systems.
Information provided by testing is used to determine what protective mechanisms
need to be implemented by network administrators. 

The paper deals with two issues of primary concern: the user's legal basis for
performing vulnerability identification testing, and the consequences of unauthorized
use or release of the software itself. It is essential for self-protection that the
tester understands what he or she can legally do with a tool such as Ice-Pick. The
issue of trust can also affect users. Trusting each user to protect Ice-Pick against
unauthorized release is essential for absolute control of the technology involved. 

The structure of this document allows traceability from top level law through
applicable Navy regulation. The most important points are the understanding of what
monitoring involves, and knowing what the Ice-Pick test tool can be used for. The
use of other penetration type testing tools, such as SATAN, will not be discussed,
nor will the regulatory requirements of non-Navy organizations. However, the
discussion can be applied to using similar test tools in other organizations. 

Introduction 

This paper discusses the legal basis for performing Ice-Pick testing in the Navy, and
the consequences of unauthorized use or release of the software itself. It is essential
for self-protection that the tester understands what he or she can and cannot do with
the tool. Providing the information background for the tester to evaluate test
activities is one means of accomplishing effective conditioning. Therefore, the legal
basis supporting testing, and accountability when using the tool, will be derived first. 

Trusting the user is another issue. Although trust of each user against the
unauthorized release of Ice-Pick is assumed, its distribution must be absolutely
controlled. Therefore, a discussion of the repercussions of improper release,
particularly to the user, will enhance the user's awareness of the problem, as well as
provide the legal basis for prosecution should the software find its way into the
wrong hands. 

Background on Ice-Pick 

Ice-Pick is an unclassified automated tool that can be used for breaking into
networks. The Navy developed it to proactively attack its own networks for SST&E
purposes. Ice-Pick does what it is intended to do very well. The Ice-Pick user can
only test for vulnerabilities; private information cannot be accessed with the
Ice-Pick application running. 

Ice-Pick's software incorporates protection mechanisms to ensure only
pre-authorized use. The software can be directed to run only on one pre-designated
machine. However, these controls are directed at software operation, not at the
operator. Using the program requires a certain level of technical skill. The skills
required are security sensitive in nature, in that the individual using the program
could basically become an accomplished "hacker". 

....snip...

http://www.blackmagic.com/ses/bruceg/legal.html
