Some DNS Requests Ruled Illegal in North Dakota

jgreco writes "A judge in North Dakota has just ruled that requesting a zone transfer from a public DNS server is criminal activity within the meaning of the North Dakota Computer Crimes Law. A zone transfer is a simple request that a DNS server hand over information in bulk, and a DNS server may be configured to allow or deny such requests. That the owner of a DNS server would configure the server to allow such requests, and then claim such requests were unauthorized, is simply stunning."

Turn computer crime laws upside down

[unlametheweak]

From TFA:

"The Court rejects the test for "authorization" articulated by defendant's expert, Lawrence Baldwin. To find all access "authorized" which is successful would essentially turn the computer crime laws of this country upside down."

One could only hope.

Public information?

[suso]

Asking a public internet server for public information that it is configured to provide upon demand?

This quote from the article is debatable and the reason why its not a good idea to allow zone transfers. A lot of times, information that you would rather not be public is in zone files. I've seen a some people put processor information in HINFO records. This is bad because there was a cryptographer in the 90s that discovered that its possible to determine random number generation sequences based on your processor model and frequency. So it wouldn't be good for that info to be public.

Its not a good idea to allow zone transfers. Although its useful when an ISP that you are transfering a zone from doesn't want to give you all the zone records.

Re:consequence of bad computer crime laws

[_Spirit]

I always think it rather silly to state that a judge declared something illegal. Yes I know that he interprets the law. But all the judge does is look at the law and the case. So all the judge has done is show that the law is stupid. The laws that make this illegal were already around. Don't blame the judge, blame the legislators and push to get the law changed!

Re:Unbelievable

[BoomerSooner]

This is typical of most judges I've encountered. They are too lazy to actually understand the information in front of them they are adjudicating. For example, getting divorced. 10k pages of discovery and the judge just flips through it. No understanding of accounting or much of anything else. It's like arguing to a 5th grader about law. 99% goes over their head if it's not criminal related. So beware if you're in any kind of trial where it's a technical field, or hell, even anything with discovery beyond what the court 'thinks' is relevant.

Re:Computer systems vs human systems

[cyxxon]

Well, yes, you are right with what you wrote, but you basically forget the IMO most important angle: "we techies" invented this shit so that it gets used the way we want it. "They" only hopped on, and actually built e.g. their websites in "our" realm. Then, all of a sudden, they realize that our realnm has some consequences that they didn't foresee (for failure to understand the concept, or most often just simply for failure to try to do so), and begin to sue and badmouth those that are leftovers from the original phase, or those that adhere to the original philosphy.

In this case (ignoring the fact that the defendant already had an injunction against him) the operators could probably have prevented their DNS server to serve this data (probably, as I am not an admin in this area). In other cases, such as deep linking, well, it is a little rougher, but they could for example not use frames, but good page layout, which automatically shows all their ads in the standard headers and such, or make stuff password protected, or use .htaccess to redirect requests that go straight for their meat back to the frontpage, just like many free image hosters do now for hotlinking. But no, they just decide to litigate...

Best. Ruling. EVER!

[InfinityWpi]

Why the hell aren't we celebrating this, people? Okay, for DNS, it sucks... but look at it this way...

It doesn't matter if you set up your system to 'automaticly' share the files you just downloaded... people who accessed them did so without authorization. It can't be considered 'sharing' if you didn't authorize people to download them from you... could this ruling be a tool agaisnt the MAFIAA?

Re:Unbelievable

[billcopc]

I don't think a judge should be expected to read through 10k pages of vindictive banter in order to decide how to split a marriage. I don't expect them to become an expert in the simple-yet-confusing DNS system either. The important facts should be presented in concise layman's terms.

"Sir, a zone transfer is when you type 'dig google.com axfr'. It is a standard feature of the DNS protocol and software suite. The only way it can be abused is if it is left unprotected by the network administrator, much the same as a house can be abused if you leave your doors and windows unlocked."

J:"I get it. Plaintiff, you're an idiot! Case dismissed."

The fact that these simple truths can be irreversibly concealed through the one-way hash known as legalese, is just evidence that the legal system is broken beyond repair. At least you can brute-force RSA :/

Re:Your example is wrong

[jgarra23]

Even if I did leave my doors and windows unlocked anyone that entered without my person would be doing so illegally and subject to my wrath.


Before I comment I'll say I completely agree with your statement and would probably shoot a trespasser.

The precedence in America has now been set that this is not the case. According to the RIAA by leaving my computer insecure and not changing the default share settings in Kazaa or eMule (or whatever) I am liable for sharing all the files that it detects even though people should know better than to download them.

You want to see something scary? Go to emule and type in "xls" or something.

Re:Unbelievable

[kionel]

Having setup one of the first three ISPs in Grand Forks, ND, in 1996, I have to say that this doesn't surprise me in the least.

(RANT ON}

North Dakota as a whole is a pretty xenophobic place. They don't like anything new or unusual up therem and they're none too fond of outsiders and anyone who challenges the status quo. (I quickly grew tired of the phrases "'Da colt keeps da riff-raff out!" and "If ya don't like it you cen leaf!") Add in technology -- particularly the kind that the powers-that-be don't understand -- into the mix and they become outright hostile.

(RANT OFF)

In my case I left the business, finished my degree, and got my family the hell out of there. It was the best move I ever made. Reading this just reinforces that point.

For all the right reasons?

[Anonymous Coward]

First off, I have to define what I think SHOULD BE improper access. I say "should" because my comments have nothing to do with the law and the law isn't very clear on that, anyhow. So I'll do my best to define what I think should be considered unauthorized access.

IMHO, and only IMHO, unauthorized access should require that:
A) A person intentionally instructed their computer to access some resource.
B) That person knew or should have known that the access was unauthorized.
C) That person deceived a person or computer into providing the access.

Feel free to ask lawyers to suggest this test to judges. It would be a LOT more reasonable, given that they almost always ignore part C when they want to rule against someone doing something they don't understand.

I feel that the element of deceit should be required because otherwise, you end up with a lot of techies in trouble for accessing things that normal people don't know about and fear simply because they don't know about it. Then you get people blaming those who point out horrible misconfigurations being blamed merely for finding them.

If applied to this case, I can't find that it was unauthorized because there was no deception that I know about. He may be wrong for other reasons, as people point that he had an injunction filed against him so he shouldn't have been doing that. I think that the company in question sounds like a slimeball spam company, too, but that's another matter.

Now how does that apply to spammers? It doesn't, except for botnets, where it should be clear that they trick or exploit people into joining them, which should be clear-cut. I also hate those spammers who offer up illegal schemes and scams for the scam itself.

But what about "honest" spammers, you might say? Aside from the fact that I have a hard time finding any that aren't unlicensed pharmacies, stock scams, etc. I would have to say that I hate them because it's advertising and I don't want it.

But I'm not blaming them due to some double-standard of unauthorized access. I hate them for other reasons.

Re:consequence of bad computer crime laws

[efalk]

The admin in question is Reynolds' right-hand-man, Bradley Allison. And yes, he really is that stupid. In court, he testified [rahul.net] [p.138] under oath that he didn't know what port 25 was, or whether or not you could use telnet to connect to a mail server.

Re:consequence of bad computer crime laws

[_.- thimk! -._]

You might try reading the actual content of the ruling, not just the article.

http://www.spamsuite.com/node/351 [spamsuite.com]

If you had, you would probably at least know that the Judge was a 'she' not a 'he'. If you did actually read the article, this might be a good indicator of how much you actually paid attention to what you were reading...

Several of the 'conclusions of law', as stipulated, are indeed seriously problematic. She did not specify her rulings upon the basis of an injunction. She specified them based upon the actions themselves. THAT is why technically savvy individuals consider her ruling to be badly flawed.

Her conclusions on Zone Transfer Queries, for starters, are seriously flawed. There are plenty of legitimate reasons to make DNS Zone queries when you are not an employee or someone else acting with the explicit permission of the entity who put the server in place. Many ISPs cache entire zones to cut down on excess DNS traffic for requests from their customers, for example.

For another, while it is difficult to say with certainty not knowing the exact details of the testimony of the defense's expert witness, a reading of her response by someone knowledgeable with DNS configuration suggests reasonably that he may have attempted to explain that there are specific methods that would be used to prevent zone transfers to unauthorized servers, that there were other methods that would be used to configure the server to provide zone information in response to external requests, and that by configuring their DNS server in such a way as to give the Zone information, the plaintiffs were authorizing the transfer of information and making the information publicly available. If their DNS server was configured to respond to external Zone Transfer requests, this information would in effect be public, as anyone at all, not just the defendant, who issued a perfectly normal host command would have received that information. If this was not their intent, the issue would be one of incompetence on the part of their technical staff, not one of 'hacking' on the part of the defendant.

Her suggestion that using a command switch for 'host' that is clearly documented to query information that was publicly available constitutes 'unauthorized use of a computer system' is unfounded, overly broad, and, to any technically knowledgeable individual, deplorable. She does not state that she reached her conclusion because of any injunction against the defendant. She states her finding is based upon the facility of the program itself, and her miraculous idea that somehow use of this normal function is somehow mystically, only intended for a specific subset of target users she has imagined. One that is, again, seriously flawed.

'Knowledge available to the average user' should NEVER be used as a yard stick for what constitutes the acceptable bounds of computer use. The 'average user' is ignorant of the actual function and capabilities of their systems to a point that is common to describe them, quite accurately, as largely 'computer illiterate'.

If no one knew more about any particular thing than an 'average' individual does, at any given point in time, we'd still be hunting and gathering. To suggest that this baseline should have anything to do with determination of what constitutes a potential criminal act, if applied to any other circumstance, would immediately render anyone of actual knowledge, rather than vague theories about a subject a criminal.

What do you know, for example, about repairing the engine of your car. Say you know quite a bit about it. Should you be considered a criminal if you make repairs on it, based upon knowledge you have, if you aren't a certified mechanic? How about if you repair your mother's car with that knowledge. Does that make you a criminal? By this Judge's logic, it would.

If you don't like that analogy, try this one. Let's say that the 'average person' knows that telephone bo