Some DNS Requests Ruled Illegal in North Dakota

jgreco writes "A judge in North Dakota has just ruled that requesting a zone transfer from a public DNS server is criminal activity within the meaning of the North Dakota Computer Crimes Law. A zone transfer is a simple request that a DNS server hand over information in bulk, and a DNS server may be configured to allow or deny such requests. That the owner of a DNS server would configure the server to allow such requests, and then claim such requests were unauthorized, is simply stunning."

beware

[ratonu]

So now there is a good chance i can go buy some adwords and advertise my website and then sue anyone who will access it... A good business model.

Re:

[Nos.]

It says (even in the summary) we're talking about zone transfers, not regular lookups. So sue all you want, just don't be surprised when every case is thrown out.

Re:

[cheater512]

Regular DNS lookups will be illegal next if the law keeps going down hill like this.

Maybe I'll patent that idea....

Unbelievable

[Chrisq]

This in effect means that you cannot set up a secondary DNS server in North Dakota. Any ISPs in the state should probably relocate!

Re:

[BoomerSooner]

This is typical of most judges I've encountered. They are too lazy to actually understand the information in front of them they are adjudicating. For example, getting divorced. 10k pages of discovery and the judge just flips through it. No understanding of accounting or much of anything else. It's like arguing to a 5th grader about law. 99% goes over their head if it's not criminal related. So beware if you're in any kind of trial where it's a technical field, or hell, even anything with discovery beyond wh

Re:Unbelievable

[billcopc]

I don't think a judge should be expected to read through 10k pages of vindictive banter in order to decide how to split a marriage. I don't expect them to become an expert in the simple-yet-confusing DNS system either. The important facts should be presented in concise layman's terms.

"Sir, a zone transfer is when you type 'dig google.com axfr'. It is a standard feature of the DNS protocol and software suite. The only way it can be abused is if it is left unprotected by the network administrator, much the same as a house can be abused if you leave your doors and windows unlocked."

J:"I get it. Plaintiff, you're an idiot! Case dismissed."

The fact that these simple truths can be irreversibly concealed through the one-way hash known as legalese, is just evidence that the legal system is broken beyond repair. At least you can brute-force RSA :/

Re:Unbelievable

[Pollardito]

"Sir, a zone transfer is when you type 'dig google.com axfr'. It is a standard feature of the DNS protocol and software suite. The only way it can be abused is if it is left unprotected by the network administrator, much the same as a house can be abused if you leave your doors and windows unlocked."

if you leave your doors and windows unlocked it's still a crime to "abuse" the house, it almost sounds like you're arguing that zone transferring is trespassing

Re:

[cas2000]

actually, in this analogy, the zone transfer request is more like knocking and asking "can i come in?" (i.e. "can i have this zone file?").

if the DNS server is left in default configuration, then the answer is "No, you can't have it".

if the DNS server is deliberately reconfigured to allow the transfer, then the answer is "Yes, here it is".

so this ruling is the equivalent of successfully having someone convicted of trespass after you've given them permission to enter.

Your example is wrong

[thejuggler]

Even if I did leave my doors and windows unlocked anyone that entered without my person would be doing so illegally and subject to my wrath.


--
Just because the door is unlocked does not mean you have permission to enter.

Re:

[jgarra23]

Even if I did leave my doors and windows unlocked anyone that entered without my person would be doing so illegally and subject to my wrath.


Before I comment I'll say I completely agree with your statement and would probably shoot a trespasser.

The precedence in America has now been set that this is not the case. According to the RIAA by leaving my computer insecure and not changing the default share settings in Kazaa or eMule (or whatever) I am liable for sharing all the files that it detects even though peo

Re:Your example is wrong

[j-pimp]

Just because the door is unlocked does not mean you have permission to enter.

Well look at it this way. If I walk into a laundromat and there is no attendant on duty I would not consider myself trespassing. No reasonable person would. I've been to laundromats without attendants on duty. I assume someone opens them up ion the morning, locks them up in the evening and periodically comes buy to refill the vending machines and the like.

If I am a reasonable person on the internet, and a server responds to a zone transfer request, I expect that I am authorized to look at this information,

"Your example is wrong" is wrong.

[roggg]

Your DNS server is not your house. It's your store. Yes, it's private and belongs to you, but it has a public interface. People walk into your store when it's unlocked because the door is the public interface, and the lock on the door is how the owner meters or controls access. DNS servers are much the same. They serve up a public interface. Making a DNS request of an open server should be no more illegal than walking into the 7/11. If they don't lock it, how am I supposed to know it's closed?

Re:

[Skreems]

This is more like walking up to someone, asking them if you can have 10 dollars please, and being arrested for theft when they willingly give it to you.

Re:

[ultranova]

Even if I did leave my doors and windows unlocked anyone that entered without my person would be doing so illegally and subject to my wrath.

True, because entering someone's home without the owner's explicit permission is not part of expected procedure. A more appropriate analogue would be to leave the doors to a shop unlocked during normal business hours and complaining that the people who step inside are trespassing; this correctly captures the idea that the whole purpose of a DNS server is to answer i

Re:Unbelievable

[Intron]

FINDINGS OF FACT

"In all intended uses of a zone transfer, the secondary server is operated by the same party that operates the primary server. A secondary intended purpose for zone transfers is to permit trouble shooting in which case zone transfers may sometimes be undertaken via the manually conducted host -l command. In those instances, however, the person conducting the diagnosis acts with the authorization of the operator of the system and is usually the network administrator for the system."

Sounds like the judge understood it pretty well to me.

Re:Unbelievable

[Sancho]

Geeks don't like this ruling, though, because it's not black-and-white. A geek think that if it's open on the Internet, it ought to be legal. If it asks for a password and you break in, it ought not be. Absent other means of gaining authorization, a request on the Internet implies a request for authorization, and a reply with the requested information from the server ought to imply authorization. The burden should be on the server operator to restrict or allow access, because on a pseudo-anonymous Internet, there's no other metric we can use. "Most of the time, the server operator wouldn't want this?"

Re:Unbelievable

[orclevegam]

In this case, the geek in question performed the DNS queries as part of an ongoing investigation into the spam activities of the ISP in question. This was not a case of someone with malicious intent, or even someone exploring for the sake of exploring, this was a computer professional attempting to track the source of some spam and to compile evidence against the spammer. In this regard he was acting more as a PI (I realize a PI is usually licensed by the state, but it's still close enough) in attempting to investigate something that if not directly a crime, is at least questionable.

If I was investigating you, and I came and knocked on your door saying "My car broke down, can I use your phone to call a tow truck?" and while inside your house used a hidden camera to take pictures, this would also be "not authorized", but in most states it's still perfectly legal, and you couldn't then turn around and try to sue me for trespassing.

The reason the judge ruled against the defendant in this case seems to have had a lot less to do with the merit of the case then it did several instances of the defendant giving false testimony, and in at least one case directly violating an order of the court. Essentially the judge was ticked at the guy, and that biased the case against him.

Re:Unbelievable

[Richard_at_work]

Why the support on Slashdot for anti-spam laws then? If your smtp server accepts my connection and accepts the mail I subsequently send to you through that connection, how is this any different to the arguments posed elsewhere in this thread about public access services and presumed legality?

Re:

[Phoenix Rising]

Two reasons:
1) The disclaimer that anti-spam admins install saying that spam isn't allowed, but more importantly
2) The excessive abuse of system resources and user time.

Requesting a zone transfer isn't terribly abusive in terms of bandwidth (unless you're requesting a zone transfer from IBM or a fully-populated Class A in-addr.arpa zone...), and it takes no permanent resources. A mechanism exists and is in standard use to prevent unauthorized access.

With spam, its cumulative effect is terribly wasteful of

Re:Unbelievable

[dekemoose]

if I make a bad analogy but it makes sense to me, is it still a bad analogy?

Re:Unbelievable

[JakusMinimus]

If I pose a stupid rhetorical question, but it makes me chuckle and/or snicker, is it still a stupid rhetorical question?

Re:Unbelievable

[SanityInAnarchy]

In all intended uses of a zone transfer,

Well, there's a problem right there. No one person knows all the intended uses of a zone transfer. I learned a new one today from a sibling post -- actually migrating DNS information to a new host, when switching service providers.

the secondary server is operated by the same party that operates the primary server.

*chokes on breakfast* ...what?

I've been using it for almost a year now, for dynamic DNS. It means I get to configure and run a real DNS server, and set it up exactly the way I like, and then, when I need to update the records on my real DNS servers (at zoneedit.com, dyndns.com, etc), I only have to change one setting -- the master host. This means that, for example, if I want to switch to another system, I don't have to learn a new API (or write one to crawl their website) that's much more complicated than a single POST request, updating which master server they should update from.

(Just been reading that zoneedit.com sucks, so I'm considering switching to dyndns.com, which honestly is pretty cheap, and their service which does zone transfers is cheaper than their service which has a web interface.)

That is to say: I operate the primary server, and the secondary and tertiary servers are operated by a third party, even if these secondary and tertiary servers are listed in my domain as primary and secondary servers. This is hardly unique to dynamic DNS -- it's also used in cases where there is a static IP, but you only want to maintain one server, and you (obviously) can't guarantee five nines of uptime on that server. So you pay someone to run a secondary DNS server.

A secondary intended purpose for zone transfers is to permit trouble shooting in which case zone transfers may sometimes be undertaken via the manually conducted host -l command. In those instances, however, the person conducting the diagnosis acts with the authorization of the operator of the system and is usually the network administrator for the system.

That's reasonable, but answer this: If I were to use the "host" command -- just "host", by itself, looking up MX records and such -- should I be worried about it being illegal? What about "whois" and such? There are plenty of times when it's reasonable to expect that a third party should run diagnostics -- such as when the first party is completely clueless, and needs to be told so. [centos.org]

Some other poster put it very clearly -- geeks generally believe that if you make a service public, it is public. It's certainly possible to limit zone transfers to the IP address of the secondary DNS server. This would not be an absolute protection, but it would at least show what the intent was.

This has been debated fairly often with respect to open wireless access points. What you have here is, according to the machine protocols involved, a machine shouting "Look at me! My name is LINKSYS, and I'm open! Just connect if you want to get online!" It is trivially easy, in most cases, to have it instead broadcast "My name is LINKSYS, and you'll need a password to connect!" Or, alternatively, to not brodcast at all -- to just sit in a corner until someone says, "Hey, LINKSYS! Let me connect!"

It's not quite that bad, but it's similar. "Hey, ns1.example.com! Would you mind telling me what all the subdomains of example.com are?" (There are legitimate reasons for doing this, too -- maybe I'm a spider, and I want to find web pages which aren't specifically linked to by www.example.com.) At this point, if ns1.example.com says "Sure! There's mail.example.com, and www.example.com, and, oh yeah, super.secret.stuff.example.com"... how is this your fault? If super.secret.stuff was really that secret, ns1.example.com could've left it out, or could've said "No, sorry, I'm not going to tell you."

The reason geeks w

Re:Unbelievable

[MyLongNickName]

What is more unbelievable is that you'd take an article summary like this as being the gospel. More often than not, it is someone who hasn't really read the whole article, but wants to see his name on the front page of Slashdot. Dispense with a few facts, create some sensationalism, and the crack Slashdot editing team puts it up without fact checking.

Re:

[ari_j]

The article isn't much better. I think that it's going to be nothing but sensationalism unless someone gets ahold of the actual court documents.

Re:

[nschubach]

Did you see the findings [spamsuite.com]?

Re:Unbelievable

[orclevegam]

There's actually a good deal of information in there if you read between the lines a little. What I gathered from it and one of the sites linked by it, is that this guy is well known in the anti-spammer circles as a spam investigator that can compile loads of detailed info on spammers. Apparently Sierra (the plaintiff) is notorious for spam and also for suing anti-spam activists. During the course of compiling evidence against Sierra, this guy performed a DNS Zone transfer (most likely to prove that the source of some spam was actually a server hosted by Sierra). Sierra then sued him claiming the zone transfer wasn't authorized by them, and therefore it was illegal (not going to argue if that's logical or not, just summarizing here). Up to this point any technically minded person would probably think the plaintiff was on pretty shaky ground. However, the defendant screwed himself over it seems by annoying the judge various ways. According to the findings, the defendant gave false testimony on several occasions. It may or may not have been false testimony, it's sometimes hard to say when lawyers get involved, but the judge perceived it as such and that's what counts. Much worse it seems, is that the judge ordered the defendant not to perform certain scans of Sierras network, but he then proceeded to ignore those orders. This action seems to be the one that really blew the case for him, as it's apparent the judge was really not happy with him for that one.

Re:

[nschubach]

wants to see his name on the front page of Slashdot

You're just jealous... poo-poo head.

You have to wonder though: Why would data transfer (of publicly available and non-copyright data) be illegal? Was he using this to perform some kind of DoS attack (polling for a transfer over and over)? If so, why doesn't the DNS server detect and restrict this? If this is a concern over the private data, why wouldn't the DNS only transfer public records (and is this possible)? Maybe he is guilty for the intent of hi

Appeal?

[MoxFulder]

No word in TFA if he plans to appeal... let's hope so!!!

Re:

[Crazy_CorranH]

So if you're in North Dakota and you're reading this, you better run for them thar boondocks, boy. We're coming to git you!

Well, coming from ND, I'd have to say it's all boondocks. Where should I run to now?

Port 53 rebel from hell

[rs79]

You know back in the 80s people on usenet notiuced that there were no uucp connections going into North Dakota and therefore Noth Dakota didn't actually exist. Now I think I know why there were no uucp connections going into North Dakota.

I hear the ladies love a Bad Boy. I just did a zone transfer from a North Dakota nameserver. I am SUCH a rebel. Come get me, biotches.

Now if you'll excuse me I'm going to tear the labels off some mattresses and jaywalk. I be bad, yeah I be bad.

Re:Port 53 rebel from hell

[jtroutman]

I'm guessing you're young, under thirty at least. I only say this because the "the tag may only be removed by the consumer" bit is a change that was made about fifteen years ago, before that they read "Do Not Remove Under Penalty of Law" in bold, black letters. So most people grew up with these ominous tags on all their pillows and mattresses warning that if they removed them there were stiff penalties involved. Nowadays, not so much. Meh.

So who's the nerd now, huh?

consequence of bad computer crime laws

[j0nb0y]

Most states have computer crime laws that pretty much say this: It is illegal to access a computer that you are not authorized to access.

This basically means that if you don't have written permission to access a computer, you can't access it legally.

So everyone who uses computers breaks the law, and the law is only truly defined by who prosecutors decide to prosecute.

This state of affairs is completely ridiculous, but unless you find a tech savvy Judge, the situation is unlikely to be changed through the courts.

Re:consequence of bad computer crime laws

[mcvos]

By this reasoning, looking at a website without written permission of the webmaster would be illegal too. The Judge has basically declared the internet illegal.

Re:

[CastrTroy]

The act of putting up a website (or any other internet server) on the public internet should be enough to say the operator of the server gave you permission to access it. If you don't want people accessing your server, at least put a password on it for basic access control, or if it requires more security, than put it behind a VPN/Firewall box.

Re:

[Simon Brooke]

The act of putting up a website (or any other internet server) on the public internet should be enough to say the operator of the server gave you permission to access it. If you don't want people accessing your server, at least put a password on it for basic access control, or if it requires more security, than put it behind a VPN/Firewall box.

The act of putting up a DNS server is exactly the same. But we now know it's illegal to access a DNS server, therefore it must be illegal to access a web server.

Without written permission in triplicate, signed in longhand by the owner of the data using a quill pen and attested by the county registrar and the sheriff, of course.

Re:consequence of bad computer crime laws

[Sancho]

Further reading from the link I posted states that the court isn't ruling on normal DNS requests. Under "CONCLUSIONS OF LAW":

2. The Court need not determine whether a normal, single DNS query is authorized within the meaning of the statute. Even if there had been any authorization for a such a DNS query or lookup, Ritz exceeded that authorization in violation of the statute by conducting a zone transfer and attempting further access.

So the court isn't claiming that a DNS query, in the general case, is illegal.

Re:

[mcvos]

The act of putting up a website (or any other internet server) on the public internet should be enough to say the operator of the server gave you permission to access it.

Should be, but what if I didn't intend the whole world to see it? Perhaps my webpage is only for my friends or family. My sister did that, actually. Set up a website with het pregnancy log, mail the address to the family and request that nobody link to it so google wouldn't find it. The intent is clearly that not everybody has permission

Re:

[mini me]

Just because I encourage you to request zone transfers from my public DNS server does not mean that you can request zone transfers from all public DNS servers (as indicated by this case). By the same token, just because I encourage you to read my website, it does not mean you have permission to read all websites.

Re:

[ehrichweiss]

You must have missed some of the stranger court cases recently. Like the woman who put up the website that she didn't want any web spiders to crawl so she put up a text message that said "web spiders are forbidden" instead of a robots.txt that would actually do something. Google indexed it and she sued.

Re:consequence of bad computer crime laws

[_Spirit]

I always think it rather silly to state that a judge declared something illegal. Yes I know that he interprets the law. But all the judge does is look at the law and the case. So all the judge has done is show that the law is stupid. The laws that make this illegal were already around. Don't blame the judge, blame the legislators and push to get the law changed!

Re:

[strangel]

The reason people say that a judge declared something illegal is that in order for there to be consequences in such a case, there must be a trial. A trial will always go through a judge, so a judge always has to interpret the law. Part of this interpretation depends upon past precedent...therefore it is possible that if the next judge isn't bright enough to recognize a bad precedent when he/she sees one, he/she will follow the precedent. This further strengthens the precedent for later cases.

Re:

[vtcodger]

***This basically means that if you don't have written permission to access a computer, you can't access it legally.***

My written permission to access slashdot? Yes officer. I have it around here somewhere. ... Just give me a minute ... Waddyamean 'I have a right to an attorney' ... Hey, not so tight with those handcuffs mate ....

Re:consequence of bad computer crime laws

[kalirion]

Be glad he didn't tase you, bro.

Re:consequence of bad computer crime laws

[morgan_greywolf]

It IS completely ridiculous. I doubt very much that OSDN or SourceForge (or whatever they're called this week) wants to have to give explicit permission to each and every user on Slashdot, but that's what it appears to have come to because judges are techno-illiterates.

If a service is running on a machine connected to the Internet and that service is obviously not secured, then the only thing that can be assumed is that permission to use that service is implicitly granted, especially in absence of notices stating otherwise.

IOW, if you run a Web server on port 80 and require no authentication, then it can be easily assumed that you intend to publish any materials served via the Web server to the public Internet -- you expect people to access it.

Ditto if you run a DNS service that allows zone transfers to all comers -- you expect that DNS zone transfer will occur and no one will need permission from you to do so.

To rule otherwise is nothing but pure stupidity.

Re:

[MightyYar]

I agree wholeheartedly, but there is one more element to consider. If you KNOW that the DNS server is mistakenly configured, then you should not access it. It would be very hard to prove this in court, but it is analogous to taking a "free" New York times because the latch on the newspaper stand was broken.

That doesn't seem to be the case here - it looks like this guy is an anti-spammer using the usual common tools to do his work. I don't know what "hijacking" he did, but that's a separate issue.

Re:consequence of bad computer crime laws

[aproposofwhat]

More to the point, what idiot would put DNS records relating their internal private network on a publically accessible DNS server?

That's what Sierra did, according to the court decision.

Either the admin responsible is incredibly stupid, incredibly lazy or just hasn't thought through the security implications.

Re:

[efalk]

The admin in question is Reynolds' right-hand-man, Bradley Allison. And yes, he really is that stupid. In court, he testified [rahul.net] [p.138] under oath that he didn't know what port 25 was, or whether or not you could use telnet to connect to a mail server.

Re:consequence of bad computer crime laws

[jvkjvk]

No, it's not completely ridiculous. We can talk about generalities as long as we want but they are nothing but straw men. This is a specific case, and it appears to be a special case, where the defendant had an injunction against him to prevent him from harassing the company in question.

Essentially, the judge ruled that the injunction did indeed include the DNS servers the company had. Imagine that, he got that one right!

IOW, even if the company was running a web server on port 80 and require no authentication, it can easily be assumed that --- the defendant would still be barred from making requests to that page. No, not people in general one specific individual who was barred from interacting with the company.

To rule otherwise is nothing but pure stupidity.

Re:

[jvkjvk]

Of course, to not properly close your tags or preview foolish!

Re:consequence of bad computer crime laws

[_.- thimk! -._]

You might try reading the actual content of the ruling, not just the article.

http://www.spamsuite.com/node/351 [spamsuite.com]

If you had, you would probably at least know that the Judge was a 'she' not a 'he'. If you did actually read the article, this might be a good indicator of how much you actually paid attention to what you were reading...

Several of the 'conclusions of law', as stipulated, are indeed seriously problematic. She did not specify her rulings upon the basis of an injunction. She specified them based upon the actions themselves. THAT is why technically savvy individuals consider her ruling to be badly flawed.

Her conclusions on Zone Transfer Queries, for starters, are seriously flawed. There are plenty of legitimate reasons to make DNS Zone queries when you are not an employee or someone else acting with the explicit permission of the entity who put the server in place. Many ISPs cache entire zones to cut down on excess DNS traffic for requests from their customers, for example.

For another, while it is difficult to say with certainty not knowing the exact details of the testimony of the defense's expert witness, a reading of her response by someone knowledgeable with DNS configuration suggests reasonably that he may have attempted to explain that there are specific methods that would be used to prevent zone transfers to unauthorized servers, that there were other methods that would be used to configure the server to provide zone information in response to external requests, and that by configuring their DNS server in such a way as to give the Zone information, the plaintiffs were authorizing the transfer of information and making the information publicly available. If their DNS server was configured to respond to external Zone Transfer requests, this information would in effect be public, as anyone at all, not just the defendant, who issued a perfectly normal host command would have received that information. If this was not their intent, the issue would be one of incompetence on the part of their technical staff, not one of 'hacking' on the part of the defendant.

Her suggestion that using a command switch for 'host' that is clearly documented to query information that was publicly available constitutes 'unauthorized use of a computer system' is unfounded, overly broad, and, to any technically knowledgeable individual, deplorable. She does not state that she reached her conclusion because of any injunction against the defendant. She states her finding is based upon the facility of the program itself, and her miraculous idea that somehow use of this normal function is somehow mystically, only intended for a specific subset of target users she has imagined. One that is, again, seriously flawed.

'Knowledge available to the average user' should NEVER be used as a yard stick for what constitutes the acceptable bounds of computer use. The 'average user' is ignorant of the actual function and capabilities of their systems to a point that is common to describe them, quite accurately, as largely 'computer illiterate'.

If no one knew more about any particular thing than an 'average' individual does, at any given point in time, we'd still be hunting and gathering. To suggest that this baseline should have anything to do with determination of what constitutes a potential criminal act, if applied to any other circumstance, would immediately render anyone of actual knowledge, rather than vague theories about a subject a criminal.

What do you know, for example, about repairing the engine of your car. Say you know quite a bit about it. Should you be considered a criminal if you make repairs on it, based upon knowledge you have, if you aren't a certified mechanic? How about if you repair your mother's car with that knowledge. Does that make you a criminal? By this Judge's logic, it would.

If you don't like that analogy, try this one. Let's say that the 'average person' knows that telephone bo

Re:

[Bert64]

Yes, can i see your written permission to access the computers comprising slashdot.org please?

DNS illegal now? Read again.

[Anonymous Coward]

Might want to read the actual court ruling instead of the populistic and alarmist comments surrounding it. As I read it, the defendant already had been told by the court to stop bothering the plaintiff, and he then proceeded to ignore that. In and of itself the ruling doesn't outlaw dns requests, altough the judge's grasp of the technology clearly could stand improvement.

Re:

[Ngarrang]

Might want to read the actual court ruling instead of the populistic and alarmist comments surrounding it. As I read it, the defendant already had been told by the court to stop bothering the plaintiff, and he then proceeded to ignore that. In and of itself the ruling doesn't outlaw dns requests, altough the judge's grasp of the technology clearly could stand improvement.

But, quickly posted inflammatory remarks based solely on the posts of others who did not read the article is required policy! Populistic? I am going to have to find a way of using that word today in conversation. *grin*

Re:DNS illegal now? Read again.

[tgd]

See this is why we need a (-1 Informative) moderation... because clearly from the tone of the post and the the majority of the replies, rational response is not the goal of this story submission.

Re:DNS illegal now? Read again.

[autocracy]

TFA really sucks. The linked judgment is much more useful to read. I'm kind of saddened by the judges focus on "zone transfers," but it's clear that the issue is not about zone transfers. The issue is a pattern of malicious activity that the defendant had an injunction placed on him for. He violated that injunction. It was corporate cyber-stalking harassment, really. I'd say that the zone transfer was illegal in context, especially with an outstanding injunction to stay off the company's servers.

Re:

[ari_j]

It's also not a criminal case, as far as I can tell. The article was dumb, but the Slashdot version is dumber.

Re:

[Pharmboy]

This is *exactly* why I wish moderators could moderate the actual Slashdot article. Not digg style free for all, but I would used one of my mod points (dont have today) to push it off the front page into the "another stupid article that the slashdot editors didn't look at very well" pile. Getting more of those in the last year...

Re:

[Mr. Beatdown]

He was found to have violated an injunction from accessing ANY of the plaintiff's websites. This injunction was issued on August 4th, 2005. That being said, he wanted to argue in the face of the injunction that any access to a public web server was de facto authorized. The judge ruled (correctly) that though all the information remained on the "public" internet, that any access by Ritz after the injunction was unauthorized. Ritz, however, performed the zone transfer query in question on February 27, 200

Facts from the ruling

[InvisiBill]

18. Ritz was not an authoritative name server, a DNS server, nor any kind of computer at the time he accessed Sierra's computer.

I'm pretty sure that one wins some sort of award reserved for the highest level of intellectuals.

21. The information which Ritz published was not public. Moreover, much of the information was not publicly accessible.

In all seriousness, I think this is where the major issue lies. The judge ruled that because most people don't know about host -l, that the information was private, even though it was publicly available with a standard command.

If Ritz had previously been ordered to leave Sierra alone, and hadn't, then that's a basis for the ruling right there, completely ignoring any aspect of DNS. From the court documents, the guy sounds like quite a piehole.

Re:

[twistedsymphony]

In all seriousness, I think this is where the major issue lies. The judge ruled that because most people don't know about host -l, that the information was private, even though it was publicly available with a standard command.

Exactly, that's like saying walking through an unlocked door to a shop is illegal because most people don't know how to turn a door knob.

Re:

[codefool]

It's more like dressing up like a repairman, going through the unlocked gate, the unlocked door, and raiding the unlocked refrigerator. He clearly took all precautions to not be detected and this passes the "walks like a duck" test. His past behavior and public admissions did not help his case. While I wish all the court documents were available, I've read the finding of fact and law and I agree with it. He dug himself a deep hole and now he can't climb out of it.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[onecheapgeek]

From the ruling:
7. Ritz, at all times material, acted intentionally and with the intent to gather as much DNS and other information as possible about Sierra and its principals, agents and related entities and persons. Ritz made the information he gathered available to several persons, including a competitor of Sierra, SuperNews and SuperNews accessed that information. Ritz has admitted that SuperNews personnel accessed the zilla queries file where it resided on his computer via http connection.

8. The intend

Re:

[orgelspieler]

Actually, David Ritz is an anti-spam vigilante, who is being sued by Jerry Reynolds who appears to be a Usenet spammer, and sues [rahul.net]* spam-fighters. Though you're right that the court documents make it sound like David's the bad guy.

*Looks like the guy on this site is a co-defendant with David Ritz, so maybe not the most reliable source.

Re:

[0xdeadbeef]

3. At various other times, Ritz issued a variety of commands, including host -l, helo, and vrfy. The afore-mentioned commands are not commonly known to the average computer user.

4. Ritz frequently accomplished his access to Sierra's computers by concealing his identity via proxies and by accessing the servers via a Unix operating system and using a shell accounts, among other methods. He also disguised himself as a mail server.

The Court rejects the test for "authorization" articulated by defendant's expert

Re:

[Kizeh]

Also, the article is a bit unclear as to just what he obtained. If he used programmatic tools to harvest information out of whois, he was in violation of the terms under which this information is provided. Just do a whois query on any .com and actually read the disclaimer.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[sammy baby]

What's absolutely hilarious about this are the number of replies to this article complaining about "clueless" Judges who "don't understand the issues" and aren't prepared to "read the evidence" right in front of them. Uh-hum. Because all you guys did, right?

Welcome to Slashdot! We hope you enjoy your stay. :)

Oops

[slarrg]

I didn't mean for anyone to read this post on the internet. So it illegal.

Re:Oops

[mulvane]

Damn YOU!!!!

I try to be a somewhat law abiding citizen. Thanks for my first criminal act of the day I didn't even mean to commit.

Re:

[Arancaytar]

Well damn. I didn't scroll down fast enough. I hope I won't end up sued!

(And I didn't even try to find out if I was authorized to reply!)

I just love clueless polititions

[drspliff]

Because eventually their going to make most of my job illegal so I can move onto other more interesting things... like working in marketing or middle management

How the hell are you supposed to run redundant DNS setups when zone transfers aren't allowed? Sure there are inventive ways, but... DNS WAS FRIKKEN DESIGNED FOR THIS!

Re:

[plover]

Polititions?

Y'know, when grub chops your drives up from one big drive into smaller polititions.

Re:

[VJ42]

Judges are generally not politicians.

Indeed, but it's the politicians who wrote the law that this Judge ruled on, so they are not entirely blameless either.

Turn computer crime laws upside down

[unlametheweak]

From TFA:

"The Court rejects the test for "authorization" articulated by defendant's expert, Lawrence Baldwin. To find all access "authorized" which is successful would essentially turn the computer crime laws of this country upside down."

One could only hope.

Default settings allow it...

[mnslinky]

BIND 9.x and earlier allow this activity by default. This being the case, a new and/or ignorant system administrator may not realize their zone file is available for the taking.

One more example of the law having to protect the stupid, but I can *sorta* see the point of it. This falls in line with stealing wifi from unprotected networks. Just because it's not secured doesn't mean it OK to break in.

FUD

[Telephone Sanitizer]

It's a civil case.

The worst that can be said about it is that it's bad precedent and the judgment was wrong.

The judge did not make DNS requests illegal.

Public information?

[suso]

Asking a public internet server for public information that it is configured to provide upon demand?

This quote from the article is debatable and the reason why its not a good idea to allow zone transfers. A lot of times, information that you would rather not be public is in zone files. I've seen a some people put processor information in HINFO records. This is bad because there was a cryptographer in the 90s that discovered that its possible to determine random number generation sequences based on your processor model and frequency. So it wouldn't be good for that info to be public.

Its not a good idea to allow zone transfers. Although its useful when an ISP that you are transfering a zone from doesn't want to give you all the zone records.

Re:

[SharpFang]

Therefore you disable it or restrict access. You don't litigate everyone who accesses it.

Say, instead of using a bank, I leave all my money as cash right by my trashcan on the street, and then sue everyone and accuse them of thievery for taking it.

How would he obtain permission to access it?

[Rogerborg]

He can't email them, because clearly that's zomg h4xx0rz1ng their email server.

an old proverb

[tylersaurus]

Those who can: write code. Those who can't: write laws.

Can you imagine if every politician in the house and senate knew how to program? Granted a good portion of them would still be writing awful spaghetti code... but for the most part at least they would not be able to compile it.

The law of Survival of the Weakest

[malkavian]

It seems more and more that the Law is heading towards penalizing anyone that employs some knowledge in the technical arena that worries people who don't understand it.
The end result is that people in the countries where the laws preventing basic (and in some cases slightly cavalier) activities becomes a criminal offense, thus dissuading a large amount of the indigenous populace from testing the limits themselves (without doing hard time/losing the shirt).
Net effect: Foreign countries that are immune from

Computer systems vs human systems

[mlwmohawk]

What I find interesting is that "computer systems" i.e. networks, disk drives, files, etc. ae well understood by us computer folk. What is "obvious" to us has come from a lot of experience and learning. More over, in constructing things like the internet, we develop a lot of "rules" that make sense within this context.

In the non-nerd world, a lot of the rules created by us nerds run afoul of what most people expect. DNS is a perfect example. To us, it is MADE to serve data. If you put data into DNS, you've made it public. To the rest of the world, however, that doesn't make sense. Its the same issue with HTTP. We see putting stuff on a web site as making it public, but non-nerds see things like deep linking a violation of their site because it does not promote the interaction they expect (viewing ads etc.) and have invested in. To them, you are circumventing their revenue model.

I'm not 100% sure we're 100% right. I don't think we are wrong in our views, but I see the gray area between the two.

Re:

[pla]

I'm not 100% sure we're 100% right

Since we made the whole damned ball of wax for our own amusement, and Joe Public decided to tag along for the free porn, I'd have to say that yes, only the geek interpretation matters. Joe can thank us (as can the Hunters of Commerce who hungrily stalk Joe and his kind), but his "interpretations" of the scenario simply do not matter.

If you don't understand the rules of poker and try to play, you'll go home shirtless. The same idea applies here. If they want into our

Re:

[mlwmohawk]

Since we made the whole damned ball of wax for our own amusement,

This is a far cry from true. A lot of the things *we* did we did on university, government, and corporate moneys.

Re:Computer systems vs human systems

[cyxxon]

Well, yes, you are right with what you wrote, but you basically forget the IMO most important angle: "we techies" invented this shit so that it gets used the way we want it. "They" only hopped on, and actually built e.g. their websites in "our" realm. Then, all of a sudden, they realize that our realnm has some consequences that they didn't foresee (for failure to understand the concept, or most often just simply for failure to try to do so), and begin to sue and badmouth those that are leftovers from the original phase, or those that adhere to the original philosphy.

In this case (ignoring the fact that the defendant already had an injunction against him) the operators could probably have prevented their DNS server to serve this data (probably, as I am not an admin in this area). In other cases, such as deep linking, well, it is a little rougher, but they could for example not use frames, but good page layout, which automatically shows all their ads in the standard headers and such, or make stuff password protected, or use .htaccess to redirect requests that go straight for their meat back to the frontpage, just like many free image hosters do now for hotlinking. But no, they just decide to litigate...

Re:

[mlwmohawk]

"we techies" invented this shit so that it gets used the way we want it.

"we techies" certainly didn't/don't pay for the infrastructure. Government, university, and corporate money developed the hard infrastructure of the internet. Much of the software development was directed and funded.

It isn't "our" realm. It may have been our genius that created it, but it now belongs to everyone, and with that, comes cultural differences. The internet neighborhood is changing. Like it or not, other people's views and op

Best. Ruling. EVER!

[InfinityWpi]

Why the hell aren't we celebrating this, people? Okay, for DNS, it sucks... but look at it this way...

It doesn't matter if you set up your system to 'automaticly' share the files you just downloaded... people who accessed them did so without authorization. It can't be considered 'sharing' if you didn't authorize people to download them from you... could this ruling be a tool agaisnt the MAFIAA?

A human analogy

[oz1cz]

I can lock my house, but even if I do not do so, you will still be trespassing if you enter my house.

A better analogy

[kalirion]

I can tape a poster of my wife naked to the outside of the front door, and anybody who looks at it is invading her privacy.

Obviously hypothetical as.

Good thing I'm from the OTHER Dakota

[demon]

I'd be embarrassed to be from there right about now.

Hey guys?

[thegnu]

You can all use my DNS servers. Like, whenever you want. It's cool.
-thegnu

It gets worse.

[Minwee]

According to the Findings of Law [spamsuite.com], item 31, he is guilty of using the name "Bastard Operator From Hell" when his name is really David Ritz.

You just don't do that in North Dakota.

Forgive the redundancy,

[Hellad]

but there is NOTHING ILLEGAL mentioned here. This is a civil trial, not criminal. The acts may be found illegal later in Ritz's later criminal trial, but that remains to be seen. Also, the issue is a question of whether Ritz was authorized to do the DNS request. The DNS request is legal for the administrators without problem. Obviously, the issue of Ritz's requests is worth debating. The article summary is horrible, as is the linked article. But, the linked blog entry has yet another link which gives the whole opinion as well as some more informed commentary. For those that want to be informed before spewing, I would suggest checking it out. (for the the other 99% of slashdotters, please feel free to ignore this at will).

The facts on the case

[efalk]

As one of the people involved in this, I think I should take a minute to set the record straight.

Sexzilla was once one of the largest porn spammers on usenet. I wrote about them on my web site. The owner, Jerry Reynolds, sued me for defamation. I asked the other spam-fighters for whatever they had on Sexzilla so I could defend myself.

David Ritz responded with something along the lines of "Oh, it's true alright, here's the dns zone information that proves it." He also published his results on-line.

Reynolds then sued David for an "unauthorized zone transfer".

That zone transfer is the entirety of Reynolds' case against David. The rest of the stuff in the judge's decision was all a bunch of bullshit spoon-fed to the judge by Reynolds. Most of it has nothing to do with the case at hand, and most of it is either untrue or gross distortions of the truth. For example, the "hijacked" computer was an open relay that Ritz used to send one message to Verizon security, proving to them that they had an open relay.

You can read the whole sorry saga here [blogspot.com].

Re:

[jimicus]

It's still theft if someone steals from your house while you left the door open.

Re:Why am I not suprised?

[plover]

That's not at all true. The judges I've had dealings with have been damn smart people.

What you're forgetting is that in most court cases, the defendant is there for one of two possible reasons: they really weren't responsible, or they were responsible but are now lying about it. And the plaintiff or complainant is there to make sure something "legal" happens in their favor, and they're not above lying to get their desired outcome, either. Usually there's a lot of both. That means the judges are professionally sitting at the mouth of a never ending river of bullshit, and they have to keep control of the situation.

It's not that judges can't or refuse to understand the technology; it's that the cases are about the people, which is where their focus must remain. The computer didn't act of its own accord. It operated under the direction of its owner. The question of "was there malicious intent?" has nothing to do with DNS or any other logic-based technology and everything to do with the two guys standing in the courtroom.

Re:

[atomic-penguin]

I think I'm going to grease back my hear and roll my carton of cigarettes up in my sleeve. I'm a bad man.

A whole carton? Damn, those must be some big sleeves!

Re:

[BlueStrat]

...and roll my carton of cigarettes up in my sleeve. I'm a bad man.

You must certainly be a bad man if you have arms large enough to roll an entire carton of 10 packs of smokes up in your T-shirt sleeve!!

Cheers!! (and please don't hurt me!!)

Strat

Re:

[Bert64]

Potentially it is, it's vigilante justice and legally should be left to the police (not that they will actually be capable of doing so).