(no subject)

Date: 2008-01-17 04:32 pm (UTC)
From: the-flea-king.livejournal.com
I can think of a few other states I'd like to see make emailing illegal.

Hysteria by Skimming

Date: 2008-01-17 04:36 pm (UTC)
From: mcfnord.livejournal.com
"Go back and read the judgment. Read it all the way through. You’ll see that zone transfers in and of themselves are not being ruled illegal, just that the kid doing them against the hosting provider is."

Re: Hysteria by Skimming

Date: 2008-01-17 04:46 pm (UTC)
From: theweaselking.livejournal.com
No, in fact, I've got the judgement (as written here: http://www.spamsuite.com/node/351 ) and I'm reading it, and they've pretty much said that it's a crime to look up public information published by spammers.

(no subject)

Date: 2008-01-18 03:38 am (UTC)
From: mcfnord.livejournal.com
the statement was on one of the discussion pages. i quoted it here. also: i stalk you personally.

Re: Hysteria by Skimming

Date: 2008-01-17 06:10 pm (UTC)
From: vagabond27.livejournal.com
Also why are you in every journal/community I am?

(no subject)

Date: 2008-01-17 04:58 pm (UTC)
From: elffin.livejournal.com
I've been reading the "findings of fact and conclusions of law" from the case and the article.

"21. The information which Ritz published [The DNS zone transferred] was not public. Moreover, much of the information was not publicly accessible."

XXX thanks for playing putz. It was public, or he would not have been able to perform a zone transfer. That much of the computer-using public does not know how to perform a zone transfer does not mean that it's not publicly available. Much of the computer-using public doesn't know how to look up committee reports of the House Oversight Committee.

"22. Without knowing the internal IP addresses specifically used by Sierra, there was no way for Ritz to determine all of the domain and host names used by Sierra through any other sort of lookup or publicly accessible database. While Ritz might be able to identify some domain names and host names if he knew the IP addresses assigned to them, he could not have ascertained both the IP address and the domain and private host names of many of Sierra's servers without having performed the zone transfer. [emphasis mine]"

XXX the DNS records ARE A PUBLIC DATABASE. Gah. Moron.

I'm not contributing to Ritz' defense fund. He seems to have done this in contempt of court order to not do so - among other things - and so he dug his own grave.

Also, under Conclusions of Law:

"2. The Court need not determine whether a normal, single DNS query is authorized within the meaning of the statute. Even if there had been any authorization for such a DNS query or lookup, Ritz exceeded that authorization in violation of the statute by conducting a zone transfer and attempting further access."

Which means that using email or nslookup or WHOIS /may/ be illegal under that law, but the court isn't going to decide on it, but that in HIS case his INTENT was illegal.

The judge got it wrong. DNS is a public database, designed as a public database, and if you can successfully perform a zone transfer from the given DNS server to a public internet host, it is BY DEFINITION A PUBLIC DATABASE. Security through obscurity is no security at all, and the administrators of the DNS server failed to properly secure and administer their DNS server. They know that there are people with malicious intent who wish to use private information for their own ends or to damage their service or company - it is their responsibility to secure it. If they offer it publicly, they either intended to do so or are incompetent, or insufficient staff and time was spent on this problem.

Their costs in securing ("remapping") their network once their own design or implementation flaws were exposed is THEIR OWN RESPONSIBILITY. Legal costs of preventing Ritz from maliciously using the information: Ritz' responsibility.

In short, this is a bad application of the law. It should address his INTENT, not the actions he took and whether they are "authorised" or not because "authorised" in the context of interstate/international telecommunications systems is a function of security implementation, not of law.

(no subject)

Date: 2008-01-17 05:04 pm (UTC)
From: elffin.livejournal.com
I should also state that "publicly accessible" in computer criminal law has a standard of the efforts taken by the owner of the service or property to secure it. If the administrators did not make a credible attempt to secure the DNS information, then it's public. That any anonymous person on the internet could perform a zone transfer: NO ATTEMPT TO SECURE IT HAD BEEN MADE.

(no subject)

Date: 2008-01-17 08:52 pm (UTC)
From: catcom.livejournal.com
Oh seriously. That is industrial-strength stupid.

(no subject)

Date: 2008-01-17 09:20 pm (UTC)
From: chizzer.livejournal.com
This is why any justice system needs geeks on call for consultation.
