Slashdot Mirror
Some DNS Requests Ruled Illegal in North Dakota
jgreco writes "A judge in North Dakota has just ruled that requesting a zone transfer from a public DNS server is criminal activity within the meaning of the North Dakota Computer Crimes Law. A zone transfer is a simple request that a DNS server hand over information in bulk, and a DNS server may be configured to allow or deny such requests. That the owner of a DNS server would configure the server to allow such requests, and then claim such requests were unauthorized, is simply stunning."
I always think it rather silly to state that a judge declared something illegal. Yes I know that he interprets the law. But all the judge does is look at the law and the case. So all the judge has done is show that the law is stupid. The laws that make this illegal were already around. Don't blame the judge, blame the legislators and push to get the law changed!
beauty is only a light switch away
Well, yes, you are right with what you wrote, but you basically forget the IMO most important angle: "we techies" invented this shit so that it gets used the way we want it. "They" only hopped on, and actually built e.g. their websites in "our" realm. Then, all of a sudden, they realize that our realnm has some consequences that they didn't foresee (for failure to understand the concept, or most often just simply for failure to try to do so), and begin to sue and badmouth those that are leftovers from the original phase, or those that adhere to the original philosphy.
In this case (ignoring the fact that the defendant already had an injunction against him) the operators could probably have prevented their DNS server to serve this data (probably, as I am not an admin in this area). In other cases, such as deep linking, well, it is a little rougher, but they could for example not use frames, but good page layout, which automatically shows all their ads in the standard headers and such, or make stuff password protected, or use .htaccess to redirect requests that go straight for their meat back to the frontpage, just like many free image hosters do now for hotlinking. But no, they just decide to litigate...
Why the hell aren't we celebrating this, people? Okay, for DNS, it sucks... but look at it this way...
It doesn't matter if you set up your system to 'automaticly' share the files you just downloaded... people who accessed them did so without authorization. It can't be considered 'sharing' if you didn't authorize people to download them from you... could this ruling be a tool agaisnt the MAFIAA?
I don't think a judge should be expected to read through 10k pages of vindictive banter in order to decide how to split a marriage. I don't expect them to become an expert in the simple-yet-confusing DNS system either. The important facts should be presented in concise layman's terms.
:/
"Sir, a zone transfer is when you type 'dig google.com axfr'. It is a standard feature of the DNS protocol and software suite. The only way it can be abused is if it is left unprotected by the network administrator, much the same as a house can be abused if you leave your doors and windows unlocked."
J:"I get it. Plaintiff, you're an idiot! Case dismissed."
The fact that these simple truths can be irreversibly concealed through the one-way hash known as legalese, is just evidence that the legal system is broken beyond repair. At least you can brute-force RSA
-Billco, Fnarg.com
The admin in question is Reynolds' right-hand-man, Bradley Allison. And yes, he really is that stupid. In court, he testified [p.138] under oath that he didn't know what port 25 was, or whether or not you could use telnet to connect to a mail server.
You might try reading the actual content of the ruling, not just the article.
http://www.spamsuite.com/node/351
If you had, you would probably at least know that the Judge was a 'she' not a 'he'. If you did actually read the article, this might be a good indicator of how much you actually paid attention to what you were reading...
Several of the 'conclusions of law', as stipulated, are indeed seriously problematic. She did not specify her rulings upon the basis of an injunction. She specified them based upon the actions themselves. THAT is why technically savvy individuals consider her ruling to be badly flawed.
Her conclusions on Zone Transfer Queries, for starters, are seriously flawed. There are plenty of legitimate reasons to make DNS Zone queries when you are not an employee or someone else acting with the explicit permission of the entity who put the server in place. Many ISPs cache entire zones to cut down on excess DNS traffic for requests from their customers, for example.
For another, while it is difficult to say with certainty not knowing the exact details of the testimony of the defense's expert witness, a reading of her response by someone knowledgeable with DNS configuration suggests reasonably that he may have attempted to explain that there are specific methods that would be used to prevent zone transfers to unauthorized servers, that there were other methods that would be used to configure the server to provide zone information in response to external requests, and that by configuring their DNS server in such a way as to give the Zone information, the plaintiffs were authorizing the transfer of information and making the information publicly available. If their DNS server was configured to respond to external Zone Transfer requests, this information would in effect be public, as anyone at all, not just the defendant, who issued a perfectly normal host command would have received that information. If this was not their intent, the issue would be one of incompetence on the part of their technical staff, not one of 'hacking' on the part of the defendant.
Her suggestion that using a command switch for 'host' that is clearly documented to query information that was publicly available constitutes 'unauthorized use of a computer system' is unfounded, overly broad, and, to any technically knowledgeable individual, deplorable. She does not state that she reached her conclusion because of any injunction against the defendant. She states her finding is based upon the facility of the program itself, and her miraculous idea that somehow use of this normal function is somehow mystically, only intended for a specific subset of target users she has imagined. One that is, again, seriously flawed.
'Knowledge available to the average user' should NEVER be used as a yard stick for what constitutes the acceptable bounds of computer use. The 'average user' is ignorant of the actual function and capabilities of their systems to a point that is common to describe them, quite accurately, as largely 'computer illiterate'.
If no one knew more about any particular thing than an 'average' individual does, at any given point in time, we'd still be hunting and gathering. To suggest that this baseline should have anything to do with determination of what constitutes a potential criminal act, if applied to any other circumstance, would immediately render anyone of actual knowledge, rather than vague theories about a subject a criminal.
What do you know, for example, about repairing the engine of your car. Say you know quite a bit about it. Should you be considered a criminal if you make repairs on it, based upon knowledge you have, if you aren't a certified mechanic? How about if you repair your mother's car with that knowledge. Does that make you a criminal? By this Judge's logic, it would.
If you don't like that analogy, try this one. Let's say that the 'average person' knows that telephone bo