Skip navigation.
Home
Bill Moran's www world
Home » Blogs » wmoran's blog

Making Unix illegal

Submitted by wmoran on Tue, 2008-01-22 13:03

Here's my big complaint about precedent-based law: if a party of a lawsuit is incompetent, an unreasonable verdict can be reached that sets a precedent that's difficult to overturn.

Based on this article which contains the entire text of a legal "finding of fact", performing zone transfer could be considered illegal. This is complete nonsense.

When it becomes illegal to access publicly available information, we start to live in a scary world. In points 8, 9, and 10, the court correctly found the purpose and nature of zone transfers.

What they forgot to notice, which leads to a foolish conclusion, is how easy it would have been for the defendant to properly secure their network. Any DNS system worth its salt allows one to easily differentiate public zones from private, and control which systems can perform zone transfers. And that's not even taking in to account the simple logic of using basic security methods such as VPNs and the like. Published best practices dictate this.

Next, they called out a specific POSIX command as the culprit, which is unforgivable. Performing a zone transfer is a standards-defined activity, it is not limited to a single command. The action of specifying the actual command that was run, and therefore implying that said command is criminal in nature, sets an awful precedent for future law.

I'm sick and tired of incompetence on the Internet leading to easily committed crimes. And now I'm apparently sick of courts who don't understand computers making bone-headed rulings, as well as incompetent attorneys allowing such things to occur.

It's kind of like saying, "Kennywood put a "you are here" map up. The map clearly labeled locations where money safes exist. Defendant criminally used the map to compromise the security of Kennywood and thus steal."

The crime isn't in the use of the map, and such use doesn't belong in any legal document. Kennywood's stupidity in labeling locations for money safes on a public map isn't a crime either, but it's gross negligence. The only crime was the actual theft, and the data acquired to commit the theft was a result of the victim failing to follow common best practices.

Likewise, the DNS is a map. If you're foolish enough to publish your entire computer infrastructure on a public map, then you've been negligent. The thief who uses that information to steal from you is still a thief, but the use of the information, by itself, must not be a crime.

Otherwise, we'll all be liable any time someone accidentally publishes information they shouldn't.

»