Thursday, January 17, 2008

Armchair Legal Analysis of Sierra v. Ritz

You may have heard about the case of Sierra Corporate Design, Inc. v. David Ritz.

There has been a lot of griping and complaining about the fact that doing zone transfers might be illegal. I thought I'd try to give a quick analysis of the case. I'm sure I'm missing a few things here, and I'm not a lawyer, but I am a little tired of "hackers" complaining that their right to do whatever they want is being trampled. You can read the judgment here.

In this case David Ritz is being punished for performing unauthorized DNS zone transfers against Sierra Corporate Design's DNS servers.

The relevant statute at the federal level is the CFAA (Computer Fraud and Abuse Act). North Dakota's computer-crime statute appears to use roughly the same language.

The CFAA has fairly consistently been interpreted so that "accessing a computer without authorization" hinges on whether the owner of the computer wanted you to perform your action or didn't. The presence or absence of technical controls to prevent the access is generally irrelevant. The courts have taken the traditional definition of trespass and attempted to apply it to the electronic world.

In the physical world trespass is relatively easy to understand, and there are police to enforce it. There are obviously corner cases where you can wander onto unmarked land and not realize you're trespassing, and there is a lot of case law for those. At the same time, if you see a house, you know it isn't your house, and you walk into it, you're trespassing whether or not the owners locked the door. It is quite clear that you weren't invited, and not locking the door doesn't remove the homeowner's right to keep you out.

In the electronic world it gets a lot murkier. If I mistype a URL into a tool and end up touching someone else's machine, it's pretty clear from both intent and the network traffic what was going on. But suppose instead I send a ton of traffic at you, or I start fingerprinting your system. Intent is really the key question there.

Did I knowingly attempt to access your computer without authorization? What was my intent? It is generally the answers to these questions that would be at issue in court.

In this specific case a DNS zone transfer isn't the sort of thing you do by mistake. A full zone (AXFR) isn't the type of data people ordinarily request from other sites as part of browsing the net; a resolver asks for individual records, not the whole zone. In general, and in this case it's pretty apparent, you're deliberately pulling data that you wouldn't ordinarily expect the operator to hand out. Whether the DNS server was configured to refuse zone transfers isn't really the issue here.

Obviously where this gets tricky is determining whether a zone transfer is more like trespassing onto unmarked land or like walking into someone else's house when they left the door unlocked.

This isn't to say I necessarily agree with the decision, but there is a lot more nuance to this issue than I've seen posted.
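For readers who want to see the technical knob the legal argument above says is beside the point, here is an added illustration (not part of the original post, the judgment, or either party's filings) of how a BIND 9 zone ends up transferable to anyone versus restricted. The two fragments are alternatives, not one named.conf; the zone name, file path, address 192.0.2.53 and key name "xfer-key" are placeholders I assumed for the example.

```conf
// Fragment A (weak): no allow-transfer statement at all. Older BIND 9 releases
// then answer an AXFR for this zone to any client that asks, so do not rely on
// the default; set the policy explicitly.
zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};

// Fragment B (hardened): refuse transfers globally, then permit them per zone
// only to the intended secondary, and only when the request is signed with a
// shared TSIG key. The address, key name and secret are placeholders (assumed);
// generate a real secret with: tsig-keygen xfer-key
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

options {
    allow-transfer { none; };              // default for every zone unless overridden
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
    allow-transfer { key xfer-key; };      // the secondary must sign with xfer-key
    also-notify { 192.0.2.53; };           // the one secondary that should copy the zone
};
```

To check the result from a host that is not the secondary, run `dig axfr example.com @ns1.example.com`: with fragment B loaded, dig reports "Transfer failed." rather than printing the zone. Note that, as the discussion in the comments below points out, restricting AXFR only hides the zone's shape; every individual record in it can still be looked up by name, so records that must not be public do not belong in an Internet-facing zone at all.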

9 comments:

Andrew said...

The appropriate analogy in this case would be, you walk into the lobby of an office building. There is a directory listing everyone in the building. You then proceed to copy the listing, and publish it elsewhere.

Sierra had to enable DNS zone transfers, which amounts to publishing that data.

Security Retentive said...

Just like I'd have to install a lock on a door but I might forget to lock it. Like it or not a 100% burden on the provider won't ever work. We'd be blaming victims for not having done enough to secure themselves.

There wasn't any way to assume that Sierra wanted everyone to be able to do zone transfers. In fact, it's highly unlikely. And, based on the other facts in the case, it's pretty clear what the defendant was doing.

I read your other discussion on this (seems like you might have posted a comment on Rasch's piece) and I simply don't buy it. We should in general err on the side of keeping private data private, not putting the burden on people to secure things. Sure, if Sierra disclosed someone else's data it's then a tricky case to determine whether they had a duty to secure the data, and whether they were negligent for not having configured the server in a more secure fashion. This however wouldn't make the person who stole the data any less culpable.

Would setting up a webserver and accidentally publishing files with names like "My banking info" entitle you to download those files if they weren't password protected?

That said, Orin Kerr's paper which I reference in my note about Mark Rasch's article is quite a good read and does offer some better ways of structuring current cybercrime laws such as the CFAA (which ND's law roughly mirrors in language) to make better sense of the meaning of the words "access" and "authorization." I encourage you to read it, and Mark Rasch's

Andrew said...

I haven't posted anywhere else on this topic (must be another Andrew). I did read Mark Rasch's "Mother May I" but I didn't even read through the comments there.

By your analogy...
If I take out an ad in a newspaper and include personal information like my Social Security number, birthdate, credit card numbers, etc., then anyone who reads that paper is guilty of identity theft, and I can sue and press criminal charges against them.

They set up a server and configured it to broadcast information, they ARE responsible for distributing that information.

I think I'll go back to Mark's blog and read the comments (find out what the other Andrew said). "Mother May I" was how I first learned of this case, and at first I agreed with both Mark and you, then I read the findings of fact and conclusions of law and they changed my mind. The 2nd conclusion of law basically states that host -l is illegal without express authorization, and frankly that's just crazy.

I think you could make a case that AFTER he received the results of the zone transfer he should have realized that the information was intended to be private and shouldn't have published it, but normally one would expect the results of a host -l to only return public information (which means that just sending the command should NOT be illegal)

Ok, that was rambling and not well structured, but I hope you can see my point anyway... :)

Security Retentive said...

Publishing an article in a newspaper takes both an explicit act, and it is extremely clear what was meant to be published.

Putting up a server doesn't immediately confer access rights to anyone who tries to access it. Admittedly this is a tricky matter in the electronic world where trespassing isn't as clear, and the rules are murkier.

If I have a site up and you hit it with a web browser either by typo of name, IP, or even directly hitting my site intentionally, this generally wouldn't constitute unauthorized access. Even clicking through publicly accessible links on my site wouldn't constitute unauthorized access generally understood.

However, let's say I'm running SSH and my root account has no password. Let's say you're trying to log in somewhere else and you typo the IP and instead log into my system. Would you be entitled to look around since obviously I hadn't put a password on root, I must have authorized you to access the system, right?

I think it's fairly clear that in this SSH example you'd be out of line accessing the system, regardless of whether I put up a warning banner or not.

Zone transfers aren't meant for public consumption. Almost no one sets them up that way. The norms of access say that full DNS zone information isn't public, isn't meant to be shared, and that your default assumption should be that it is someone else's property.

Just like if you find a wallet lying in the street, your default assumption shouldn't be that it's yours for the taking.

Andrew said...

Sorry I didn't reply sooner, been busy...

Setting up a DNS or web server to publish information is also an explicit act, and how simple it is to accidentally publish data should have no bearing on the legality of accessing published information.

Let's revisit your webserver/banking files example because there was a flaw in the earlier analogy. Let's say you run a website dedicated to game mods. You want to post your most recent mod for the world to see, so you do so by selecting the folders containing the mod and compressing them into a zip file, but when you do so you accidentally select the folder holding all your private banking data. Would I be guilty of hacking your computer if I access that compressed file, labeled as a game mod, but containing your private data?

If I use that data for any purpose then yes, I'm guilty of a crime, but not for just retrieving what could reasonably be assumed to be public information.

This is a more apt analogy, because anyone who has read the Split-Horizon DNS FAQs and walkthroughs that I have (Read the top google result for "split horizon dns" at http://homepages.tesco.net/~J.deBoynePollard/FGA/dns-split-horizon.html) would conclude that any data in a DNS server that responds to requests from public addresses on the internet is public.

(Continued next post...)

Andrew said...

The key element here is what result the party requesting the information expects to retrieve. Everyone agrees that Sierra made a mistake by including private data on that server. If that's true then isn't it reasonable to expect that private data wouldn't be included?

BTW the ssh example is entirely moot because the whole ssh protocol is built for authentication, authorization, and encryption. The whole thing SCREAMS private.

Oh pretty much ditto on the wallet analogy.

Oh, the "Zone transfers have no intended purpose beyond DNS redundancy" statement (paraphrasing the court's findings of fact) is utter B.S. I've personally used them (although only on servers I administer) for diagnostic purposes.

Security Retentive said...

That's right, they do have a purpose other than for redundancy, but they aren't generally considered public.

I think your underlying premise is correct that we don't have a good definition of authorization and access and consequently the way the law is interpreted (for better or worse) is that the one being accessed gets to define whether it was authorized. An unfortunate but quite consistent interpretation in case law.

How we change that in a way that doesn't allow hacking with the "if you didn't want me logging in you should have prevented it" defense is a tricky business. We're too far on the one side right now.

At the same time, I don't know any serious computer-knowledgeable person who would believe they are entitled to try to do zone transfers. It's pretty clearly out of bounds. Ritz knew this pretty clearly. Norms say full zone data (whether just the public info, or if it includes some other data) isn't intended for general consumption. Just because the commands make transfers easy, and because he could do it, didn't authorize it. We can come up with all sorts of other examples that don't fit this mold clearly and where the court would have to rule, we'd have other arguments, etc.

Full zone data is private data. End of story.

Andrew said...

Full zone data is NOT private data because ALL the data in the zone could be accessed by other queries.

Disabling zone transfers is at best security through obscurity (which doesn't really work) and at worst deluding yourself into thinking you're secure. You should never put private data on a public DNS server.

It used to be common practice to leave zone transfers enabled just to provide a directory listing (heck, check out RFC 1296, it's about using zone transfers to track the early growth of the internet).

Nobody would reasonably expect a zone transfer request to return private data period.

Andrew said...

BTW, none of my arguments imply that "If you didn't want me logging in you should have prevented it" is a reasonable argument. Anyone who authenticates as someone they're not is guilty of fraud at least. Like I would be if I'd accidentally ssh'd into your computer as root (your earlier moot analogy).

DNS is by its very nature a system for distributing information to everyone. Authorization to access the data is implied by using the protocol.