Mother, May I?
Mark Rasch, 2008-01-23

"Mommy, can I have a cookie?"

Mother^H^H^H^H^H^H directory manager, May I? 2008-01-23
reiisi
Two points:

One, I disagree with the conclusion about the -l option of host, and about the HELO and vrfy commands. My analogies:

You walk into the lobby of an office building, and you see a directory by an elevator. I suppose that looking at the directory might be considered valid, where copying it down or taking a photograph might be frowned upon, or even considered trespass by a high school part-timer working as an assistant night guard, but the directory is necessarily public information, and attempting to find either criminal or civil liability in collecting public information is messing with fundamental law in a country that Constitutionally recognizes and supports individual freedoms.

If the directory is supposed to be restricted access and the building operators are too, erm, thrifty to post a guard instead of posting the directory itself, they have to put the elevator in question in a controlled section of the building. True?

Recent court rulings are attempting to define "terms of use" as equivalents of such things as signs saying, "No unauthorized persons beyond this point!" But that's kind of like saying a visitor to the building has to read and remember the map in the guardsman's desk that shows authorized and unauthorized sections of the building. The newspaper carrier, the pizza delivery person, the document courier, the job-seeker coming in for an interview and thinking about making a cold call or two while there, the office supplies salesman, the concerned citizen wanting to check up on the legality of actions of one of the occupants, all have to read the terms of access and remember it. Even if they have twenty other buildings that look almost exactly the same to make deliveries to.

And the map is in the guard's desk, which is by the front door, not by the elevator in question.

There are three problems here. One is that private information simply should not be on the publicly accessible directory posted by the elevator. Period. And that is what the commands in question should be compared to.

Another is that the terms of access are not the method the protocol specified for controlling this kind of thing. Resorting to this kind of terms of access is very much like a cheap building operator providing a guard's office by the front door, putting a map on the guard's desk, and failing to employ a guard. If failing to notice restriction signs is no excuse for the visitor, ignorance of the protocol is no excuse for the operator. (At bare minimum, the building operator is setting up an attractive nuisance.)

The third is that the protocols were intended to be used by those who maintain the internet, not the general public accessing the internet. This is obvious when you consider how the terms of use tend to be posted at the bottom (fine print position) of (if you're lucky) the front page, and they are supposed to control access to URLs containing six or seven levels of sub-paths.

I know it's considered inflammatory to point the finger at Microsoft, but they led the charge. Others in the community have also behaved indefensibly in bringing a technology which was not intended for the public to the public, and saying, "Go ahead! It's FUN! and PROFITABLE!", and then trying to cover the holes in the tech (relative to public access) with out-of-band "legal notices".

Which leads to the second point. Try to apply the same legal concepts of "trespass" uniformly in the US, Japan, India, China, and New Zealand. Go ahead.

It's not a good thing that the industry is pushing an impossible plan of internationalization, but that's not what I'm talking about here. (I mean it's not my second point.)

When it comes down to the fine lines on questions like trespass, the customs of the community have to be brought into play. When a community is too new to have customs and we try to lay out too fine a distinction, the results are necessarily arbitrary.

And that is what has happened here. The honorable judge is attempting to force a community of technicians to follow the rules of a community of, well, whatever community you want to call Sierra a member of. And that is just plain arbitrary, whatever her intentions were.

Those who build and maintain the infrastructure have to have a separate set of rules. They "get to" do certain things, but they also have heavier responsibilities than those who merely use the infrastructure. Unfortunately, the internet protocols have only been defined well for the technical community. Those making boatloads of money are in serious breach of many of those customs. Sierra is especially in breach.

The cause of the problems here is that the infrastructure is in use before it is ready. Comparing it to the freeway system, it would be as if we have people trying to drive Ferraris on highways before the construction crew gets a chance to lay asphalt. (Where I sit, I tend to say that it's like trying to drive a Ferrari on a road that has been surveyed, but hasn't even seen a load leveler yet. But maybe that's just me.)

Evidence of my assertion? Possibly the most obvious -- I get between one and three hundred unsolicited commercial e-mail messages every day, and I have no easy way to clear it out that doesn't have false positives.

Even if my assertion that the terms of use that can be accessed when doing dns queries are not sufficient notice when the system provides technical ways to actually put up the equivalent of "No Access" signs is found not justifiable, the courts have to give the volunteers a little leeway when they go after known aggressors.

I'll post this at GrokLaw, as well. (No, I'm not checking your terms of use to see whether you're going to claim copyright on anything I post. There's another hole in the infrastructure for you.)




Link to this comment: http://www.securityfocus.com/comments/columns/463/34877#34877
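The "technical ways to actually put up the equivalent of 'No Access' signs" the comment refers to, shown as an added defender-side example that is not part of the comment or the column: BIND and Postfix settings that restrict zone transfers (what `host -l` requests) and refuse VRFY. The zone name and the secondary's address are placeholders, and the weak and corrected zone stanzas are before/after fragments, not one loadable file.

```conf
# --- BIND named.conf (added example; example.com and 192.0.2.10 are placeholders) ---
# Weak: any client may request a full zone transfer (AXFR), so the whole
# "directory" of hostnames is readable by anyone who asks.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { any; };
};

# Corrected: only the designated secondary may transfer the zone; every other
# client gets REFUSED, the protocol-level equivalent of a "No Access" sign.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.10; };   # use { none; } if there is no secondary
};

# --- Postfix main.cf (added example) ---
# Weak: VRFY answers whether a mailbox exists, confirming valid addresses
# to anyone who connects.
disable_vrfy_command = no

# Corrected: the server refuses VRFY (reply code 502) instead of confirming
# or denying individual addresses.
disable_vrfy_command = yes
```

After changing either file, reload the service and confirm the behaviour from an outside address (a transfer attempt should be refused, and VRFY should be rejected) rather than relying on the configuration alone.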
Copyright 2007, SecurityFocus