"Mommy, can I have a cookie?"
"Sure, you can have a cookie, but you may not."
We all have had that discussion before -- either with our parents or our kids. A recent case from North Dakota reveals that the difference between those two concepts may lead not only to civil liability, but could land you in jail.
Spam King?
Since the "old" days of the Internet -- you know, the days of USENET postings and the like -- there have been allegations that Jerry Reynolds and his company Sierra Corporate Design were responsible for distributing volumes of spam, much of it pornographic. Anti-spam activists, including Edward Faulk and David Ritz, have been seeking information about Reynolds and Sierra in an effort to demonstrate that the company is responsible for this porn spam. Reynolds and Sierra responded not only with denials, but in the time-honored American tradition, by going to the courts. Lawyers were consulted, lawsuits filed, discovery taken, lawsuits dismissed, injunctions granted, etc. You know, the typical legal drill.
In one of these back-and-forth lawsuits, Reynolds and Sierra sued the anti-spam activists Faulk and Ritz in Reynolds's home state of North Dakota, alleging among other things that Ritz "hacked" into Sierra's computers and "stole" nonpublic information which he then allegedly gave to Faulk for publication. The suit against Faulk, who lives in California, was dismissed for jurisdictional reasons, but the suit against Ritz for "hacking" proceeded.
On January 11, 2008, a Fargo, North Dakota court ruled for Sierra and against Ritz, and ordered Ritz to pay Sierra $60,000 in actual damages, punitive damages, and to pay Sierra's lawyers' fees. Nothing unusual there. The problem is that the "hack" that Ritz is alleged to have committed against Sierra and Reynolds was nothing more than using simple UNIX and SMTP commands to look up domain addresses -- commands like host -l and vrfy. Can such simple things, run against a system configured to allow a zone transfer, result not only in civil damages but also in a potential criminal conviction? How far can you go in probing and profiling a system before you are in danger of going to jail?
Findings of Fact -- Conclusions of Law
In the course of the lawsuit, the District Court Judge in Cass County, North Dakota held hearings and came to certain "factual" conclusions. As with most factual conclusions issued by a court, what likely happened was that each party submitted a statement of what it thought the facts were, and the judge picked and chose from among those facts whatever the judge felt was correct. In some cases, the judge simply adopts one party's "statement of facts." That's just the system.
However, having not been there, and not having heard the testimony, we kind of have to take the judge's word for what happened between Sierra and Ritz. Among the Court's findings were:
- On February 27, 2005, Ritz connected to Sierra's DNS server, issued a host -l command and obtained a full zone transfer, providing Ritz with the network map showing all of Sierra's private domain names, private host names, and internal non-routable IP addresses. Of course, whether or not these domain names were "private" or "internal" is what is in dispute. In fact, recently the German data privacy commissioner stated that individual IP addresses, from which you can determine the Internet browsing activities of a third party, constituted "personal data" subject to the German data privacy laws.
- Ritz issued UNIX commands like host -l, and the SMTP commands helo and vrfy, which, according to the court, "are not commonly known to the average computer user." Well, neither is ctrl-P to print a document -- seriously, the "average" computer user knows very little -- but that doesn't make it unauthorized or suspicious.
- Ritz used proxies and shell accounts to "conceal his identity," and he used the names "lewini" and "BOFH" ("Bastard Operator From Hell"), although he denied having used any names other than Ritz.
- Ritz was able to learn the internal DNS structure and host names of Sierra's network. "[T]he private host names could not be ascertained from any publicly available source," and the court found the use of the host -l command by Ritz to learn information about Sierra's structure was "unauthorized."
- Ritz had engaged in 18 USENET death penalties (UDPs) and sent what the court called "Internet mail bombs." Ritz had hijacked computers of third parties like Verizon, had conducted port scans on computers of third parties and, the court inferred, of Sierra, and had caused damage to Sierra by doing so. It found that Ritz did these things out of malice.
- The court also found that Ritz "engaged in a variety of activities without authorization on the Internet ... includ[ing] port scanning, hijacking computers, and the compilation and publication of Whois lookups without authorization from Network Solutions."
Now anyone can do a Whois lookup, but Network Solutions' terms of use for the database do prohibit such use: "The compilation, repackaging, dissemination or other use of this [whois] Data is expressly prohibited without the prior written consent of Network Solutions." The Court concluded that Ritz's actions violated the North Dakota Computer Crime Law (pdf), which makes it an offense to "intentionally and ... without authorization gain or attempt to gain access to ... any computer ..." The statute by its terms allows "the owner or lessee of a computer [to] bring a civil action for damages, restitution, and attorney's fees for damages incurred as a result of the violation of this section." The statute also makes "computer trespass" a criminal offense. Like most computer crime statutes, the North Dakota law attempts to define both "computer" and "access" by stating:
"Access" means to approach, instruct, communicate with, store data in, retrieve data from, or otherwise make use of any resources of a computer, computer system, or computer network.
"Computer" means an electronic device which performs work using programmed instruction and which has one or more of the capabilities of storage, logic, arithmetic, communication, or memory and includes all input, output, processing, storage, software, or communication facilities that are connected or related to such a device in a system or network.
So did Ritz make an "unauthorized access" to a "computer" by issuing a command to do a zone transfer? If so, are forensic and computer security examiners at risk in doing what they do every day? To understand this you need to know a bit about the common-law crime, or tort, of trespass and a bit about UNIX.
Forgive Me My Trespasses
One of the most ancient common law actions was that of "trespass," which in its oldest form related to any unlawful interference with one's person, property or rights. Thus, unauthorized use of a website is sued as "trespass to chattels." However, in its most common modern form, "trespass" generally refers to "trespass to land" -- the "unauthorized" entry onto, or remaining on, the land of another. You don't have to physically enter the property to be guilty of trespass -- throwing a rock onto someone else's property is trespass, as is undermining it by blasting.
At common law, all "unauthorized" entries onto someone else's property would be a "trespass" even if no harm is done to the property, although it may be difficult to prove "damages." As one commentator noted:
... a mail carrier has a privilege to walk up the sidewalk at a private home but is not entitled to go through the front door. A person who enters property with permission but stays after he has been told to leave also commits a trespass. Moreover, an intruder cannot defend himself in a trespass action by showing that the plaintiff did not have a completely valid legal right to the property. The reason for all of these rules is that the action of trespass exists to prevent breaches of the peace by protecting the quiet possession of real property.
In a trespass action, the plaintiff does not have to show that the defendant intended to trespass but only that she intended to do whatever caused the trespass. It is no excuse that the trespasser mistakenly believed that she was not doing wrong or that she did not understand the wrong.
In the early 1980s, as legislatures first began to pass computer crime laws, they attempted to correct a perceived "loophole" in the law of trespass. If I broke into your house and looked at your files, I committed the crimes of "trespass" and possibly theft of property and burglary. If, on the other hand, I did the same thing with your computer, I committed no offense at all, except possibly wire fraud. Merely "breaking in" to your computer was not necessarily an offense. Thus, most modern "computer crime" statutes contain at least a misdemeanor "computer trespass" provision, which prohibits "access" that is "unauthorized."
What is "authorized?"
The problem with these computer trespass provisions is the fact that they are vague. Like North Dakota's, they prohibit computer "access" that is "without authorization" or "in excess of authorization" of the "owner" of the computer. The problem comes when computer users enable a function or feature of a computer which permits access to the computer or network. Is this "authorizing" people to use or even exploit that feature?
At this point, one is tempted to start using "real world" analogies -- you know, if a window is open, are you "authorized" to climb in? If the door is unlocked, are you "permitted" to go in? If the keys are left in the car, are you allowed to drive off with it?
And that's the problem. The law deals with new situations by analogy, and all analogies are imperfect. If a Wifi connection is left unencrypted with no password, are you "authorized" to access it? Alternatively, if your neighbor is having a party to which you are invited, and the front door is unlocked, are you "permitted" to just come on in?
The term "access" is very broadly defined. Even issuing a command to a computer may be termed "access." As Professor Orin Kerr has pointed out (pdf):
Imagine a user wishes to log on to a password-protected computer, and sends a request to the computer asking it to send back the page that prompts the user to enter a username and password. The computer complies, sending the page back to the user. This would not access the computer from a virtual perspective, as it would be something like walking up to a locked door but not yet trying the key. From a physical-world perspective, however, the request would be an access; the user sent a command to the computer and received the desired response. Similarly, consider whether sending an e-mail accesses the computers of the recipient's Internet service provider. From a virtual perspective, the answer would seem to be no; a user who sends an e-mail to the ISP does not understand herself to have "entered" the ISP. From a physical perspective, however, the answer seems to be yes; the user has in fact sent a communication to the ISP that its servers received and processed.
Thus, in cases like State v. Allen in Kansas in 1996, the court threw out an indictment of someone who merely attempted to log in to a password-protected account, even though he technically "accessed" the computer. In the civil and threatened criminal prosecution of Georgia computer researcher Scott Moulton, who was charged with conducting an unauthorized port scan on a computer network, the analogy between physical trespass and electronic unauthorized use breaks down. In the Robert Morris Internet worm case, Morris used, among other techniques, a feature in the sendmail protocol to propagate his worm. The Court of Appeals in that case (disclosure: I prosecuted and handled the appeal) had to deal with the fact that Morris was authorized to send mail, but not necessarily "authorized" to make an exploit. The court concluded:
The evidence permitted the jury to conclude that Morris's use of the SEND MAIL and finger demon features constituted access without authorization. While a case might arise where the use of SEND MAIL or finger demon falls within a nebulous area in which the line between accessing without authorization and exceeding authorized access may not be clear, [the statute has since been modified to prohibit both] Morris's conduct here falls well within the area of unauthorized access. Morris did not use either of those features in any way related to their intended function. He did not send or read mail nor discover information about other users; instead he found holes in both programs that permitted him a special and unauthorized access route into other computers.
Thus, under the Morris analogy, if you use a program or command in a way that it is not intended to be used, you run the risk of this being an "unauthorized" access.
But what about Ritz? He used the zone transfer precisely as it was intended to be used, but it appears that Reynolds and Sierra had not configured their network to prevent a zone transfer. Does failing to prevent something constitute "authorization" to do it? Is the rule that anything is permitted unless expressly prohibited, and even then only if technology is deployed to prevent it? Or is the rule that you aren't allowed to do anything unless the website operator says you can? In one case, subpoenaing e-mail was considered an unauthorized access to a computer!
There are no hard and fast rules here. Do we look at what the property owner intended (I never expected anyone to use my wireless connection), what the alleged trespasser thought (hey, there was no sign, and it was configured to allow it), or some hybrid (what would a reasonable computer user have thought)? Obviously, the trespasser should have some knowledge that their actions were in some way "wrongful," although common law trespass did not always require this.
This situation is not easy in the real world, and is infinitely more complicated in the virtual world.
In the real world, we have centuries of experience with boundaries. We know without being told about the difference between a sidewalk and a street and a house. We know almost all the time about the difference between a private residence and a commercial establishment. Even in an establishment like a hotel, we know the difference between the lobby, the business offices and the guest suites. Even within the guest suites, we fundamentally understand the difference between the desk drawers and the luggage. These invisible lines of "authorization" come from common and shared experiences.
Shades of gray
Even with these experiences, the law of "trespass" or authorization is tricky. Can you enter your neighbor's house because the door is open? What if you smell smoke? There is actual authorization ("Go ahead, c'mon in."), implied authorization by circumstances (for example, you may access a public website), and emergency implied authorization. Even authorized access can become a trespass if you do something that is not permitted.
Under the Morris "intended functionality" test, a "cookie" or applet or ActiveX control may be "authorized" to run on a computer, but it is not a stretch to say that a program designed to look like a cookie, but which runs malicious programs or is designed to do damage, may constitute "trespass." It's OK to send mail but not OK to send mail bombs, even though both "access" your computer.
On the other hand, there is a huge difference between the ability to access and authorization to access. And that's where David Ritz got into trouble.
Are you the admin?
The North Dakota court made a factual finding that Ritz used certain UNIX commands, including host -l, to accomplish a "zone transfer." The court noted that zone transfers are primarily used to create a redundant domain structure or for troubleshooting in the event of problems with the domain structure. The court observed that "in those instances, however, the person conducting the diagnosis acts with the authorization of the operator of the system and is usually the network administrator for the system." The court also noted that there were no other purposes of a zone transfer, and that "Microsoft itself, as well as various other, authorities all refer to zone transfers conducted by an individual other than the network administrator or an authoritative name server as unauthorized."
While my independent research on the subject indicates that the judge has overstated the issue, the clear purpose of the zone transfer is to allow the authorized system administrator to replicate the DNS structure. As one web posting by venerable security guru D.J. Bernstein -- of the crypto case Bernstein v. United States fame -- noted:
AXFR is also sometimes used by unauthorized third parties who want to sneak a peek at a site's data. Many years ago, these peeks were practically always successful, because almost all sites had promiscuous AXFR servers; these days, however, promiscuous AXFR servers are widely discouraged and increasingly uncommon.
(From a snoop's perspective, the difference between AXFR and normal queries is that normal queries force the snoop to guess the relevant domain names, while AXFR reveals the domain names for free. The notion that DNS data is entirely public does not match the reality of private high-entropy domain names at many sites.)
Thus there is a disconnect between the concepts of "accessible by a member of the public" and "intended to be public." The court also noted that, at least on the issue of damages resulting from the unauthorized access, the information Ritz obtained about the Sierra internal domain structure "in the hands of outsiders with malicious intent, threatens the integrity of Sierra's computer system."
So, is doing a zone transfer the same as, for example issuing a "ping" command or a "whois" lookup? Are you entitled to "look around" at any computer and computer network and see whatever it is you can see?
Let's try more real-world analogies.
Walking around a house, and noting things like your street number, house color, or other "publicly observable" facts is not trespass, provided I don't enter the property. Walking to the front door and ringing the doorbell is probably OK too.
But what if I jiggle the doorknob on the front, back, and side doors, and then check all the first-floor windows to see if they are locked? What about looking through a window? If you didn't configure the window to prevent me from peering in, then you must have "authorized" me to look in your house, and therefore whatever I see is "public," no? What about climbing on a ladder and looking in a window? Merely being able to do these things does not mean that I am permitted or "authorized" to do them. And even if I am authorized to do them for some purposes, I may overstep my authorization by trying to do them for other purposes.
Say you go to a lengthy, but publicly accessible link, or uniform resource locator (URL), and are greeted with a 404 error message. You truncate the URL and are taken to a root file directory, which gives you access to files, folders or a directory structure which the owner may not have intended to make available, but by configuration (or lack thereof) made accessible to anyone who typed the correct URL. Is your access "unauthorized?"
In the real world, say you go to a movie theater and notice next to the ticket line that there is an open side door which you can enter and watch the movie for free. You suspect that the movie theater operator is unaware of the open door, but then again, maybe -- just maybe, they left it open for you to see the movie for free. How do we settle any ambiguity in the issue of "authorization?"
Ultimately the question is, what are you authorized to do on someone else's machine without their authorization? Certainly there are "public" and "private" areas of their website or even parts of their domain exposed to the Internet. Merely being "exposed" to the Internet does not make the site "public" or even "publicly accessible." And the mere fact that a configuration (or misconfiguration) "exposed" the information does not make the access "authorized."
One commentator on Slashdot has noted that:
What the judge has done is, effectively, to say that each person who asks a public server for information that it is explicitly designed to provide to all and sundry needs to get specific permission for that content from that publisher. This is completely at odds with how the Internet works. The Internet is designed in such a way that servers provide content to anyone who asks, unless the owner has configured the server not to do so.
Sierra could easily have prevented zone transfers from their name servers if they so chose. If they did not do so, then the presumption is that they intended to allow it. There are many very good reasons why a service provider would want their zone to be transferrable, and by configuring their nameservers in that way, they were, in effect, doing the same thing as someone leaving a stack of maps out in public, for all to take at their leisure.
Again, is failing to prevent something the same as authorizing it?
Often we speak of a program or service being "allowed" to run, as if the owner of the system authorized the program to be run, when as many times as not, the owner simply failed to prevent the program from being run. Indeed, virtually all exploits take advantage of poor security, misconfigurations, bad implementations, default logins or passwords, or failures to prevent access to obtain access or information that the operator did not intend to create. A buffer overflow or a SQL injection attack merely issues commands to a server to get it to provide content that anyone who knows how to issue the command can get it to provide and does so unless the owner has configured the server not to do so. This does not mean that the program was "authorized." If we take an exclusive "blame the victim" approach, then all bets are off, and we are back to the cyber frontier.
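The zone-transfer discussion above, and the Slashdot commenter's point that Sierra could have restricted transfers from its name servers, both turn on the gap between what a name server will hand out and what its operator meant to publish. As an added example (not from the original column, and not connected to the Ritz case or Sierra's systems), here is a small Python script an administrator could run over BIND 9 logs to flag AXFR/IXFR requests from any address that is not one of the secondaries the operator intended to serve. The log lines, addresses and zone name are constructed for the example, and the allowed list is assumed to mirror the addresses named in the zone's allow-transfer ACL.

```python
"""Flag DNS zone-transfer (AXFR/IXFR) requests in BIND 9 logs that came from
anyone other than the secondaries the operator meant to serve.

Added example; assumptions (not from the article): BIND 9 'queries' and
'xfer-out' log categories in their default text form, and an ALLOWED list that
mirrors the zone's allow-transfer ACL.
"""
import ipaddress
import re
from dataclasses import dataclass

# Query-log form, with or without the "@0x..." client handle newer BIND prints:
#   client 198.51.100.7#41234 (example.com): query: example.com IN AXFR ...
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+.*?"
    r"query: (?P<zone>\S+) IN (?P<kind>AXFR|IXFR)\b"
)
# xfer-out form, logged only when the server actually starts/finishes sending:
#   client 198.51.100.7#41234 (example.com): transfer of 'example.com/IN': AXFR ended
XFER_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+.*?"
    r"transfer of '(?P<zone>[^/']+)/IN': (?P<kind>AXFR|IXFR) (?P<state>started|ended)"
)


@dataclass(frozen=True)
class TransferEvent:
    ip: str
    zone: str
    kind: str         # "AXFR" or "IXFR"
    source: str       # "query" (request seen) or "xfer-out" (data being sent)
    completed: bool   # True only when xfer-out logged "ended"


def parse_line(line: str):
    """Return a TransferEvent for a zone-transfer log line, else None."""
    m = XFER_RE.search(line)
    if m:
        return TransferEvent(m["ip"], m["zone"].rstrip("."), m["kind"],
                             "xfer-out", m["state"] == "ended")
    m = QUERY_RE.search(line)
    if m:
        return TransferEvent(m["ip"], m["zone"].rstrip("."), m["kind"],
                             "query", False)
    return None


def unauthorized_transfers(lines, allowed):
    """Events from addresses outside the allowed secondaries (IPs or CIDRs)."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        addr = ipaddress.ip_address(ev.ip)
        if any(addr in net for net in nets):
            continue  # an intended secondary; nothing to report
        findings.append(ev)
    return findings


def summarize(findings):
    """One record per client: zones requested and whether any transfer completed."""
    report = {}
    for ev in findings:
        rec = report.setdefault(ev.ip, {"zones": set(), "completed": False})
        rec["zones"].add(ev.zone)
        rec["completed"] = rec["completed"] or ev.completed
    return report


# Constructed sample log (not real traffic). 192.0.2.10 is the legitimate
# secondary; 198.51.100.7 pulls the whole zone; 203.0.113.9 asks but is refused.
SAMPLE_LOG = """\
27-Feb-2005 10:01:11.001 queries: info: client 192.0.2.10#49152 (example.com): query: example.com IN SOA -E(0)T (192.0.2.1)
27-Feb-2005 10:01:11.003 xfer-out: info: client 192.0.2.10#49152 (example.com): transfer of 'example.com/IN': IXFR started
27-Feb-2005 10:01:11.010 xfer-out: info: client 192.0.2.10#49152 (example.com): transfer of 'example.com/IN': IXFR ended
27-Feb-2005 11:40:02.512 queries: info: client @0x7f3a1c003e60 198.51.100.7#41234 (example.com): query: example.com IN AXFR -E(0)T (192.0.2.1)
27-Feb-2005 11:40:02.514 xfer-out: info: client @0x7f3a1c003e60 198.51.100.7#41234 (example.com): transfer of 'example.com/IN': AXFR started
27-Feb-2005 11:40:02.690 xfer-out: info: client @0x7f3a1c003e60 198.51.100.7#41234 (example.com): transfer of 'example.com/IN': AXFR ended
27-Feb-2005 12:05:44.100 queries: info: client 203.0.113.9#53001 (example.com): query: www.example.com IN A -E(0)T (192.0.2.1)
27-Feb-2005 12:06:00.200 queries: info: client 203.0.113.9#53002 (example.com): query: example.com IN AXFR -E(0)T (192.0.2.1)
27-Feb-2005 12:06:00.201 security: info: client 203.0.113.9#53002 (example.com): zone transfer 'example.com/IN' denied
"""
ALLOWED_SECONDARIES = ["192.0.2.10"]  # assumed to match the allow-transfer ACL

if __name__ == "__main__":
    report = summarize(unauthorized_transfers(SAMPLE_LOG.splitlines(),
                                              ALLOWED_SECONDARIES))
    for ip, rec in report.items():
        status = "COMPLETED" if rec["completed"] else "attempted only"
        print(f"{ip}: {sorted(rec['zones'])} ({status})")
```

The report distinguishes a client that merely asked for the zone from one for which xfer-out logged "ended," meaning the full list of host names actually left the server. On a production resolver the allowed list is the same set of addresses (or TSIG-keyed peers) named in the zone's allow-transfer statement, which is the BIND setting that decides whether a promiscuous AXFR of the kind Bernstein describes is possible at all.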
Policy violations not hacking
However, this does not mean that the website operator can civilly or even criminally prosecute any use of their domain, website, or electronic information with which they disagree. In a disturbing trend, companies have been using computer crime statutes to sue each other for "trespass" simply for violating each others "Terms of Use." Thus, competing travel agencies wound up in court because of a contract dispute which led to an alleged "unauthorized access" to a website. Terms of Use then become the electronic equivalent of a "no trespassing" sign.
I remember in the 1960s the New York City Parks Department began putting up signs in all the parks saying, "No spitting, eating, chewing, etc." with a host of prohibited conduct in the parks. Did enjoying a piece of Bazooka in Van Cortlandt Park then make me a trespasser? Under the cyber analogy, just violating the Terms of Use makes your access "unauthorized."
All told, I have to agree with the Cass County court under the specific facts here. Put aside the question of whether you agree with Ritz's anti-spam motives; it appears that the goal of the host -l command was to get access to a part of Sierra's network that Ritz reasonably knew was not intended to be exposed to the public, and to obtain information about Sierra's network that Ritz likely knew was not intended to be public.
A whois lookup on a public directory or a traceroute command is implicitly authorized -- even if your objective is to do something "evil" with that information. But not every command that you can run is authorized to be run by an outsider. Not all information that can be accessed from the Internet is authorized to be accessed.
Again, it's a close call. Under other circumstances, a court could easily conclude that the use of a particular command was, in fact, implicitly authorized. Security researchers use publicly available and widely used tools to probe Internet-accessible computers all the time. Courts in the future are likely to look both at the motives of these researchers and the impact of what they do in deciding whether or not their actions give rise to civil or potential criminal liability. So we need to learn to play nice with other children.
And now you may have the cookie.