Digg this story   Add to del.icio.us   (page 1 of 7 ) next 
Mother, May I?
Mark Rasch, 2008-01-23

"Mommy, can I have a cookie?"

"Sure, you can have a cookie, but you may not."

We all have had that discussion before -- either with our parents or our kids. A recent case from North Dakota reveals that the difference between those two concepts may lead not only to civil liability, but could land you in jail.

Spam King?

Since the "old" days of the Internet -- you know, the days of USENET postings and the like, there have been allegations that Jerry Reynolds and his company Sierra Corporate Design were responsible for distributing volumes of spam -- much of it pornographic. Anti spam activists, including Edward Faulk and David Ritz have been seeking information about Reynolds and Sierra in an effort to demonstrate that the company is responsible for this porn spam. Reynolds and Sierra responded not only with denials, but in the time-honored American tradition, by going to the courts. Lawyers were consulted, lawsuits filed, discovery taken, lawsuits dismissed, injunctions granted, etc. You know, the typical legal drill.

In one of these back and forth lawsuits, Reynolds and Sierra sued the anti-spam activists Faulk and Ritz in Reynolds home state of North Dakota, alleging among other things that Ritz "hacked" into Sierra’s computers and "stole" nonpublic information which he then allegedly gave to Faulk for publication. The suit against Faulk, who lives in California, was dismissed for jurisdictional reasons, but the suit against Ritz for "hacking" proceeded.

On January 11, 2008, a Fargo, North Dakota court ruled for Sierra and against Ritz, and ordered Ritz to pay Sierra $60,000 in actual damages, punitive damages, and to pay Sierra’s lawyer’s fees. Nothing unusual there. The problem is that the "hack" that Ritz is alleged to have committed against Sierra and Reynolds was nothing more than using simple UNIX and SMTP commands to look up domain addresses -- commands like host -l and vrfy. Can such simple things on a system configured to allow a zone transfer support not only result in civil damages but also a potential criminal conviction? How far can you go in probing and profiling a system before you are in danger of going to jail?

Findings of Fact -- Conclusions of Law

In the course of the lawsuit, the District Court Judge in Cass County North Dakota held hearings and came to certain "factual" conclusions. As with most factual conclusions issued by a court, what likely happened was that each party submitted a statement of what it thought the facts were, and the judge picked and chose from among those facts whatever the judge felt was correct. In some cases, the judge simply adopts one party’s "statement of facts." That’s just the system.

Story continued on Page 2 

Mark D. Rasch is an attorney and technology expert in the areas of intellectual property protection, computer security, privacy and regulatory compliance. He formerly worked at the Department of Justice, where he was responsible for the prosecution of Robert Morris, the Cornell University graduate student responsible for the so-called Morris Worm and the investigations of the Hannover hackers featured in Clifford Stoll’s book, "The Cuckoo’s Egg."
    Digg this story   Add to del.icio.us   (page 1 of 7 ) next 
Comments Mode:
Thanks Mark 2008-01-23
Andy S.
Mother, May I? 2008-01-23
Anonymous (1 replies)
Re: Mother, May I? 2008-01-24
Mark D. Rasch
You're overlooking some issues. 2008-01-23
Anonymous (2 replies)
Re: You're overlooking some issues. 2008-01-24
Mark D. Rasch
Mother, May I? 2008-01-23
Erik N
OS utilities and public "keys" 2008-01-23
Ole Juul (1 replies)
Re: OS utilities and public "keys" 2008-01-28
Mark D. Rasch (1 replies)
Be careful what you ask for 2008-01-23
Mother, May I? 2008-01-24
Thomas Downing (1 replies)
Internet as Commons 2008-01-28
Mark D. Rasch (1 replies)
Re: Internet as Commons 2008-01-29
Jon Hash (1 replies)
Re: Re: Internet as Commons 2008-02-01
Mark D. Rasch
Mother, May I? 2008-01-24
Not much of a cheese shop, is it? 2008-01-24
Mitch Smith (2 replies)
Re: Not much of a cheese shop, is it? 2008-01-28
Mark D. Rasch (1 replies)
Mother, May I? 2008-01-27
Anonymous (1 replies)
Re: Mother, May I? 2008-02-01
Mark D. Rasch
Mother, May I browse your public server? 2008-01-28
Anonymous (1 replies)
It's Like a Phone Book 2008-01-30
Mother, May I? 2008-02-07
Victor (1 replies)
Re: Mother, May I? 2008-02-07
Mark D. Rasch


Privacy Statement
Copyright 2010, SecurityFocus