Date:      Tue, 8 Feb 2005 01:44:41 -0800
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "Chuck Swiger" <cswiger@mac.com>
Cc:        freebsd-questions@freebsd.org
Subject:   RE: FreeBSD 3.2
Message-ID:  <LOBBIFDAGNMAMLGJJCKNKEEMFAAA.tedm@toybox.placo.com>
In-Reply-To: <42051F95.5020209@mac.com>



> -----Original Message-----
> From: Chuck Swiger [mailto:cswiger@mac.com]
> Sent: Saturday, February 05, 2005 11:34 AM
> To: Ted Mittelstaedt
> Cc: gfoster9055@comcast.net; freebsd-questions@freebsd.org
> Subject: Re: FreeBSD 3.2
>
>
> > Oh I always love these kinds of statements.  Even if I am a lawyer
> > (which I'll say I'm not, to save you from arguing that I am not)
> > guess what - unless I'm retained by you or the OP for the purposes
> > of giving legal advice, even as a lawyer, my advice has no legal
> > significance whatsoever.  Yes, that's true - a lawyer's advice has
> > no significance - unless paid for.
>
> You're simply wrong.  Attorney-client privilege applies even when a lawyer has
> not been paid--

I said "unless I'm retained by you or the OP for the purposes
of giving legal advice"

Technically you're correct on the paid-for issue; it was a smartass
comment of mine - every lawyer I've ever met doesn't give anyone
dick unless he or she gets money for it, so from a practical
standpoint the two statements are the same thing.

But I'm sure you could probably find a few exceptions to that if
you looked hard enough.  There must be, somewhere, at least one lawyer
who gave someone something of value, by accident, without extracting
his pound of flesh.

>
> > I am qualified here on this topic as an expert witness however, and
> > as a matter of fact, lawyers pay people like me to explain how
> > laws like this apply to the real world.
>
> Oh, I've served as an expert witness, too.  I was paid to evaluate software to
> determine whether copyright infringement had occurred because the technical
> skills required to evaluate software require skills which people who are not
> experts with computers don't have.
>

Which is a simple way of saying you were paid to render an opinion,
i.e. advice on whether copyright law applied to an example in the real
world.  Just what I said.

>
> > And of course I'll also gloss over the whole issue that your implying
> > that laws are uninterpretable by the average person unless they are
> > a lawyer.  Riiggghhttt.  So I guess you get a lawyer every time you
> > get a parking ticket, eh?  ;-)
>
> The law applies regardless of whether the average person is able to understand
> a specific matter or not.  However, for the sake of example, if you are not an
> accountant, then you probably [1] cannot be held guilty of *willfully*
> violating accounting laws which are only comprehensible to an accountant (or
> to a lawyer specializing in that area of law).

Accounting law is much more complex than what we are talking about
here.

>
> Likewise, someone who has served as a legal expert on computer matters is
> expected to have a greater understanding of the ethics and professional
> responsibilities involved with computer usage.  For example, because I am a
> network manager responsible for a network infrastructure including electronic
> mail systems, I know that I have a legal obligation to report child
> pornography in spam (ie, an email containing pictures as a MIME attachment, or
> a link to a porn web site) if and when I become aware of such filth.
>

Yes, it is very unfortunate how many network managers out there
somehow don't become aware of such illegal activities even when
their own networks are stuffed with them.  Makes you wonder how
exactly they are managing their networks.

> ------
> [1]: But this becomes more complicated when you are expected to discuss
> matters with your accountants as part of your responsibilities: there are
> several high-profile cases going on right now involving CEOs who claimed to
> know nothing about accounting or financial irregularities who are still being
> prosecuted....
>

The rest of the industry knew Ebbers was running a Ponzi
scheme years before it collapsed.  What the courts in that mess
are trying to do now is figure out how to make the obvious
legally stick.  It is a shame, though, that besides him the
US government regulators aren't right up there with him, as
their irresponsibility in failing to apply the anti-trust acts
is what allowed the mess to get as big as it is.

> >>See 18 USC 1030:
> >>
> >>http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_0000
> >>1030----000-.html
> >
> >
> > Interesting cite, let's look a bit more closely though:
> >
> > (a)(1) "having knowingly accessed a computer without authorization"
> >
> > He has authorization to -access- the computer.  Note that access is
> > not spelled out as a definition in section (e)
> >
> > (a)(1) "or exceeding authorized access"
> >
> > OK, so here we have something - as you could argue that updating
> > the system is exceeding the authorized access on the machine, right?
> >
> > Except that, continuing on in this section:
> >
> > "and by means of such conduct...unauthorized disclosure for reasons of
> > national defense"
> >
> > Ok, so section (a)(1) isn't applicable.  So continuing on:
> >
> > (a)(2) "exceeds authorized access, and thereby obtains-...
> > information from any department or agency of the United States"
> >
> > I'll skip (a)(2)(a) and (a)(2)(c) as they obviously aren't applicable.
> > So it sounds like you might have a case here - except for one problem,
> > that a backup-reformat-reinstall isn't accessing information in
> > the computer over and above his authorized access.  I'll admit this
> > is a grey area and can be argued both ways - but bear with me and
> > follow along.
>
> Computer people attempt to understand the law as if it were a deterministic
> construct which means exactly what it says, and as if a specific section is
> completely well defined in the absence of other laws.  This works for code
> (well-written code, anyway), because software people try very hard to provide
> well-defined interfaces which are self-contained and do not involve side
> effects or hidden changes to global state.
>
> Unfortunately, this approach does not always work for the law; and sometimes
> it doesn't work at all.  Legal terms sometimes have a specific meaning-- what
> we might call jargon-- which is not the same understanding of the term that
> average people have.
>
> What you fail to understand or take into account is that this law, originally
> designed to apply to atomic secrets held by top-security government computers,
> can also be applied to other protected information defined in other laws.
>
> What kinds of other information?  The three that come to mind are financial
> information, medical and healthcare records, and educational records.  Go look
> up a few cases where a student hacked into a school computer in order to
> change grades and see for yourself what laws they were prosecuted under.
>

What they were prosecuted under or found guilty of?  Two very
different things.  The trend today among prosecutors is to
create elaborate and ridiculous justifications for applying as
many charges as possible merely to get the thing ended with a
plea bargain so it doesn't have to go to trial.

So a student hacked into a computer and changed a grade, and
somewhere on the network a computer that is tied to this one
happens to contain some financial info of the school; well, of
course the prosecutor is going to use that to create a charge
that has an extremely tenuous connection.  It does not mean
that a court is going to agree with this.

A court will probably agree with other, more applicable,
violations, though, so the defendant is going to be fucked
anyway - but this way, during a plea negotiation, the offer to
drop what would be an unwinnable charge may be enough to
get the defendant to capitulate on the charge that he would
be found guilty of.  This convinces the defendant that he's
actually getting something out of a plea bargain (even though
he's not, being just as screwed as if he went to court),
which is necessary to get him to agree to doing it.  Thus
a court case is avoided, saving everyone a lot of time and money,
and life goes on.

> > He obviously has permission for a certain level of access already
> > on this machine.
>
> "Obviously?"  If he was accused of breaking the law, and claimed that "I
> obviously had permission to do whatever I want to this computer", just how
> would he prove this supposedly obvious claim?
>

Well, you are right, this is an assumption on my part.  But how could
he possibly perform the job that he allegedly has volunteered for -
administering this computer - without having a rather extensive
e-mail trail back and forth with the school that would easily
establish that he had permission for a certain level of access?
I did assume a certain minimum level of competence.

But I'll go ahead and give you that point.  Perhaps the OP is such
an unbelievably incompetent network administrator that he has never
once had any kind of e-mail exchange with the school regarding any
matter of administering these servers.  Perhaps in his own mind
he thinks he was given permission to administer this server and
these sites when in reality nobody who was any witness to the
exchange between him and the school would possibly agree that
such permission was given.

This is why I cautioned him that:

"You are just helping this person out by giving him a breather so he can
work on windowizing some other system, once he gets done with that one
your FreeBSD 3.2 system will be gone quicker than grapes through a goose"

Because frankly the situation is very strange in that no sane
network manager -wants- old, unsecured, systems on their network.
I personally think the OP is being setup - which is why I told
him to get out immediately and find some other place more
grateful for assistance.

And I said all that because once I happened to be in that situation
myself.  Back in 1994 it was - I was asked at my employer at the
time to set up a company support webserver.  I said great, I have
Unixware running on this test system here that would work great.
I was told no, use Windows.  I also had at the same time a Windows
webserver running on a test Windows box (which I did not elaborate
on to my bosses).  I did the old smile & nod, did nothing,
and quit within a month (mainly for other reasons, but this was
one).  I heard later on that they could never find anyone else
to put up a Windows webserver, so they eventually were forced by
the marketing group to give the project to another site - where
the admin there, who thought like me, promptly used Solaris on Sparc.

I've learned from experience that micromanaging is the last refuge of
the incompetent manager.  If you stay and put up with it, you're just
helping the incompetent manager keep his job.  If you leave and
go elsewhere, the incompetent manager almost always suffers.

Anyway, getting back to the OP's problem, he didn't ask for this
kind of advice; he asked how to beat the system, to get around
their restrictions.  My experience is that in the kind of toxic
environment that he is in, nothing he can do is going to be liked.
When your bosses start ordering you to do self-defeating things,
they want you out of there, and are just too big a coward to tell
you you're fired.

> In my last message, I gave a really good suggestion, which was...
>
> [ ...a lot of nonsense removed, tired of detailed response... ]
> >> US-government-owned computer without getting written
> >> permission first.
> >
> > Absolutely nothing in that section you cited said anything
> > about written permission, I have no idea where you're getting
> > that from at all.
>
> ...getting written permission means that the changes you make in good faith to
> a computer system owned by someone else are "authorized".
>
> And you can prove it if you needed to.
>

No, you can't prove it any better than if it's verbal with a
few witnesses - unless the written permission is so incredibly
detailed that it runs to two dozen pages and specifies things so
narrowly that you practically have set times to go to the bathroom.
And you need one of these for every single project.  It's
impractical and ridiculous in a volunteer situation.  Any sane
volunteer would rightfully conclude that they don't want his
services and tell them to stuff it.

For example, the OP said he was in charge of administering this
server, and he could do anything he wanted to do except upgrade it.
Assume he has a piece of paper from the network manager saying just that.

There is a need in the network for an HTTPS server.  The network
manager knows that the FreeBSD system could do this - if upgraded -
but he secretly wants to force the school to spend money on a
new Windows box, thus he issues the "no upgrade" restriction, thinking
that this will block use of the FreeBSD system as an HTTPS server,
yet at the same time not put him on record as deliberately saying
NO to use of the FreeBSD server as an HTTPS server.

Our OP then goes out and digs up some hoary old SSL code that he
compiles, and some hoary old apache-ssl code that builds with this,
and presto - instant HTTPS server on the FreeBSD server.

This shoots the scheme of the network manager to get a new Windows
box funded to pieces, since the school is never going to spend
the money for one since they now have an HTTPS server on the
FreeBSD system.

The network manager then tries arguing using your logic, that
the OP is an irresponsible cracker that exceeded his authority
on the server and is guilty of computer crime.  The OP pulls out
his paper, and the network manager argues that upgrades obviously
mean installing a 'new' https server.

So much for the written permission.

> > EXCEPT, I have it - you are probably saying this because you
> > have a high expectation that him updating the system will break
> > things - resulting in justifiable anger and annoyance of the
> > owner - resulting in possible legal actions where a piece of
> > paper might get his ass out of the sling.
>
> Very good.  Only you've got it backwards.
>
> I didn't evaluate his chances of breaking the system because my concern was
> that he should obtain permission before reinstalling because that is the right
> thing to do.  The fact that having written authorization might well "keep his
> ass out of the sling" if there was a problem is a secondary concern, albeit
> still very important.
>

And also you're missing that even with a written piece of permission
good enough to keep him from being successfully sued, the fact of
the matter is that his putting a nice new server in there which
destroys justifications for wastin.. I mean spending money, is going
to create enemies.

It won't create enemies of the administrators of the school who
are probably scraping to keep every penny possible funneled to the
students.

It will create enemies of the network admins who are getting their
jollies out of scrapping a cheap but perfectly workable Open Source
network that they are too goddam lazy to understand, and replacing it
with an expensive shiny toy that they can use to polish up their
MCSE certifications on, and build their resumes with, so they can quit
in 6 months and get more money elsewhere.

You're missing this because you are assuming that everyone in the
school other than this volunteer is of a unified mind, and all of
them - from the top administrator of the school all the way down to
the janitor - don't want the server updated.  I think you're getting
carried away with this assumption because the law prefers to treat
organizations as unified things.

In reality it is very likely that the top administrators of the school
neither know nor care what their IT systems are running; all they care
about is how much money they must toss into them.  The OP said
as much when he said that "updating is out of the question at the
moment because of policy and budget"; well, you know perfectly well
that all schools think they never have enough money, so the real
operative portion of this statement is that the heads of the school
don't want to spend more money than they are already.  Yet the
OP said "they are moving to winblows".

Well, there is no such thing as a migration from Open Source to Windows
that saved money.  Such an animal doesn't exist except in the tortured
minds of Microsoft's marketing department.  People only migrate from
an installed and operating Open Source network to Windows because
they don't understand Open Source and are too pigheaded to bother
spending time learning it.

There's an excellent chance this school is in a situation where the
heads of the school had a FreeBSD network, probably put together by the
previous admin; that person left, they couldn't find anyone else, and
ended up hiring some incompetent graduate out of a Windows training
program, who doesn't understand the existing network, and pretty much
told the school head that everything they have needs to be scrapped.
In that case the school administrators have little choice but to
go with the recommendations of the network person they hired,
even though they know it's going to be more costly.

If this is the real issue, and I will bet that it is, no matter how
much the network admin hates this volunteer's guts for skewering his
plans to spend large amounts of money on Microsoft software, there is
going to be zero support from the top for going after the OP in any
legal sense.

Ted



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?LOBBIFDAGNMAMLGJJCKNKEEMFAAA.tedm>