From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Chuck Swiger" <cswiger@mac.com>
Cc: gfoster9055@comcast.net, freebsd-questions@freebsd.org
Date: Tue, 8 Feb 2005 01:44:41 -0800
Subject: RE: FreeBSD 3.2
In-Reply-To: <42051F95.5020209@mac.com>

> -----Original Message-----
> From: Chuck Swiger [mailto:cswiger@mac.com]
> Sent: Saturday, February 05, 2005 11:34 AM
> To: Ted Mittelstaedt
> Cc: gfoster9055@comcast.net; freebsd-questions@freebsd.org
> Subject: Re: FreeBSD 3.2
>
> > Oh I always love these kinds of statements. Even if I am a lawyer
> > (which I'll say I'm not, to save you from arguing that I am not)
> > guess what - unless I'm retained by you or the OP for the purposes
> > of giving legal advice, even as a lawyer, my advice has no legal
> > significance whatsoever. Yes, that's true - a lawyer's advice has
> > no significance - unless paid for.
>
> You're simply wrong. Attorney-client privilege applies even when a lawyer has
> not been paid--

I said "unless I'm retained by you or the OP for the purposes of giving legal advice"

Technically you're correct on the paid-for issue; it was a smartass comment of mine - every lawyer I've ever met doesn't give anyone dick unless he or she gets money for it, so from a practical standpoint the two statements are the same thing. But, I'm sure you could probably find a few exceptions to that if you looked hard enough. There must be somewhere at least 1 lawyer that gave someone something of value, by accident, without extracting his pound of flesh.

> > I am qualified here on this topic as an expert witness however, and
> > as a matter of fact, lawyers pay people like me to explain how
> > laws like this apply to the real world.
>
> Oh, I've served as an expert witness, too. I was paid to evaluate software to
> determine whether copyright infringement had occurred because the technical
> skills required to evaluate software require skills which people who are not
> experts with computers don't have.

Which is a simple way of saying you were paid to render an opinion, i.e. advice on whether copyright law applied to an example in the real world. Just what I said.

> > And of course I'll also gloss over the whole issue that you're implying
> > that laws are uninterpretable by the average person unless they are
> > a lawyer. Riiggghhttt. So I guess you get a lawyer every time you
> > get a parking ticket, eh? ;-)
>
> The law applies regardless of whether the average person is able to understand
> a specific matter or not. However, for the sake of example, if you are not an
> accountant, then you probably [1] cannot be held guilty of *willfully*
> violating accounting laws which are only comprehensible to an accountant (or
> to a lawyer specializing in that area of law).

Accounting law is much more complex than what we are talking about here.

> Likewise, someone who has served as a legal expert on computer matters is
> expected to have a greater understanding of the ethics and professional
> responsibilities involved with computer usage. For example, because I am a
> network manager responsible for a network infrastructure including electronic
> mail systems, I know that I have a legal obligation to report child
> pornography in spam (ie, an email containing pictures as a MIME attachment, or
> a link to a porn web site) if and when I become aware of such filth.

Yes, it is very unfortunate how many network managers out there somehow don't become aware of such illegal activities even when their own networks are stuffed with them. Makes you wonder how exactly they are managing their networks.

> ------
> [1]: But this becomes more complicated when you are expected to discuss
> matters with your accountants as part of your responsibilities: there are
> several high-profile cases going on right now involving CEOs who claimed to
> know nothing about accounting or financial irregularities who are still being
> prosecuted....

The rest of the industry knew Ebbers was running a Ponzi scheme years before it collapsed. What the courts in that mess are trying to do now is figure out how to make the obvious legally stick. It is a shame, though, that besides him the US government regulators aren't right up there with him, as their irresponsibility in failing to apply the anti-trust acts is what allowed the mess to get as big as it is.

> >>See 18 USC 1030:
> >>
> >>http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html
> >
> > Interesting cite, let's look a bit more closely though:
> >
> > (a)(1) "having knowingly accessed a computer without authorization"
> >
> > He has authorization to -access- the computer. Note that access is
> > not spelled out as a definition in section (e)
> >
> > (a)(1) "or exceeding authorized access"
> >
> > OK, so here we have something - as you could argue that updating
> > the system is exceeding the authorized access on the machine, right?
> >
> > Except that, continuing on in this section:
> >
> > "and by means of such conduct...unauthorized disclosure for reasons of
> > national defense"
> >
> > Ok, so section (a)(1) isn't applicable. So continuing on:
> >
> > (a)(2) "exceeds authorized access, and thereby obtains-...
> > information from any department or agency of the United States"
> >
> > I'll skip (a)(2)(a) and (a)(2)(c) as they obviously aren't applicable.
> > So it sounds like you might have a case here - except for one problem,
> > that a backup-reformat-reinstall isn't accessing information in
> > the computer over and above his authorized access. I'll admit this
> > is a grey area and can be argued both ways - but bear with me and
> > follow along.
>
> Computer people attempt to understand the law as if it were a deterministic
> construct which means exactly what it says, and as if a specific section is
> completely well defined in the absence of other laws. This works for code
> (well-written code, anyway), because software people try very hard to provide
> well-defined interfaces which are self-contained and do not involve side
> effects or hidden changes to global state.
>
> Unfortunately, this approach does not always work for the law; and sometimes
> it doesn't work at all. Legal terms sometimes have a specific meaning-- what
> we might call jargon-- which is not the same understanding of the term that
> average people have.
>
> What you fail to understand or take into account is that this law, originally
> designed to apply to atomic secrets held by top-security government computers,
> can also be applied to other protected information defined in other laws.
>
> What kinds of other information? The three that come to mind are financial
> information, medical and healthcare records, and educational records. Go look
> up a few cases where a student hacked into a school computer in order to
> change grades and see for yourself what laws they were prosecuted under.

What they were prosecuted under or found guilty of? Two very different things. The trend today among prosecutors is to create elaborate and ridiculous justifications for applying as many charges as possible merely to get the thing ended with a plea bargain so it doesn't have to go to trial. So a student hacked into a computer and changed a grade, and somewhere on the network a computer that is tied to this one happens to contain some financial info of the school; well, of course the prosecutor is going to use that to create a charge that has an extremely tenuous connection. It does not mean that a court is going to agree with this. A court will probably agree with other, more applicable, violations, though, so the defendant is going to be fucked anyway - but this way during a plea negotiation the offer to drop what would be an unwinnable charge may be enough to get the defendant to capitulate on the charge that he would be found guilty of. Thus convincing the defendant that he's actually getting something out of a plea bargain (even though he's not, he being just as screwed as if he went to court), which is necessary to get him to agree to doing it. Thus, avoiding a court case, saving everyone a lot of time and money, and life goes on.

> > He obviously has permission for a certain level of access already
> > on this machine.
>
> "Obviously?" If he was accused of breaking the law, and claimed that "I
> obviously had permission to do whatever I want to this computer", just how
> would he prove this supposedly obvious claim?

Well, you are right, this is an assumption on my part. But how could he possibly perform the job that he allegedly has volunteered for - administering this computer - without having a rather extensive e-mail trail back and forth with the school, that would easily establish that he had permission for a certain level of access? I did assume a certain minimum level of competence.

But I'll go ahead and give you that point. Perhaps the OP is such an unbelievably incompetent network administrator that he has never once had any kind of e-mail exchange with the school regarding any matter of administering these servers. Perhaps in his own mind he thinks he was given permission to administer this server and these sites when in reality nobody who was any witness to the exchange between him and the school would possibly agree that such permission was given.

This is why I cautioned him that:

"You are just helping this person out by giving him a breather so he can work on windowizing some other system, once he gets done with that one your FreeBSD 3.2 system will be gone quicker than grapes through a goose"

Because frankly the situation is very strange in that no sane network manager -wants- old, unsecured, systems on their network. I personally think the OP is being set up - which is why I told him to get out immediately and find some other place more grateful for assistance.

And, I said all that because once I happened to be in that situation myself. Back in 1994 it was - I was asked at my employer at the time to set up a company support webserver. I said great, I have Unixware running on this test system here that would work great. I was told no, use Windows. I also had at the same time a Windows webserver running on a test Windows box (which I did not elaborate on to my bosses). I did the old smile & nod, did nothing, and quit within a month (mainly for other reasons, but this was one). I heard later on that they could never find anyone else to put up a Windows webserver, so they eventually were forced by the marketing group to give the project to another site - where the admin there, who thought like me, promptly used Solaris on Sparc.

I've learned from experience that micromanaging is the last refuge of the incompetent manager. If you stay and put up with it, you're just helping the incompetent manager keep his job. If you leave and go elsewhere, the incompetent manager almost always suffers.

Anyway, getting back to the OP's problem, he didn't ask for this kind of advice, he asked for how to beat the system, to get around their restrictions. My experience is that in the kind of toxic environment that he is in, nothing he can do is going to be liked. When your bosses start ordering you to do self-defeating things, they want you out of there, and are just too big a coward to tell you you're fired.

> In my last message, I gave a really good suggestion, which was...
>
> [ ...a lot of nonsense removed, tired of detailed response... ]
>
> >> US-government-owned computer without getting written
> >> permission first.
> >
> > Absolutely nothing in that section you cited said anything
> > about written permission, I have no idea where you're getting
> > that from at all.
>
> ...getting written permission means that the changes you make in good faith to
> a computer system owned by someone else are "authorized".
>
> And you can prove it if you needed to.

No, you can't prove it any better than if it's verbal with a few witnesses - unless the written permission is so incredibly detailed that it runs to 2 dozen pages and specifies things so narrowly that you practically have set times to go to the bathroom. And you need one of these for every single project. It's impractical and ridiculous in a volunteer situation. Any sane volunteer would rightfully conclude that they don't want his services and tell them to stuff it.

For example, the OP said he was in charge of administering this server, and he could do anything he wanted to do except upgrade it. Assume he has a piece of paper from the network manager saying just that. There is a need in the network for an HTTPS server. The network manager knows that the FreeBSD system could do this - if upgraded - but he secretly wants to force the school to spend money on a new Windows box, thus he issues the "no upgrade" restriction, thinking that this will block use of the FreeBSD system as an HTTPS server, yet at the same time not put him on record as deliberately saying NO to use of the FreeBSD server as an HTTPS server. Our OP then goes out and digs up some hoary old SSL code that he compiles, and some hoary old apache-ssl code that builds with this, and presto - instant HTTPS server on the FreeBSD server. This shoots the scheme of the network manager to get a new Windows box funded to pieces, since the school is never going to spend the money for one since they now have an HTTPS server on the FreeBSD system. The network manager then tries arguing, using your logic, that the OP is an irresponsible cracker that exceeded his authority on the server and is guilty of computer crime. The OP pulls out his paper, and the network manager argues that upgrades obviously mean installing a 'new' https server. So much for the written permission.

> > EXCEPT, I have it - you are probably saying this because you
> > have a high expectation that him updating the system will break
> > things - resulting in justifiable anger and annoyance of the
> > owner - resulting in possible legal actions where a piece of
> > paper might get his ass out of the sling.
>
> Very good. Only you've got it backwards.
>
> I didn't evaluate his chances of breaking the system because my concern was
> that he should obtain permission before reinstalling because that is the right
> thing to do. The fact that having written authorization might well "keep his
> ass out of the sling" if there was a problem is a secondary concern, albeit
> still very important.

And also you're missing that even with a written piece of permission good enough to keep him from being successfully sued, the fact of the matter is that his putting a nice new server in there which destroys justifications for wastin.. I mean spending money, is going to create enemies. It won't create enemies of the administrators of the school, who are probably scraping to keep every penny possible funneled to the students. It will create enemies of the network admins who are getting their jollies out of scrapping a cheap but perfectly workable Open Source network that they are too goddam lazy to understand, and replacing it with an expensive shiny toy that they can use to polish up their MCSE certifications on, and build their resumes with, so they can quit in 6 months and get more money elsewhere.

You're missing this because you are assuming that everyone in the school other than this volunteer is of a unified mind, and all of them - from the top administrator of the school all the way down to the janitor - doesn't want the server updated. I think you're getting carried away with this assumption because the law prefers to treat organizations as unified things. In reality it is very likely that the top administrators of the school neither know nor care what their IT systems are running; all they care about is how much money they must toss into them. The OP said as much when he said that "updating is out of the question at the moment because of policy and budget"; well, you know perfectly well that all schools think they never have enough money, so the real operative portion of this statement is the heads of the school don't want to spend more money than they are already.

Yet, the OP said "they are moving to winblows". Well, there is no such thing as a migration from Open Source to Windows that saved money. Such an animal doesn't exist except in the tortured minds of Microsoft's marketing department. People only migrate from an installed and operating Open Source network to Windows because they don't understand Open Source and are too pigheaded to bother spending time learning it. There's an excellent chance this school is in a situation where the heads of the school had a FreeBSD network probably put together by the previous admin, that person left, they couldn't find anyone else, and ended up hiring some incompetent graduate out of a Windows training program, who doesn't understand the existing network, and pretty much told the school head that everything they have needs to be scrapped. In that case the school administrators have little choice but to go with the recommendations of the network person they hired, even though they know it's going to be more costly. If this is the real issue, and I will bet that it is, no matter how much the network admin hates this volunteer's guts for skewering his plans to spend large amounts of money on Microsoft software, there is going to be zero support from the top for going after the OP in any legal sense.

Ted