Date: Sat, 5 Feb 2005 01:31:43 -0800
From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Chuck Swiger" <cswiger@mac.com>
Cc: freebsd-questions@freebsd.org
Subject: RE: FreeBSD 3.2
Message-ID: <LOBBIFDAGNMAMLGJJCKNKEECFAAA.tedm@toybox.placo.com>
In-Reply-To: <4203C014.8040104@mac.com>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Chuck Swiger
> Sent: Friday, February 04, 2005 10:34 AM
> To: Ted Mittelstaedt
> Cc: gfoster9055@comcast.net; freebsd-questions@freebsd.org
> Subject: Re: FreeBSD 3.2
>
>
> Ted Mittelstaedt wrote:
> > [ ... ] Seriously - from a legal perspective you
> > have absolutely no obligation to follow their restrictions unless of
> > course they were smart enough to have you sign a piece of paper before
> > they let you in the door. No contractual relationship exists between
> > you and them now, you can ignore what they tell you to do with impunity
> > as long as you don't break any civil laws, ie: theft, malicious mischief,
> > etc. All they can do is tell you you're not welcome in the door anymore.
>
> Ted, it's better to give no advice than bad advice. This is especially true
> when the issue is a legal matter, and you are not a lawyer.

Oh I always love these kinds of statements. Even if I am a lawyer (which I'll say I'm not, to save you from arguing that I am not) guess what - unless I'm retained by you or the OP for the purposes of giving legal advice, even as a lawyer, my advice has no legal significance whatsoever. Yes, that's true - a lawyer's advice has no significance - unless paid for.

I am qualified here on this topic as an expert witness however, and as a matter of fact, lawyers pay people like me to explain how laws like this apply to the real world.

And of course I'll also gloss over the whole issue that you're implying that laws are uninterpretable by the average person unless they are a lawyer. Riiggghhttt. So I guess you get a lawyer every time you get a parking ticket, eh? ;-)

> See 18 USC 1030:
>
> http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00001030----000-.html
>

Interesting cite, let's look a bit more closely though:

(a)(1) "having knowingly accessed a computer without authorization"

He has authorization to -access- the computer. Note that access is not spelled out as a definition in section (e)

(a)(1) "or exceeding authorized access"

OK, so here we have something - as you could argue that updating the system is exceeding the authorized access on the machine, right? Except that, continuing on in this section:

"and by means of such conduct...unauthorized disclosure for reasons of national defense"

Ok, so section (a)(1) isn't applicable. So continuing on:

(a)(2) "exceeds authorized access, and thereby obtains-... information from any department or agency of the United States"

I'll skip (a)(2)(a) and (a)(2)(c) as they obviously aren't applicable.

So it sounds like you might have a case here - except for one problem, that a backup-reformat-reinstall isn't accessing information in the computer over and above his authorized access. I'll admit this is a grey area and can be argued both ways - but bear with me and follow along.

He obviously has permission for a certain level of access already on this machine. If he's administering it, as he says he is, then he has permission to access stuff like the root account that controls all settings and configuration of the system, ie: the environment of the system.

Now here is the catch. The OP as administrator of the system has permission to access all the bits he needs to be able to effect a backup, reformat and install of a new version of FreeBSD. He has this because it's the same dataset of information that as administrator he already has permission to access. He does not really need to know anything about the data inside the FreeBSD environment. In short, the OP hasn't actually "obtained information" here. He's just taken the information inside the environment and shoved it aside, did some administrative things (the reformat) then brought the information back. Just like a blind man moving eggs around in a box, he's obtained no information about what's inside the eggs.

Now you may argue this, but clearly the intent of the law of section (a)(2)(b) is that the person has obtained information for some sort of use. Maybe he wants to sell it, maybe he wants to just look at it. However you slice it, the law appears to intend that the information obtainer once they have obtained the information, they actually know what the information is. The OP when doing a reformat operation to update the system, he doesn't actually know what the information really is. So, I don't see how you can argue that he obtained information, so that this section applies, but feel free to do so.

So, (a)(2) isn't applicable either. Let's continue on:

(a)(3) "without authorization to access any nonpublic computer ... such conduct affects that use by or for"

OK, so you could argue that a repair operation would "affect the use by or for" And that is true - it could. However, a good repair by definition would not result in the affecting of the use by or for, we aren't talking he nukes FreeBSD and reloads Windows which would substantially affect the use of the machine, we are talking he nukes FreeBSD and reloads FreeBSD. So once again I think we are drawing a blank with this section. Let's move on to the next:

(a)(4) "knowingly and with intent to defraud,"

not applicable, no evidence of intent to defraud here either. Next:

(a)(5)(a)(i) "result of such conduct, intentionally causes damage"

A successful repair operation does not cause damage - not applicable,

(a)(5)(a)(ii) "of such conduct, recklessly causes damage"

Replacing a buggy insecure version of FreeBSD is responsible, not reckless. This is as inapplicable as you can get.

(a)(5)(a)(iii) "result of such conduct, causes damage"

A successful repair operation does not cause damage, it cures it.

(a)(5)(B) All these state damage results of some kind, once again a (successful) repair effort causes no damage

(a)(6) "knowingly and with intent to defraud"

No intent to defraud, next:

(a)(7) "with intent to extort"

No intent to extort. And that's the last of them.

So, I think we have a bit of a problem here. No violation EXCEPT if he muffs the update operation and destroys the server's data as a result. And then yes, all your horror stories could come true. I'll grant you that much.

> US-government-owned computer without getting written
> permission first.

Absolutely nothing in that section you cited said anything about written permission, I have no idea where you're getting that from at all.

EXCEPT, I have it - you are probably saying this because you have a high expectation that him updating the system will break things - resulting in justifiable anger and annoyance of the owner - resulting in possible legal actions where a piece of paper might get his ass out of the sling.

Sounds suspiciously like you're saying that the reason that a mechanic gets your signature on a piece of paper before he repairs your car is because the mechanic is expecting to not actually fix the car, and needs a way out of you suing his ass for wasting your money!!! :-)

> And yes, even a computer owned by your local school counts...
>

Let's try another tack here. The OP has been given some directives by the organization. One is that he's responsible for some of the websites on the BSD server. Another is that he's been told that he's in charge of supporting the Linux and BSD machine. At least, that's what I got.

Now, any reasonable definition of supporting these servers would mean he's responsible for securing them. In short, he's not to be reckless and leave passwords laying around - sound a bit familiar here? In short, another interpretation is that he's responsible to make sure there's not gaping holes in the server for people to steal passwords or data from the server.

Leaving a FreeBSD 3.2 server in operation, on the Internet, is making a reckless exposure of the system's data to the public. It could actually be construed as a violation of (a)(5)(A)(i) of that section you cited, let me repeat it:

"knowingly causes the transmission of a program, information, code, or command"

He's responsible for the website on the server, so he is definitely causing the transmission of information.

"and as a result of such conduct, intentionally causes damage without authorization"

Deliberately not patching the computer when you know it has a gaping security hole in it, and you have left it in an environment (the public Internet) where you know that there are at least 100 security attacks on the server a day, is, in my opinion, intentionally causing damage to it.

So, far from your assertation that the law supports the idiots at the school district that told him he can't upgrade, it looks to me like he's already breaking the law by NOT updating the computer.

I think that you need to rethink your approach to arguing with me about this. I think your approach of casting fear that there's some kind of criminal violation if the OP goes ahead and updates the system to FreeBSD 4.11 - successfully that is of course - is pretty much a load of dingo's kidneys.

So if there's no criminal violation it falls back into the civil realm. And therein you have another problem - because now the burden of the school district is to go into a civil court and show that this guy's updating of their server to a nice, secured, copy of FreeBSD 4.11 from an old buggy, security-holed FreeBSD 3.2 version has somehow caused them damages.

Sure, if the OP doesn't know what he's doing and muffs the upgrade - sure that's easy. But, if the OP does in fact know what he's doing and does the upgrade and no damages result then the school has no basis for a civil case against him. And the fact that they already gave him permission to access the system, and in fact to even administer the system - heck, any judge is going to toss the case out and yell at the school district for wasting the court's time!!

Ted