Thursday, January 17, 2008

North Dakota Judge Rules DNS Zone Transfers Illegal

Via CircleID Blog -

Ever been prosecuted for tracking spam? Running a traceroute? Doing a zone transfer? Asking a public internet server for public information that it is configured to provide upon demand?

No? Well, David Ritz has. And amazingly, he lost the case.

Here are just a few of the gems that the court has the audacity to call ”conclusions of law.” Read them while you go donate to David’s legal defense fund. He got screwed here, folks, and needs your help.

“Ritz’s behavior in conducting a zone transfer was unauthorized within the meaning of the North Dakota Computer Crime Law.” You might not know what a zone transfer is, but I do. It’s asking a DNS server for all the particular public info it provides about a given domain. This is a common task performed by system administrators for many purposes. The judge is saying that DNS zone transfers are now illegal in North Dakota.

“The Court rejects the test for “authorization” articulated by defendant’s expert, Lawrence Baldwin. To find all access “authorized” which is successful would essentially turn the computer crime laws of this country upside down.” That’s untrue. The judge is trying to hang David out to dry, even when provided evidence of what actually constitutes hacking or cracking. Accessing a server on the public internet that is set up to provide that public info is not a crime, and saying that it is not a crime doesn’t suddenly damage computer crime law. The judge just amended the definition of “unauthorized” to include public internet servers that were expressly configured to provide info to anybody who asks for that info.

“Ritz has engaged in a variety of activities without authorization on the Internet. Those activities include port scanning, hijacking computers, and the compilation and publication of Whois lookups without authorization from Network Solutions.” I’m not touching the “hijacking computers” statement—who knows what the judge means, and I don’t think it’s wise to assume that the judge’s definition matches the common one. But what really jumps out here is this: Publication of WHOIS information. You know, business records. Who owns a domain. Public information. The judge has arbitrarily decided that it is illegal to take information from WHOIS data—necessary information when compiling a report on a company or activity, to make sure you’re talking about the right person—and put it in a spam report or on a website.

Mickey Chandler calls the court documents in this case “12 pages of bad law,” and I couldn’t agree more.

-------------------------

Ummmm, this is all types of wrong. Woudln't this make it illegal to access a public website? You are downloading data from an internet server...essentially, you are "unauthorized” in the court's view.

I am just glad that I don't live in North Dakota. I could get in trouble for posting WHOIS information about AQIM's website.

2 comments:

  1. Anonymous5:15 AM

    This is just plain WRONG. I mean, if your DNS data are thatvaluable and highly classified, you can elect not to allow any transfers.
    Perhaps the judicial system needs a bit more of computer education?
    To draw a real life analogy, I could be hanging in the street outside your business checking it out. While I could be a thief sizing things up (as XFER transfer are one of the first steps in targeted cracker attacks), this is not illegal, so the real life equivalent would be for me to get arrested by just looking at the building.
    I am glad I am not living in North Dakota too.

    ReplyDelete
  2. I agree TK.

    Looking over the court docs, it would appear that David Ritz was doing some stuff that he shouldn't have been doing...so I am not suggesting you throw money into his court fund, but when you look at just the DNS stuff, the judge has it wrong.

    ReplyDelete