On Friday 31 October 2003 11:38 am, Tango Echo wrote:

> > Well, I am not a resident of Illinois, therefore,
> > this particular criminal
> > code does not apply to me.
>
> Good, but you might want to check these states too:
> http://www.eff.org/IP/DMCA/states/

I might check the laws, not someone's interpretation of those laws.  The EFF 
has shown itself to being apt to adopt very questionable opinions about a 
variety of digital issues that I strongly diverge from.
>
> > Also, as written, it is
> > not usable against a
> > honeypot.
>
> I didn't see that - where is it?  And how does this
> pertain to a tar pit?

Well, a tar pit is basically a SMTP honeypot that just responds really slowly 
to slow down a spammers connection attempts and data transmission.  Basically 
a metered SMTP server that pretends to be an open relay but actually is not.

There is no contract with the spammer to deliver his mail and he is 
voluntarily using your server.  You have no contractual obligation to 
actually deliver the mail, nor are you contractually or otherwise obligated 
to indicate to him that you are not actually going to deliver his mail.  
Since there is no agreement between you and him, there is no enforceable 
provision under which he can hold you liable for not actually delivering his 
mail.

The quote provided said that:

defines an
"unlawful communication device" as "any communication
device which is capable of... facilitating the
disruption... of a communication service without the
express consent or express authorization of the
communication service provider..."

Now, this might be interpreted to mean that any mail server, DNS server or 
basically any computer at all is an unlawful device because all of them are 
actually capable of disrupting a communication service.  However, any 
prosecutor that actually walked into court and attempted to enforce that type 
of interpretation would be laughed out of it and ruin his career in the 
process.  Prosecutors are not apt to throw away their career and make 
themselves out to be a laughing stock lightly.  Unless someone can cite a 
case where that was tried, I would argue that such an interpretation borders 
on the "extreme paranoid fantasy" that I spoke of.

However, if you attach the express consent or express authorization clause, it 
would appear that this section only applies to a machine that is actually 
used to disrupt communication without express consent or authorization and if 
you are running your own mail server, for your own domain, then you are the 
service provider and have obviously given yourself authorization and consent.

Therefore, this law does not apply to an SMTP honeypot, nor to one setup to 
tarpit unauthorized users.

> > If you are running the honeypot, you are
> > the communication service
> > provider, therefore, you have given yourself express
> > authorization.
>
> As I understand it, the laws are writen losely so that
> "communication service provider" is left open for
> interpretation.  The ISP is also a communication
> service provider.  Wouldn't you agree?

If you are running a mail server for your own domain, the ISP is merely a 
network provider or common carrier, much the way the phone company provides 
connectivity but does not control your activity.  They do not expressly 
consent or authorize any activities, they merely provide a specific 
connection point under their contract terms to you.  Short of some type of 
contract that actually expressly grants consent or authorizes activity, I 
would say that the provision does not apply.

Even as a dial-up or broadband customer, my ISP does not expressly authorize 
or consent to any particular activity that I perform with my connection.  
They do and may expressly deny certain activities, but do not consent or 
authorize any activities.  So, again, i would say that the ISP is not a 
service provider, except where there own machines are concerned.  They are a 
service provider for their own mail server, news server, etc and they can act 
against someone who disrupts their communications without their express 
consent or authorization.

> > I think that you need to reread the "for the
> > commission of a theft of a
> > communication service" portion again.  A spammer, by
> > definition is committing
> > a theft of service and meets all the definitions of
> > this act.  So, he is
> > going to press criminal charges against you for
> > committing an act identical
> > to his own?  A drug dealer pressing charges against
> > another drug dealer for
> > dealing drugs?  Not only that but criminal charges
> > must be prosecuted by the
> > State, not by a private entity, so there is no way
> > that a spammer can sue you
> > for a violation of criminal law, only for a tort.
>
> The underlying problem isn't "theft of data" but
> rather running an "a unlawful communication device"
> (program) tht "distrupts communication and conseals
> origin of data".

Again, reread the actual wording:

"possesses, uses, manufactures, assembles,
distributes, leases, transfers, or sells" an "unlawful
communication device... for the commission of a theft
of a communication service or to receive, disrupt,
transmit, decrypt, or acquire... any communication
service without the express consent or express
authorization of the communication service provider,
or to conceal or to assist another to conceal from any
communication service provider or from any lawful
authority the existence or place of origin or
destination of any communication"

To paraphrase what is written here, it is illegal to possess an unlawful 
device for the commission of a theft of service.  It is illegal to possess an 
unlawful device to disrupt a service without the authorization of the service 
provider.

Construct this together and you must meet all the elements for the law to be 
enforced.  You must have a communication service provider, that is the person 
who owns and operates the server, you must have an unlawful device, that is a 
device capable of disrupting communications without the permission of the 
owner, and you must steal or disrupt a service.  The elements do not all 
exist where a SMTP honeypot or tarpit are concerned.  Since the provider 
themselves are disrupting the communication, it does not match.  

I could also argue, and I think make a pretty good argument about it, that a 
tarpit is expressly excluded from being an illegal device.  Because it 
accepts connections instead of seeking them out, it can NOT be operated 
without the consent of the service provider.  Now, something like SATAN, 
NESSUS, nmap, etc. actually can be used without the providers consent, but a 
honeypot can not.

> > Someone's paranoid reading of the law in a way that
> > suits their fantasy.
>
> I agree with you that it may simply be paranoid
> interpretation...  But then again, who's providing
> goods/serveices/etc and isn't at least slightly
> paranoid of lawyers?  

Well, at some point it is easy to allow things to go to the level where we 
become paralyzed by imaginary fears.  I would hold that this particular 
interpretation falls into that camp.  If others disagree, good luck trying to 
conduct any day to day activities.

> It's almost like you need to 
> adapt the security mentality - "don't assume the
> probable but rather the possible".  Contrary to what
> it sounds, this isn't a rant on the US legal system.
> Instead, I'm just tying to get the facts straight
> here.  I've considered implmenting such software in my
> organization.  Fortunately, the orgainization has a
> lawyer that may be  resourceful in this situation.

Understood.  I am trying to contribute my particular reading of those facts, 
but we need to keep in mind that there are some people in our community who 
always look for the worst and often find exactly that.
-- 
Bryan Phinney
Software Test Engineer


Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com

Reply via email to