A North Dakota judge issued a ruling in Sierra Corporate Design v. Ritz that has some pretty stunning implications about the use of the "host -l" command when accessing DNS records. In the judgment (which was prepared by the plaintiff's counsel and sent to the judge), the use of the "host -l" command is tantamount to computer hijacking and hacking. For the uninitiated, when using the "host -l" command on a DNS server, the user will receive a list (hence the "l") of all information pertaining to the domain's zone file, assuming it has not been protected. The same way WHOIS returns information on the owner of a domain, "host -l" returns information about hosts on that domain.
And although this was a civil matter, this ruling could (and we stress could, no need getting ahead of ourselves) lead to "unauthorized" "host-l" usage to be deemed a criminal act, per North Dakota's computer crime statute.
Before even discussing the merits (or lack thereof) of the case in question, this judgment just strikes us as uninformed, bizarre and wrong. The "host -l" command when accessing DNS records does not reveal any information that is not set for public display. The plaintiff's contention in this case was that the information obtained by "host -l," non-routable IP addresses, host names and domain registrations was not meant to be publicly accessible. Because the defendant was able to procure this information and published it in various USENET groups, the plaintiff claims that the act was a violation of the computer crime statute.
Here's the problem: "host -l" will only show information that the administrator has allowed to be public. Just because it is a DNS command that many computer users are unaware of does not mean that leaving information that one wishes to remain undisclosed is safe.
Some background on the case:
Jerry Reynolds and his company Sierra Corporate Design has been a target of anti-spam crusaders, who were able to unearth proof that servers under his operation were responsible for (at the time) the majority of spam on the Internet. Reynolds response has been to sue his accusers for defamation (those lawsuits have been dropped due to lack of jurisdiction control of the defendant).
In 2005, he filed a lawsuit against David Ritz, an anti-spam crusader, alleging that by publishing Reynold's server information, Reynolds business was compromised. Today's judgment awarded Reynolds (via his company) the full amount of actual damages (nearly $3000) and an additional $50,000.00 in exemplary damages.
Again, even without discussing the merits of the actual lawsuit in the first place, ruling that using a command to access public information constitutes "hacking" if the command is unauthorized is completely and utterly wrong.
While we can understand that it would be upsetting for information you think is private to be made public, ultimately it is the administrators responsibility to make sure that the information released under host lookup is information they want to be open to the public.
Reader Comments (Page 1 of 1)
1-17-2008 @ 9:19PM
Jo said...
Hmm...this is interesting. I was once in the computer lab at the school I got my undergraduate degree from and a cute girl sat down at a unix terminal. Since I knew the names of the terminals I was able to use a combination of the GREP command and FINGER command to get the cute girls name. A friend of mine felt this was an invasion of privacy. We've argued this for years (and will continue to do so).
At least I now know that if I am ever sitting at a unix terminal in a north dakota school I'd best not do the same thing.
Reply
1-17-2008 @ 9:38PM
Michael said...
So America...
You like some clueless judge legislating from the bench on technical issues?
You must, since you vote these obsolete, liberal boobs, or in most cases, the boobs who appoint them, into office.
Reply
1-18-2008 @ 5:30AM
Abscissa said...
You're making the dumbass assumption that there is an intelligent person running in every election.
1-18-2008 @ 12:44PM
Andrew said...
Abscissa said, "You're making the dumbass assumption that there is an intelligent person running in every election."
In fact, in this country, intelligent people know better than to get into politics. It's a easier for them to just become wealthy and powerful, and then buy stupid politicians.
1-17-2008 @ 10:26PM
phoenix said...
This is NORTH DAKOTA. There's nothing liberal about that state, or the boobs in office there. Honestly, you could read a little about American politics before slamming them. In all honesty the judge probably was appointed, not even elected.
At the same time, gg North Dakota.
Reply
1-18-2008 @ 8:21PM
meh said...
I like boobs.
1-18-2008 @ 11:44AM
DDayDawg said...
This is becoming a common problem in the US because some cases going to court are becoming more and more technical and it seems that the judges just aren't equipped to handle the new material. This isn't a curiosity, it's idiotic. You have a judge ruling on something they clearly have no understanding of at all.
The judicial system in the US has some severe problems because everyone involved is too arrogant to admit they don't have a clue about the information being discussed. If they could admit they were ignorant then the could receive some help. In this particular case this is no different than the guy plastering the information on a wall behind the window in front of his store. We have a judge, clearly out of their depth, saying it was illegal to look through the window and tell people what information you saw. It's a sad statement on the legal system.
Reply
1-18-2008 @ 12:01PM
Mantari said...
This reminds me of the backwards interpretation of 'hacking' or 'stealing' a public/open Wi-Fi connection.
Reply
1-18-2008 @ 1:07PM
shadedmagus said...
This case brings up an interesting problem. How is a judge to make a fair decision based on a situation that is esoteric in nature? Both sides of the case can bring in professional witnesses, but those can be biased anyway.
How was the judge supposed to know that the IP list could have been made private? I don't know if that would have changed his decision, but it might have made a significant difference in how he saw the actions taken.
Reply
1-18-2008 @ 4:13PM
defcon said...
im supprised dnsstuff.com hasnt been sued.. lol
http://www.ubuntu-unleashed.com
Reply
1-19-2008 @ 4:29PM
Dulles said...
ANOTHER 65-YEAR-OLD CLUELESS MORON
This case reminds Americans of the serious problems of having men over the age of 65 in charge of government, corporations, or even courtrooms.
They call them "babies" because they were born in the 1940s, and they've become a serious problem in the modern world (they think TV is a "boob tube").
What's scary is these old men are not only clueless and ignorant, but they actually believe we landed men on the moon several times (they're senile)!
Reply
1-19-2008 @ 6:33PM
Epikur Libr said...
It's clearly wrong to FINGER your way into a girl's privacy.
Reply
1-20-2008 @ 12:31AM
starkiller said...
I just wanted to point this out to AcidVirus
http://www.networksecuritytech.com/viewtopic.php?p=28677&sid=a04ce9e5bc0bd43aab6d4b658b266628
How do you know he had internal access?
Your assumption is incorrect.
22 On this page
http://www.spamsuite.com/node/351
States that he did it through a zone transfer from a public DNS transfer, not and internal computer.
Reply