[KLUG Members] City of Battle Creek Vs. ORBZ

Paul VandenBosch members@kalamazoolinux.org
Sat, 23 Mar 2002 11:44:53 -0500


Acting with intent and acting with knowledge are important factors in liability law.

I don't know any more about this case than what was in the article, so I 
agree that I am working on incomplete information.  

If someone sends a script to a server with the knowledge that it will 
likely crash the server, then that person is a h4ck3r in the negative sense 
of the term.  "Just making the admin aware of vulnerabilities" is the usual 
excuse.

On Saturday 23 March 2002 08:51 am, you wrote:
> >I wouldn't be so quick to jump on the City of Battle Creek.  Gulliver knew
> >his software crashed Lotus Domino servers and continued to use it.  Was he
> >trying to point out a weakness in that type of server?  Sounds like a
> > hacker rationalization to me.
>
> Laws should not attempt to consider "intent".  A mail message should not
> be able to crash a mail server, period.  Rationalization or not, the
> response by the City is foolish.  Intent is far too fuzzy a concept and
> interpreted ultimately through the prejudices of law enforcement and
> even judges.
>
> >"It seems one of Gulliver's tests to validate whether a server is really
> > an open relay or not was causing Lotus Domino machines to crash.  One of
> > 10 or so e-mail tests routinely conducted, the code in one was causing
> > Domino SMTP servers to enter an endless mail loop, consuming 100 percent
> > of the CPU and putting it out of commission.
> >Laura Atkins, newly installed president of the non-profit anti-spam outfit
> >SpamCon Foundation, said the code changes needed to correct the bug were
> >"trivial" but one Gulliver, for one reason or another, was unwilling to
> >correct."
> >http://www.internetnews.com/bus-news/article/0,,3_995251,00.html
>
> I've seen this Lotus bug mentioned on several other anti-spam sites,
> which apparently didn't see fit to incorporate an
> oh-please-protect-Lotus-Notes patch either.  I'd like to see a response
> from Gulliver on this issue and not a "for one reason or another"
> pejorative.  Does this patch perhaps weaken the test, etc...?
>
> The above is very sloppy journalism as there is no rebuttal.  It drones
> on into a quote from some lawyer (who is associated with this case how?)
> "Incidences such as this just create animosity that makes it harder for
> the process to work the way it was intended. Blacklist owners have to
> assess what their real motivations are, and if their motivation is not
> to assist they need to take a look at what makes the process work."
>
> Asking someone to assess their "real" motivations?  Come on!  This is
> clearly a prejudicial statement.  Translated: 'Hackers are bad,  we need
> to be suspicious of them.'
>
> Again,  laws should try to avoid dealing with "motivations".  Either it
> is legal to transmit messages to someone's mail server or it is not.
>
> >I would criticize Battle Creek for continuing to use a server with known
> >vulnerabilities.  But just because Gulliver wears a white hat doesn't mean
> >that he can write buggy code,
>
> We don't know his code is buggy.  We haven't heard from him on that
> issue.  We've only heard from this lady elected head of SpamCon, who
> having been elected to such a position, I'll wager is *NOT* technically
> proficient.  Management types mostly say what their lawyers tell them to
> say.
>
> >know about problems that cause a server to
> >crash, and continue to use the code on servers owned by others.  He
> >should pay the City for the time it took to get the server back up, and
> > for any losses incurred.
>
> So if my mail message crashes your server you have to determine if I
> "knowingly" sent the message?  What if I know about a bug in Exchange,
> send a message that happens to exploit the bug but was meant to actually
> be delivered to a user (clearly normal usage),  but I didn't know you
> used Exchange?  What if the mail server I sent it via wrote the message
> headers in that way but my company has no IT staff?  What if I didn't
> know that the mail server wrote the headers that way?  But then again I
> didn't bother to check to make sure it didn't?
>
> Pretty soon we will need to outfit every courtroom with crystals,
> candles, and symbols of power so the resident psychic can probe the
> unconscious mind of the "perpetrator".
>
> If they want to exist in a technological world then organizations need
> to take responsibility for their infrastructure.  All this banter about
> intent, motives and what not simply falls apart in a complex
> environment.  The world has changed,  technology distributes power.
> People and their corporations need to evolve and not depend upon the
> nebulous authority of government to protect them from all possible
> consequences of the world as it is today.  Appointing a group of guys to
> patrol the camp at night and keep a look out for wolves and bandits (an
> original form of government) is a concept that simply cannot be
> translated into the world of technology.  What does a bandit look like?
> The exact same way as everyone else: 01101001000101001000101110......