FreeBSD 3.2

[Ted Mittelstaedt]

> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Chuck Swiger
> Sent: Friday, February 04, 2005 10:34 AM
> To: Ted Mittelstaedt
> Cc: gfoster9055 at comcast.net; freebsd-questions at freebsd.org
> Subject: Re: FreeBSD 3.2
>
>
> Ted Mittelstaedt wrote:
> > [ ... ]  Seriously - from a legal perspective you
> > have absolutely no obligation to follow their restrictions unless of
> > course they were smart enough to have you sign a piece of
> paper before
> > they let you in the door.  No contractual relationship exists between
> > you and them now, you can ignore what they tell you to do
> with impunity
> > as long as you don't break any civil laws, ie: theft,
> malicious mischief,
> > etc.  All they can do is tell you your not welcome in the
> door anymore.
>
> Ted, it's better to give no advice than bad advice.  This is
> especially true
> when the issue is a legal matter, and you are not a lawyer.

Oh I always love these kinds of statements.  Even if I am a lawyer
(which I'll say I'm not, to save you from arguing that I am not)
guess what - unless I'm retained by you or the OP for the purposes
of giving legal advice, even as a lawyer, my advice has no legal
significance whatsover.  Yes, that's true - a lawyer's advice has
no significance - unless paid for.

I am qualified here on this topis as an expert witness however, and
as a matter of fact, lawyers pay people like me to explain how
laws like this apply to the real world.

And of course I'll also gloss over the whole issue that your implying
that laws are uninterpretable by the average person unless they are
a lawyer.  Riiggghhttt.  So I guess you get a lawyer every time you
get a parking ticket, eh?  ;-)

> See 18 USC 1030:
>
> http://www.law.cornell.edu/uscode/html/uscode18/usc_sec_18_0000
> 1030----000-.html
>

Interesting cite, let's look a bit more closely though:

(a)(1) "having knowingly accessed a computer without authorization"

He has authorization to -access- the computer.  Note that access is
not spelled out as a definition in section (e)

(a)(1) "or exceeding authorized access"

OK, so here we have something - as you could argue that updating
the system is exceeding the authorized access on the machine, right?

Except that, continuing on in this section:

"and by means of such conduct...unauthorized disclosure for reasons of
national defense"

Ok, so section (a)(1) isn't applicable.  So continuing on:

(a)(2) "exceeds authorized access, and thereby obtains-...
information from any department or agency of the United States"

I'll skip (a)(2)(a) and (a)(2)(c) as they obviously aren't applicable.
So it sounds like you might have a case here - except for one problem,
that a backup-reformat-reinstall isn't accessing information in
the computer over and above his authorized access.  I'll admit this
is a grey area and can be argued both ways - but bear with me and
follow along.

He obviously has permission for a certain level of access already
on this machine.  If he's administering it, as he says he is, then
he has permission to access stuff like the root account that controls
all settings and configuration of the system, ie: the environment of
the system.

Now here is the catch.  The OP as administrator of the
system has permission to access all the bits he needs to be able
to effect a backup, reformat and install of a new version of FreeBSD.
He has this because it's the same dataset of information that
as administrator he already has permission to access.  He does not really
need to know anything about the data inside the FreeBSD environment.
In short, the OP hasn't actually "obtained information" here.  He's
just taken the information inside the environment and shoved it
aside, did some administrative things (the reformat) then brought the
information back.  Just like a blind man moving eggs around in a box,
he's obtained no information about what's inside the eggs.

Now you may argue this, but clearly the intent of the law of section
(a)(2)(b) is that the person has obtained information for some
sort of use.  Maybe he wants to sell it, maybe he wants to just
look at it.  However you slice it, the law appears to intend that
the information obtainer once they have obtained the information,
they actually know what the information is.

The OP when doing a reformat operation to update the system, he
doesen't actually know what the information really is.  So, I don't
see how you can argue that he obtained information, so that
this section applies, but feel free to do so.

So, (a)(2) isn't applicable either.  Let's continue on:

(a)(3)"without authorization to access any nonpublic computer ...
such conduct affects that use by or for"

OK, so you could argue that a repair operation would "affect the
use by or for"  And that is true - it could.  However, a good
repair by definition would not result in the affecting of the
use by or for, we aren't talking he nukes FreeBSD and reloads
Windows which would substantially affect the use of the machine,
we are talking he nukes FreeBSD and reloads FreeBSD.

So once again I think we are drawing a blank with this section.
Let's move on to the next:

(a)(4) "knowingly and with intent to defraud,"

not applicable, no evidence of intent to defraud here either.  Next:

(a)(5)(a)(i) "result of such conduct, intentionally causes damage"

A successful repair operation doese not cause damage - not applicable,

(a)(5)(a)(ii) "of such conduct, recklessly causes damage"

Replacing a buggy insecure version of FreeBSD is responsble, not
reckless.  This is as inapplicable as you can get.

(a)(5)(a)(iii) "result of such conduct, causes damage"

A successful repair operation does not cause damage, it cures it.

(a)(5)(B)  All these state damage results of some kind, once again
a (successful) repair effort causes no damage

(a)(6) "knowingly and with intent to defraud"

No intent to defraud, next:

(a)(7) "with intent to extort"

No intent to extort.  And that's the last of them.

So, I think we have a bit of a problem here.  No violation EXCEPT
if he muffs the update operation and destroys the server's
data as a result.

And then yes, all your horror stories could come true.  I'll
grant you that much.

> US-government-owned computer without getting written
> permission first.

Absolutely nothing in that section you cited said anything
about written permission, I have no idea where your getting
that from at all.

EXCEPT, I have it - you are probably saying this because you
have a high expectation that him updating the system will break
things - resulting in justifyable anger and annoyance of the
owner - resulting in possible legal actions where a piece of
paper might get his ass out of the sling.

Sounds suspiciously like your saying that the reason that a
mechanic gets your signature on a piece of paper before he
repairs your car is because the mechanic is expecting to not
actually fix the car, and needs a way out of you suing his
ass for wasting your money!!!  :-)

> And
> yes, even a computer owned by your local school counts...
>

Let's try another tack here.

The OP has been given some directives by the organization.  One is that
he's responsible for some of the websites on the BSD server.  Another
is that he's been told that he's in charge of supporting the Linux and
BSD machine.  At least, that's what I got.

Now, any reasonable definition of supporting these servers would mean
he's responsible for securing them.  In short, he's not to be reckless
and leave passwords laying around - sound a bit familiar here?  In
short, another interpretation is that he's responsible to make sure
there's
not gaping holes in the server for people to steal passwords or data
from the server.

Leaving a FreeBSD 3.2 server in operation, on the Internet, is making
a reckless exposure of the system's data to the public.  It could
actually
be construed as a violation of (a)(5)(A)(i) of that section you cited,
let me repeat it:

"knowingly causes the transmission of a program, information, code, or
command"

He's responsible for the website on the server, so he is definitely
causing
the transmission of information..

"and as a result of such conduct, intentionally causes damage without
authorization"

Deliberately not patching the computer when you know it has a gaping
security hole in it, and you have left it in an environment (the public
Internet) where you know that there are at least 100 security attacks on
the server a day, is, in my opinion, intentionally causing damage to it.

So, far from your assertation that the law supports the idiots at the
school district that told him he can't upgrade, it looks to me like he's
already breaking the law by NOT updating the computer.

I think that you need to rethink your approach to arguing with me
about this.  I think your approach of casting fear that there's some
kind of criminal violation if the OP goes ahead and updates the system
to FreeBSD 4.11 - successfully that is of course - is pretty much a load
of dingos kidneys.

So if there's no criminal violation it falls back into the civil realm.
And therein you have another problem - because now the burden of the
school district is to go into a civil court and show that this guy's
updating of their server to a nice, secured, copy of FreeBSD 4.11 from
an old buggy, security-holed FreeBSD 3.2 version has somehow caused
them damages.  Sure, if the OP doesen't know what he's doing and muffs
the upgrade - sure that's easy.  But, if the OP does in fact know what
he's doing and does the upgrade and no damages result then the school
has no basis for a civil case against him.  And the fact that they
already gave him permission to access the system, and in fact to even
administer the system - heck, any judge is going to toss the case out
and yell at the school district for wasting the court's time!!

Ted