David Ritz, the veteran American spam-fighter, has been hit by $60,000 in fines plus lawyers fees after losing a civil suit that accused him of illegal hacking. Sierra Corporate Design, a North Dakota business run by alleged former spammer Jerry Reynolds, sued Ritz for hacking and trespass offences. Ritz was accused of …
The whole country just needs to an hero. Right now.
Judge Cynthia Rothe-Seeger should clearly be removed from the bench for gross incompetence. She has failed to seek competent technical expertise in order to understand the issues involved in the complaint.
I am aghast. I own and operate SPAMBLOCKED.COM and I routinely use WHOIS and zone transfers to determine what IP space to block when one of my customers is spammed. In the event that this case does not go forward and is not reversed on appeal, I will be left with simply blocking every /16 from which my customers receive spam, rather than using the surgical blocking techniques which prevail now.
Once again the courts prove their ignorance.
Yet another ruling in which the judge, obviously an ancient relic that is a flawed by-product of the state she holds office in, has a complete lack of understanding of many key elements of the suit she is presiding over.
Not that ignorance ever stopped a judge from ruling. I hope he appeals and wins.
The world in which we live, is horribly corrupt and the law is a weapon, not a shield.
Hands up who's surprised...
As my Dad used to say: Life isn't fair.
Findings of fact #31
#31. Ritz falsely stated in his interrogatory answers that his only name on the Internet was David Ritz, when be actually went by names including "s lewini" and "BOFH" ("Bastard Operator From Hell").
I don't get it
If he managed to do a zone transfer (assuming no other hack) then surely thats the filthy spammers fault for not configuring his filthy server correctly.
The devil in the details ...
The whole Zone Transfer business is sad. If the information was so important why didn't Sierra properly configure their server. Was there a banner saying stay out? I beleive that there are precedents for requiring one.
Reading http://www.spamsuite.com/node/351 the case also involves a lot more serious things than a zone transfer. The use of other systems, was there permission or evidence of use? Port scanning without permission. Email bombing. Ignoring an injuction.
I have less than zero sympathy for the spammers but it sounds like Ritz crossed a line. I for one want to hear what the criminal case holds.
I hope some of the findings regarding the zone transfer are disputed.
On another note, some of the findings are hilarious taken out of context:
18. Ritz was not an authoritative name server, a DNS server, nor any kind of computer at the time he accessed Sierra's computer. Ritz has never been an employee, agent, or network administrator for Sierra.
4. Ritz .... methods. He also disguised himself as a mail server.
I can't help thinking of Urban Camo
The latest in an increasing amount of stories that make me think that the "land of the free" (my arse) is going completely insane and outside the curve of the rest of the world.
So now an AXFR request is illegal?
If the spammer or their DNS host was negligent enough not to block access to zone transfer information, then the information could arguably be called public domain. What happens next? If I visit a spammer's website to gather evidence, that'll be illegal too?
So Reynolds ran a DNS server that allowed zone transfers from any T, D, & H on the internet, and it outraged when someone grabs his DNS records?
If Sierra had made any attempt to secure this service from unauthorised hosts, and Ritz had made any attempt to circumvent that security, there might be a case for hacking. But I smell a judge who still thinks the electricity leaks out of the plugholes if you don't put those little childproof covers on.
This is absurd! These are Internet Protocols. If you have an internet domain, you are required to support them. Well, the whois is supported by whoever you registered your IP range with. But a zone transfer is a requirement of the DNS protocol. You may configure your DNS to refuse a transfer, but you are required to provide software that, accepts, understands, and answers accordingly this request.
So how come use of something you have to provide is illegal?
"Judge rules standard tools wrong"
"Judge sends innocent man to death row"
"Judge sues for millions due to lost pants"
"Judge has sense, rules RIAA running illegal search-and-detain scams"
Only one of those are false, and only one is really honest. Guess which one?
And no, it's not the lost pants one.
Anyone shocked? Day by day, judges are showing that they have little respect for the common people (uhhhh you know, those people they're put on the bench to protect) in favor of big business.
Get over it.
Reading the phonebook is next hacking charge
Let's see if I have this straight: The guy was charged with hacking because he looked up publicly published information. That means if someone looks up a name in a phone book, its a hacking charge.
This case needs to be appealed. The precedent is very bad.
right... so being a sysadmin is illegal?
bad judge... no cookie
When you read the court papers
It sure looks like the court got it right.
The guy was persistently hitting the other companies systems and publishing private information. Even if they are spammers you still have to obey court orders... If we had the world's stupidest file sharer a few weeks ago this sure looks like the world's stupidest anti spam campaigner...
Electronic delegation of consent
If you leave your DNS server open to Zone Transfer, then you've made that information public, and implicitly given consent for people to download all your records. Likewise, if you have an unencrypted WIFI connection, with DHCP *actively* assigning IPs to strangers, then you've publicly granted consent for people to use your network.
It is high time we stop this stupid litigation, and hold people responsible for the actions computers take on their behalves. There is such a thing as tacit consent in other legal circles; I don't understand why people are unable to apply it to networking.
BTW, before I get a lot of buffer overflow flames, I think it is fairly obvious that buffer overflows and other security flaws don’t constitute tacit consent, because it is not the way the program was intended to operate. Zone Transfers are designed as part of the protocol, and you can hardly say that the functionality was unintended.
close to home
I work with a woman who lives across the road from this guy (Reynolds, the spammer). He's got a nice house on about 17 acres of land and used to drive a big yellow Hummer (his website - http://www.yellowh2.com/) and a modded Viper, but he wrecked that over in Europe in the Gumball Rally (http://www.torquenstein.net/theCarsTheTeam.htm). Guess I picked the business. The woman I work with says that he and his wife are extremely nice, but she never brings up his line of "work".
@close to home
Please take care of the guy for me, as he's stealing my time every single morning.
@ Brent Gardner - er, no.
"Likewise, if you have an unencrypted WIFI connection, with DHCP *actively* assigning IPs to strangers, then you've publicly granted consent for people to use your network."
Er, no. Not in any jurisdiction I can think of. If you leave your home windows unlocked when you leave, you have merely been bloody stupid, you have NOT granted consent for the public to rob your house. Intruders are still intruders; your insurance might not cover the loss though.
I'm not supporting this guy...
According to that transcript, he lied to the judge repeatedly, violated injunctions repeatedly, "hacked" into other systems, and generally behaved poorly. I don't think the alleged spammers are in the right here, but this guy was certainly in the wrong.
"The guy was persistently hitting the other companies systems and publishing private information."
Are you out of your fscking mind? The "private" information published was the information *REQUIRED* to be made public under ICANN rules to operate a server on the Internet.
You as well sue someone for handing you a telephone directory and telling you, "your name, address, and phone number are on Page 3." Or better yet, sue the telco for publishing that information.
@Adrian Esdaile - er, no too.
While I kinda agree with you this is not a perfect analogy...
If you left your home windows open and I breathed in and accidentally sucked in some of your fresh oxygen that you were piping round your house and you get pissed off at me then I'd say that's your fault for leaving your windows open and letting our precious oxygen out.
This is also a somewhat dodgy analogy but as machines are typically configured to reach out and ask anything and anyone for a IP address (i.e. DHCP clients) much like humans are typically configured to breathe in several times a minute then I think it's a somewhat more accurate comparison.
Stupid old judge?
Possible, but just as likely she's a fresh judicial appointment selected specifically for her religious rejection of evolution, etc. The American legal system has gone beyond unwell to quite sick.
As regards the anti-spammer's aggressive tactics, you have to be careful when you fight fire with fire. Knowing your enemy is one thing, but you must not become as aggressive and evil as your enemy. However, its really hard for me to blame him for being contaminated by the cursed spammers. Sometimes you need to have a few nasty guys working the line between good and evil, and I have *NO* doubt which side of the line the spammers are on.
OK, from the sounds of things, the anti-spam guy has done a few things wrong, like disobeyed a court order. But that court order, from the sounds of things, was incorrectly issued to protect what is basically an organised crime.
So then this case comes up, which revolves around him hacking into the original guy's network. He didn't, which says the case should have been chucked out, and the previous court order should not have come into it.
Time to subscribe that judge to a lot of promotional lists...
Or leave her email dangling around on sites where it can be mined by countless bots.
See how she'll like it.
@ morely dotes
My mind is just fine. Did you read the court document, not the summary? I did. The guy did a whole host of things, and continued doing them *after* he'd been given an injunction. Amongst them seems to have been was publishing the spammers *internal* dns records on the net. You may not be aware of this, but often internal DNS is quite different from external. Sure the guys left their windows open, so that it was possible to query the server for internal DNS from outside, but as the man says its still not legal to go on and do it.
But more to the point it was mind bogglingly stupid to go and access the spammers systems *after* he'd been given a court injunction not to. Once the injunction was there then as soon as our thick friend went anywhere near the spammers servers then he was just walking into a trap with a target painted on his chest and a big label saying shoot me. Courts have a rooted objection to their orders being breached, and it doesn't matter whether you think the order was right or wrong, its still only going to end the same way.
...make decisions based on the arguments before them. It is not for them to make enquiries to find out whether the arguments are right or wrong.
I haven't read the judgment, but if its effect on the security industry is as suggested above, then that is no one's fault other than the bloke who didn't tell the judge the way things work.
Some details on the Hon. Rothe-Seeger
Maybe someone could provide a suitable explanation of how WHOIS and DNS works.
@ Misha Gale
Well it leaks out of light fittings with no bulb in!
Get past the spin, read the judgement ....
the PDF (not the annotated version which has some digitization errors). There are something like 35 findings, about 6 deal with (partially) disputable DNS issues, another 6 or so deal with what looks like more serious intrusion behaviour, and several others deal with violating a court injunction and lying about his activities.
Or check coments here http://www.liquidmatrix.org/blog/2008/01/17/judge-rules-some-dns-requests-illegal-in-nd/
The case seems to go on way to much about the DNS side, but downplaying the more serious findings and playing up the DNS Zone Transfers is just spin.
@Shannon Jacobs - good point about being careful when you choose to fight fire with fire.
@Brent Gardner - good point about the idea of tacit consent.
@Ben Parr-Ferris - if you're the bloke doing the telling and the judge has found you previoulsy lied and violated court injunctions ... well ... your goose is pretty well cooked
Now here's a thought ....
It's been bugging me why this case seems to obsess on the DNS issue. Then it occurred to me. Just how sensitive are IP addresses and host names anyway?
Wait, and think about it.
Lots of people get upset at the idea of IP addresses getting 'out' yet they have no idea of the distinction between internal and external IPs, nor what is or is not actually out there. The number of times I've seen clueless people who want NDA's when you are talking about public information is amazing!
What is the average sysadmin or manager's reaction when they discover their DNS leaks? How far up the panic and react scale does it really go? And when they close the whole, do they renumber and name their IP space? None that I've heard. Ask yourself on a scale of 1 to 5 with 1 being ho-hum. Honestly, would you really rate it more than a 2?
So what happened here?
Sierra probably didn't give a rat's a** that their DNS was showing. But it was just the stick they needed to beat on Ritz! With that they got him into court where it seems he was his own worst enemy. They dragged in third party hacking (which they can't collect on), injunctions, and violation of injunctions, got the matter in front of a criminal court, and picked up a tidy award.
Spiteful, but well played.
My mum used to say, "don't run with sharp objects" and "people who live in glass houses shouldn't throw stones". Both of these seem to apply here.
he deserves it!
anti spammers goto great length and do very malicious things from death threats, to forcing people off hosting providers, ddos and other damaging attacks in attempt to bring suspected spammers down
the truth is they usually dont have all the facts and they make assumptions
take it from somebody who has never sent a bulk e-maik but i am listed on the worlds top 100 spammers at http://www.spamhaus.org/rokso/listing.lasso?-op=cn&spammer=Matt%20Leppala
do you see any evidence that i spam there? they claim i sell servers to spammers, and the truth is i havent sold servers for the last 6 months and im still listed as a spammer
may anti spammer organizations fall hard to the ground as they are costing legitimate businesses thousands of dollars a month. let the authorities handle the spammers and quit trying to play insepctor gadget
also i get spam all the time to my box, its not hard to delete it :)
Let's get real, here
1. "Force people off hosting providers?"
How? By providing evidence of abuse to the provider resulting in the provider (the responsible ones, anyway) terminating the account under the provider's TOS?
I have yet to see evidence that an anti-spammer was able to terminate anyone's account without the consent and cooperation of the account's provider, exercising its right to decide how their own services can and cannot be used.
2. DDoS and death threats?
Well, you'll find a handful of out-of-control renegades in any cause, whatever its merit.
3. From your site: " SpamHaus is a power-controlling website that has servers set up and blocks a large percentage of spam through out the internet."
Spamhaus does not block anything. As your words are suggesting, that is not physically possible; nothing can reach out onto the Internet beyond its own systems to disturb what others are doing. The only way anything is blocked by being listed on Spamhaus is when someone CHOOSES to use Spamhaus' data to block connections to his/her OWN systems, which is their prerogative, or use filtered BGP feed, again, by choice, applied to their own domains only.
4. "also i get spam all the time to my box, its not hard to delete it :)"
Looking at the mail log on my primary MX, I see that over the past three days, zen.spamhaus.org has recognized 12,975 connection attempts from known spam sources, which were blocked because I chose to do so. And that's just the primary MX. I have yet to encounter any evidence of a false positive in the time I've used it. And I'm just a guy hosting a half-dozen domains for friends, gratis, no mega-operation, and even my pipsqueak network still gets that many bogus connection attempts.
My personal spam load, AFTER that blocking, is on the order of 400-700 items PER DAY. It IS "hard to delete it." I have much better things to do with my time.
5. "let the authorities handle the spammers..."
I can understand such notions from net newbies and non-savvies, but you don't appear to be among that number. Do you really think anyone is going to buy that?
I'm afraid you're doing more here to advance the case against yourself than anything else.
(For the record, I have no association with Spamhaus other than that I'm a satisfied and grateful user.)
Some items from the ruling
1. (3) "...Ritz issued a variety of commands, including host-l, helo and vrfy."
HELO? And of what kind of nefarious use is VRFY here?
2. (4) "Ritz...accomplished his access...accessing the servers via a Unix operating system and using a shell account..."
Use UNIX, go to jail. It's the law. (And it's life without parole if you use a shell account.)
"...disguised himself as a mail server..."
Meaning he conducted SMTP dialogues by hand? Machines do it; it's legal. Fingers on a keyboard do it, and it's a sin.
(5) and (6) are a bit smelly, though I don't see what kind of evil use that internal information could be used for.
(7) is mostly redundant, saying nothing new except that he acted intentionally, as if anyone might suspect he did it under control of extraterrestrials or while sleepwalking.
(8) describes the typical use of zone transfers and suggests that, since what Ritz did was not that kind of typical use, it must be bad.
(9) expands on (8) and tries to make law out of intentions: if something wasn't designed for a particular purpose, using it for that purpose must be evil.
(10) "...the literature available on the subject refers to access attempts such as the host-l command...as 'unauthorized'"
What literature? I suppose that information is available somewhere, but whatever it is, I question its validity. ESPECIALLY considering the next part of the paragraph:
"...Microsoft itself, as well as other authorities, all refer to zone transfers as...unauthorized"
"Microsoft itself?" Microsoft is an "authority," ostensibly a particularly dependable authority as implied by the "itself?" If that's this court's idea of where to look for reliable guidance in a case like this, its clue supply is woefully deficient.
Other things in this ruling are more worthy of consideration, although the description of the UDP includes three elements of which two only apply if another party is persuaded to take action at its own discretion. The sending of USENET cancel messages is more substantial.
Overall, even given the parts of this that make sensible claims against the defendant, the ignorance that pervades this ruling is appalling.
More on the ruling ...
@Ray - as I understand such rulings, some findings are used to support other items. Not all are violations of law. I also agree with you that there are large parts of the ruling which show poor understanding of how computers are legitimately used.
Now, I'm the author of
- The devil in the details ...
- Get past the spin, read the judgement ....
- Defendants ...
- Now here's a thought ....
From the comments on Liquid Matrix and my own read of the findings...
- The most troubling findings are: 13, 14, 15, 16, 23, and 24. I expect that these will figure in the criminal trial. It looks like Ritz crossed the line.
- 'Findings 6, 8, 9, 10, 21, and 22 are arguable. Unfortunately, there was “available literature” describing unauthorized the use of Zone Transfers. (Even my very dusty old copy of "DNS and BIND” refers to “Unauthorized Zone Transfers” - lesson careful what you write).'
Also the comments of various posters which mirror the sentiment here
Laywers have an expression, something about "disctinctions without differences". If the errors in the ruling would have made a difference, then it is a bad ruling. If they wouldn't then it is just a ruling with inconsequential errors. I think that's what has happened here.