Date: Tue, 11 Apr 2006 14:29:02 -0400 (EDT) From: "Michael Froomkin - U.Miami School of Law" <froomkin@law.miami.edu> Cc: nanog@nanog.org` Subject: Re: Open Letter to D-Link about their NTP vandalism
On Tue, 11 Apr 2006, Alexei Roudnev wrote:
It's legal to have broken NTP server in ANY country, and it's legal in most (by number) countries to send counter-attack (except USA as usual, where lawyers want to get their money and so do not allow people to self-defence).
<law professor> I'd really suggest that readers confirm this claim (that intentional sending of false data with a malicious purpose is perfectly acceptable) with a local lawyer before trying it at home or at work.</law professor>
I'll suggest that there are several presumptions in that 'claim' that are not fully supported by the facts of the matter, as previously described. 1) _Who_says_ it is 'false data'? *Who*knows* what that machines is 'supposed' to provide TO WHOM? (The _published_ functionality is to provide time service to queries from a specific address-range. This does *not* place any limits on the 'expected behavior' when queried from _outside_ of that specific address- range.) 2) *Who*says* there is 'malicious intent' involved? I'm going to be travelling 'off network'(with the 'network' being defined as the one where I have published that I'm providing time-server services to), and I happen to have a recurring need for 32-bit units of a specifically transformed out- put of a local hardware-based "/dev/random". So, I put up a server to deliver that data when requested. For reasons of 'convenience' in my programming, I choose to format the queries/responses like a particular 'well known' protocol, and run it on the port associated with that well-known protocol. Do I have any responsibility to 'announce' that I'm doing something like that, for 'private' use? *Am*I*responsible* if 'somebody else', _without_checking_with_me, and =without=asking=my=permission=, queries that machine, and "assumes" that the data that they get back is, in fact, from that 'well known' protocol? In point of fact, if the server in question were located in the United States, there is a colorable argument that can be advanced that the queries originating from outside the address-space for which the owner declared he intended to provide a specified service, constitute a violation of 18 USC 1030 (a) (2) (C). (<http://www.law.cornell.edu/uscode/18/1030.html>, for those who need it :) Note that that section applies _regardless_ of the 'truthfulness'/'accuracy' of the data returned. I submit that; 1) If the query originator is 'entitled' to make assumptions about what the 2) It would seem that the server operator is *equally* 'entitled' to make assumptions about what the query means, and 3) to respond in a manner consistent with _his_ understanding of what the query originater 'wanted'. If the query originator fails to 'get what he wanted', due to his failure to communicate _in_advance_ with the server operator, *WHO* is to blame? Now, if the sever operator publishes that he will provide a certain type of date, in reqponse to a certain type of query, and someone sends that type of query, you do (potentially) have the elements the elements of a contract, and the server operator might be commiting a civil tort *if* the server returns 'something unexpected'.
I also bet that the claim of widespread acceptability would fail badly if we weigh countries by population. Or even connectivity.
Not to mention the fact that your packets might stray across borders sometimes.
There's a _whole_nuther_ can of of worms, as regards "who is responsible" when a device is totally passive until 'directed' to act by an outside party. Is the one that is 'responsible' the one who configured the 'possible' actions of the device, or the one who issued the command to perform one of those actions? Does it matter if, through not bothering to investigate adequately, the command issued does _not_ do what the issuer intended?