[89876] in North American Network Operators' Group
Re: Open Letter to D-Link about their NTP vandalism
daemon@ATHENA.MIT.EDU (Robert Bonomi)
Tue Apr 11 16:00:51 2006
Date: Tue, 11 Apr 2006 15:00:14 -0500 (CDT)
From: Robert Bonomi <bonomi@mail.r-bonomi.com>
To: nanog@nanog.org
Errors-To: owner-nanog@merit.edu
> Date: Tue, 11 Apr 2006 14:29:02 -0400 (EDT)
> From: "Michael Froomkin - U.Miami School of Law" <froomkin@law.miami.edu>
> Cc: nanog@nanog.org
> Subject: Re: Open Letter to D-Link about their NTP vandalism
>
> On Tue, 11 Apr 2006, Alexei Roudnev wrote:
>
> >
> > It's legal to have broken NTP server in ANY country, and it's legal in most
> > (by number) countries to send counter-attack (except USA as usual, where
> > lawyers want to get their money and so do not allow people to self-defence).
> >
>
>
> <law professor> I'd really suggest that readers confirm this claim (that
> intentional sending of false data with a malicious purpose is perfectly
> acceptable) with a local lawyer before trying it at home or at work.</law
> professor>
I'll suggest that there are several presumptions in that 'claim' that are
not fully supported by the facts of the matter, as previously described.
1) _Who_says_ it is 'false data'? *Who*knows* what that machine is 'supposed'
to provide TO WHOM? (The _published_ functionality is to provide time service
to queries from a specific address-range. This does *not* place any limits on
the 'expected behavior' when queried from _outside_ of that specific address-
range.)
2) *Who*says* there is 'malicious intent' involved? I'm going to be
travelling 'off network' (with the 'network' being defined as the one where
I have published that I'm providing time-server services to), and I happen
to have a recurring need for 32-bit units of a specifically transformed
output of a local hardware-based "/dev/random". So, I put up a server to deliver
that data when requested. For reasons of 'convenience' in my programming,
I choose to format the queries/responses like a particular 'well known'
protocol, and run it on the port associated with that well-known protocol.
Do I have any responsibility to 'announce' that I'm doing something like
that, for 'private' use?
*Am*I*responsible* if 'somebody else', _without_checking_with_me, and
=without=asking=my=permission=, queries that machine, and "assumes" that
the data that they get back is, in fact, from that 'well known' protocol?
In point of fact, if the server in question were located in the United States,
there is a colorable argument that can be advanced that the queries originating
from outside the address-space for which the owner declared he intended to
provide a specified service, constitute a violation of 18 USC 1030 (a) (2) (C).
(<http://www.law.cornell.edu/uscode/18/1030.html>, for those who need it :)
Note that that section applies _regardless_ of the 'truthfulness'/'accuracy'
of the data returned.
I submit that:
1) If the query originator is 'entitled' to make assumptions about what the
2) It would seem that the server operator is *equally* 'entitled' to make
assumptions about what the query means, and
3) to respond in a manner consistent with _his_ understanding of what the
query originator 'wanted'.
If the query originator fails to 'get what he wanted', due to his failure
to communicate _in_advance_ with the server operator, *WHO* is to blame?
Now, if the server operator publishes that he will provide a certain type of
date, in response to a certain type of query, and someone sends that type
of query, you do (potentially) have the elements of a contract,
and the server operator might be committing a civil tort *if* the server
returns 'something unexpected'.
> I also bet that the claim of widespread acceptability would fail badly if
> we weigh countries by population. Or even connectivity.
>
> Not to mention the fact that your packets might stray across borders
> sometimes.
>
There's a _whole_nuther_ can of worms, as regards "who is responsible"
when a device is totally passive until 'directed' to act by an outside
party. Is the one that is 'responsible' the one who configured the 'possible'
actions of the device, or the one who issued the command to perform one
of those actions? Does it matter if, through not bothering to investigate
adequately, the command issued does _not_ do what the issuer intended?