RE: [dvd-discuss] Hang the RIAA in their own noose.




> -----Original Message-----
> From: Scott A Crosby [mailto:crosby@qwes.math.cmu.edu]
> Sent: Thursday, October 18, 2001 10:52 AM
> To: Richard Hartman
> Cc: 'dvd-discuss@eon.law.harvard.edu'
> Subject: RE: [dvd-discuss] Hang the RIAA in their own noose.
> 
> 
> On Thu, 18 Oct 2001, Richard Hartman wrote:
> 
> >
> > You can also password protect information on the web server
> > running on port 80 (which would actually be better than attempting
> > to hide it on a non-standard port anyway...)
> >
> 
> Close, I have access restrictions to certain IP's. The intent of those
> restrictions is that only I can use them. But, there may be a mistake.
> 
> >
> > I am not.  I am claiming that certain ports are "well known".  Which
> > is to say that certain services are assigned certain ports by a central
> > governing body (IANA, I think).  If you are running those services on
> > those ports, you can _expect_ access by all and sundry.  If you want
> > privacy, you take steps.
> >
> 
> I have taken steps that are intended to restrict access.
> 
> Your claim that if a computer is offering a port implies that that access
> should presume to be granted is not correct, unless you assume that every
> computer has perfect configuration.

No, I claim that intent can only be discerned from the configuration.
If you were to pursue a claim of trespass against the RIAA, you would
have to show that you _attempted_ at least to restrict access.  The
fact that you misconfigured (perhaps the netmask was wrong) would not
negate the fact that you tried.  But if you had _not_ attempted to
restrict the access, then the open permission would have to be assumed.

> 
> >
> > Again, we can only judge intent by configuration.  (Or perhaps by
> > a posted disclaimer ...)   If you are running a standard service
> > on a standard port, the best presumption of intent is that you
> > are intending to provide that service.
> >
> 
> You had said:
> 
> > On Wed, 17 Oct 2001, Richard Hartman wrote:
> >
> > >
> > > Maybe, but I'm not sure.  The entire _purpose_ of a web
> > > server is public access.  An FTP server, it might be argued,
> 
> You are assuming that perfection exists, that everyone configures their
> computer so that the configuration matches their intent.

Which is the only thing the courts would have to go by.
If you walk into court saying "yeah, I never bothered to
configure any sort of access protection but I never intended
anybody but myself to have access" I don't think it would
fly very well.  

> 
> This ignores the reality that people misconfigure computers, 

Again, misconfiguring is different than NOT configuring.  Misteaks
can be made, but if it is clear that you tried you have at least some
leg to stand on when you make your claim that the intrusion was
in fact an intrusion.

...
> IMHO, whether or not access was intended should be judged based on what
> level of access was granted. Access to private information can be assumed
> to be unintended, no matter what the protocol. Access to information that
> appears intended to be public should be considered to be intended.

But how are we to judge what is private information?  Maybe
some people are proud of their bank balances ...


-- 
-Richard M. Hartman
hartman@onetouch.com

186,000 mi./sec ... not just a good idea, it's the LAW!