1993-06-08 - CERT: the letter from CERT to berkeley.edu admin

Header Data

From: Eric Hughes <hughes@soda.berkeley.edu>
To: smb@research.att.com
Message Hash: 1e8a6ac6abc7cf31fec85041bd6bfc5de9090cc0b5f660ec87f1ad1ffa56359d
Message ID: <9306081926.AA17119@soda.berkeley.edu>
Reply To: <9306081814.AA22615@toad.com>
UTC Datetime: 1993-06-08 19:30:12 UTC
Raw Date: Tue, 8 Jun 93 12:30:12 PDT

Raw message

From: Eric Hughes <hughes@soda.berkeley.edu>
Date: Tue, 8 Jun 93 12:30:12 PDT
To: smb@research.att.com
Subject: CERT: the letter from CERT to berkeley.edu admin
In-Reply-To: <9306081814.AA22615@toad.com>
Message-ID: <9306081926.AA17119@soda.berkeley.edu>
MIME-Version: 1.0
Content-Type: text/plain


>Based on what you sent out, I confess that I see nothing wrong with
>CERT's note.  

The issues that Steve raises are 
  1.  use of ftp sites counter to the knowledge or desires of their owners
    a. for one time transmission
    b. for illicit archive
  2.  distribution of software contrary to the author's desires
  3.  abuse leading to shutdown of archives

I do not wish to quarrel with these issues.  The question is not one
of the ethicality of these actions, but of the relationship that CERT
should have to such actions.

CERT's mission is computer security, not copyright enforcement.  What
the letter offers is hearsay that illegal activity is taking place on
a particular machine in a particular place.  Such a letter might
properly be construed as slander, since there was no effort made to
verify the accuracy of this information and the letter even says this
itself!

What CERT might properly do is first, verify that an ftp site is
running.  Julf's case where the ftp daemon was not even enabled is a
particularly egregious case in point.  Next they should verify that
the permissions on the directories in question are set so that world
read/write access is available.  They could also do a tree search of
the directories and look for suspiciously named directories.  All
these actions can be automated; there is little excuse for making not
even the most cursory check.

In any case, CERT's response should be limited to issues of computer
security and not law enforcement.  They might properly notify an
archive owner that illegal activity has been known to take place on
archives configured in such a way, but to spread hearsay is
irresponsible.  

Unfounded allegations of illegal activity are socially dangerous,
especially when promulgated by a respected institution.  In the
fifties in the US in a similar context this was called "red-baiting".

Now if CERT receives reports about the improper distribution of
software and the archive site is properly set up, one might reasonably
assume collusion on behalf of the maintainers of the archive.  In this
case direct investigation should take place by properly authorized law
enforcement authorities.  CERT is not so authorized to my knowledge,
and as it is funded with military money it would be a bad policy to
give it a law enforcement function.  The FBI is responsible for
copyright enforcement in this country, and they are the proper ones to
do an investigation.

Eric
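
The permission check and tree search the message describes, sketched as a local audit an archive owner could run over their own anonymous-FTP root. This is an added example, not part of the original message; the naming heuristics, function names and sample tree are assumptions.

```python
import os
import stat

def suspicious_name(name):
    """Assumed heuristic: names chosen to escape a casual directory listing."""
    return (name.startswith(".")                       # hidden from plain `ls`
            or name != name.strip()                    # padded with whitespace
            or any(not c.isprintable() for c in name)) # control characters

def audit_ftp_tree(root):
    """Walk an anonymous-FTP root; return sorted (relative_path, reasons)."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue  # os.walk does not descend into symlinks; skip them
            reasons = []
            if mode & stat.S_IWOTH:
                # World read+write is the configuration the message names;
                # write-only is a drop box that others cannot list.
                reasons.append("world read/write" if mode & stat.S_IROTH
                               else "world-writable")
            if suspicious_name(name):
                reasons.append("suspicious name")
            if reasons:
                findings.append((os.path.relpath(full, root), reasons))
    return sorted(findings)

def make_constructed_tree(root):
    """Constructed sample layout (not a real site) for the demonstration."""
    layout = {"pub": 0o755, "pub/drop": 0o733,
              "incoming": 0o777, "incoming/...": 0o777}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.mkdir(path)
        os.chmod(path, mode)  # explicit chmod so the umask cannot mask bits

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_tree(tmp)
        for rel, reasons in audit_ftp_tree(tmp):
            print(f"{rel}: {', '.join(reasons)}")
```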









