Re: CERT: the letter from CERT to berkeley.edu admin
Here, in its almost full glory, is the letter that CERT sent to the admin at berkeley. I've removed the addressee, since there's no need to involve that person. I have not, however, removed the name of the sender. Don't you just love that phrase "illegal trading of commercial software"?

Based on what you sent out, I confess that I see nothing wrong with CERT's note. They're right -- anonymous ftp is abused that way. I've seen it happen on a fair number of sites -- folks upload packages for others to snarf. The pattern of some of the transactions I've seen suggests that folks are chatting anonymously via IRC or some such, and are using third-party machines as anonymous relay points. Other transaction patterns suggest the creation of sub rosa archives by folks who have no legitimate right to use the machine. Files distributed that way (and I'm speaking here of what I've seen personally, not just rumors from CERT or the net) include copyrighted PC software packages.

Now -- there's a lot of room for disagreement about whether or not it's proper to charge for software, or whether or not algorithm patents are or should be valid. But I suspect that most people on the list would agree that if someone has written something that they don't want distributed that way -- as evidenced, for example, by a copyright notice -- their wishes should be respected. That's common courtesy, if nothing else. Similarly, if you want to distribute files, use your own machine. Don't abuse someone else's, when you know perfectly well that that's not a proper use of anonymous ftp.

Again -- neither CERT nor I am talking about things like RSA software. That's a can of worms I'm not going to open in this forum. And they're probably not even talking about files that legitimate users are making available. They're talking about abuse of other folks' machines, almost always with neither the knowledge nor the consent of the system owner.
And the outcome is predictable; I've seen a number of cases where anonymous ftp has been shut down, to the detriment of the entire community. --Steve Bellovin
> Based on what you sent out, I confess that I see nothing wrong with CERT's note.
The issues that Steve raises are

1. use of ftp sites counter to the knowledge or desires of their owners
   a. for one time transmission
   b. for illicit archive
2. distribution of software contrary to the author's desires
3. abuse leading to shutdown of archives

I do not wish to quarrel with these issues. The question is not one of the ethicality of these actions, but of the relationship that CERT should have to such actions. CERT's mission is computer security, not copyright enforcement.

What the letter offers is hearsay that illegal activity is taking place on a particular machine in a particular place. Such a letter might properly be construed as slander, since there was no effort made to verify the accuracy of this information and the letter even says this itself!

What CERT might properly do is first, verify that an ftp site is running. Julf's case where the ftp daemon was not even enabled is a particularly egregious case in point. Next they should verify that the permissions on the directories in question are set so that world read/write access is available. They could also do a tree search of the directories and look for suspiciously named directories. All these actions can be automated; there is little excuse for making not even the most cursory check.

In any case, CERT's response should be limited to issues of computer security and not law enforcement. They might properly notify an archive owner that illegal activity has been known to take place on archives configured in such a way, but to spread hearsay is irresponsible. Unfounded allegations of illegal activity are socially dangerous, especially when promulgated by a respected institution. In the fifties in the US in a similar context this was called "red-baiting".

Now if CERT receives reports about the improper distribution of software and the archive site is properly set up, one might reasonably assume collusion on behalf of the maintainers of the archive.
In this case direct investigation should take place by properly authorized law enforcement authorities. CERT is not so authorized to my knowledge, and as it is funded with military money it would be a bad policy to give it a law enforcement function. The FBI is responsible for copyright enforcement in this country, and they are the proper ones to do an investigation. Eric
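Eric's mechanical checks (is the daemon up, are directories world read/write, are there suspiciously named directories) are the kind of thing a site admin can script against their own ftp root before anyone else has to write a letter. Added example, not code from the thread: a Python audit of an anonymous-ftp tree run over a constructed sample layout; the hidden-name heuristic and the sample paths are my own assumptions, and the classic one-liner for the permission part is `find /ftproot -type d -perm -o+w`.

```python
import os
import stat
import tempfile


def looks_hidden(name):
    """Heuristic (assumption, not from the thread): names that vanish in an
    ordinary listing: leading dot, leading/trailing whitespace, or only dots."""
    return name.startswith(".") or name != name.strip() or set(name) <= {"."}


def audit_ftp_tree(root):
    """Walk an anonymous-ftp root and report directories that invite abuse.

    Returns sorted paths relative to root in three buckets:
      world_writable: anyone may create files there (a drop point)
      drop_and_fetch: world-writable AND world-readable (relay / sub rosa archive)
      hidden_names:   names that hide themselves from a casual ls
    """
    findings = {"world_writable": [], "drop_and_fetch": [], "hidden_names": []}
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):          # symlinks are reported by their target
                continue
            if mode & stat.S_IWOTH:
                findings["world_writable"].append(rel)
                if mode & stat.S_IROTH:
                    findings["drop_and_fetch"].append(rel)
            if looks_hidden(name):
                findings["hidden_names"].append(rel)
    for bucket in findings.values():
        bucket.sort()
    return findings


def build_sample_tree():
    """Constructed sample ftp root (not a real site) to exercise the audit."""
    root = tempfile.mkdtemp(prefix="ftp-audit-")
    layout = {
        "pub": 0o755,            # ordinary read-only archive: fine
        "incoming": 0o733,       # write-only drop box: writable but not listable
        "pub/. ": 0o777,         # hidden by a trailing space, world read+write
        "incoming/...": 0o777,   # run of dots, world read+write
    }
    for rel, mode in layout.items():
        os.makedirs(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    return root


if __name__ == "__main__":
    for kind, paths in audit_ftp_tree(build_sample_tree()).items():
        print(kind, paths)
```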
steve, like eric, i feel that cert is overstepping their charter by engaging in law enforcement activities. what's your feeling on the matter? don't you agree that this could jeopardize their ability to do the work they are chartered to do? peter
participants (3):
- Eric Hughes
- peter honeyman
- smb@research.att.com