First published: 31st January 2008
Anti-spam activist David Ritz used the host -l command to effect a zone transfer from the servers of Sierra Corporate Design, a North Dakota business run by Jerry Reynolds, and subsequently published the information, along with whois data. Sierra sued Ritz for unauthorized access, trespass to chattels and publication of the information obtained.
In a civil case, Judge Cynthia Rothe-Seeger found that the use of the command was "unauthorized" because it was not performed by a secondary authoritative domain name server or a network administrator for the system, and was therefore outside the intended use of the command. The zone data included the internal zone structure of Sierra, with private host names, that could not be obtained from any (other) public source. Judge Rothe-Seeger found that Ritz's publishing the information "created a grave security risk for Sierra". The Judge noted that Ritz had ill-will and malice against Sierra, as a suspected spammer, but found, "those suspicions do not justify violations of the law nor trespass". She awarded Sierra $2930 in actual damages, $50000 in exemplary damages, allowed Sierra to recover lawyers' fees and fined Ritz $10000 for an associated contempt charge. Ritz may also face criminal charges over the alleged offences.
The focus of attention for system administrators will be that Judge Rothe-Seeger has found that using an ordinary Unix tool, host, with an ordinary switch, -l, to access unprotected information on a publicly-accessible server without specific authorisation is illegal. The Judge found that the information was not "publicly accessible" because it was not the intended use of a zone transfer. Think carefully before you touch a command-line!