Whose Hands Are "Unclean"? -- SCO, IBM's 'Agents', and the CFAA - By Jon Stanley, Esq.
Friday, December 17 2004 @ 11:04 AM EST
We looked earlier at the Computer Fraud and Abuse Act from the standpoint of criminal law, and it seems to be pretty much off the table, from all I can see. But looking at the law from the civil side, the analysis is more complex. I noted several comments on the earlier article that made clear to me that a number of you don't yet understand the implications of the CFAA, so I encourage you to read this article closely.
I asked Jon Stanley, an attorney who is an expert on the CFAA, if he'd be willing to explain the statute to you, looking at the specific SCO v. IBM case as well. What, precisely, triggers a CFAA violation? Is SCO's request to throw out IBM's evidence valid, given the facts as we know them so far? Where did this law come from? Mr. Stanley's Masters Dissertation was on the United States Computer Fraud and Abuse Act and he has spoken about it at numerous panels and seminars, including the RSA Conference last year. He'll speak at their 2005 conference as well. I want to thank Mr. Stanley for taking the time to help us comprehend this statute, and I know you join me in that sentiment. He mentions two cases, EF Cultural v. Zefer and EF Cultural v. Explorica, and here is where you can read the appeals court decision on EF Cultural v. Zefer and Explorica.
To acclimate you, you may wish to also read an article [PDF] by George L. Lenard, an attorney with the firm of Harris Dowell Fisher & Harris who specializes in employment law and who is editor of George's Employment Blawg. The article, which was published in "St. Louis Lawyer", examines the statute and the case law around it. He wasn't a bit surprised to see the "unclean hands" claim, and tells me that he expects to see such claims more frequently when other wrongdoing is alleged, because exceeding authorized access is relatively easy to prove compared to more conventional claims. Laws aren't written for no reason. Invariably they are drawn up because somebody has been doing something that is harming someone, or the lawmakers perceive it that way. "Due to extensive reliance on electronic information systems and the ever-improving speed and convenience of data copying and transmission, businesses today face a heightened danger that improper competition by former employees will be aided by electronic misappropriation of trade secrets and other confidential information," he writes.
Here are some of the benefits of the CFAA he writes about in his article, from the perspective of its normal use, protecting a company from trade secret theft by former employees, for example: "In litigating claims against disloyal departing employees, the CFAA typically does not stand alone, but serves as an adjunct to more conventional causes of action such as breach of covenant not to compete, breach of confidentiality agreement, trade secret misappropriation, tortious interference with contract or business expectancy, and breach of fiduciary duty. It is a useful addition because it has several significant advantages over such causes of action, including:
- "Availability of federal jurisdiction. While other applicable claims involve state law, permitting federal jurisdiction only where diversity requirements are met, the CFAA provides a basis for federal question jurisdiction.
- "Availability of a variety of relief, including criminal penalties as well as injunctive relief and damages.
- "Improved appeal to the fact finder’s sense of justice and fair play. To a judge or jury, improper conduct involving computers may appear more devious, culpable, and unjustifiable than merely going to work for a competitor, even in violation of a noncompete agreement.
- "Avoiding the need to prove that purloined information rose to the level of a trade secret -- which can be tough, particularly with non-technical information such as customer lists, pricing information, and business strategies.
- "Avoiding defenses such as the overbreadth or invalidity of a noncompete agreement."
If you are interested in case law on the CFAA, the article is a great resource. However, our interest is specifically the use by SCO of this statute to claim that IBM has "unclean hands" for the way it obtained evidence of SCO's copyright infringement. While we don't actually know what IBM saw, what it downloaded, what password protections, if any, were in place that day, etc., the essay will help you to understand the law better, and from my reading of the law, I think everyone needs to know how the statute works. It's very, very broad.
******************************************
Whose “Hands” are “Unclean?” --
SCO, IBM’s ‘Agents’, and The Computer Fraud and Abuse Act (CFAA)
By Jon Stanley, J.D., LL.M.
In its Reply Memorandum, filed Nov. 30th, 2004, SCO presents a rather simplistic section titled “IBM’s Unauthorized Access Into SCO’s Website”. In doing so, SCO, understandably, from their legal perspective, skips over the nuanced and swiftly emerging world of cyberspace jurisprudence. CFAA case law, and particularly its employment of technological language and technological concepts, is not quite so certain, fixed, or agreed upon, as SCO lawyers would have us think.
SCO seeks to have IBM’s evidence thrown out as a result of IBM’s supposed “unclean hands” in obtaining the evidence. SCO claims that agents of IBM “improperly” obtained evidence by accessing, in an allegedly unauthorized manner, SCO’s website. This claim illuminates a little known, but vitally important, legal and public policy question. That question is the simple (but by no means easy) query: what, precisely, triggers a CFAA violation? This essay will attempt to answer that question and, in doing so, attempt to ascertain whether SCO’s request to exclude evidence is a valid one.
Initially I focus on a central dynamic in CFAA case law: identifying the contractual ‘instrument’ permitting “authorized access” as that term is defined by CFAA case law. Next I will examine the particular subsection of the CFAA that SCO cites in its Reply Memorandum. Then I will scrutinize the origins of the legal theory enunciated in CFAA cases cited by SCO.
Finally I will examine the two CFAA cases I suggest are most relevant to the dispute here. This examination will reveal that SCO’s allegations, however superficially and simplistically presented, raise legitimate legal issues that must be addressed by the court.
I have previously argued that, based upon a series of court decisions, the end user’s default status in the digital world, for all practical purposes, is ‘unauthorized’. By that I mean that legal access to ‘cyberspace’ is more often than not governed by some contractual (implicit or explicit) prerequisite that ‘grants’ access. Breach of this contract by the end user renders his or her access unauthorized for purposes of the CFAA.
Case law examples of some of the instruments in question are as follows:
1. Internet Service Provider Terms and Service Agreement
2. Employer Computer Use Guidelines
3. Institutional (i.e. schools, hospitals, library) Computer Use Guidelines
4. Website Terms and Service Agreements
5. “Reasonable expectations” of the website owner
In light of this it is worth examining the specific subsection of the CFAA that SCO apparently alleges IBM’s agents violated: (a)(2)(C), which reads:
Whoever;
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…… (C) information from any protected computer if the conduct involved an interstate or foreign communication [can be liable for a violation of the CFAA]
Congress has, so far, refrained from defining what the word ‘obtains’ means when employed in (a)(2). However, in its Report on the 1996 amendments to the CFAA, the Senate noted that the “premise of this subsection is privacy protection”, which means, “in this context…mere observation of the data” is a violation of (a)(2). [emphasis added]
The Report went on to say that “removal” of the data, or “transcribing” the data need not be proven as an essential element of the violation. This is a unique finding because, as the Report noted, information is essentially ‘stolen’ without “asportation”.
Here is an example of how a violation might occur:
1. I access the internet pursuant to my Terms and Service Agreement with my ISP (that I agreed to but, given that there are only 48 hours in a weekend, did not read). This is the contractual instrument that allows my “access” to be “authorized”.
2. Then I violate this instrument’s conditions, and my access is, at the very moment of the violation, “unauthorized”.
3. And since, given that I’m probably staring at the screen, I am therefore “obtaining”… (viewing) “information from a protected computer…”
4. In theory, we have a violation of the CFAA.
Please don’t shoot the messenger. Yes, I think this conclusion is absurd and worrisome. And yes, it may very well mean that every time one checks the stock prices (or whatever) at one’s place of employment, and one does so in violation of one’s agreement to only access the internet for the employer’s purposes, technically one is in violation of the CFAA. How did we get to this point? Glib answer? Spammers -- and lack of imagination, perhaps, on the part of the judiciary.
AOL v. LCGM, one of the cases SCO cites, is a good starting point on where this unique, and in my opinion, troublesome, theory of CFAA liability began.
LCGM, the defendant, was a purveyor of spam. AOL claimed the defendant sent out huge amounts of spam to AOL customers. AOL claimed this was a violation of AOL’s “Unsolicited Bulk E-Mail Policy”. The court found that this allegation was true. They further concluded that this finding satisfied the necessary elements for a violation of the CFAA, subsection (a)(2)(C). The court wrote that “Defendants’ actions violated AOL’s Terms of Service agreement, and as such was unauthorized” [emphasis added]
This holding was proffered absent any qualifying language addressing the issue of notice, and how it may, or may not pertain to an alleged CFAA violation, triggered by a “Terms of Service” violation.
If America Online, Inc, Plaintiff, v. LCGM, Inc, et al, Defendant heralded the beginning of the breach of contract equals “unauthorized access” theory, as defined in the CFAA, the two AOL v. National Health cases solidified it.
The judge in both those cases went to some detail demonstrating how a Terms of Service Agreement breach could equal a CFAA violation. Once again the defendant was a purveyor of spam. And once again the court held, in both cases, that the violation of AOL’s Terms and Service Agreement equaled a CFAA violation. Now we had three opinions articulating a legal theory that one astute critic called, with good reason, a “dramatic and potentially unconstitutional expansion of criminal liability in cyberspace.”
And this leads us to the last two cases we will cover in this essay. EF Cultural v. Explorica Inc (EF), and EF Cultural v. Zefer (Zefer) are cases that may exert the most impact on the dispute at hand. The two cases above are not cited by SCO but, I would argue, are the cases most on point given the fact pattern alleged by SCO.
It should not take much imagination to grasp that if you can have a CFAA violation by violating an ISP’s terms and services agreement you can have the same violation by violating other agreements that ostensibly grant access to networks or cyberspace. EF and Zefer confirmed this premise.
Again, it is beyond the scope of this essay to analyze in great detail, the respective cases. However, I suggest both cases are worth reading in their entirety. They will have, and have had, a significant impact in cyberspace jurisprudence.
EF and Zefer were companion cases. A former employee (Gormely) of EF Cultural started his own rival company, Explorica. Gormely, in turn, engaged Zefer Inc. to create a scraper tool which Gormely used to search, query, and harvest data from EF Cultural’s website. This data was intended to be used to allow Explorica to underbid EF Cultural on certain projects both sought.
EF Cultural sued, among others, Gormely, Explorica, and Zefer for, among other things, “unauthorized access” to EF Cultural’s website by Gormely’s scraper. The district court granted a preliminary injunction against Explorica on the grounds that the scraper was used in a manner that exceeded the “reasonable expectations” of EF Cultural, the website owner.
In a supplemental opinion issued by the district court on the controversy, the court elaborated further on its heretofore unknown test:
… by noting ‘…that copyright, contractual and technical restraints, sufficiently notified Explorica that its use of scraper would be unauthorized and thus would violate the CFAA.’ The district court first relied on EF’s use of a copyright symbol on one of the pages of its website and a link directing users with questions to contact the company, finding that ‘such a clear statement should have dispelled any notion a reasonable person may have the presumption of open access applied to information on EF’s website’ [emphasis added]
The 1st circuit court of appeals upheld the injunction but on much narrower grounds than the “reasonable expectations” test. The court decided not to address the holding of the district court that use of a “warp speed device…” [the scraper] “circumvented the technical restraints” of the website. Nor did the court express any opinion on the lower court’s holding that the copyright notice on EF’s website served as “clear notice” to any “reasonable person” regarding “open access” to the site. And so, the crucial issues implicit in the district court’s holding lingered, neither upheld nor repudiated. But they did not linger for long.
In the subsequent case it was the turn of the maker of the software, defendant Zefer. Zefer, on a technicality, had been detached from EF. In Zefer the 1st circuit affirmed the preliminary injunction of the district court on very narrow, procedural, technical grounds not relevant to this matter. Because of this finding the court did not have to address any of the vexing substantive issues -- relevant to the SCO allegations -- raised in EF and in the district court’s injunction. However, that did not stop the Zefer court from leaping into the fray and articulating a legal position enormously critical to a citizen’s access, or lack of access, to information and navigation in the digital world.
The court was obviously uncomfortable with both the district court’s “reasonable expectations” test and the appeals court’s apparent reluctance to repudiate it in EF. The central issue that the Zefer court wanted to address was “….whether use of the scraper” on EF’s website "exceeded authorized access." The court answered that question in the affirmative, and added, for future reference in these types of cases: “A lack of authorization could be established by an explicit statement on the website restricting access.”
So, it was with an “explicit statement” rule that the court seemed to think it had vanquished the “reasonable expectations” test. And then the court turned right around and brought much of the “reasonable expectations” test right back. Because, the court acknowledged, it did agree with the district court that lack of authorization could be “implicit” as opposed to “explicit”.
For example, the court noted:
" . . .password protection itself normally limits authorization by implication (and technology), even without express terms. But we think that in general a reasonable expectations test is not the proper gloss on subsection (a)(4) and we reject it. However useful a reasonable expectations test might be in other contexts where there may be a common understanding underpinning the notion, cf. Terry v. Ohio, 392 U.S. 1, 9, 20 L. Ed. 2d 889, 88 S. Ct. 1868 (1968) (Fourth Amendment), its use in this context is neither [**11] prescribed by the statute nor prudentially sound." [emphasis added]
The court felt the need to further explain its rationale. It wanted to be clear that the basis for the rejection of the “reasonable expectations” test is not “as some have urged, that there is a "presumption" of open access to Internet information”. There is not. (Some might call that astounding and disturbing news.)
Indeed, the court goes on to note: “The CFAA, after all, is primarily a statute imposing limits on access and enhancing control by information providers”. And the “website provider can easily spell out explicitly what is forbidden” [emphasis added]. A statement, one might add, that conveys great faith in the drafters of website terms and service agreements.
It is this alleged violation of an “explicit statement”, or “implicit”, as the case may be, that SCO is presenting as a “hack” into a website.
It will be crucial for the court hearing SCO’s claim to ascertain what, if any, terms and conditions governed access to SCO’s site on the day, and time, in question. And depending on what those terms were, SCO’s claims of the “hack”, however farcical in an actual sense, may have more than a grain of validity if the Zefer reasoning stands the test of time.
This observer thinks that Zefer, to the extent it is a precedent, should be overturned. A breach of a contract based access provision should never be the basis for a CFAA violation. It should be the basis for a contract breach. Rather, the basis for CFAA violation should be intentional circumvention of specific, delineated, code based restrictions.
Kathleen Bennett’s Declaration makes no mention of how she accessed the SCO files in question other than to declare she downloaded them from specific SCO sites. However, I have been told by people familiar with Groklaw and familiar with the specific issue in question here that it may have been possible to access at least some of the relevant files by using anonymous as your user id and your email address as your password.
This, so I am told, is a common practice by companies that wish to make their applications, websites, and information available to the public. Further, without having first-hand knowledge of the facts, I have seen posted comments on Groklaw that indicate the relevant files were placed in a “public directory”.
If this information and assumption is correct, SCO’s claim that Kathleen Bennett exploited a "bug" and “hacked” into SCO’s computers is specious and should be repudiated by the court on the grounds that what Kathleen Bennett did was exactly what SCO intended an end user to be able to do and what is a common and normal practice in the digital world. It should not be seen as a CFAA violation or as something “improper”.
Jon Stanley is a graduate of University of Maine Law School. He is also a graduate of the University of Strathclyde Law School, UK, where he was granted a Masters of Law in Information Technology and Telecommunications Law. His Masters Dissertation was on the United States Computer Fraud and Abuse Act and is presently being edited and updated for publication. He practices law in Maine, focusing on information security, as well as privacy, cybercrime, cyberspace insurance, and intellectual property issues. Mr. Stanley represented the state of Maine in the Attorney General’s Case against the tobacco industry. Mr. Stanley recently completed a project for the Japanese Government examining the potential liability issues raised by downstream viruses, and information security system breakdowns. He has spoken about the Computer Fraud and Abuse Act at numerous panels and seminars including the RSA Conference 2003, RSA 2004, RSA 2005 (scheduled), Computer Security Institute Conference 2004 and the Maine State Bar Association 2002.
© Copyright 2004 Jon Stanley
Authored by: blacklight on Friday, December 17 2004 @ 11:12 AM EST
" . . .password protection itself normally limits authorization by
implication (and technology), even without express terms. But we think that in
general a reasonable expectations test is not the proper gloss on subsection
(a)(4) and we reject it. However useful a reasonable expectations test might be
in other contexts where there may be a common understanding underpinning the
notion, cf. Terry v. Ohio, 392 U.S. 1, 9, 20 L. Ed. 2d 889, 88 S. Ct. 1868
(1968)"
I guess this pretty much takes out any notion that anonymous ftp access is
hacking.
Authored by: Anonymous on Friday, December 17 2004 @ 11:19 AM EST
PJ,
Is CFFA (whatever that is) a misspelling of CFAA?
Bob
Authored by: Ted Powell on Friday, December 17 2004 @ 11:20 AM EST
"A breech of a contract based access provision should never be the basis
for a CFAA violation. It should be the basis for a contract breech."
I think he probably meant "breach".
---
The cost of a Windows-to-Linux conversion is irrelevant over the longer term,
because you only have to do it once.
Authored by: Anonymous on Friday, December 17 2004 @ 11:37 AM EST
I believe that the title on the home page should refer to CFAA and NOT to CFFA.
The body of the text provided by the Distinguished Attorney certainly uses that
abbreviation.
I suspect it was another long night for PJ...
Authored by: AllParadox on Friday, December 17 2004 @ 11:41 AM EST
---
All is paradox: I no longer practice law, so this is just another layman's
opinion. For a Real Legal Opinion, buy one from a licensed Attorney
Authored by: AllParadox on Friday, December 17 2004 @ 11:48 AM EST
Main posts in this thread may only be made by senior managers or attorneys for
"The SCO Group". Main posts must use the name and position of the
poster at "The SCO Group". Main posters must post in their official
capacity at "The SCO Group".
Sub-posts will also be allowed from non-"The SCO Group" employees or
attorneys. Sub-posts from persons not connected with "The SCO Group"
must be very polite, address other posters and the main poster with the
honorific "Mr." or "Mrs." or "Ms.", as
appropriate, use correct surnames, not call names or suggest or imply unethical
or illegal conduct by "The SCO Group" or its employees or attorneys.
This thread requires an extremely high standard of conduct and even slightly
marginal posts will be deleted.
PJ says you must be on your very best behavior.
If you want to comment on this thread, please post under "OT"
---
All is paradox: I no longer practice law, so this is just another layman's
opinion. For a Real Legal Opinion, buy one from a licensed Attorney
Authored by: AllParadox on Friday, December 17 2004 @ 11:50 AM EST
---
All is paradox: I no longer practice law, so this is just another layman's
opinion. For a Real Legal Opinion, buy one from a licensed Attorney
Authored by: swmcd on Friday, December 17 2004 @ 11:56 AM EST
There was a case in Oregon about 10 years ago having to do with
"unauthorized" access to a computer. See
http://www.lightlink.com/spacenka/fors/
Some commentary on the Oregon Computer Crime law:
http://world.std.com/~swmcd/steven/rants/merlyn.html
Authored by: Anonymous on Friday, December 17 2004 @ 12:03 PM EST
How widely applicable is this precedent?
MSS
Authored by: Anonymous on Friday, December 17 2004 @ 12:40 PM EST
Suppose that there is a well trod path across my property. There is a faded
fifty year old sign warning that trespassers will be shot but every day hordes
of students use the path as a shortcut to school. A drunken hobo sees this
happen a couple of times and observes that I seem not to object to this
trespass. He steps onto the path and I shoot and wound him.
I think I will have trouble getting a trespass charge to stick and I think the
hobo has a strong case against me.
(Yes I realize that in most, but not all, of the civilized world, you go to jail
for shooting trespassers.)
In the present case, if someone is aware that people are downloading content
that they don't want downloaded, and they take no action to stop it, then it
seems that they should not be able to selectively prosecute 'trespassers.'
Authored by: AMc on Friday, December 17 2004 @ 12:42 PM EST
IBM was a licensed 'partner' developer for OpenServer, UnixWare, and United
Linux at least until early 2003. They developed and supported drivers for SCOG
products that were sold preinstalled on several server lines manufactured by
IBM. Could this:
a) Negate the CFAA claim by basis of IBM having license and need to download
updates from SCOG?
b) Affect the CFAA claim by process of already having the code in house due to
the dev license?
Also interesting that the CFAA precedents as they exist now would place adware
companies in violation of the act.
Authored by: Anonymous on Friday, December 17 2004 @ 12:45 PM EST
If access to a web site is UNauthorized by default, how is one supposed to
access anything on the site to gain permission? Servers (http, and FTP) were all
assumed to be public access well before this stupid law was created. And yes, I
do mean stupid - as in: Whoever crafted it does not have a clue and should not
be making laws. Allowing "anonymous" ftp access means you're open to
the public - this has always been the standard interpretation. Any law that
attempts to make this not so may just as well dictate that we all call the sky
green from now on until the public comes to realize they've been mistaken about
the names of colors all along.
Authored by: webster on Friday, December 17 2004 @ 12:50 PM EST
This CFAA law establishes a crime or a criminal "violation." It then
adds a civil provision to remedy such violations. Here it is:
***
(g) Any person who suffers damage or loss by reason of a
violation of this section may maintain a civil action against the
violator to obtain compensatory damages and injunctive relief or
other equitable relief. A civil action for a violation of this
section may be brought only if the conduct involves 1 of the
factors set forth in clause (i), (ii), (iii), (iv), or (v) of
subsection (a)(5)(B). Damages for a violation involving only
conduct described in subsection (a)(5)(B)(i) are limited to
economic damages. No action may be brought under this subsection
unless such action is begun within 2 years of the date of the act
complained of or the date of the discovery of the damage. No
action may be brought under this subsection for the negligent
design or manufacture of computer hardware, computer software, or
firmware.
*****
All crimes in the United States are prosecuted under a standard articulated in
all jury instructions as "beyond a reasonable doubt."
One can not invoke a criminal violation or a crime under this statute until such
allegation has been proven to a jury of one's peers who decide unanimously by
the standard of "beyond a reasonable doubt" that someone is guilty.
The civil remedy for this crime would then proceed in court by the traditional
civil standards variously described as by "clear and convincing
evidence" or by "a preponderance of the evidence."
So it is a mystery to me how SCO can allege this crime and invoke the civil
remedy until a crime has been proven by the criminal standard. It appears to be
a way to invoke a crime with an insufficient standard of proof. Used like this
one must question its constitutionality.
You shouldn't be able to make this allegation in a civil suit until it has been
proven in a criminal court.
***Sidenote rave: This law may be another example of political pandering and
campaign fund influence. Politicians like to be perceived as working and
responding to societal needs. Many criminal laws are passed that are total
window dressing and meaningless. Laws on hate crimes, school zones, chronic
offender, etc. almost always unreasonably duplicate or specify laws that are
already on the books. They rarely have any influence other than allowing
political candidates to claim them. Does an unused law punishing a criminal
with 5 lifetimes when one is plenty always lead to a superficial yet effectual
political appeal?
---
webster
Authored by: Anonymous on Friday, December 17 2004 @ 12:57 PM EST
If sco released the code under the GPL doesn't making this
charge amount to a violation of the GPL? I.E. how can
they make this charge against code placed in the GPL since
the license states they can't place restrictions on the
distribution?
Authored by: rsteinmetz70112 on Friday, December 17 2004 @ 12:58 PM EST
IBM was authorized to access the site, even under SCOG's version of reality, by
virtue of having a valid SCO Linux copy and was probably following instructions
printed in SCO Linux documentation.
Remember SCOG changed the rules, after they decided that IBM stole their stuff.
There are more than a few details missing of what actually transpired.
As usual SCOG made an assertion without providing any evidence that IBM or their
employee who actually accessed the site was unauthorized.
---
Rsteinmetz
"I could be wrong now, but I don't think so."
Randy Newman - The Title Theme from Monk
Authored by: whoever57 on Friday, December 17 2004 @ 01:07 PM EST
I believe SCO's claim may refer to the time that downloads could be accessed
only via an HTTP site. The site caused a password request, but accepted a blank
password.
Perhaps SCO did this as a deliberate trap? It seemed to make no sense at the
time.
Authored by: Anonymous on Friday, December 17 2004 @ 01:13 PM EST
Kathleen Bennett’s Declaration makes no mention of how she accessed
the SCO files in question other than to declare she downloaded them from
specific SCO sites. However, I have been told by people familiar with Groklaw
and familiar with the specific issue in question here that it may have been
possible to access at least some of the relevant files by using anonymous as
your user id and your email address as your password.
This, so I am told, is a common practice by companies that wish to make their
applications, websites, and information available to the public. Further,
without having first-hand knowledge of the facts, I have seen posted comments
on Groklaw that indicate the relevant files were placed in “public directory”.
If this information and assumption is correct, SCO’s claim that Kathleen
Bennett exploited a "bug" and “hacked” into SCO’s computers is specious and
should be repudiated by the court on the grounds that what Kathleen Bennett did
was exactly what SCO intended an end user to be able to do and what is a common
and normal practice in the digital world. It should not be seen as a CFAA
violation or as something “improper”.
We need to clarify that one site was accessed through anonymous ftp, and
another site was accessed by clicking OK on an http authentication dialog that
had no security behind it. SCO was less than clear in their accusation, but it
is apparent that the "bug" that IBM "exploited" refers to the unsecured http
site. There's no way that IBM can be faulted for using anonymous ftp, and SCO
knows that very well.
There is one key question here: What could IBM reasonably construe from the
fact that SCO's http authentication had no security behind it?
As an internet user, I would construe that SCO was intending, or at least
allowing, public access. The biggest contributing factor in this impression is
the following fact: SCO had no reason to restrict access to its Linux files
other than to conserve bandwidth. It's reasonable to assume that SCO didn't
have any bandwidth problems, and therefore didn't care that their site was
openly accessible.
IBM was not raiding the cookie jar. They were simply making reasonable
assumptions.
Authored by: mrpeach on Friday, December 17 2004 @ 01:19 PM EST
What I don't understand about the referenced AOL case is, how was the spammer
bound to the AOL Terms Of Service? Was there a contractual relationship between
them? Was one implied by the simple act of access?
---
"The very powerful and the very stupid have one thing in common. Instead of
altering their views to fit the facts, they alter the facts to fit their
views... wh
Authored by: mikebmw on Friday, December 17 2004 @ 01:21 PM EST
Question:
What's to stop people distributing others' copyrighted material from their web
site being able to hide behind the CFAA? For example, one creates a website
distributing music files with copyrights owned by the RIAA. On that web site
post an authorized access statement "claiming the RIAA, agents of, etc., are
unauthorized to access this web site ...."
Under the CFAA any evidence collected could be thrown out due to unclean hands,
and the RIAA could possibly be prosecuted for attempting to protect their
copyrights. Would the RIAA have to get law enforcement to get a warrant to
inspect the site? It seems a sticky mess if you ask me.
-mikebmw
Authored by: rao on Friday, December 17 2004 @ 01:30 PM EST
If the premise of the relevant section of the CFAA is privacy protection, as
the article says, it's a little hard to understand how downloading GPL'd code
could be a violation. What privacy claims can SCOX make on GPL'd code?
Authored by: Anonymous on Friday, December 17 2004 @ 01:33 PM EST
If all I have to do is put a term on my website, what is to keep me from going
after google for caching it?
I understand the argument of robots.txt, but this seems like a very grey area.
It seems like congress needs to define "reasonable protection".
Authored by: Simon G Best on Friday, December 17 2004 @ 01:53 PM EST
This is just another speculation, but it occurred to me that maybe IBM was
already one of the authorised, registered users (as others have suggested), and
had previously entered their login details, with the browser storing
the relevant stuff as browsers sometimes do. If so, I can imagine that Kathleen
Bennett may not have witnessed the authentication steps, as they could have been
performed on a previous occasion, and were subsequently performed automatically
by the browser, including on the occasion(s) that Kathleen Bennett witnessed.
It could give the impression to such a witness that no authentication
was required, even if it was, and was being given by the browser on the user's
behalf.
Just a thought :-)
--- Open Source - open and honest?
Not while the political denial continues.
Authored by: Anonymous on Friday, December 17 2004 @ 02:06 PM EST
Either: 1. SCO is (still, even) making the sources available to their
customers to whom they distributed binaries, in which case, they can only do it
by fully complying with the GPL, or 2. They stopped making sources available to
their customers to whom they distributed binaries, in which case, they violate
the GPL, and their distributions were unlicensed or in violation of a license
they agreed to.
It matters not at all whether SCO password protects it.
As long as they distribute it to any customer, they could only be doing it under
the rights of the GPL, and then only if they continue to make the sources
available upon request (to those to whom the original distribution did not
contain source), but they can only do this if they comply with GPL and do not
restrict further use.
By ever distributing in a medium that does not
always include source, they are bound to continue distributing source upon
request for a significant amount of time or they are in violation, but they can
only continue to distribute by continuing to accept the same license they
originally accepted.
Authored by: Anonymous on Friday, December 17 2004 @ 02:43 PM EST
So, if you put up a main page that said "Access to this site is permitted
under the condition that you not disclose any of the site's contents or nature
of those contents to anyone for any reason. Click [OK] to continue", you
could then distribute illegal MP3s, pirated software, etc. and the files
downloaded as evidence could be thrown out as they were obtained with
"unclean hands"? That would seem to protect and encourage illegal
behavior. That's an unbelievably stupid law. What am I missing?
Authored by: Anonymous on Friday, December 17 2004 @ 02:50 PM EST
Can't IBM just say ok if that was not proper how about hand
over the source code that was or still is on that server?
Authored by: Anonymous on Friday, December 17 2004 @ 02:53 PM EST
Wouldn't this law apply the other way around? If I am providing information to
a website in agreement with the TOS or privacy policy, and the company then
ignores their obligations under the contract can I use this law against them?
The spyware companies were recently found to not be in violation of their
privacy agreements because they are non-binding (crazy). But this isn't a claim
for breach of contract so I'm not sure that matters.
Authored by: Anonymous on Friday, December 17 2004 @ 03:06 PM EST
The entire basis of this law comes down to the word "protected".
Anonymous ftp by definition "unprotects" the system, or sets up an
unprotected area in an otherwise protected system. I also think the word
"password" is confusing everyone. Many anonymous FTP's require a
password, many don't. But that doesn't mean the system is protected, it is still
public and unprotected.
I am not an attorney, but I am a computer security expert, and for SCO to claim
that there was a bug or that the computer was indeed protected is just simply
lying to the court.
Authored by: Anonymous on Friday, December 17 2004 @ 03:16 PM EST
Whatever happened with that Schwartz interview you asked us to provide questions
for?
link
Or did it happen and I missed it?
Authored by: Anonymous on Friday, December 17 2004 @ 03:24 PM EST
Can anyone provide definitive answers to the following:
- Did SCO Linux shrinkwrap boxes include a username and password?
- If so, was it the same username and password for all customers?
- Did the customer have to agree not to share the username and password with
others?
- Did the SCO website contain any text indicating that the site was for
customers only?
Inquiring minds want to know.
Authored by: Lazlo Nibble on Friday, December 17 2004 @ 03:27 PM EST
I access the internet pursuant to my Terms and Service Agreement
with my ISP (that I agreed to but given that there are only 48 hours in a
weekend, did not read). This is the contractual instrument that allows my
“access” to be “authorized”.
It's clear to me that an ISP
has a right to control access to their own systems and resources, and
that if an individual violates an ISP's TOS in a way that terminates that
individual's contractual agreement with the service provider, there's an
argument to be made that the customer's further use of that ISP's systems and
resources is a CFAA violation. But under what legal theory would an ISP be
empowered to "authorize" (or un-"authorize") an individual's "access" to
materials not under the ISP's physical or contractual control (e.g., the
contents of an arbitrary web or ftp site on the open Internet)? Surely the issue
is not the downloaded content itself, but the fact that the individual
downloaded that content using resources they no longer had permission to
use?
This would be like charging someone with credit card fraud for
placing a phone order using their own valid credit card, because they made the
call from a house they'd broken into.
Authored by: minkwe on Friday, December 17 2004 @ 03:44 PM EST
SCO claims that they "only" knowingly distributed IBM's copyrighted
works to their customers.
Is it relevant if IBM hacked into their website or not? They have admitted in
their defence that they did distribute it. They are not denying that. So this
"hacking" accusation does not (I think) have relevance with respect to
IBM's PSJ.
---
"Corporate views on IP law might be described as similar to a 2-year-old's
concept of who gets to play with all the toys regardless of who brought them" --
PJ
Authored by: Anonymous on Friday, December 17 2004 @ 04:16 PM EST
By my reading of the complaint it appears that SCO is contending that the
website as a whole was protected via an 'authorised customer' login.
Now let us extrapolate that a little and go for this concept. We authorise the
website as a whole to google so that our customers, and potential customers, can
google to the authorised pages. As part of this google picks up a link to a ftp
site that is not publicly available on any public link. I go into google, find
the FTP site directly. Did I breach the authorisation that SCO put in place?
Did google breach authorisation by publishing that link, I bet no because it was
authorised to provide search facilities.
This goes further to the centre of the problem. If website owner puts a
disclaimer on the first page (the contract) that this website may not be
processed electronically without authorisation (google is OK) and I never get
there. Am I bound by that contract?
This is an interesting legal question. For example the horse breeding pages had
the ability to query a single horse to find pedigree. The company sold the
database as a whole. Someone came in and slowly scraped all the pedigrees off
the website one by one building a pedigree database, directly from them.
Morally I would call this wrong but if we do not have a clear cut rule then this
may constitute fair use.
I for one support the idea that this whole concept should be carefully
considered.
Finally the GPL is the ultimate authorisation. Your right to the source code
from the distributor. Since SCO has not repudiated the GPL I can guarantee that
IBM has a SCO server or caldera license somewhere in the organisation and is
therefore authorised to obtain that software.
Authored by: jim Reiter on Friday, December 17 2004 @ 04:17 PM EST
Something I would need to know is "had IBM previously
requested this information in discovery?"
The fine point being that if IBM obtained the information
it was already entitled to, it would be hard to have it
excluded. My impression is that TSG has not been
forthcoming in furnishing information on what is in their
code.
Authored by: Anonymous on Friday, December 17 2004 @ 04:18 PM EST
I ftp'd into SCO's FTP server, and read the legal notice they have, SCO only
allows linux downloads by existing customers (according to the Legal Notice).
Did this condition of downloading exist at the date of IBM's access/download to
SCO's linux? And if so, was IBM an SCO customer at the time?
Authored by: Anonymous on Friday, December 17 2004 @ 04:19 PM EST
It seems to me that there is little doubt that this issue will eventually be
decided in IBM's favor. The question in my mind is how long, if at all, it can
further delay the proceedings? If the judge will have to address this issue in
order to preclude an appeal, it seems that he will need more evidence to do
so. Will the judge have to get more evidence, and if so, how is this likely to
be done, and in what time frame?
Thanks to PJ and everyone else here. I love this site.
Mark
Authored by: Anonymous on Friday, December 17 2004 @ 04:47 PM EST
OK, so it seems to me like the issue here is whether or not this evidence (the
SCO linux code that included IBM's copyrighted material) is allowed or
not....and nothing else.
What would stop IBM from posting a note to this Groklaw (or anywhere else for
that matter) that said "We are looking for someone who has purchased SCO
United Linux [or whatever] and would allow us to view the source code? You do
not have to worry about violating license terms because Linux is open source and
sharing the source code is NOT a violation of the GPL. Thank you and good
day."
Authored by: jim Reiter on Friday, December 17 2004 @ 05:08 PM EST
When TSG learned that The GPL would put "their" code under
the GPL license, they claimed they stopped distributing
it.
TSG had the option of recalling the product. This is not
what TSG did. TSG kept the money and continued to support
the software. In effect, TSG continued to operate under
the GPL.
Authored by: kberrien on Friday, December 17 2004 @ 05:21 PM EST
>by virtue of having a valid SCO Linux copy and was probably
>following instructions printed in SCO Linux documentation.
In true IBM fashion, I would expect during oral arguments IBM will provide
instructions, from SCO in published form instructing users/owners where, and how
(even if anonymous ftp/wb) to get updates off their website. I would also
expect there to be a receipt for the purchased SCO software.
Given IBM's performance of crossing the i's, and dotting the T's, I assume they
have already thought of this SCO trick.
Authored by: Anonymous on Friday, December 17 2004 @ 06:30 PM EST
This is meant more to illustrate broadness than just me being pedantic.
If I put Terms of Use on my website that read "You are not authorized to
read this document," is anyone who reads the Terms of Use or uses the site
potentially in violation of the CFAA?
It seems that the lack of any damages in the civil statute invites silly
interpretations like this.
Authored by: Gothic`Knight on Friday, December 17 2004 @ 06:43 PM EST
Though nothing is ever certain when courts and the law are involved it appears to me
that this is yet another SCOX delay tactic. It really shows the near desperation
level that they are getting to and is now at the stage having no facts or law to
pound it is time to pound the table.
When all others around you are losing their head; duck!
Authored by: Anonymous on Friday, December 17 2004 @ 06:50 PM EST
IANAL but shouldn't there be some room in the legal system for common sense? eg.
It was open to the public so it was authorized anyway?
What happens when a nonsensical law is enacted? Do the courts just follow it
anyway?
Authored by: seantellis on Friday, December 17 2004 @ 06:51 PM EST
I just did a very quick test over at ftp.sco.com.
Anonymous access was granted with no password requested.
All of the Linux download directories contain only a text file called "Legal
Notice", file date 27/10/03 (although I doubt this date is legally binding),
which directs the user to re-register for access to an alternative site.
However, in folder ftp://ftp.sco.com/pub/opensource/ (note the "pub" -
traditionally the publicly accessible folder on ftp servers), we find a couple
of subdirectories and a readme which states, in part:
README - This file
nkfs/ - nkfs source code released under GPL
aim-suite7/ - GPL Version of the AIM Multi user Benchmark Suite VII
aim-suite9/ - This is the GPL version of the AIM Independent Resource Benchmark--Suite IX
So it would appear that, as of 17 December 2004, SCO is
still offering GPL'd software for download via anonymous FTP, with no password
restrictions, in the conventional space used for public access.
This is clearly contrary to its previous position on the GPL, and may be an
explicit GPL violation depending on the position taken by the AIM suite
developers.
--- Sean Ellis (sellis@geo-removethis-cities.com)
Authored by: Anonymous on Friday, December 17 2004 @ 09:31 PM EST
Ok, suppose it is true that IBM's access of SCO's site violates the CFAA. Then
it would appear that it is legal for a company, any company, to create a
publicly accessible web site and then claim, after the fact, that anyone they
did not like who accessed the site had committed a criminal act. This would be
so because they would not "authorize" those they did not like to
access the site's information.
So, it now appears clear that SCO may demand criminal prosecution of PJ, and
probably 2/3 of the Groklaw community, for "unauthorized access" to
their web site, in contravention of the CFAA.
Did I get that right?
Authored by: marbux on Friday, December 17 2004 @ 10:13 PM EST
In an earlier post, I suggested that the
doctrine of unclean hands may not provide a viable legal theory for SCO because
I thought it only applied to conduct underlying the claims for relief, and could
not arise from conduct after litigation commenced. I was apparently wrong.
Checking SCO's citations on that issue was infeasible during the time
I had available because only one, a Supreme Court decision, is available online
without access to a commercial legal database. That decision did not stand for
the proposition SCO was espousing.
However, since then I have found another case online that does support SCO's
theory. In Aptix Corp. v. Quickturn Design, (broken HTML alert), the
Federal Circuit found that a pattern of repeatedly producing fraudulent evidence
in response to discovery requests, plus a later refusal to testify about the
circumstances based on the right against self-incrimination, was sufficient to
apply the doctrine of unclean hands to bar proceeding with a patent infringement
claim. The decision cites several supporting authorities on that point.
Why SCO's lawyers relied on old case decisions and did not cite the 2001
Aptix case is not apparent.
So it appears that the court may have to
reach the issues posed by the Computer Fraud & Abuse Act and SCO's
supporting evidence in order to determine whether SCO's unclean hands argument
raises a genuine dispute over a material fact.
I apologize for suggesting
that the doctrine of unclean hands was inapplicable.
--- Retired lawyer
Authored by: Anonymous on Saturday, December 18 2004 @ 02:54 AM EST
I have a serious problem with the claim, made in this article, that access is by
default unauthorized. I have a problem on several levels.
First, it takes an act of the poster to make information publicly available,
whether or not it is publicly advertized. If you put up a web site and then
claim that certain people are not allowed to see the information, but that
others are, without telling everyone about these policies explicitly, and in an
interruptive manner, you can't claim that the content was in any way limited.
This is like publishing a newspaper and stating in the fine print on page 3,
that blondes (or some other arbitrary group) can't see the info.
Second, do we expect the publisher to do anything at all to maintain their
security? Seriously! If you want to limit distribution, do so. Don't just
expect that people will do what you want. This is like blaming a coffee maker
for making coffee that is hot and burns you.
Third. SCO is required to disclose the code they are distributing to pretty
much all comers. This is GPL. By virtue of the original license agreement, IBM
can have a copy of whatever SCO is distributing, so the very idea that there
are unclean hands is laughable.
-----Didn't Login lofdev
Authored by: Ian Al on Saturday, December 18 2004 @ 07:59 AM EST
If IBM used anonymous ftp to obtain evidence with clean hands, is this
inadmissible if the same evidence was also obtained with unclean hands by a
different method? That would mean that all the evidence obtained in discovery
was inadmissible if just one other piece of evidence was obtained with unclean
hands. I would expect the court to dismiss this theory as 'silly' (see PJ's
previous article on unclean hands).
So, even if SCOG prevail with respect to the http sites, they would be caught by
the evidence obtained via ftp.
Considering the evidence obtained via http sites, it appears from the IBM
deposition that the original files were viewed via an unprotected site. It also
seems that when IBM rechecked (in August?) that the URLs they went to
(bookmarked?) were, again, unprotected. Looking at the detail of the accusation,
IBM are claimed to have,
(2) intentionally accessed a computer without authorization or exceeds
authorized access, and thereby obtains--
(C) information from any protected computer if the conduct involved an
interstate or foreign communication [can be liable for a violation of the CFAA]
The current password protection displays the following in the Login screen,
Server linuxupdate.sco.com
Message SCOUpdate Service for valid SCO users only
Even that does not make it clear who is a non-valid SCO user and that non-valid
users are prohibited from accessing the material. Is it an unreasonable
expectation that it is OK to download the files and install Linux under the GPL
and thus become a valid SCO user? So, was the site protected and was IBM
unauthorised or exceeding their authorisation?
When IBM accessed the http sites, were there any clear warnings that they were
exceeding authorised access by viewing the materials? If not, SCO had no
reasonable expectation that anyone would not access the materials.
Also, as was mentioned in the previous thread, both as licencees of Unix
products and partners in Open Linux, IBM may have authorisation, ids and
passwords that make access authorised.
I assume that SCOG are trying to demonstrate a fact over which controversy
exists and that might stand a chance in front of a jury (See, I have been
listening!). However, they have provided no evidence of the facts they claim.
They don't show that the sites were protected when IBM accessed them, nor that
there were stated authorities required for access, nor that IBM were
unauthorised, nor that any sort of 'hacking' was necessary to get to the
information. Neither did they provide expert evidence that the accesses actually
took place and that they were unauthorised. Personal information gained by
reading the court documents does not count (told you I was listening). Remember
the case of the lawyer giving 'phone' records in evidence? Giving the reason for
the site and indicating who was authorised to access it in the response to a PSJ
does not put IBM in the wrong.
In general, although the experts tell me that this could be serious, on
reflection it is not going to spoil my Christmas.
---
Regards
Ian Al
Authored by: StLawrence on Saturday, December 18 2004 @ 03:49 PM EST
According to SCO's current website, here are the names of the individuals
responsible for the management and direction of The SCO Group:
Darl C. McBride, President & CEO, Director
Chris Sontag, Senior VP & GM of SCOsource Division
Bert Young, CFO
Ryan E. Tibbetts, General Counsel
Jeff Hunsaker, Senior VP & GM of UNIX Division
Reg Broughton, Senior VP
Alan Raymond, VP
Ralph J. Yarro III, Chairman of the Board
Edward E. Iacobucci, Director
Darcy Mott, Director
Thomas P. Raimondi, Jr., Director
R. Duff Thompson, Director
K. Fred Skousen, Director
Daniel W. Campbell, Director
Inquisitive Googlers are referred to http://www.groklaw.net for complete
information on the results of the management of TSCOG by these individuals.
The Internet has a long memory.
Authored by: johnwren on Saturday, December 18 2004 @ 10:04 PM EST
In 1998 I purchased "Hands-On Linux" by Mark G. Sobell, published by
Addison Wesley, ISBN 0-201-32569-1. The book has a Caldera imprint on the front
cover design, and contained a CD which features Caldera Openlinux Lite. In the
supplementary license at the back (which makes a very clear statement about the
GPL "Nearly all of the components that make up the OpenLinux Lite product
are distributed under the terms of the GNU General Public License..." but
covers some additional products included by Visix, Caldera and Vital) is found
the following invitation:
"NOTICE: OpenLinux Lite is provided without technical support of any kind, though
we invite you to browse the technical resources at our Web site:
http://www.caldera.com".
I'm a language teacher, not a lawyer, but this sounds to me like an implicit
invitation to download updates off their site, given that the license also says
elsewhere that the GPL "permits free and unrestricted redistribution."
I would be willing to bet IBM can find a copy of this book in their library.
(I have been reading Groklaw for more than a year, but this is the first time I
thought I might have something to contribute.)