01.29.07

On the nature of “disclosure”

Posted in Law at 21:59 by Wormwood

In this post at the Volokh Conspiracy, Prof. Eugene Volokh raises the question of what could happen to Insecure.org owner Fyodor Vaskovich in regards to the recent GoDaddy/Myspace/Seclists fiasco. While I’m not advocating the disclosure of passwords to any account on any service, no matter the perceived “importance” or “sensitivity” of the account information or that on the service, I think it’s important to discuss what, exactly, is meant by “disclosure”.

Let me break down the case as I see it so far.

What I (Supposedly) Know:

  • Vaskovich runs Insecure.org, which is also the hosting site for the Seclists.org list archive.
  • Seclists.org archives the fulldisclosure list.
  • Vaskovich has stated, in the posting on his site regarding this scenario, that he deletes posts from the archive that he finds to be illegal, irrelevant to the list at hand, or objectionable.
  • The “fulldisclosure” mailing list, like many others Vaskovich archives, is intended to be a discussion forum for security vulnerabilities among the “white-hat” hacker community. Members are cautioned in the list charter about the potential unethicality or illegality of utilizing any exploits or tools discussed in the list.
  • Vaskovich does not run the fulldisclosure list (this list is run by grok.org.uk).
  • A poster on the fulldisclosure list posted a list of “phished” MySpace account names and passwords.
  • This list is a “public secret”; the poster apparently was not the person who performed the phishing exploit, and the list can be found via simple Google searches.
  • MySpace complained to GoDaddy about the list being available on Seclists.org due to the fulldisclosure posting.
  • GoDaddy immediately changed the DNS servers for seclists.org to their “suspended for spam and abuse” servers.
  • GoDaddy did not inform Vaskovich up front as to the nature of the supposed “violation”.
  • Vaskovich was initially met with a verbal (“abuse doesn’t take calls”) and temporal (“expect a response within one to two business days”) stonewalling when attempting to discern the reason for the action on GoDaddy’s part.
  • GoDaddy’s ToS states that they can refuse further service for “morally objectionable activities” when GoDaddy decides that a domain name is being used for activities “designed for” certain illegal or unethical activities.
  • GoDaddy’s ToS also states that they may choose to inform a client of a suspected breach of contract before taking action against them, with a grace period of up to ten (10) days.

What I Interpret:

  • Vaskovich’s admission that he moderates his archives of certain lists indicates that he does not knowingly or willfully participate in any activity specifically designed for the purpose of facilitating any illegal or unethical activities.
  • Vaskovich’s specific archiving of the fulldisclosure list does not indicate a willful attempt to cause harm to MySpace or its users, or (more broadly speaking) a willful attempt to cause harm to anyone who might be harmed by any of the exploits available via any of the lists his site archives.
  • GoDaddy’s decision to not inform Vaskovich of a suspected “morally objectionable activity” indicates undue pressure was placed by MySpace on GoDaddy to take action against Vaskovich.

My Opinion:

  • The phished MySpace account/password list really has no practical merit. It is the result, not the method, of a “social engineering” tactic, not an exploit against an actual secure system (humans are notoriously insecure on their own), and it has no immediately visible meritorious use beyond serving as a warning to those who ignore the continual reminders never to give your password to anyone, at any time, for any reason. As such, the posted list seems to fall under the same “illegal or irrelevant content” guidelines Vaskovich claims to use when monitoring his own archives of these lists.

So that’s my opinion on the case as it actually happened. Prof. Volokh has asked a question in his own article that’s rather interesting:

If one of the states [in a list of states that criminalize unauthorized password disclosure] had jurisdiction over Seclists.org, and Vaskovich had kept the password list on the computer even after he knew it was there, would he be guilty under the relevant statute? Would the First Amendment protect his continued retention of the data on his computer? (I tend to think that the First Amendment would not protect this, for reasons discussed in Crime-Facilitating Speech, 57 Stanford Law Review 1095 (2005), but courts have not yet confronted the question.)

In my own comments on the aforementioned Volokh post, I asked:

I’m wondering if my question on the matter is the same as yours - does “knowingly having/archiving/retaining the already-disclosed data publicly” equate to “disclosing the data”?

Of course, now I realize that in my undercaffeinated state, I was asking an entirely different question than Prof. Volokh was asking, but I think there’s something to be said for this. If I run a website on which someone posts (directly or indirectly) a username/password pairing, am I disclosing the data by willfully allowing it to remain on my system? I’d argue yes. It’s a passive disclosure, and I’m not the reason that the data exists on my site, but by willfully retaining the data in a publicly-accessible manner, I am in fact causing the information to be further disseminated. There’s another twist, however, that Prof. Volokh didn’t bring up. Before I get to that, I highly recommend you at least scan the Prof’s paper I linked to above.

In Vaskovich’s recounting of the whole fiasco (linked again here), he gives a pair of strings that, when used as search terms in Google (singly or jointly), bring forth links to various stories covering the leak and to the actual fulldisclosure posting on another archive. Does this count as “disclosure”? I’d argue no. Just like Prof. Volokh’s URLs of potentially crime-facilitating websites in his paper, I’d say that Vaskovich is merely giving a method by which people can find the actual document from which this fiasco sprang, fully formed, like Minerva. One might as well claim that there is a measure of “crime-facilitating speech” involved simply in speaking the name of The Anarchist’s Cookbook or other similar actual crime-facilitating texts.

Reaction Summary (Pure Opinion):

  • Vaskovich shouldn’t be held responsible for the content of posts made to unmoderated mailing lists which he archives but does not control unless he is aware of the content thereof.
  • Deletion of the relevant post from his archive indicates that Vaskovich in no way intends his site to be used for unethical or illegal activities.
  • Posting the method by which one can find this list is no different than giving URLs of potentially-criminal websites.
  • Since the list has no known use other than unauthorized use of MySpace accounts, it has no non-criminal merit (it is not, as Prof. Volokh would call it, dual-use) and thus raises no First Amendment questions.
  • Overall Reaction:
    • Mr. Vaskovich would do well to find himself a better registrar with better Refusal of Service guidelines.
    • GoDaddy should probably try to find some better phrasing for their ToS than “It’s morally objectionable because we say so”.
    • Final Thought:
      • I’m curious how many registrars, ISPs, hosts, and websites MySpace attempted to bully over the leak.

2 Comments »

  1. SigT said,

    February 3, 2007 at 12:02

    GoDaddy? BaDaddy!…

    I was letting this one cool off, because news like this tends to bring out my bad mood and I don’t feel like spitting bile either…

    Fyodor, the creator of Nmap, a powerful application for scanning ports among other things, has started a site called nodaddy.com in…

  2. RafaLinux » Hosting on GoDaddy.com said,

    March 17, 2007 at 12:04

    […] Logadmin (where I learned about the nodaddy site), texturbation (English) and The reaction shot (also in English, but explaining what happened step by […]
