Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

Summary of the David Ritz case

Summary of the David Ritz case

  • Comments 4

As I wrote in an earlier post, a judge in North Dakota recently ruled against David Ritz.  Ritz is an anti-spammer who was sued by Sierra Corporate Design, Inc.  The full judgment is here, I will attempt to summarize it. 

The basis of the case is that Ritz believed that Sierra was a spamming company and gained unauthorized access to Sierra's computers.  Ritz conducted zone transfers to get this information.  Zone transfers are the means by which a primary authoritative domain name server copies the domain structure to a secondary authoritative domain name server for the purpose of redundancy.  So, basically, Ritz got access to IP address and domain information from Sierra.  He used basic Unix tools to do it, but in the judge's words, this access was unauthorized since Ritz was not a network administrator.

The court then further found that Ritz was guilty of malice by what he did with the information.  Allegedly, he pressured some Usenet ISP's to cancel some messages posted to through its service and convincing others to de-peer with it.  Basically, the court says he stole information, concealed his identity while doing it (thereby confirming his guilt - why conceal what you are doing if it's legit) and blackmailed others with the information he acquired.

Among the court's findings:


The Court rejects the test for "authorization" articulated by defendant's expert, Lawrence Baldwin. To find all access "authorized" which is successful would essentially turn the computer crime laws of this country upside down. Any backer could allege that any form of access was authorized because he was able to penetrate the system, regardless of whether the commands utilized were well-formed.

This is difficult for me to comment on because I am not a lawyer, but used to want to be one when I was back in high school (I could have been a great lawyer).  According to the above statement, Ritz's expert said that if you try to get the information and it's given to you, then you are authorized to access the information.  The judge has rejected that statement and is saying that unless you are explicitly authorized to receive it, then by default you are not authorized.  Among the findings of fact, the judge says that Microsoft itself, as well as various other, authorities all refer to zone transfers conducted by an individual other than the network administrator or an authoritative name server as "unauthorized."

I'm not sure about this.  This seems to be a gray area within the law.  In the United States Constitution, it explicitly lists the powers of the Executive.  If it's not mentioned, then there this room for debate (which explains why the powers of the Executive and Legislative branches have expanded since Confederation).  In other words, simply because Microsoft says zone transfers are only to be conducted by network administrators, unless the criminal code explicitly defines what is authorized access and what is not unauthorized access, the judiciary will continue to create law from the bench.

Leave a Comment
  • Please add 2 and 5 and type the answer here:
  • Post
  • PingBack from http://www.biosensorab.org/2008/02/10/summary-of-the-david-ritz-case/

  • "I could have been a great lawyer"

    No you couldn't.  In order to be a great lawyer, you have to overcome your natural inclination to think with logical logic, and learn to think with legal logic.  You would have to do more than believe that judge when she talks, you'd have to have the same programming yourself that she has.

    Your post yields a second reason too:

    "In the United States Constitution, it explicitly lists the powers of the Executive."

    Even if that part of the US constitution hasn't been overthrown yet, it still has nothing to do with operations by private parties.

    The law says that if you politely ask an entity to do something for you and the entity does it, then it's legal if you've just finished tricking the entity through the use of lies and the entity is human, but it's illegal if you've just finished using the entity's protocol properly and the entity is electrical.  Another example:  in several countries, if a company tricks a person into working but doesn't pay the person then it's legal, but if a company tricks another company into lending use of computer time but doesn't pay then it's illegal.  Computers have more human rights than humans have.

  • Bah, being a lawyer is just like having to attack any other system, except instead of security holes in code and API abuse, you're just looking for loopholes in (obtuse) English.

    So the ruling is basically saying that using

    nslookup and running ls is illegal? With "anti-hacking tools" laws, that'd make MS responsible for arming dangerous hackers, eh?

    If the zone was not configured to block, and all he had to do was issue a zone transfer command, then it's pretty clearly implicit. Sure, the test for authorization, as quoted, is silly and makes no sense. I don't know if the judge was implying the opposite (all access is unauthorized).

    If no security measures were in place, then things should be explicitly allowed. Otherwise, what's the difference from doing a zone tx versus visiting a webpage? Just becase most people don't know what a zone tx is, is that the criteria for making it "unauthorized"?

  • P.S.

    "which explains why the powers of the Executive and Legislative branches have expanded since Confederation"

    Oops.  In the US, Federation occured in 1776, the Constitution was rewritten in 1791 (and gradually amended and gradually overthrown after that), and Confederation is a non-word.

Page 1 of 1 (4 items)