Message-ID: <40EA9D12.9070201@science.org>
Date: Tue, 06 Jul 2004 02:37:38 -1000
From: Jason Coombs <jasonc@...ence.org>
To: bugtraq@...urityfocus.com
Cc: isn@...rition.org, isn@....org, full-disclosure@...ts.netsys.com
Subject: Re: [ISN] E-Mail Snooping Ruled Permissible


Anyone who has not read this appeals court decision should do so now.

http://www.ca1.uscourts.gov/pdf.opinions/03-1383-01A.pdf

The stipulated facts make it clear that the government failed to hire an 
expert witness who knows how SMTP, POP3, sendmail, procmail, DNS, MTA, 
MUA, HTTP, Web browsers, computers, hard drives, software, RAM and the 
Internet actually work.

Take, for instance, page 3, where both parties stipulate that the 
following is true:

"Once the e-mail is accessible to the recipient, final delivery has been 
completed."

Every person who is reading this message should be able to stipulate 
that final delivery was not complete until a Mail User Agent retrieved 
it from temporary storage on the mail server. If you're using Webmail 
then your browser is your MUA and it speaks HTTP rather than POP3. That 
was the case with Interloc e-mail accounts.

Yet the court and the parties managed to agree that final delivery is 
complete any time the message is in the possession of an MTA that 
happens to consider itself to be the last hop in the delivery route. 
Never mind that there must be one more delivery step where an MUA under 
user control receives the message on behalf of the user.

The fact that the mail server may arbitrarily expire old messages and 
take other actions that disrupt the final delivery to an MUA was clearly 
of no concern to anyone in this case.

I can't imagine ever stipulating that once my mail messages are touched 
by procmail final delivery is complete. That's like saying once the 
incoming mail truck arrives at my local post office and the mail sort is 
done and my mail is placed in a stack with a rubber band around it that 
final delivery is complete. All I have to do now is go to the post 
office and remind them that they didn't bother to deliver my mail today 
and I'll be given access to the stack, right? Therefore final delivery 
is complete once the stack is created that has my name on it?

Nobody cares about getting the message delivered to a program that is 
under the control of the recipient, apparently.

The only storage location that can be considered to be final delivery of 
an e-mail message is a storage location that is under the control of the 
recipient. An inbox on the recipient's hard drive would be a fine 
indication of final delivery. To even approach a proper stipulation of 
facts with respect to the subtle distinction between Web-based e-mail 
services, which are closer to post office boxes, and POP3-based e-mail 
services, which are closer to conventional postal mail delivery to your 
home, requires mention of POP3 and the role of the MUA, both of which 
are missing from the stipulation made by the parties.

The dissenting opinion, page 18, includes discussion of MUA but it 
asserts that the MUA in this case was procmail. One would hope that the 
voice of reason would at least get its facts straight when everyone else 
was lost or confused. Too bad in this case the voice of reason was 
clueless, too.

The court correctly points out that Congress intentionally exempted 
stored electronic communication from the definition of "electronic 
communication" in section 2510(12) of 18 U.S.C. There is no other reason 
than this intentional exemption that the appeals court ruled as they did 
in this case, and given the facts as they were presented by the parties 
the ruling was proper.

However, an e-mail message goes from electronic storage on a hard drive 
to electronic storage in RAM and then back to electronic storage on a 
hard drive again by passing through wires. The government should have 
argued that the procmail program intercepted electronic communications 
by causing stored electronic communications to once again be transmitted 
over wires. But for stimulating that transmission over wires the 
procmail system would not have been able to access the second set of 
stored electronic communications THAT THE PROCMAIL PROGRAM ITSELF 
CAUSED. In reality the procmail program was creating an echo and 
capturing the echo. That you cannot do this in other wiretap scenarios 
and thereby avoid the Wiretap Act should have made the court examine 
this more closely.

This case should have set the precedent that causing a stored electronic 
communication to be transmitted over wires to a different electronic 
communication storage temporarily "on-demand" in order to circumvent the 
Wiretap Act is not acceptable. The exemption on stored electronic 
communications that came from Steve Jackson Games v. U.S. Secret Service 
should not be applied to "live" electronic communications systems that 
can be induced to "echo" stored electronic communications but rather the 
Steve Jackson Games precedent should apply only to "dead" storage that 
must be reactivated, powered up from an off condition and examined 
directly, without causing an echo, in order for the stored electronic 
communications to be accessed.

Steve Jackson Games should continue to exempt forensic investigators 
from prosecution or civil liability, and keep true "stored electronic 
communications" accessible to law enforcement and the prosecution in 
criminal cases. It is necessary for there to be some exemption otherwise 
it would be impossible for law enforcement to ever look at any hard 
drive without obtaining a wiretap authorization that specifically names 
every party whose stored communications are found on the drive when it 
is analyzed. However, the exemption that this court ruling suggests we 
must learn to live with is not an exemption that is sensible or that is 
consistent with the full truth of the matter.

The court in this case was not given the opportunity to consider this 
view because the technical stipulations of fact were so badly flawed. I 
would be satisfied with the outcome of this appeal had the technical 
stipulations and reasoning been proper, yet they were not. We still do 
not know how a court might rule if the correct and true technical 
stipulation is made in a similar case. We do know that it will be more 
difficult to get another appeal heard on the matter, as other courts 
will tend to defer to this appeal unless somebody intelligent manages to 
explain these issues clearly at just the right time.

It is disturbing to see how poor the quality of computer expert 
testimony is in court, and how little effort is put into clarifying the 
reality behind technical issues. When the parties stipulate to things 
that are not the truth, or when either side is technically inept, it 
causes courts to make errors. Then we end up with bad precedent.

Sincerely,

Jason Coombs
jasonc@...ence.org
