[news.sysadmin] woops, boy am I dum.

mjranum@gouldsd.UUCP (Marcus J Ranum) (04/22/87)

	Re my previous assertions that E-mail was protected as if it were
*REAL* mail:
		
	I guess I wholly deep-throated my foot, there. I can't quote a 
source, and don't recall where I got the information that led me to
make that posting. What can I say ? When I made my posting, I *KNEW*
I had read it somewhere. Afterwards, I thought about it, and can't
remember where I read it. I am forced to doubt myself, finally. I
am still looking, by the way. It's like, one of those things when
you get to work on a Monday morning, and try to shoot your mouth off,
and find you forgot and left your head at home.

	Hell, I'm really sorry. Sorry I flamed when I was only half-baked.
On the other hand, if I DO manage to find my source, then I reserve
the right to crow insufferably. 

	In the meantime, while I am still suffering the slings and arrows
of foot-facedness, I'd like to mention that whether it *IS* law now,
or is not, the status of E-mail *IS* going to become a serious problem.
I suspect that the "net"s are going to become a major "USsnail" 
substitute. People already carry on more private business than is
advisable.

	On one hand, we have the people who claim: "What's on my machine 
is mine" and on the other, "What's my private business is mine". While
the first approach is frequently most convenient for sysadmins, I feel
it should be fought as much as possible. If it becomes a legal precedent,
as net/E-mail traffic becomes more and more important, it will be
easier for the (insert yours) NSA/Gov't/IRS/CIA/Commies/DrugFreeks/Lawyers
to monitor our activities. For those of you who have been keeping track
of the cellular radiophone biz, there is a big deal currently about
protection of person's cellular radio transmissions. Currently it is
illegal to monitor cellular communications. (I *CAN* get you a ref for
*THAT*!).

	Are you willing to give your right to secure communications away ?
Never mind enforceability, it would be nice to know there is a legal
recourse if someone snoops my mail, and sees something that can hurt
me.
-- 
Copyright, 1987 -  Anarchist Software Foundation - ALL RIGHTS RESERVED
In reproducing this document in any form, the licensee (you) agrees to
pay the ASF  5$/copy distributed,  and to admit that software law is a
subject better left for lawyers and slimy nerds.    Live Free or die !

res@sdiris1.UUCP (04/24/87)

In article <496@gouldsd.UUCP>, mjranum@gouldsd.UUCP (Marcus J Ranum) writes:
> to monitor our activities. For those of you who have been keeping track
> of the cellular radiophone biz, there is a big deal currently about
> protection of person's cellular radio transmissions. Currently it is
> illegal to monitor cellular communications. (I *CAN* get you a ref for
> *THAT*!).
> 
The law protecting Electronic Mail is the same one which "protects"
cellular phones from eavsdropping.. The Electronic Privacy Act.

I don't have a copy at hand, so take the following with caution:

The law does make interception of "E-Mail" criminal... but the question
here is, is UUCP/Usenet passed "mail" E-Mail in the definition of the law?

The Privacy Act requires that the user have a reasonable belief in the
privacy of his data for it to be protected... that is, if you post to
a newsgroup, you know it isn't private... but the key fact in UUCP comms
is the fact documented in the manuals that ALL intersystem traffic is
handled in PUBLIC access files, and can be intercepted/tampered with/faked
by anyone, with fair ease.  If your own system administration tells you in
the agreement you have with them to use the system that your mail is
private, it may be qualified as E-Mail within your own system.. but inter-
system traffic cannot be presumed private.

Note that the closest approach to the Usenet which this has come up on
was the Mog-Ur BBS in Los Angeles, in which the courts ruled that a system
OWNER is totally responsible for everything on his system, and is required
to monitor all traffic for illegalities to protect himself/herself/itself
from legal liability.
(even if that means reading megabytes a day of traffic)

Thus, current case law indicates a requirement for admins to monitor/police
their systems for illegal activities, though it might be wise not to state
publicly what was found, other than a simple "we found irregularities"
justifying removal from access.

"Opinions? Me? Nah, I got no offical opinions... and am NOT a lawyer..)



-- 
Skip Sanders :  sdcsvax!ucsdhub!jack!man!sdiris1!res
Phone : 619-273-8725 (evenings)

david@ms.uky.csnet (David Herron, Resident E-mail Hack) (05/02/87)

In article <574@sdiris1.UUCP> res@sdiris1.UUCP (Robert Sanders) writes:
>In article <496@gouldsd.UUCP>, mjranum@gouldsd.UUCP (Marcus J Ranum) writes:
>.. but the key fact in UUCP comms
>is the fact documented in the manuals that ALL intersystem traffic is
>handled in PUBLIC access files, and can be intercepted/tampered with/faked
>by anyone, with fair ease.  If your own system administration tells you in
>the agreement you have with them to use the system that your mail is
>private, it may be qualified as E-Mail within your own system.. but inter-
>system traffic cannot be presumed private.

Please get your facts straight on this.  (at least) for the Berkeley
versions of UUCP (4.2 and 4.3) the files are kept in directories
whose mode is 0755, but the files themselves are all owned by uucp
and mode 0600.  If you stop and think about it, all the programs
which deal with the spooling areas are setuid to uucp, meaning that
they can easily deal with the files being at 0600 (etc).

Other parts of the system are public... /usr/spool/uucppublic (or
your local equivalent) for instance.  File transfers have to be into
a globally writable place.  etc

and yes you can easily fake e-mail.  but you can also easily fake
e-mail on the arpanet (telenet host 25; start talking to the remote
smtp daemon), and on bitnet (make a bsmtp format file and punch
it to some bsmtp daemon somewhere; be on a urep site and be listed
in /usr/lib/rscs/PRIVUSERS and you can override the apparent from-user
and from-site to make it appear as if the mail came from anywhere).



-- 
-----   David Herron,  cbosgd!ukma!david, david@UKMA.BITNET, david@ms.uky.csnet
-----  (also "postmaster", "news", and the Usenet map maintainer for Kentucky.)
-----                 "Doodle, doodle, dee;                Wubba, wubba, wubba"
/*