Democrats, the Filibuster, and Theft

Not often can I say that I've scooped my local CLS blog-rival, the so-left-we-don't-blog-on-the-right-of-your-browser Filibuster. They've decided that the 'scoop of the year' must be this Boston Globe piece on how Republicans 'infiltrated' 'secret' files.

Of course, readers of this site will have been alerted quite a while ago that the 'hacking' consisted of nothing more than Democrats leaving their files on servers that hadn't been secured. By any reasonable definition of 'hacking' or 'intrusion' (and I'm sure my lefty-but-fair techie-blogger Len will back me up on this), taking a file from a folder you've been given access to just doesn't cut it. Furthermore, everyone agrees that the mistake was made because the Democrats hired their own technical consultants to revise the way the committee's computers worked, and those consultants screwed the pooch. [1]

This makes one wonder at the opening paragraph of the Boston Globe article:

Republican staff members of the US Senate Judiciary Committee infiltrated opposition computer files for a year, monitoring secret strategy memos and periodically passing on copies to the media, Senate officials told The Globe.

You see, 'secret' here means 'put in a folder where anyone on the committee can see them, and not labelled secret anywhere thereon' and 'infiltrated' means 'opening up the shared folder of your workgroup' (which some of you might think of as your G: drive if you're at Columbia).

Of course, the Filibuster mentions the story twice, and claims that the GOP 'stole' these documents. Since the Filibuster and the Columbia Political Union are part of my university, I'm going to throw down that gauntlet: find me a statute, make me a case, and, given a decent grasp of the technical competencies involved, show me how this is theft. (Note that the Globe either had fewer cojones or more caution than to call this activity 'stealing.')

Update: The Boston Globe continues its coverage, pointing to the Committee for Justice's fact sheet arguing no rules were broken. I'm not sure I buy that: there may very well have been some ethical rules broken. But if so, theft seems pretty extreme.

[1] Full disclosure: I received every bit of my formal training in how to be a Systems Administrator from the U.S. Senate. If the mistake is what the papers have said it was, this was a basic error. No one who received Senate training should have made this mistake.

Comments

I just want to applaud the use of the phrase "screwed the pooch." It doesn't get used enough.
"I'm going to throw down that gauntlet: find me a statute, make me a case, and given a decent grasp of the technical competencies involved show me how this is theft." As a non-lawyer I'm not in a position to do so rigorously, but it occurs to me that there is potentially an issue of unauthorised copying of data here. Had the unsecured folder contained (for example) music tracks, it would have been illegal to take copies without permission. Why are memos different? Also, as someone with a certain amount of knowledge of server administration, I'm not sure that something being 'secured' is even well defined (although that may not stop the law from pretending it is!) For example, I'm sure that I'm better at extracting files from computers than your average politician. Does that mean that it's OK for *me* to leak to the press any file I can get my grubby paws on? If not, then at what particular level of skill does the copying of files become theft?
I suspect you're right about the levels of incompetency involved. Still, the decent thing to do would have been to say 'hey buddy, your files are lying there where any unscrupulous so and so could read them, you might want to tidy them up a bit.' Now we all know that's maybe asking a bit much of men who are selected at least in part for their moral standards, but hell, they've been caught with their hands in the till and now they're gonna have to say sorry. Not for their 3133t h8x0r skills, but for being shady buggers.
FYI, the Boston Globe's follow-up story (GOP Downplays Reading of Memos) is at: http://www.boston.com/news/nation/articles/2004/01/23/gop_downplays_reading_of_memos/
Bateleur: I'm not fully aware of the relevant law, but unauthorized copying of music is a violation of copyright. While sometimes called 'theft,' it's somewhat different. As for someone of greater skill at 'extracting files': wouldn't you say that a good dividing line for 'skill' would be whether the administrator of the system had assigned permissions to you to view those files? Can you steal something to which you've been assigned permissions? As the fact sheet put out by the Committee for Justice points out: "The documents were disclosed through the window labeled 'My Network Places.'" What lower level of skill are you going to assign? ;)
OK, there are two ways of looking at network share permissions. You can explicitly allow permission to access or you can explicitly deny permission to access. In this case, the snoopers in question were not specifically denied permission to access the share in question but they were also not specifically allowed permission to access the files. It's obviously an open and shut case of electronic trespass IF they were explicitly denied permission to access the files and they managed to circumvent the access control mechanism, but this is NOT the case. While it may be unethical to view these materials given that they weren't explicitly allowed permission to do so, it certainly is no violation of any law that I am aware of. Think of the web server example, if I post files (non copyrighted material) to a directory on my web server that I don't tell anyone about, but I don't explicitly deny access permissions, I have no case against someone who finds and downloads that material. Hey, I am as left leaning as you can find on many topics, but in this case, 1) whoever set up that share does not deserve the title of network administrator, and 2) does anyone really think that if the roles were reversed that the dems wouldn't be reading the material on an open share? This is a non issue. A sysadmin needs to get fired, end of story. A MINOR ethical lapse, but one that could be expected given the situation. I really hate the Globe's coverage of this as if it's Watergate... sheesh
"[L]efty-but-fair", eh? A Greater Compliment I cannot possibly receive. :-) Much as I would like to whip myself into a righteously indignant fury and quote Henry L. Stimson's famous comment that "Gentlemen do not read each other's mail" (or confidential memos, talking points papers, draft briefings etc., etc., ad nauseam), the fact o'the matter is that if the Dems left sensitive information on an unprotected directory/folder on a server to which staffers for both parties had read access (at minimum; I'll wager that the sysadmins left permissions at the default NT/2K permissions, which is basically Full Control for Everyone), then they got what was coming to them. Absent some statute or other rule that specifically defines that kind of behavior as "cracking"/"hacking", I wouldn't think of this as cracking/hacking. Windows NT/2000 has allowed file and directory level access control all the way back to Windows NT 3.5 (which is when I got involved in NT system administration), and any reasonably competent NT/2K sysadmin knows that. There's no excuse for what's happened here. The front door was left completely unlocked. Quoth Anthony: "everyone agrees that the mistake was made because the Democrats hired their own technical consultants to revise the way the committee's computers worked, and those consultants screwed the pooch." You're being too kind, methinks. The consultants screwed a whole pack o'pooches. Sensitive partisan documents should have been kept on a separate server to which only members of the relevant party should be given access. Putting such documents on a shared server was asking for trouble, even with proper file/directory level access controls.
Ah, Len, thanks for the confirmation. Now no one will doubt that I'm being partisan in my administrative position. (However--a whole pack of pooches? PETA already dislikes me, Len, there's a limit to what I can get away with.) The only reason I can see for not having separate servers for each part of the committee is lack of resources--which are more scarce than one might expect in the Senate. There may only be the one file server. Personally I'd consider adequate permissions on the same server to be sufficient: unless the average technical acumen of Senate staffers has risen dramatically since I was there, I doubt there's a huge hacking risk.
Here is an interesting paper from NYU Law Review (Nov. 2003) which discusses the legal meanings of "authorization" and "access" as they apply to computer crime, and how those meanings are still being fleshed out in the courts. Personally, I think the staffers' behavior was rude, but not illegal.
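
The explicit-allow versus explicit-deny distinction and the "Full Control for Everyone" default raised in the comments above can be seen in a simplified model of Windows-style DACL evaluation. This is an added example, not part of the original post or thread; the staffer names, group names, rights bits and DACLs are constructed for illustration, and the model ignores inheritance, ownership and privileges.

```python
from dataclasses import dataclass
from typing import Optional

READ, WRITE = 0x1, 0x2          # constructed rights bits, not real Windows masks
FULL = READ | WRITE

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group the entry applies to
    mask: int      # rights covered by the entry

def access_check(dacl: Optional[list], token: set, wanted: int) -> bool:
    """Walk the ACEs in order, the way a Windows-style access check does."""
    if dacl is None:               # no DACL at all: object is unprotected
        return True
    remaining = wanted
    for ace in dacl:
        if ace.trustee not in token:
            continue               # entry names someone else
        if ace.kind == "deny" and ace.mask & remaining:
            return False           # explicit deny hit before the right was granted
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True        # every requested right has been allowed
    return False                   # nothing matched: implicit deny

# Hypothetical staffers: each token is the user name plus group memberships.
TOKENS = {
    "staffer_a": {"staffer_a", "Everyone", "Committee Staff", "Party A Staff"},
    "staffer_b": {"staffer_b", "Everyone", "Committee Staff", "Party B Staff"},
}

# Constructed DACLs for one folder of Party A memos.
DACLS = {
    "default_open":  [Ace("allow", "Everyone", FULL)],
    "scoped_allow":  [Ace("allow", "Party A Staff", FULL)],
    "explicit_deny": [Ace("deny", "Party B Staff", FULL),
                      Ace("allow", "Everyone", FULL)],
    "empty":         [],
}

def readers(dacl_name: str) -> list:
    """Names of the staffers who can read the folder under the given DACL."""
    dacl = DACLS[dacl_name]
    return sorted(n for n, t in TOKENS.items() if access_check(dacl, t, READ))

if __name__ == "__main__":
    for name in DACLS:
        print(f"{name:14} -> {readers(name)}")
```

Under `scoped_allow` the second staffer is kept out with no deny entry at all, because an access check that finds no matching allow entry ends in an implicit deny.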