
Sunday, July 05, 2009

Courts - More on: "A lesson for every Internet user: Nothing is private"

On June 15, 2008, the ILB quoted from an editorial in the Seattle Times:

THE roiling water in which Judge Alex Kozinski finds himself should be a lesson for every Internet user: Nothing is private.

Kozinski, the chief judge of the 9th U.S. Circuit Court of Appeals, last week suspended a trial on a Los Angeles obscenity case when the sexually explicit contents of his own Web site were reported by the Los Angeles Times. That this learned man, one of the highest-ranking federal judges, sometimes mentioned as a worthy candidate for the U.S. Supreme Court, would be stung by an all-too-common pitfall of the online world should make everyone rethink their online habits.

A 2006 Career Builder survey found that a little more than half of hiring managers who used Internet searches to screen job applicants eliminated candidates based on what they found. The rate was 63 percent for those using searches of social-networking sites.

School districts and law-enforcement officials, including Washington Attorney General Rob McKenna, repeatedly try to drive home the point about the vulnerability, especially of children, when too much is revealed on the Internet.

More than a year later, Scott Glover had this story July 3rd in the LA Times. The headline: "Alex Kozinski admonished for raunchy Internet files: The 9th Circuit's chief judge showed 'poor judgment,' panel finds." From the story:
A panel of federal judges admonished Alex Kozinski, chief judge of the U.S. 9th Circuit Court of Appeals, on Thursday for being "judicially imprudent" and "exhibiting poor judgment" by placing sexually explicit photos and videos on an Internet server that could be accessed by the public.

Kozinski's conduct had "created a public controversy that can reasonably be seen as having resulted in embarrassment to the institution of the federal judiciary," according to the panel's opinion, written by Anthony J. Scirica, chief judge of the U.S. 3rd Circuit Court of Appeals.

The judges ruled, however, that Kozinski's actions did not constitute judicial misconduct. The disciplinary proceedings should end with the public admonishment, they wrote, noting that in testimony in a closed-door hearing, Kozinski had stated that he had "caused embarrassment to the federal judiciary," had apologized and had "committed to changing his conduct to avoid any recurrence of the error."

The opinion quoted Kozinski as acknowledging that some of the material he maintained on his server was "highly offensive," "gross," and "demeaning." * * *

The proceedings stemmed from a Los Angeles Times article published in June 2008 when Kozinski was presiding over a high-profile obscenity trial in Los Angeles. The Times article reported that Kozinski had "maintained a publicly accessible website featuring sexually explicit photos and videos" but had intended it to be private.

The Times story described several of the files, including a photo of two nude women posed on all fours and painted to look like cows.

After being interviewed for the article, Kozinski immediately blocked public access to the site. Two days after the story was published, he declared a mistrial in the obscenity case and called for an investigation of his own actions. Because Kozinski is chief judge of the 9th Circuit, the case was transferred to the 3rd Circuit.

The story includes a link to the 41-page June 5, 2009 Memorandum Opinion of the Judicial Council of the 3rd Circuit. It sets out the minimum that anyone who makes files available on the web, whether from a home server or through a web hosting company, MUST KNOW going in.

Here are some quotes from the opinion:

[Judge Kozinski had] a personal computer in his home, which had been connected to the Internet using web server software.

Through a combination of improper security configuration and carelessness on the part of the Judge, the aggregation of retained files became accessible to the public. Uninvited visitors to the web server who knew the name of the specific subdirectory on the Judge’s computer could access the files, including the sexually explicit material. At least one Internet search engine catalogued the contents of the subdirectory containing the sexually explicit material, with the consequence that Internet searchers could locate the material. The Judge eventually became aware that members of the public could access the files, although he did not know about the search-engine cataloguing. Despite some small steps to remove offensive material from potential public view, the Judge neglected to complete this task or to disconnect the computer from the Internet. The consequence of the Judge’s possession of sexually explicit offensive material combined with his carelessness in failing to safeguard his sphere of privacy was the public controversy in June 2008. * * *

In 2002, the Kozinski family decided to connect the family server to the Internet as a convenient means to access personal files while away from home. Through the use of web server software, the Judge could access the files and subdirectories in the alex directory using a web browser via the Internet at http://alex.kozinski.com.[6] This access was enabled by Apache server software.

From footnote 6:
http://alex.kozinski.com was the Internet location, or uniform resource locator (URL), of the alex directory. Subdirectories of the alex directory could be located by adding an extension to the end of the alex directory’s URL. For example, the stuff subdirectory was accessible at http://alex.kozinski.com/stuff.
This should set off red flags for those of you who do much work on the internet. (When I read the initial stories that someone had "hacked" into the Judge's computer, it was clear to me what actually had happened.) If you set up a web-accessible directory of files without putting an HTML "index" page in it (even a page that just says "welcome" or "you are not authorized"), and the server's directory-listing feature is left on (in Apache, the Indexes option, handled by mod_autoindex), then when a user types in the address of the directory the server will return a list of every file in it, each one a clickable link. In the Kozinski case, when one typed in "http://alex.kozinski.com/stuff," one got the directory list of all his personal files, linked for viewing. More from the opinion:
Although the Judge did not intend to provide uninvited public access to alex.kozinski.com, he did use it to share links to personal photographs with family and “a very close circle of friends” (numbering about two dozen) — all “people [he] knew very well” — or to share links to legal writings with fellow judges from around the world. * * *

No username or password was required to access alex.kozinski.com and/or to view a list of the files and directories on the Kozinski family server. The Judge testified that when the server was first connected to the Internet in 2002, he “did not give any thought to security” because he considered alex.kozinski.com to be “just a private — a way of privately accessing [his] files.” The Judge relied on not distributing the name of alex.kozinski.com and its subdirectories other than to family or close friends — a method known as “security through obscurity” — as a means of protecting against uninvited public access to that material.

More:
In 2004, the Judge sent a link to a video of himself bungee jumping as part of a tongue-in-cheek message for posting on Underneath Their Robes, a blog about the federal judiciary. The video was located in the stuff subdirectory, and the link sent by the Judge had the URL http://alex.kozinski.com/stuff/jump.avi. * * * Internet users who visited the page of the Underneath Their Robes blog containing the posting about the Judge and clicked on the jump.avi link, or examined the HTML code for that page of the blog, could see the URL http://alex.kozinski.com/stuff/jump.avi. The posted link therefore revealed the URL for the jump.avi file as well as the name of the stuff subdirectory, compromising its “security through obscurity.” Accordingly, any person who viewed the relevant page of the Underneath Their Robes blog could learn of the existence of the stuff subdirectory and could gain access to it and its files by typing the URL http://alex.kozinski.com/stuff into a web browser.

The Judge was not aware at the time that the public could gain access to his subdirectories in this manner.

The opinion goes on to detail how the Judge gradually, over a period of years, discovered that people could access his files, culminating with the LA Times story on June 11, 2008. Only then did the Judge take the site off the internet. Before that time, his security efforts were minimal. Never was there an effort to password protect the site or any of the subdirectories.
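To make the two failures concrete (the directory listing described above, and the absence of any password), here are the exposed and the corrected server states written as Apache 2.4 configuration. This is an added illustration and not part of the opinion or of this post; the hostname is the one in the opinion, but the directory paths, the password file location and the user name are assumptions for illustration.

```apache
# Added example (not from the opinion or the blog). Apache 2.4 syntax.
# Paths, the password file location and the user name are assumptions.

# --- Exposed: what alex.kozinski.com effectively was ---
# "Indexes" makes mod_autoindex generate an "Index of /stuff" listing for any
# directory that has no index file, and nothing asks for a username or password.
<VirtualHost *:80>
    ServerName alex.kozinski.com
    DocumentRoot /home/alex
    <Directory /home/alex>
        Options Indexes FollowSymLinks
        Require all granted
    </Directory>
</VirtualHost>

# --- Hardened: no listings, and a username/password for the private tree ---
# 1. Create the password file, OUTSIDE DocumentRoot so it can never be served:
#       htpasswd -c /etc/apache2/private.htpasswd alex
# 2. Serve the tree only to authenticated users, over TLS, with listings off.
<VirtualHost *:443>
    ServerName alex.kozinski.com
    DocumentRoot /home/alex
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/alex.kozinski.com.pem
    SSLCertificateKeyFile /etc/ssl/private/alex.kozinski.com.key

    <Directory /home/alex>
        Options -Indexes
        AuthType Basic
        AuthName "Private files"
        AuthUserFile /etc/apache2/private.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>

# Send any plaintext request to HTTPS so Basic-auth credentials never travel in the clear.
<VirtualHost *:80>
    ServerName alex.kozinski.com
    Redirect permanent / https://alex.kozinski.com/
</VirtualHost>
```

Two caveats a practitioner should keep in mind. First, `Options -Indexes` only stops the server from listing the directory; every file in it is still served to anyone who knows or guesses its name, so turning listings off by itself is just more security through obscurity, and it is the `Require valid-user` line that actually closes the hole. Second, after reloading the server, check from the outside: a request for http://alex.kozinski.com/stuff/ should now come back as a redirect or a 401, never as a 200 whose body begins "Index of".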

"Security through obscurity" became a thing of the past years ago, when Yahoo and then Google began crawling the entire internet and indexing whatever they could reach. Once a single link to a directory is published anywhere, as the jump.avi link was, a crawler can follow it and index every file the directory listing reveals; the Judge was seemingly unaware of this. Again, as the Seattle Times wrote a year ago: "The roiling water in which Judge Alex Kozinski finds himself should be a lesson for every Internet user: Nothing is private." Know what you are doing.

Wider Implications. Is truncating a website address illegal "hacking"? If it is, many of us are guilty of doing what some readers of Underneath Their Robes did after viewing the bungee jumping video the Judge had sent the link to: http://alex.kozinski.com/stuff/jump.avi. Using their browsers, they truncated the link to http://alex.kozinski.com/stuff/ to see what else was in the directory. They were rewarded, because the Judge had left directory listings enabled and had put no index page in the directory.

But an entry I read some years ago on Philip Greenspun's Weblog shows that Harvard Business School, at least in 2005, considered truncating a website address to be "hacking" that would result in denial of admission to the school:

[The Harvard business school admissions setup was such that truncating] the URL in the “Address” or “Location” field of a Web browser window would result in an applicant being able to find out his admissions status several weeks before the official notification date.

This would be equivalent to a 7-year-old being offered a URL of the form http://philip.greenspun.com/images/20030817-utah-air-to-air/ and editing it down to http://philip.greenspun.com/images/ to see what else of interest might be on the server.

Someone figured this out and posted the URL editing idea on the BusinessWeek discussion forum, where all B-school hopefuls hang out and a bunch of curious applicants tried it out.

Now all the curious applicants, having edited their URLs, are being denied admission to Harvard. * * *

Thanks to Harvard Business school the term now means “people of average IQ poking around curiously by editing URLs on public servers and seeing what comes back in the form of directory listings, etc.”

More here, via Google.

Posted by Marcia Oddi on July 5, 2009 10:43 AM
Posted to Courts in general