June 13, 2008

How "alex.kozinski.com" worked (Judge Alex Kozinski "Porn Site" Follow-up)

[Original research! Not an echo!!!]

Following up the "Porn Site" of Judge Alex Kozinski kerfuffle, and all the discussion of private vs. public norms, I've been trying to figure out exactly how the web site was configured. We know the controversial material was in a directory called "stuff", hence it was http://alex.kozinski.com/stuff/

I've found a key piece of evidence. In June 2004, Alex Kozinski sent a public letter in HTML, humorously nominating himself as part of a "Judicial Hottie contest":

Courthouse Forum: The Hot. Alex Kozinski

This letter contains various links, and one sentence in particular is:

* I bungee jump. [Ed. note: Click on the link to play this very fun little video clip--and make sure your sound is turned on!]

There, "bungee jump" is linked to: http://alex.kozinski.com/stuff/jump.avi

Again, that's the key directory.

This shows that Judge Kozinski knew the general public could retrieve specific material from that directory, and in at least one case, invited the public to do so.

I speculate that he did not know that his server was configured with a feature which lists all files in that directory when the directory name was given. That is, he may have thought that the only way to know what files were there was if one was given filenames.

Moral: Security By Obscurity - Isn't.

Note regarding the search engine restriction file "robots.txt":

Yahoo had a cached copy of that directory (seems uncached now) with an entry at least as late as:

25.minutes.to.go.wmv 28-May-2008 12:18 6.3M movie

This strongly indicates there was no search-engine prohibition for that directory. Further evidence is at the Internet Archive, which shows many versions, e.g.:

http://web.archive.org/web/20070629190035/http://alex.kozinski.com/robots.txt

having only entries:

User-agent: *
Disallow: /jurist-l/
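As an added illustration of the two mechanisms discussed above (a server that auto-generates a listing when given a directory name, and a robots.txt whose only Disallow rule does not cover that directory), here is a small audit script. It is not part of the original post; the index page it parses is a constructed sample in Apache's listing style, not a copy of the actual site, and the robots.txt text is the one quoted above.

```python
import re
from urllib.robotparser import RobotFileParser

# Constructed sample of an Apache-style auto-generated index page (hypothetical content,
# modelled on the listing format quoted in the post; not captured from the real site).
SAMPLE_INDEX_HTML = """<html><head><title>Index of /stuff</title></head><body>
<h1>Index of /stuff</h1><pre>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a> <a href="?C=S;O=A">Size</a>
<hr><a href="/">Parent Directory</a>
<a href="jump.avi">jump.avi</a>                 01-Jun-2004 09:00  2.1M
<a href="25.minutes.to.go.wmv">25.minutes.to.go.wmv</a> 28-May-2008 12:18  6.3M
</pre></body></html>"""

# robots.txt as quoted in the post: only /jurist-l/ is excluded.
SAMPLE_ROBOTS_TXT = "User-agent: *\nDisallow: /jurist-l/\n"

INDEX_TITLE = re.compile(r"<title>\s*Index of\s+(\S+)\s*</title>", re.I)
# One listing row: the link (skipping "?C=..." column-sort links), then optional
# "DD-Mon-YYYY HH:MM" modification time and optional size such as "6.3M".
ROW = re.compile(r'<a href="([^"?][^"]*)">[^<]*</a>\s*'
                 r'(\d{2}-\w{3}-\d{4}\s+\d{2}:\d{2})?\s*([\d.]+[KMG]?)?', re.I)

def parse_autoindex(html):
    """Return (directory, [(name, modified, size), ...]) if html is an auto-index, else None."""
    m = INDEX_TITLE.search(html)
    if not m:
        return None
    entries = []
    for href, modified, size in ROW.findall(html):
        if href.startswith("/") or href.endswith("/"):   # parent directory / subdirectories
            continue
        entries.append((href, modified, size))
    return m.group(1), entries

def robots_blocks(robots_txt, path, user_agent="*"):
    """True if robots.txt asks crawlers not to fetch `path` (uses the stdlib parser)."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return not rp.can_fetch(user_agent, path)

def audit_directory(html, robots_txt):
    """Summarise one directory's exposure: is listing on, what is visible, is it crawlable."""
    parsed = parse_autoindex(html)
    if parsed is None:
        return {"listing_enabled": False}
    directory, entries = parsed
    path = directory if directory.endswith("/") else directory + "/"
    return {"listing_enabled": True, "directory": path,
            "files": [name for name, _, _ in entries],
            "robots_excluded": robots_blocks(robots_txt, path)}
```

Run against a live site, the same two functions would be fed the body of a GET on the directory URL and the site's /robots.txt; a result of listing enabled plus not excluded is exactly the "open door" the post describes.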

[Disclaimer: Do read the letter. Alex Kozinski is impressive and a very cool guy, and those who are trying to have him removed from his position because of this tempest-in-a-teapot should avail themselves of some of the acts portrayed in the files in that directory]

[Update - see my column "Don't blame the judge for falling through the web's open doors" ]

By Seth Finkelstein | posted in infothought | on June 13, 2008 07:18 PM (Infothought permalink)

Comments

Seth,

AMAZING WORK.

Email me or call me directly (see my calbar.org entry for my contact details). I want to get your discovery more widely distributed.

Cyrus Sanai

Posted by: Cyrus Sanai at June 13, 2008 08:47 PM

Great work, Seth. (I followed over from Lessig.) I've shared this with Solosez. I hope this gets wider traction (including the cautionary note about prematurely jumping to conclusions regarding his character).

Posted by: Sheryl Sisk Schelin at June 14, 2008 07:19 PM

Thanks for digging into this. I wondered if it was a matter of directory indexes being turned on without Kozinski knowing the implications of that decision.

In his latest blog post, Lawrence Lessig mentions that his own server is immune to directory browsing.

He's wrong:

http://lessig.org/images/

Posted by: Rogers Cadenhead at June 15, 2008 10:52 AM

Rogers: good find. In fact, here are other open directories:

http://lessig.org/images/_notes/
http://lessig.org/news/2008/
http://lessig.org/news/2007/
http://lessig.org/news/2006/
http://lessig.org/news/2005/
http://lessig.org/news/2004/
http://lessig.org/news/2003/
http://lessig.org/news/2002/
http://lessig.org/news/2001/

There might be others but I'm going to stop there. However, here's what's so funny. If you try this URL,

http://lessig.org/news/2000/

his web server will note that it doesn't exist---but will list many of the above directories as *suggestions* for what you might have meant to type!

Clearly, none of these directories contains private content. In fact, I'm fairly sure that all of the content in the news directories is linked to on the site itself. But it does point out the promiscuity of a web server whose default behavior has not been changed from its default.

Posted by: mcg at June 16, 2008 12:41 PM