
If your car runs me over, I'm going to sue you.


If my car runs you over, and you sue me, what does the court do? It tries to figure out my intent. Did I intentionally run you over? If yes, I'm guilty of vehicular assault (not my car). Or did the brakes fail and I had no intent to hurt you? If yes, I'm not guilty of anything.

Likewise, what the computer does is irrelevant, except insofar as it tells you about the owner's intent. So the question is not "did the computer let you access the file?" but "what does how the computer let you access the file tell you about what the computer owner intended?"


The car is still a dumb object that you own that hurt me, and as a result someone is still paying my hospital bills. You might blame your mechanic, if he did a poor job of brake maintenance. When he attempts to defend himself, how is this "intent" mishmash going to fly? "Your honor, please ignore that there are several RFCs defining how one installs calipers, none of which I followed! It was clearly my intent for the brakes to work!"

Also, I'm not sure your analogy works at all. In the first paragraph, you seem to analogize the car to the accused "hacker", while in the second you're talking about the supposedly "hacked" host. To be clear, the point of the car example is that a machine's intelligence has no bearing on how its actions affect the duties of its operators.


The web server sends a response code with each response.

The best, and most accurate, way of determining if the resource you requested is meant to be accessible is to check whether you got a 200 OK response or a 403 Forbidden response.


Given the numerous articles about documents inadvertently being exposed through URL ID incrementing, clearly response codes do not accurately convey what people meant.


I didn't say it was perfectly accurate, just that it was the best.

So your argument is that a better way to check this is to crawl the entire web looking for links to a resource to determine if it was meant to be publicly accessible?


> Given the numerous articles about documents inadvertently being exposed through URL ID incrementing, clearly response codes do not accurately convey what people meant.

Your intent argument is really shallow. People do bad things with good intentions all the time. Doesn't mean their actions are good or legal.


> If my car runs you over, and you sue me, what does the court do? It tries to figure out my intent. Did I intentionally run you over? If yes, I'm guilty of vehicular assault (not my car). Or did the brakes fail and I had no intent to hurt you? If yes, I'm not guilty of anything.

Or you failed to follow the rules, were careless, and hit him by mistake. Was your intention to kill him? No. Was it your fault? Yes.



