
While some of the "hacking" was no more than calling into voicemail accounts with no pin/password set (though most instances would have involved at least caller-id spoofing), it will hopefully (yeah, right, says the cynic in me) make the tabloid rags more careful about overstepping their bounds in future.

The scandal, which blew up massively again after evidence was presented of them interfering with a missing-persons/murder enquiry and has only got worse after evidence that the families of bombing victims and those injured/killed in overseas conflicts were also subject to similar invasion of privacy, has caused significant activity in government and a large amount of embarrassment for News International - possibly to the point of threatening their attempt to buy the rest of Sky.

I wonder how many more phone and email hacking/monitoring scandals, involving the media or other organisations, will drop out of the woodwork following (or during the investigation of) this one...

edit: removed the quotes from "news"paper in the title. A tad hypocritical of me to editorialise like that while taking shots at a tabloid!



Not that you said otherwise, but for what it's worth: accessing someone else's voice mail is no less a crime if they don't have a PIN set.

A lot of nerds are under the very faulty impression that the severity of "hacking" crimes scales with the difficulty of the attack. No. It has nothing whatsoever to do with how hard these things are to pull off.


> accessing someone else's voice mail is no less a crime if they don't have a PIN set.

So by extension, you're saying if I set up a directory on my website called /admin and don't password protect it, then you could be committing a criminal offense if you decide to access it?

Personally I think there is a difference. If there is NO security, then it could be argued that it was intended to be public. If there is security, but it is bypassed, then obviously that is a violation.

So I'm with you that the difficulty of hacking isn't related to the severity. But in the particular case of having no PIN, no password protection, there is no hacking taking place. So it's a moot point IMHO.


Yes. If you browse to /admin and find it non-password-protected, and then deliberately use it to manipulate an application or gain access to information you reasonably know you shouldn't have access to, nobody making a prosecution decision is going to care about your nerdy protestation that there was no password.

You will be afforded the opportunity to argue that /admin was "intended to be public" in court. Depending on what you do with /admin, a judge or jury may even listen to you.


IANAL, but in the UK, according to the Computer Misuse Act - yes that would be a criminal offence as the access is unauthorized, regardless of how access was gained. (guessing URL, phishing, guessing password etc)

http://en.wikipedia.org/wiki/Computer_Misuse_Act_1990#The_Co...


Yes, if someone goes to /admin on your site and starts to mess around even if it's not password protected, that's a naughty thing and should be (and will be) punished even if you should have known better and ensured that it's well protected. Just like stealing a car is a crime even if the owner left the key inside the car. Or burglarizing someone's home even if the occupier has accidentally left the front door unlocked. Don't you agree?


At some point the analogy breaks down.. what if I typo "admin" trying to get to another page? Or, more realistically, what about spiders? What if it's linked and a human clicks the link?


You cannot be charged for most crimes if you lack any criminal intent.


Ok, sure, I'm just saying that the analogy breaks down. Now the debate is over intent, whereas it's nearly impossible to accidentally break and enter.


I don't think the analogy breaks down. I think most of the people arguing here need to go re-read Wikipedia on mens rea vs. actus reus. Most of the counter-analogies seem to boil down to things like, "but then Google could one day decide nobody's authorized to visit WWW.GOOGLE.COM and half the US would become felons!"


I think we're talking at different points, I was saying that we don't have like literal robots walking the streets who might accidentally wander into your house, and you can't misclick your way into sticking up a liquor store.

Certainly if you have a whole set of willful misconduct associated with the act, like in this case, then it's illegal/wrong even if the page was wide open and prominently linked.

I guess I was just saying that you couldn't just hold someone culpable for a hit in the access log like you could for being in the wrong kitchen. The bar to prove bad intent is higher.


Sure. Who disagrees with that? If you accidentally stumble onto an /admin page, say "shit!", send an email to the site and then log off, who thinks you should be charged with a crime? Nobody does.


What if someone stores their wallet in a public trashcan?


If you find someone's wallet in the street. Take the cash then give it back. If it can be proven you took the money, you can be charged with theft. The famous saying 'possession is 9/10ths of the law' relates to proving whose possession something is, not what your rights are once you have it.


Then, like you, that person is trolling.


I'm not trolling, I was merely adding another analogy to the OP's selective list of things-that-are-like-browsing-directories-on-a-website.

Like my profile says: "I'm not trolling; I actually think that."


The laws regarding found property greatly vary between countries. In some places, if you find something and it's not possible to determine who the owner is, the finder can keep the found property. In other places, if you cannot determine the ownership of a found property, you have to hand it over to the police, otherwise you could be charged with theft. It's a complicated matter.

However, generally, if you find, say for instance, a wallet in a public trash can and you can determine the identity of the owner (because, for example, there is a driving license in it), you cannot keep it.


No, it doesn't work like that. Leaving your door unlocked doesn't mean your home is suddenly open to the public who can wander in. Leaving your computer without a password doesn't mean it's legal for someone to hack into it and use it for what they will. It also doesn't mean if you forget to password protect your FTP server that anyone and everyone are free to use it as they will.

There is a reasonable expectation of privacy in these cases. The actual severity might be different depending on the circumstances, but it's still fairly obvious if what you are doing is wrong or not. Obviously, there are grey areas. Does a husband have the right to access his wife's voice mail? What about her computer? What if they share a computer or accounts?

A good example I've always heard concerns banking on public computers. If you accessed your bank account on a public computer, and then left without logging out, would it be okay for someone to then transfer money to their account and keep it? No hacking was involved. No security was breached.


> If you accessed your bank account on a public computer, and then left without logging out, would it be okay for someone to then transfer money to their account and keep it? No hacking was involved. No security was breached.

That's not hacking, but it is theft. How about this: If you accessed your bank account on a public computer, and then left without logging out, would it be okay for someone to glance at the screen, see your account balances, and log you out?


It depends. If it can be established that you accessed someone else's bank balance purposefully or knowingly, understanding it was meant to be private, you can be on the hook for a crime. A classic nerd mistake here is to look only at the computer-related act in isolation; a real prosecution looks at the totality of circumstances. What did you do with the information? What prompted you to access it?


I think it's a stretch to call reading something "access". If someone leaves their private banking documents face up on a table, I'd expect it to be legal to read them.


Sure. Like I said: what did you do with the data? What prompted you to access it in the first place?


Please read my comment in the context of the thread. You've agreed with me: It's a crime. The parent post was suggesting this:

> If there is NO security, then it could be argued that it was intended to be public.

You then go on to this:

> If you accessed your bank account on a public computer, and then left without logging out, would it be okay for someone to glance at the screen, see your account balances, and log you out?

You really think things are black and white. Trying to tidy things up into a neat little package.

No, the intent, or motive of the person is to close the sessions. However, if I'd closed the browser window and left, and someone came and opened and then browsed the bank's site, and then made note of some information, and use it in some manner (perhaps, a PI or something), this is more likely criminal in nature.

You cannot simply say: "This is bad" and "This is good." However, it's absurd to think that just because someone forgets to secure something that it's free for public consumption. There is a reasonable expectation of privacy in certain cases. Just because it's easily accessible doesn't mean you have free rein to do what you will with whatever it is.


In physical 'hacking' if you don't make any effort to secure your valuables, you can't claim they were stolen. I wonder why it is different with virtual valuables?


That's simply not true. If I leave my bike on my porch and it goes missing, it's "stolen" whether or not I locked it up.


That's just wrong. So if I leave the door to my house unlocked and you walk in and take my stuff it wouldn't be stealing?


Nothing was taken.

It would be more like "I leave my front door open, and you walk in and take a photograph".


That's also not legal. You can't simply walk into someone's house, regardless of whether it's locked. It's unlawful trespass, it's a gross violation of privacy (especially since you took a picture), and it may be legally deemed breaking and entering, burglary, or some other felony depending on jurisdiction.

Also, I believe that the voicemail "hackers" also deleted some voicemails, and in that case something was indeed taken.


I don't think the analogies are doing justice. Nobody's house, not even a virtual one, was involved. An open-to-the-public voicemail system was used. The 'victim' was sympathetic and folks reacted emotionally. It's not clear to me this was espionage, or even a misdemeanor.


You're still trying to link "unlocked" and "open to the public". The fact that you don't lock something does not mean that it's legally open for anyone to use/take/whatever. If your front door is unlocked, it's still a crime for me to enter. If you leave your voicemail unlocked, it's still a crime for me to access it.


So is it legal or illegal for you to access http://foo.com ?

By your logic, just because I didn't password protect it, doesn't mean it's legally open for you to load in a browser.


These comparisons are getting pretty tenuous, don't you think?

If you run foo.com, and you open it to the public, then you have made the decision to allow the public to use it. You've got a DNS record that tells the world they're welcome to access your site. On the other hand, if I sit outside your house and use your open WiFi to scan for computers inside your house with open ports, I'm probably committing a crime. If you have not made your desktop machine public, my accessing it is almost certainly against your wishes.


That's not his logic at all.


I'm thinking that voicemail is pretty public. Not as public as a web site, but more so than your desktop machine - after all, it's available 24X7 from any phone in the universe.

The difference is only expectation. Some folks have the expectation that voicemail is as private as, for instance, an answering machine. Which is clearly not the case if you are technically savvy, which I'm thinking a judge is not.


To access my voicemail, you have to enter my pin. If I have not set a pin, there's still a default one. The way around this is to spoof my number (on a phone that uses pinless voicemail access) and pretend to be me. In no case is my voicemail public, either in practice or in intention.

I'm not sure how you think an answering machine is different from voicemail. I can access my answering machine from any phone in the universe, too, or at least I could if this was still 1995. Voicemail is just an answering machine that handles a lot of telephone lines.


It wasn't open to the public. Her voicemails, my voicemails, your voicemails are in no sense published. In the Milly Dowler case, the PI raked through the bins of the dead girl's family a few days after she went missing to find leads on what her phone number was.

Edit: bins == trash (sorry was thinking in anglicisms)


No, but if you don't lock up corporate secrets, or put passwords on computers, then it isn't industrial espionage when I walk off with a copy of same. This is why everybody carries cardkeys - not because they work very well (folks circumvent ours with a coathanger when they forget their badge) but because the act of having cardkeys makes taking stuff a crime.


What exactly do you base that claim on? Can you cite some relevant law that says it's only a crime to steal trade secrets when the door was locked?


Actually, in trade secret law, the measures you take to protect your secrets do come into play. I'm not sure they matter in a criminal case, though.


Fair enough. I'm not well-versed in trade secret law.


Because that's not even remotely true. If you leave your wallet on the table and someone takes it, you've most certainly been the victim of theft.


At home? In a bar? They are completely different. In a bar, it becomes the property of the bar owner. Who is very likely to give it back, but in no way obliged to do so by law.


Citation needed for claim that "if you accidentally leave your wallet in a bar, the bar owner now owns the wallet".


Where on earth are you getting these bizarre legal opinions from? Every reply you make in this thread is more and more clueless.


Covered ad nauseam in the 'iPhone prototype left in a bar' thread. Sorry, I haven't learned to search HN history for articles.

It does seem bizarre, doesn't it? Sometimes petty legal issues are resolved using precedent and it can seem arbitrary, probably because it is.

For instance, it's accepted in the US that in a rear-end collision it's the car in back that is at fault. In Austria I've been told the car in front is at fault!

Both sides could be argued. But like in baseball with the infield-fly rule, a rule gets made to settle it once and for all, and it is really arbitrary.


> Covered ad nauseam in the 'iPhone prototype left in a bar' thread.

What on Earth are you talking about? That phone was still the property of Apple. Gizmodo's blogger was investigated for involvement in felony theft. Leaving your property does not stop it from being your property. If someone finds your property and refuses to return it (or in some cases simply neglects to turn it into the police), they are guilty of a crime.


Don't forget all the stuff about helping people under suspicion of murder spy on the police officer investigating them! And extensive bribing of high level police officers!

Oh yeah and all the links these people had right to the highest level of our government.

WRT more scandals: every newspaper does this. It is standard industry practice. Why do you think they never gave notw a hard time over it, all these years? The same reason political parties never attack each other over funding. Because they all stink.


> WRT more scandals: every newspaper does this. It is standard industry practice.

Which is one of the reasons we might see a few more scandals become public, either because people in the know see the opportunity to milk a few quid out of the momentum built up by the current publicity or because people currently getting the sack don't want to go down without taking a few rivals out on the way. Or, less cynically, just because any public investigation (one of which is promised by the government) into NoTW uncovers significant evidence of the wider issue.


> While some of the "hacking" was no more than calling into voicemail accounts with no pin/password set...

Taking stuff from my house is still robbery even if I left the front door open.


I think (assume) he wasn't questioning the link between what they did with illegality/immorality, just that "hacking" implies something a little more technical.


Aye. The difference between taking a laptop left on a train and breaking into a house to take one. No less theft in either case, but one takes (a little at least) more effort than the other and is less dependent on carelessness on the part of the victim.


Taking a laptop left on the train isn't a very good analogy. The train is essentially a public space (for anyone holding a ticket, at least) and people have a right to be there.

Getting in to PIN-less voicemail boxes is like walking down a street and checking which doors are unlocked, and then assuming a lack of security means the owner is permitting you to take whatever you can find inside.


I think his point was not that it didn't rise to the legal definition of hacking (of course it did), but whether it rose to the Hacker News definition of newsworthy hacking (hardly).


Not a great analogy. Nothing was taken.

It would be more accurate to say that you left your curtains open, and someone took a picture of the inside of your house through the windows.

Maybe an invasion of privacy, but not theft.


This is totally beside the point. He was simply responding to the notion that the ease of the act mitigated the severity.


> It would be more accurate to say that you left your curtains open, and someone took a picture of the inside of your house through the windows.

And if I was naked at the time, and if they then sold those pictures of me, I'm fairly certain it would be a crime.


I didn't say it was legal, I just said it was a bad analogy.

If you set up a directory /admin on your webserver, and forget to password protect it, and someone accesses it, you can't really call it hacking.


That's still a bad analogy, and you've used it way too many times in this thread.

Whether or not accessing anything on a webserver is illegal depends partly on your intentions while doing so. That's a basic function of most court trials--to discern your intentions. For example, see the differences between the various degrees of murder, and the way such trials often hinge on "preconceived intent."

If my intention in accessing "/admin" was to access your server without your authorization to access some protected piece of information, damage computers, or defraud you, that may indeed be a crime. See http://www.law.cornell.edu/uscode/18/1030.html . It doesn't matter whether it was password protected or not. If I went there by accident, however, it probably was not a crime, although depending on what I accessed I may wind up having to go to court to prove that my intentions were benign.


You absolutely can call it hacking, and people have been prosecuted for things like that. How much simpler can I say it? The difficulty of an attack has nothing whatsoever to do with the severity of the resulting offense. Difficulty is just one measure that can be used to establish your purposefulness in exploiting unauthorized access.


> The difficulty of an attack has nothing whatsoever to do with the severity of the resulting offense.

My point which you gloss over is in the definition of "attack".

Whether browsing to a publicly accessible url with no security is an attack or not, is a very grey area.


No, it's not a grey area. The "public accessibility" of a URL may serve as evidence that you had no criminal intent (because you didn't have to "jimmy the lock" to get in), but if you then do things with that access, you're criminally liable.


Voicemails were deleted from the missing girl's phone.

One - they could have been evidence (apparently killers often leave sympathetic messages to try and deflect attention), and two - it made the parents and the police think she was still alive when she was in fact already dead.


According to the NYT article, they actually did delete messages from the cell phone (to make room for more).


> Not a great analogy. Nothing was taken.

In at least one case, voicemails were deleted from a murder victim's inbox.


Only if it uses violence or the threat thereof; otherwise, it's theft.


According to the NYT article summarizing this, the reporters (or PIs hired by them) not only accessed messages in the murder case, they also deleted some to make room for more.

Assuming this is true, it makes irrelevant a lot of gedanken experiments in the thread here.



