
It is a terrible decision

    curl http://domain.com/showdocument?[00000-99999]
should not be a crime!!
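What the curl glob above actually exercises is a record lookup keyed on a guessable sequential ID with no check that the caller is entitled to the record. The following is an added example written for this page, not AT&T's code or anything posted in the thread: a toy `showdocument` handler in its vulnerable form next to a hardened one, and a loop that does what `[00000-99999]` does. The users, records and IDs are constructed.

```python
"""Sequential-ID enumeration against a toy document endpoint, beside the
ownership check that stops it. Added example; users, records and the ID
range are constructed for illustration."""

# Constructed sample data: doc_id -> (owner, contents). The IDs are small
# sequential integers, exactly the shape a curl range glob walks through.
DOCUMENTS = {
    1: ("alice", "alice@example.test"),
    2: ("bob", "bob@example.test"),
    3: ("carol", "carol@example.test"),
}

def fetch_document_vulnerable(session_user, doc_id):
    """Looks the record up by ID alone. Anyone who can reach the endpoint
    reads every record by iterating doc_id. Returns (status, body)."""
    if doc_id not in DOCUMENTS:
        return 404, None
    owner, body = DOCUMENTS[doc_id]
    return 200, body

def fetch_document_hardened(session_user, doc_id):
    """Same lookup plus an ownership check bound to the authenticated
    session. No session gives 401; someone else's record gives 404 rather
    than 403, so the status does not confirm that the ID exists."""
    if session_user is None:
        return 401, None
    record = DOCUMENTS.get(doc_id)
    if record is None or record[0] != session_user:
        return 404, None
    return 200, record[1]

def enumerate_ids(handler, session_user, lo, hi):
    """What `curl 'http://host/showdocument?[lo-hi]'` does: one GET per ID
    in the range. Returns {doc_id: body} for every 200 response."""
    leaked = {}
    for doc_id in range(lo, hi + 1):
        status, body = handler(session_user, doc_id)
        if status == 200:
            leaked[doc_id] = body
    return leaked

if __name__ == "__main__":
    print("vulnerable:", enumerate_ids(fetch_document_vulnerable, "alice", 0, 99999))
    print("hardened:  ", enumerate_ids(fetch_document_hardened, "alice", 0, 99999))
    print("anonymous: ", enumerate_ids(fetch_document_hardened, None, 0, 99999))
```

The hardened handler closes the hole regardless of how the IDs are generated; switching to random, non-sequential identifiers is worth doing as well, but only as defence in depth, since an ID that leaks through a log or a referrer would still open the record without the ownership check.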



What if doing so killed a person for each ID at showdocument? Ok, that's pretty absurd. What if it wiped out their bank account?

Don't you think that the consequences should depend on what the action actually accomplished, rather than the action itself? Flicking a lighter is generally pretty innocuous, but if done to light a house on fire, it means it's a bit different - right?

Yes, it's their fault too for leaving it open, but you had a choice when you decided to access it N000 times, rather than saying "oops, that does something bad, I think I'll stop".

I don't think the punishment fits the crime in this case, but I don't think he's entirely innocent either. Once you've shown that someone stupidly left their door open, the polite thing is to let them know, rather than walking around in their house looking at all their things to show them the error of their ways. IMO a fine would more than suffice as a punishment, though.


"What if doing so killed a person for each ID at showdocument? Ok, that's pretty absurd. What if it wiped out their bank account?"

Shouldn't you hold the people who created that system responsible, rather than the person who used it? If I rig up my cell phone to a gun, so that every time someone calls it it shoots at a crowd of people, should the people who call it go to prison while I walk free?


If they know what happens when they call, yes, they should go to jail too.

He knew what he was doing once he'd pulled down a few records.

Also, yes, ATT should be held responsible for implementing lame security.


I think that the problem with this thinking is:

(a) Even altering a parameter once in the address could be considered illegal under the current laws.

(b) The access of information in and of itself would not be illegal alone. Say I kept a bunch of people's information in paper files in file cabinets. Then I gave you access to retrieve yours from the file drawer yourself. It is sleazy, but not necessarily illegal to look at other files in the drawer, as I have given you access to their container.

(c) Even if you want to make the action in (b) illegal, the reasonable punishment is almost certainly not a double digit prison sentence.


Sure, but my point is that he has no greater responsibility than AT&T does. Why are we acting like AT&T is an innocent victim?


> Why are we acting like AT&T is an innocent victim?

No one here is. I'm not sure why no one has done anything to them, legally. It'd be interesting if someone who actually knows what they're talking about in terms of the legal system could comment on it.


This analogy has been flawed from the beginning, but to extend it just for the fun of it, that's like pulling the trigger of a gun and then blaming the gun for having the mechanics to turn that trigger pull into a fired bullet that kills someone. The action being done is on your end, and the system, though possibly flawed, is not the cause of the results. It may be a factor and it may enable those results, but the actor is the cause in that situation.

I honestly don't even know where I stand on the actual discussion point, but I do know where I stand in the weird analogy tree we've made.


It is more like blaming the owner of the gun, who loaded the gun, aimed it, set up the shot, and then left it up to the trigger man whether or not to pull the trigger.

Bringing things back to reality here, AT&T was entrusted with personal information but failed to properly secure it. They set up a system that automatically responded to requests for personal information. They gave unauthorized people access to that system. We should be blaming AT&T and making them pay punitive damages for their irresponsible behavior, not whining about how terrible Weev is for using the system they gave him access to. The fact that AT&T can just shrug it off is what allows the sorry state of security to persist.


The GET method should be safe (and idempotent). The implementation does not respect RFC 2616.

The RFC says in section 9.1.1 that: "Naturally, it is not possible to ensure that the server does not generate side-effects as a result of performing a GET request; in fact, some dynamic resources consider that a feature. The important distinction here is that the user did not request the effects, so therefore cannot be held accountable for them."
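The passage quoted from RFC 2616 is easier to see in code than in prose. Below is an added example, not from the thread and not anyone's production code: a toy resource whose GET deletes data, next to the same routes with state changes confined to non-safe methods, plus a link-following crawler that only ever issues GET. The routes, store contents and crawler are constructed for illustration.

```python
"""A GET with a destructive side effect, beside the same routes with state
changes refused on safe methods, exercised by a crawler that only ever
sends GET. Added example; paths, data and crawler are constructed."""

# Methods RFC 2616 section 9.1.1 calls "safe": they must not change state.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

class Store:
    """Constructed in-memory data the handlers operate on."""
    def __init__(self):
        self.items = {"a": "first", "b": "second"}

def _index(store):
    # A listing page whose links point at the delete action for each item.
    return 200, " ".join(f"/delete?id={k}" for k in store.items)

def handle_vulnerable(store, method, path, params):
    """/delete?id=X removes the item on ANY method, GET included: whoever
    merely follows the link has 'requested' a deletion."""
    if path == "/delete":
        store.items.pop(params.get("id"), None)
        return 200, ""
    if path == "/":
        return _index(store)
    return 404, ""

def handle_hardened(store, method, path, params):
    """Same routes, but a state change on a safe method is refused with
    405 and the permitted method is named, so a GET cannot delete."""
    if path == "/delete":
        if method in SAFE_METHODS:
            return 405, "Allow: POST"
        store.items.pop(params.get("id"), None)
        return 200, ""
    if path == "/":
        return _index(store)
    return 404, ""

def crawl(handler, store):
    """A well-behaved crawler: GET only, follows every link it sees, has no
    intent to change anything. Returns the sorted set of URLs visited."""
    queue, seen = ["/"], set()
    while queue:
        url = queue.pop()
        if url in seen:
            continue
        seen.add(url)
        path, _, query = url.partition("?")
        params = dict(p.split("=", 1) for p in query.split("&") if p)
        status, body = handler(store, "GET", path, params)
        if status == 200:
            queue.extend(link for link in body.split() if link.startswith("/"))
    return sorted(seen)

if __name__ == "__main__":
    s = Store(); crawl(handle_vulnerable, s)
    print("after crawling the vulnerable app:", s.items)
    s = Store(); crawl(handle_hardened, s)
    print("after crawling the hardened app:  ", s.items)
```

Moving the deletion behind POST is what makes the RFC's distinction hold mechanically: a crawler, a prefetching browser or a link preview can no longer trigger it. It does not by itself stop a malicious page from submitting that POST on a logged-in user's behalf; that is the separate CSRF problem, which the RFC passage does not address.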


That would be a crime, because then the email addresses would've been "possessed" or "transferred" "in connection with" another distinct and separate crime.

But giving them to a responsible journalist for whistle-blowing purposes is not a crime. It's a public service.


> I don't think the punishment fits the crime in this case, but I don't think he's entirely innocent either.

In this case there is no crime. And I repeat this again, AT&T was behaving like http://www.mailinator.com/


Should I be allowed to brute force passwords then?


Yes, because organizations that use simple password-based authentication to secure important things (bank accounts, private messages, etc.) should be held responsible for the outcomes of such attacks. In such a world the state of computer security would not be so pitiful.


You and sneak seem to be proposing a legal regime under which no "hacking" of any kind is illegal. If the system will perform action B given request A, issuing request A, no matter the intent, cannot be a crime?

If I'm missing an important distinction you'd make, I'd very much like to hear what it is.


I would prefer if the system punished people for what they did with their access to data, not simply for having that access; organizations that hold private or sensitive information should be punished if unauthorized people can access it by any means. Having email addresses or credit card numbers should not be the crime, regardless of how you obtained that information. Committing credit card fraud or selling credit card information to other unauthorized people should be crimes (or failing to secure your computer where you store said information).

So Weev should not be punished for downloading the email addresses. AT&T should be punished for making the list available to him (and likewise, if Weev made the list available to others, he should be punished for that).


Apologies for crossing threads, but aren't you pretty upset that the NSA simply has Verizon phone records, despite a lack of evidence they're planning on doing anything nefarious with them?

Anyway, as I understand it, weev did speculate about selling the information. And would you be so sanguine if this were health records or private photographs? I'm not seeing a plausible guiding principle here.


We hold the government to a different standard. I am free to forbid atheists from entering my home, and nobody can complain about it beyond calling me an asshole. The government cannot ban atheists from its buildings. Many people have pointed out that the NSA was collecting information that private industry already had -- yet we are still angry about the NSA having it.

I also draw a line between what makes me upset and what should be a crime. I do not think that everything that makes me upset should be illegal. Frankly, while I would be angry at Weev if he downloaded hospital records, I would be much more angry at the hospital that failed to secure those records. I believe that the law should draw the line at how the information is secured and how it is used, not how it is obtained.


@betterunix-- seriously? It's OK with you if they get your private data, no matter how they acquire it? Spoken like someone who has never had exposure of private data used as a THREAT... something weev is known for. If someone uses illegal means to obtain your private data, they can exploit/weaponize that acquisition without having to then use the private data to commit a different crime. (different from the crime -- usually fraud -- in how they obtained it).

Weev has taught many of us that acquiring your private data is enough to make you wonder when, exactly, he will decide to use it. Or in my case, to publish it and encourage the whole WORLD to use it. And don't get me started on medical records... If you honestly believe that acquiring private data shouldn't be illegal until it is used in a crime, you have obviously never been threatened with exposure from someone who did just that. (but again, I don't think this applies to the AT&T case) -- Kathy Sierra


Blackmail and harassment are both crimes, you know. If someone is threatening to expose your private data, it makes no difference how they acquired it -- it is a crime regardless of whether or not they were authorized to have it.

The problem with charging hackers for having information they are not supposed to have is that it takes the responsibility to keep data secure away from those who are entrusted with it. Take medical records as an example. Yes, we want them to be kept private, but that should be the responsibility of hospitals, doctors, etc. If some hacker downloads those files, the hospital should be punished for their failure to keep the files secure. If we want to believe that hackers are magicians and that any Internet-connected system can be compromised, don't connect systems with medical records to the Internet.

What is wrong with making it the responsibility of anyone who has private information to keep that information private? If a hacker downloads a hospital's records, I think it is fair to expect that hacker to keep those records private, and to prosecute the hacker if they are revealed to anyone for any reason (even if the hacker is himself a victim of another hacker).

People should not have to be afraid to run a web crawler out of their own house. Yes, a web crawler is going to find private information that was not properly secured. That should not make the person running the crawler a criminal.


Hacking as a crime is almost entirely an economic crime. So it is pretty easy to distinguish hacking that deserves to be a felony from hacking that, at worst, should be a low-grade misdemeanor, by requiring actual profit for the criminal or actual loss from loss of data or exploitation of data acquired by hacking (not what it costs to fix incompetent security).


WRONG!

"Brute force" is literally an attack. However what AT&T did was only use the equivalent of usernames just like http://www.mailinator.com/ does.


We know how to stop brute force attacks; we have known for years how to stop them. I see brute force attacks on my SSH servers all the time, and I ignore them. I am comfortable ignoring brute force attacks because I do not allow password authentication at all. The attacker would have to try to guess one of the users' secret keys -- and that is beyond just a long shot.

So why have we not deployed this "amazing" technology, or similar technology, everywhere? A lack of incentive. If a hacker successfully carries out a brute force attack, the company running the systems does not suffer at all; they just pass it off as "some dark wizard hacker pwned us, sorry!" Nobody is spending the money to deploy smartcards far and wide because nobody has any reason to. It is less expensive to pay the pittance required to clean up after a hack than to stop hacks in the first place. If banks had no legal recourse when some script kiddie hacked a customer account, they would be far more likely to give customers smartcards and use more secure authentication mechanisms.

To put it another way, making a brute-force attack a crime is placing responsibility for securing the system on the people who want to attack it. It should be obvious why that makes no sense.


Yes. You can't use force or coercion to rob a server of data, all you can do is ask nicely (or repeatedly).

In a just world, we would let full responsibility lie with those who deployed the machines without understanding the consequences of, e.g., no login failure rate limiting.
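Both the SSH comment above (ignore password guessing because password authentication is off entirely) and this one (the fault lies with whoever deployed a login with no failure rate limiting) turn on the same control. The following is an added example for this page, not any commenter's code: a login throttle that keeps a sliding window of failures per account and per source address and refuses further attempts, correct password included, once either window fills. The thresholds, the account and the password are constructed, and the clock is injectable so the window can be exercised offline.

```python
"""Login throttling against brute force: a sliding window of failed
attempts per account and per source, checked before the password is
consulted. Added example; thresholds, accounts and addresses are
constructed for illustration."""

import hmac
import time
from collections import deque

# Constructed credential store. A real one holds salted password hashes;
# plain strings keep the example self-contained.
ACCOUNTS = {"alice": "correct horse battery staple"}

class LoginThrottle:
    def __init__(self, max_failures=5, window_seconds=300, clock=None):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock or time.monotonic   # injectable for offline tests
        self.failures = {}                      # key -> deque of timestamps

    def _recent(self, key, now):
        """Drop failures older than the window; return what remains."""
        q = self.failures.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_locked(self, key):
        return len(self._recent(key, self.clock())) >= self.max_failures

    def record_failure(self, key):
        now = self.clock()
        self._recent(key, now).append(now)

    def attempt(self, username, password, source):
        """Returns 'ok', 'denied' or 'throttled'. The throttle runs first,
        so once a limit is hit even the right password is refused until
        the window drains. Failures count against both the account and
        the source, so neither one attacker with many accounts nor many
        sources against one account slips past a single counter."""
        keys = (f"user:{username}", f"src:{source}")
        if any(self.is_locked(k) for k in keys):
            return "throttled"
        expected = ACCOUNTS.get(username)
        if expected is not None and hmac.compare_digest(expected, password):
            return "ok"
        for k in keys:
            self.record_failure(k)
        return "denied"

if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, window_seconds=60)
    for guess in ("password", "123456", "letmein", "correct horse battery staple"):
        print(guess, "->", throttle.attempt("alice", guess, "10.0.0.1"))
```

Keying on the account alone would let an attacker lock a victim out at will; keying on the source alone is evaded by spreading guesses across addresses, which is why both counters are kept. The commenter's own choice, key-only SSH with password authentication disabled, removes the guessable secret altogether and makes this throttle unnecessary for that service.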


an exploit is asking nicely, all I did was GET /????\n\n\n\nfjasdfuisdjflkwenuadfnwerAAJLKJFIEFSEIFJSDLFKJERIWERRISLDKJLDKJF and then I connected to a shell on port 8118? I mean, it just answered the request ...


Passwords are hashed in an attempt to conceal them.

Websites are served in an attempt to disseminate them.

There's a big difference here.


I wasn't saying passwords and websites are the same (I'm not even sure what that means) but was pointing out that saying it's fine to throw random stuff at a webserver would mean that it's fine to repeatedly throw user/pass combinations at a webserver.



Couldn't we draw a line between retrieving information and modifying it?



