
So, if somebody has SSH open on port 22, root password login enabled, and a root password of Pa$$w0rd, and I guess that and log in, should that be legal? If so, what about a more complex password? Should we legalise other remote attacks on systems?

It could very reasonably be argued that in the case of AT&T's system, device IDs count as passwords for accessing the system.

Simplifying things a little, there was an API, which looked somewhat like this:

    GET http://example.com/get-email?device-id=123456
    > example@example.com

Now, if we replaced that with some sort of bespoke raw socket interface that somebody would have to reverse-engineer:

    CONNECT example.com:4567
    > <somemessage>123456<somemessage>
    < <someresponse>example@example.com<someresponse>

Would you still be arguing "it's on the web"?

What if I added a field named "password" which always had to be the same value, which was distributed to all devices?

What if it wasn't email addresses, but instead credit card data, or sensitive data such as your race, religion, sexuality, political leanings, medical information...?

I'm not attacking you, simply stating that in my opinion, it's not as simple as "if you can access it, it's public". There's an expectation of privacy for many types of data, especially when the data owner is not explicitly intending to publish the data.




Also, both SSH and HTTP have defined authentication mechanisms built into the protocol.

The HTTP spec has a response code, 403, for indicating that a request (potentially without authentication information) is unauthorized. SSH has a similar defined response.

If there's _no authentication around it_, I would argue that it's published to the public web, regardless of the protocol in use to deliver it.


The expectation of privacy covers the company, not the hacker who downloads the information. What differentiates hooking up an insecure, password-authentication-based system to the Internet, and leaving a plaintext copy of the data on a hard drive on a park bench somewhere? Holding companies responsible, and more responsible than hackers, would improve the state of computer security in short order (to everyone's benefit).


I would hold both responsible quite happily and independently of each other. AT&T obviously did not heed the user's expectation of privacy in this case - they could've done so using a challenge-response authentication system with the response algorithm protected by DRM on the iPad - but in addition, Weev could reasonably be expected to understand that this was not supposed to be public data.

Additionally, the expectation of privacy, in my opinion, covers the data owners (the people who gave the company the data), not the company who is merely holding and processing the data. Although the US has rather messed up data laws compared to the EU, so I am not sure whether this would be true over there.
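
An added illustration, not part of any comment in this thread and not AT&T's code: the simplified device-ID lookup discussed above, next to a challenge-response variant of the kind the previous comment mentions, where an unproven request gets the 403 referred to earlier. The per-device keys, the HMAC-SHA256 construction, the function names and all sample data are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: device IDs, per-device keys and addresses are made up.
DEVICE_KEYS = {"123456": b"k-123456-constructed", "123457": b"k-123457-constructed"}
EMAILS = {"123456": "example@example.com", "123457": "other@example.com"}
_pending = {}  # device_id -> outstanding one-time nonce


def get_email_unauthenticated(device_id):
    """The thread's simplified endpoint: the identifier alone selects the record."""
    email = EMAILS.get(device_id)
    return (200, email) if email else (404, None)


def issue_challenge(device_id):
    """Step 1: the server hands out a fresh random nonce for this device ID."""
    nonce = secrets.token_bytes(16)
    _pending[device_id] = nonce
    return nonce


def device_response(device_key, device_id, nonce):
    """Step 2 (device side): prove possession of the key without sending it."""
    return hmac.new(device_key, nonce + device_id.encode(), hashlib.sha256).digest()


def get_email_authenticated(device_id, response):
    """Step 3: verify the response; the nonce is consumed, so replays fail."""
    nonce = _pending.pop(device_id, None)
    key = DEVICE_KEYS.get(device_id)
    # Same 403 for unknown IDs, missing challenges and bad responses,
    # so the reply does not reveal which device IDs exist.
    if nonce is None or key is None or response is None:
        return (403, None)
    expected = device_response(key, device_id, nonce)
    if not hmac.compare_digest(expected, response):
        return (403, None)
    return (200, EMAILS[device_id])
```

In the second variant the device ID stays an identifier and the key is the credential, so knowing or predicting an ID is no longer enough to read the record.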


A perfect implementation of what AT&T did is this service: http://www.mailinator.com/

As you can see, all emails are accessible without a password, just a username. This is what was required to get the customers' data from AT&T, serial numbers which are by definition serial and obvious to predict, just like anyone visiting http://www.mailinator.com/ would punch in their own name to see what was there and then try some other people's names.

To make Weev's access illegal there must be at least some form of security like a password that he should circumvent. That would be illegal. Placing data accessible through usernames without passwords is not an obstacle or security measure and should NOT be criminalized because it weakens the law and makes anyone a criminal.


Ah, but AT&T did not publicise the endpoint in any way either, unlike Mailinator.

More to the point, users using Mailinator do not have an expectation of privacy regarding the data they gave Mailinator (or that they told other services to give Mailinator). This is, therefore, a different situation.

If I find someone's personal information in Mailinator, that is most likely because a user agreed to allow a service to send their personal information there. In most cases, I wouldn't have any reason to believe any of this data was not intended to be there, unless there were other clues.

In the case of the AT&T breach, two things lead me to believe that Weev violated the privacy of the users:

* It is quite unlikely that users intended to have their email addresses published to the public through this endpoint, and it can easily be shown that Weev understood that - he would not otherwise have chosen the course of action he took.

* AT&T have never publicised this endpoint.

I am not holding AT&T as the victim here, but rather the customers of AT&T whose data was breached. AT&T and Weev were equally complicit in the breach, and AT&T should be held separately responsible.


Just because there's an expectation of privacy doesn't mean that such an expectation is reasonable.

It is not reasonable to have an expectation of privacy if your root password is "password" and you have ssh open to the world, no.


False. There is an expectation of privacy in a public bathroom even if it doesn't specify that cameras are not allowed.



