This is a spin-off of a discussion in the USPol Thread. The primary question being asked is: Did the actions of the Internet Archive Team qualify as "Hacking"?

Context:

punishedkissinger posted: Looks like the Parler data scraping was legal and the site is incredibly poorly built.

Jealous Cow posted: https://www.vice.com/en/article/z4mn4x/weev-is-in-jail-because-the-government-doesnt-know-what-hacking-is

And my opinion on this:

Aramis posted: Anti-hacking laws are weird, but this is not outlandish. The law doesn't care how good of a job you do at securing your system, it only cares about whether someone intentionally bypasses whatever measures you have in place. It's kind of stupid from a technical level, but it at least makes things very clear from a legal standpoint.

Someone expressed interest in doing a deeper dive on the subject, so let's have at it! Now, since this is "settled" law, what we can do to kick this off is revisit the decision in Weev's case that set the precedent that publicly accessible but unlinked URLs are enough of a protection measure to qualify here.

Aramis fucked around with this message at 21:42 on Jan 13, 2021
# ? Jan 12, 2021 16:49
It’s pretty scary stuff, which is why rule number zero of pentesting is: get permission, in writing, clearly stating what is and isn’t allowed. Pretty timely, some pentesters hired to audit a courthouse just got their charges dropped. The court system hired them, but apparently there was some friction with the sheriff’s department, who arrested them and after the fact brought up some bogus charges saying they exceeded the scope of their audit. The paperwork released later clearly said “limited physical bypass”, which the sheriff said they overstepped. https://www.secureworldexpo.com/industry-news/pentesters-jailed-arrested

# ? Jan 12, 2021 16:58

uninterrupted posted: It’s pretty scary stuff, which is why rule number zero of pentesting is get permission, in writing, clearly stating what is and isn’t allowed.

Regarding hacking, it seems like there should be a mens rea defense available in cases where they are operating in situations like weev's case. It is stealing to walk into an open bank vault and take a stack of money, but is it hacking to walk into an open bank vault and write down the names on the safe deposit boxes?

# ? Jan 12, 2021 17:06

Shrecknet posted: I listened to the Darknet Diaries episode with these guys on it from last year, but it left off with the thread of their fate still in the air. Glad to hear they're OK.

Do you mean mens rea in the sense of "I intend to do something nefarious", or "I know that I'm not supposed to be accessing this"?

# ? Jan 12, 2021 17:10

Bookmarking for later

# ? Jan 12, 2021 17:47

Aramis posted: Do you mean mens rea in the sense of "I intend to do something nefarious", or "I know that I'm not supposed to be accessing this"?

The intent requirement doesn't really work like that - it's about whether you intended to carry out the process to access data. Simply running whatever program, script, or scraper is enough, along with having known, or should have known, that you did not have permission to access the data. You could defend against the mens rea element by providing evidence that you had actual permission from the data owner, or that a reasonable person, based on the information available at the time of the action, would have thought they had permission.

# ? Jan 12, 2021 18:49

Jealous Cow posted: Bookmarking for later

I was going to post about this (generally how we use it and its relationship to other issues with new threads) in the feedback thread, but you just have to click the Little Star at the top of the page or the top right of the app. Also bookmarking for later.

# ? Jan 12, 2021 19:15

Aramis posted: Do you mean mens rea in the sense of "I intend to do something nefarious", or "I know that I'm not supposed to be accessing this"?

If Colonel Sanders ran down the street yelling what the seven herbs and spices are, and I write down what he is yelling, that is not a corporate espionage invasion into KFC HQ. If a person could access a piece of data without bypassing any encryption or indeed even a No Trespassing sign, that cannot be considered hacking. The public has no duty to avert its eyes, in other words.

# ? Jan 12, 2021 19:30

Shrecknet posted: I mean in the sense that it satisfies none of the four levels of mens rea required to establish a crime has occurred.

Does it change if the information is self-evidently sensitive, and isn't acquired passively? Like, say, if KFC had their employees' SSNs posted in large print in their offices. Big enough that you could make them out with binoculars. You couldn't be faulted for unintentionally noticing this when bird watching. But if you then proceeded to intentionally scope out and write down the SSN of every employee, are you maybe crossing a different line? Separate from the fact of KFC's negligence. (excuse the awful analogy)

# ? Jan 12, 2021 19:50

Shrecknet posted: I mean in the sense that it satisfies none of the four levels of mens rea required to establish a crime has occurred.

Right, but there's a fine line between that and the "the door was unlocked" defense, which largely doesn't work. Probably comes down to a judge's willingness to insist on proving mens rea, and how much the government cares about prosecuting you.

# ? Jan 12, 2021 20:02

Worth noting that these laws are extremely broad because lots of companies are uniquely vulnerable to being hacked. Secure code is hard to write and often orthogonal to quickly written or performant or simple to maintain code, and especially companies that are small or don’t have a tech focus will have tons of vulnerabilities lying out in public. Legally it shouldn’t matter, but the wide scope of laws against hacking disincentivizes a lot of attacks.

# ? Jan 12, 2021 22:09

uninterrupted posted: Worth noting that these laws are extremely broad because lots of companies are uniquely vulnerable to being hacked. Secure code is hard to write and often orthogonal to quickly written or performant or simple to maintain code, and especially companies that are small or don’t have a tech focus will have tons of vulnerabilities lying out in public.

There's also the issue that security is impossible to maintain without compliance of employees, most of which are thoroughly unqualified to understand what they're complying with. Hell is in fact other people.

# ? Jan 13, 2021 20:00

Blue Footed Booby posted: There's also the issue that security is impossible to maintain without compliance of employees, most of which are thoroughly unqualified to understand what they're complying with. Hell is in fact other people.

And if you do try to test their compliance and send them for re-training (not termination) if they don't pass, you get called a heartless rear end in a top hat. GoDaddy sent a phishing email to their employees promising a Christmas bonus, and then got roundly criticized for "making the offer too inviting", as if that isn't the whole issue with phishing!

# ? Jan 13, 2021 21:39

Much like copyright law, hacking laws have become load-bearing bubblegum in the US economy. Also, if anyone wants an accessible way to see exactly how insecure we are, I can’t stop recommending James Mickens. 30 minute video, but he’s entertaining enough to stay engaged even without a technical background: https://vimeo.com/135347162

# ? Jan 13, 2021 23:19

In my ideal world, if the data is publicly accessible and it is intended to be that way as well, aka. a Parler post that is visible to anyone with an account, I don't think anyone should be charged for accessing and making a copy of it. If Parler in this case had taken even the slightest effort to encrypt or secure the data, then I think that should open up the hacker to charges. The essence comes down to the intent of the data owner; if even the most rudimentary attempt is made to secure and keep private some specific data, then the attempt to get said data, no matter how insecurely it is being stored, is effectively breaking in and stealing. I see it as stealing Amazon packages, one of the easiest crimes ever, but it's still a crime and you shouldn't do it.

# ? Jan 16, 2021 19:25

Terebus posted: In my ideal world, if the data is publicly accessible and it is intended to be that way as well, aka. a Parler post that is visible to anyone with an account, I don't think anyone should be charged for accessing and making a copy of it. If Parler in this case had taken even the slightest effort to encrypt or secure the data, then I think that should open up the hacker to charges. The essence comes down to the intent of the data owner; if even the most rudimentary attempt is made to secure and keep private some specific data, then the attempt to get said data, no matter how insecurely it is being stored, is effectively breaking in and stealing. I see it as stealing Amazon packages, one of the easiest crimes ever, but it's still a crime and you shouldn't do it.

This kind of standard would also need actual penalties and charges for insecure companies that get hacked and expose people's personal information. GDPR has done a lot for that in Europe, but in the US you’re basically hoping a lawsuit works out.

# ? Jan 17, 2021 02:04

The civil standard of negligence should be applicable. If I'm operating a business and I leave a bunch of credit card numbers lying around where anyone can see them, it's a crime to break in and steal them, but it's also negligent on my part to store them in an insecure fashion. If I kept them in a cardboard box that says "confidential!" that's still a bit poo poo, but slightly less negligent. If I stored them in a safe, and I didn't leave the key nearby, that's appropriate precaution on my part, even if the thief breaks into the safe.

# ? Jan 17, 2021 02:44

PT6A posted: The civil standard of negligence should be applicable. If I'm operating a business and I leave a bunch of credit card numbers lying around where anyone can see them, it's a crime to break in and steal them, but it's also negligent on my part to store them in an insecure fashion. If I kept them in a cardboard box that says "confidential!" that's still a bit poo poo, but slightly less negligent. If I stored them in a safe, and I didn't leave the key nearby, that's appropriate precaution on my part, even if the thief breaks into the safe.

What is the current law on affirmatively having to secure sensitive information? Are there minimum technical standards or safeguards that have to be employed, or is it a case-by-case, “if your poo poo gets stolen because your credit card company didn’t secure it enough, sue them and try your luck in court” kind of thing? An affirmative duty to securely store sensitive information seems like the only legal solution, similar to how some states require you to lock your gun in a safe, but it’s difficult to see how exactly you would legislate that.

# ? Jan 17, 2021 08:20

Still Dismal posted: What is the current law on affirmatively having to secure sensitive information? Are their minimum technical standards or safeguards that have to be employed, or is it a case by case, “if your poo poo gets stolen because your credit card company didn’t secure it enough, sue them and try your luck in court” kind of thing?

Specifically as concerns credit card numbers, I believe the regulations are specified by the Payment Card Industry group, and if you are audited and found to be violating them, good luck having credit cards processed anymore! You might also be liable for any losses that result, subject to the terms of your contract with the credit card processor, but I'm not sure.

# ? Jan 17, 2021 16:32

Shrecknet posted: I mean in the sense that it satisfies none of the four levels of mens rea required to establish a crime has occurred.

And this is why the term hacking has been so muddied and lost all meaning anymore (which I understand is the point of this thread). Unauthorised access doesn't always mean hacking. If you were to steal someone's front door key and use that to get into their house, that's not hacking, it's unauthorised access. Kicking the door in or picking the lock is hacking in a sense, as it's exploiting an unintended aspect of the security measure.

I guess beyond that is something that's been mentioned earlier, but as someone who works in Cyber Security, it's loving difficult and I don't think people realise how difficult it is. Companies generally don't give a poo poo unless something happens to them, and even then the people that take the blame are the head of security or the guys patching the systems, which in reality is rarely their fault. Most security and IT teams are understaffed and under-budgeted. They aren't allowed to implement patches when they want, as that would incur downtime for the systems, which would mean loss of potential revenue. They are then asked to work overtime or be on call when something goes wrong.

I also feel we as a security community don't do enough of the basics correctly and rely on automated systems and tools too much. Education is severely lacking for most companies beyond "Here's a 5 min video on phishing. Now remember, don't click on poo poo".

# ? Jan 17, 2021 17:03

Still Dismal posted: What is the current law on affirmatively having to secure sensitive information? Are their minimum technical standards or safeguards that have to be employed, or is it a case by case, “if your poo poo gets stolen because your credit card company didn’t secure it enough, sue them and try your luck in court” kind of thing?

Depends where you are; the GDPR in the EU (and adjacent islands) covers this sort of thing:

quote: Art. 32 GDPR

So there's no "you must use x technology", which is good because that would be immediately out of date, and also not generally applicable.

# ? Jan 17, 2021 20:27

CyberPingu posted:
Also very telling is the fact that while insurance companies care to some degree that you have some security in place, what they REALLY care about is that a company has a recovery plan in place. The expectation is that it's basically impossible to protect a system against a motivated attacker without incurring hilariously excessive costs that very few companies are willing to actually fork out.

# ? Jan 17, 2021 22:16

Aramis posted: Also very telling is the fact that while insurance companies care to some degree that you have some security in place, what they REALLY care about is that a company has a recovery plan in place. The expectation is that it's basically impossible to protect a system against a motivated attacker without incurring hilariously excessive costs that very few companies are willing to actually fork out.

Cyber insurance is a loving scam. It is basically impossible to cover all your bases, and even then, unless you are rolling everything in house (don't roll your own cryptography), you are at the mercy of 3rd parties keeping their poo poo up to date too.

# ? Jan 17, 2021 22:40

Cyberinsurance is a scam, largely because most cyberinsurance plans have stuff in fine print that actually requires you to do some basic infosec stuff, otherwise they won't pay out.

Also: most companies' disaster recovery plans are never tested, if they exist at all. Part of why it was laughable when Pompeo was discussing outlawing paying ransomware, as it would likely impact American business interests more than it would harm ransomware groups.

Source: I do Infosec consulting for Incident Response and Security Engineering

# ? Jan 18, 2021 05:57

CommieGIR posted: Cyberinsurance is a scam, largely because most cyberinsurance plans have stuff in fine print that actually requires to do some basic infosec stuff otherwise they won't pay out.

Even with basic infosec stuff they sometimes don't pay out. Some companies won't pay out if info was stolen or downtime occurred via a phishing attack. Also, most companies do not have a good incident response plan either. The previous place I worked was basically "Well, we will phone the on-call IT guy and see if he answers or not".

# ? Jan 18, 2021 08:35

CyberPingu posted: Even with basic infosec stuff they sometimes don't pay out. Some companies won't pay out if info was stolen or downtime occured via a phishing attack.

Yup, I've had a couple clients this happened to. Was not a pretty sight.

# ? Jan 18, 2021 15:19

Platystemon posted:
i randomly came across this post and it made me curious about some of the points brought up in this thread. based on what folks were saying, i'm assuming that guessing the url for something that is technically publicly accessible, but not intended for public viewing meets the legal definition of hacking?

# ? Jan 26, 2021 02:12

GhostofJohnMuir posted: i randomly came across this post and it made me curious about some of the points brought up in this thread. based on what folks were saying, i'm assuming that guessing the url for something that is technically publicly accessible, but not intended for public viewing meets the legal definition of hacking?

The answer (as far as I know, I'm no lawyer) is that it depends on the intent of the developer of the site. If I create a website where http://example.com/book_title leads to some information about said book, then it's pretty clear that someone guessing that http://example.com/the_three_musketeers leads to something is not hacking, and part of the intended interface of the site. On the flip side, if the url schema is http://example.com/insert_256_digit_random_number, then it's pretty clear that no one is expected to access the resource without being given the link.

Obviously, it's not nearly as clear in cases like http://example.com/1, http://example.com/2, http://example.com/3. There's room to argue one way or another in that case. The rule of thumb is: if you went out of your way to access stuff that is behind enough protection that you would be aware that it was not meant for you, then you are in trouble. It doesn't matter how good or bad the protection is.

In this specific scenario, I would say that something like http://example.com/reports/Q3_2020_Infographic.pdf is clearly in the first category as long as previous reports fit the same pattern, and whoever did it is probably fine.

Aramis fucked around with this message at 16:42 on Jan 26, 2021
# ? Jan 26, 2021 02:40

Aramis posted: The answer (as far as I know, I'm no lawyer) is that it depends on the intent of the developper of the site.

I don’t know about that, people have been charged and imprisoned on hacks involving forced browsing. You could probably make a case saying “if the earnings report wasn’t listed on the webpage with a list of earnings reports, why else would you have sent a request to that URL besides getting information the rest of the market doesn’t have?” At which point, if the government has a vested interest in putting you in jail, the SEC comes out, and you need a small army of legal representation. Now I’m almost certain no one’s getting prosecuted for this, since there’s more negative PR prosecuting someone for the hack and having headlines about the trash security on Intel’s side. That said, if the leak was more damaging or sensitive I could have imagined it ending up in court.

# ? Jan 26, 2021 03:15

uninterrupted posted: I don’t know about that, people have been charged and imprisoned on hacks involving forced browsing. You could probably make a case saying “if the earnings report wasn’t listed on the webpage with a list of earnings reports, why else would you have sent a request to that URL besides getting information the rest of the market doesn’t have?” At which point if the government has a vested interest in putting you in jail, the SEC comes out, and you need a small army of legal representation.

If the url is /reports/QN_20XX_Infographics.pdf quarter after quarter, then it should be 100% expected that someone, if not a small army, will be F5'ing the poo poo out of that url. Assuming the naming is consistent, then putting the file online absolutely qualifies as making the information public. Obviously, none of that matters when you are up in court against the SEC and Intel, and if they want to throw the book at you, then good luck.

# ? Jan 26, 2021 03:32

Aramis posted: If the url is /reports/QN_20XX_Infographics.pdf quarter after quarter, then it should be 100% expected that someone, if not a small army, will be F5’ing the poo poo out of that url. Assuming the naming is consistent, then putting the file online absolutely qualifies as making the information public.

Totally agree, it’s a brain-dead security breach, Intel poo poo the bed with the lights on. I’m just considering from the pentest end, a spidering attack versus a forced browsing attack would have very different discussions with a customer as far as scope and ROE. I imagine similarly in court, especially in a world where plenty of newcomers to the internet could plausibly never type out a url in their lives, a forced browsing attack could be seen as subverting the way a website is meant to work. Like, it’s obvious to some of us, but to a septuagenarian judge who just Altavistas up the Yahoo! Mail every day, explaining why you were manually going to a url that wasn’t on the Intel page might not go well. Yeah, it’s easy to some of us, but it’s also easy to type ‘ or ‘1’=‘1 into every text field you find, and that can definitely get you charged.

Fake edit: wow, the code tag is pointless

# ? Jan 26, 2021 03:44

Aramis posted: The rule of thumb is: if you went out of your way to access stuff that is behind enough protection that you would be aware that it was not meant for you, then you are in trouble. It doesn't matter how good or bad the protection is.

lol 20 years ago me would've been in trouble looking at a website's directory. It was fun finding files that were hosted but not linked anywhere on their html pages.

# ? Jan 26, 2021 08:47

Freakazoid_ posted: lol 20 years ago me would've been in trouble looking at a website's directory. It was fun finding files that were hosted but not linked anywhere on their html pages.

Reminds me of 14-year-old me being thrilled to discover a major gaming forum didn't actually validate if a user was permitted to upload a custom avatar if they pasted the javascript command to open the upload form window into the address bar.

# ? Jan 26, 2021 10:28

Remember anti-piracy rootkits on music CDs? Holding your Shift key while inserting the disc in order to stop them from autorunning could be considered illegal hacking. Changing the URL in your web browser to access publicly available data IS illegal hacking, and this guy got convicted for it: https://translate.google.com/transl...url-er/72187300

quote: The Norwegian Public Roads Administration ruling:

# ? Jan 26, 2021 13:24

evobatman posted: The defendant then discovered that by changing an ID in the URL used by the website, one could retrieve other people's information. The accused then wrote a script that changed the ID continuously, and downloaded the Norwegian Public Roads Administration's customer register.

That's a heck of a leap to conclusion. The hacker did a lot more than just access an unlisted URL. They wrote a script to systematically iterate through semantically empty ids in order to discover and access resources that they knew were not meant to be public. This idea that at the end of the day "all they did was access publicly available resources" removes several layers of context, and is only true in the strictest of technical sense.

Aramis fucked around with this message at 14:27 on Jan 26, 2021
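The behaviour Aramis describes, a script stepping through one ID after another, is exactly the pattern a defender can hunt for in access logs, and it is what separates this case from someone opening a single unlinked URL. The following is an added example and not code from anyone in this thread; the Common Log Format lines, the /customers/<id> path and the IP addresses are all constructed for illustration.

```python
"""Flag clients that walk sequential object IDs in web access logs.

Added example (not from the thread). Assumes Common Log Format style lines
and that per-customer records live under a path shaped like /customers/<id>;
both the format and the sample lines below are constructed.
"""
import re
from collections import defaultdict

# One CLF-style request line: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Only paths that address a record by numeric ID are of interest here.
ID_RE = re.compile(r'^/customers/(?P<id>\d+)$')

# Constructed sample: 10.0.0.5 walks IDs 1000..1004 in order, while
# 10.0.0.9 fetches one record it presumably has a legitimate link to.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jan/2021:13:24:01 +0000] "GET /customers/1000 HTTP/1.1" 200 512
10.0.0.9 - - [26/Jan/2021:13:24:02 +0000] "GET /customers/4711 HTTP/1.1" 200 498
10.0.0.5 - - [26/Jan/2021:13:24:02 +0000] "GET /customers/1001 HTTP/1.1" 200 530
10.0.0.5 - - [26/Jan/2021:13:24:02 +0000] "GET /customers/1002 HTTP/1.1" 200 501
10.0.0.9 - - [26/Jan/2021:13:24:05 +0000] "GET /static/app.js HTTP/1.1" 200 9001
10.0.0.5 - - [26/Jan/2021:13:24:03 +0000] "GET /customers/1003 HTTP/1.1" 200 522
10.0.0.5 - - [26/Jan/2021:13:24:03 +0000] "GET /customers/1004 HTTP/1.1" 200 515
"""


def parse_ids(log_text):
    """Return {ip: [record ids in request order]} for hits on /customers/<id>.

    Lines that do not parse, or that hit other paths, are ignored.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        id_match = ID_RE.match(m.group("path"))
        if id_match:
            per_ip[m.group("ip")].append(int(id_match.group("id")))
    return dict(per_ip)


def longest_sequential_run(ids):
    """Length of the longest run in which each id is the previous id +/- 1.

    A single hit counts as a run of 1; an empty list has no run at all.
    """
    if not ids:
        return 0
    best = run = 1
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur - prev in (1, -1) else 1
        best = max(best, run)
    return best


def find_enumerators(log_text, min_run=4):
    """Return {ip: run_length} for clients whose longest sequential run >= min_run.

    min_run is a tuning knob: a user clicking "next record" a few times is
    normal, a client that never skips an id for dozens of requests is not.
    """
    flagged = {}
    for ip, ids in parse_ids(log_text).items():
        run = longest_sequential_run(ids)
        if run >= min_run:
            flagged[ip] = run
    return flagged


if __name__ == "__main__":
    for ip, run in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: sequential run of {run} customer ids")
```

On the sample this flags only 10.0.0.5; in practice you would also want to key on the authenticated user rather than the IP, and to rate-limit or alert before the walk completes rather than after.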
# ? Jan 26, 2021 14:21

Aramis posted: That's a heck of a leap to conclusion. The hacker did a lot more than just access an unlisted URL. They wrote a script to systematically iterate through semantically empty ids in order to discover and access resources that they knew were not meant to be public.

Not to mention that applying for access to the information shows he knew access was restricted, and that anything he came up with after being rejected wasn't intended.

# ? Jan 26, 2021 16:31

if good guys aren't allowed to access public-but-unpublished URLs, only bad guys are going to be accessing those pages

# ? Jan 26, 2021 21:50

Delta-Wye posted: if good guys aren't allowed to access public-but-unpublished URLs, only bad guys are going to be accessing those pages

This is part of why a lot of Ethical Hackers, including me, push hard against anti-hacking laws that are overly broad. We work a lot with the EFF and others on that.

Blue Footed Booby posted: Not to mention that applying for access to the information shows he knew access was restricted, and that anything he came up with after being rejected wasn't intended.

Yup, that's the line. If you tell the group they have a vuln and demonstrate it, that's the limit of your responsible disclosure. If you exploit it, you may be setting yourself up for legal charges. There's still a lot of legal grey areas in ethical hacking, so you have to be careful. If you don't know what you are touching, stop while you are ahead. It's important too that you have access to a good lawyer who can help you review your responsible disclosures as well, to protect yourself.

CommieGIR fucked around with this message at 21:56 on Jan 26, 2021
# ? Jan 26, 2021 21:53

Freakazoid_ posted: lol 20 years ago me would've been in trouble looking at a website's directory. It was fun finding files that were hosted but not linked anywhere on their html pages.

I remember lots of paid sites that if you just switched from http to ftp everything was there sorted out. I in no way consider that hacking, they should have had a password on ftp. If I find $5 somebody set on a bench it's not stealing, they shouldn't have set it there expecting it to be there the next day.

# ? Jan 29, 2021 16:24