Aramis
Sep 22, 2009



This is a spin-off of a discussion in the USPol Thread. The primary question being asked is: Did the actions of the Internet Archive Team qualify as "Hacking"?

Context:

punishedkissinger posted:

Looks like the Parler data scraping was legal and the site is incredibly poorly built.

https://twitter.com/atomicthumbs/status/1348730590074294272?s=19


Jealous Cow posted:

https://www.vice.com/en/article/z4mn4x/weev-is-in-jail-because-the-government-doesnt-know-what-hacking-is

Noted edgelord and white nationalist Weev got convicted of computer fraud crimes for basically doing exactly the same thing.

Edit: I used Vice’s story because I agree that while Weev is nazi gently caress he shouldn’t have been charged with fraud.


And my opinion on this:

Aramis posted:

Anti-hacking laws are weird, but this is not outlandish. The law doesn't care how good of a job you do at securing your system, it only cares about whether someone intentionally bypasses whatever measures you have in place. It's kind of stupid from a technical level, but it at least makes things very clear from a legal standpoint.

A site using an encryption method that is known to be easily breakable does not cancel the criminality of breaking that encryption. What matters is the intent. This is just that principle taken to its extreme and I, personally, do not trust the legal system to make decisions based on technical considerations like strength of encryption, or what constitutes encryption at all.


Someone expressed interest in doing a deeper dive on the subject, so let's have at it!

Now, since this is "settled" law, what we can do to kick this off is revisit the decision in Weev's case that set the precedent that publicly accessible, but unlinked, URLs are enough of a protection measure to qualify here.

Aramis fucked around with this message at 21:42 on Jan 13, 2021


Aramis
Sep 22, 2009



Shrecknet posted:

I listened to the Darknet Diaries episode with these guys on it from last year, but it left off with the thread of their fate still in the air. Glad to hear they're OK.

Regarding hacking, it seems like there should be a mens rea defense available in cases where they are operating in situations like weev's case. It is stealing to walk into an open bank vault and take a stack of money, but is it hacking to walk into an open bank vault and write down the names on the safe deposit boxes?

Do you mean mens rea in the sense of "I intend to do something nefarious", or "I know that I'm not supposed to be accessing this"?

Aramis
Sep 22, 2009



CyberPingu posted:


I guess beyond that is something that's been mentioned earlier but as someone who works in Cyber Security, it's loving difficult and I don't think people realise how difficult it is.

Companies generally don't give a poo poo unless something happens to them, and even then the people that take the blame are the head of security or the guys patching the systems. Which in reality it's rarely their fault. Most security and IT teams are understaffed and under budgeted. They aren't allowed to implement patches when they want as that would incur downtime for the systems which would mean loss of potential revenue. They are then asked to work overtime or be on call when something goes wrong.

Also very telling is the fact that while insurance companies care to some degree that you have some security in place, what they REALLY care about is that a company has a recovery plan in place. The expectation is that it's basically impossible to protect a system against a motivated attacker without incurring hilariously excessive costs that very few companies are willing to actually fork out.

Aramis
Sep 22, 2009



GhostofJohnMuir posted:

i randomly came across this post and it made me curious about some of the points brought up in this thread. based on what folks were saying, i'm assuming that guessing the url for something that is technically publicly accessible, but not intended for public viewing meets the legal definition of hacking?

The answer (as far as I know, I'm no lawyer) is that it depends on the intent of the developer of the site.

If I create a website where http://example.com/book_title leads to some information about said book, then it's pretty clear that someone guessing that http://example.com/the_three_musketeers leads to something is not hacking, and part of the intended interface of the site.

On the flip side, if the url schema is http://example.com/insert_256_digit_random_number, then it's pretty clear that no one is expected to access the resource without being given the link.

Obviously, it's not nearly as clear in cases like http://example.com/1, http://example.com/2, http://example.com/3. There's room to argue one way or another in that case.

The rule of thumb is: if you went out of your way to access stuff that is behind enough protection that you would be aware that it was not meant for you, then you are in trouble. It doesn't matter how good or bad the protection is.

In this specific scenario, I would say that something like http://example.com/reports/Q3_2020_Infographic.pdf is clearly in the first category as long as previous reports fit the same pattern, and whoever did it is probably fine.

Aramis fucked around with this message at 16:42 on Jan 26, 2021
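The three URL schemes in the post above (a guessable slug, a sequential integer, and a 256-bit random token), as an added worked example that is not part of the thread. It builds a toy in-memory site over the same three documents, runs the same small enumeration budget against each scheme, and computes how many blind guesses a random token would cost. The report titles, the "uploaded early but not yet linked" Q4 file, the class name Site and the 100-request budget are all constructed for illustration; the quarterly naming pattern is the one the post uses.

```python
"""
Added example: predictable vs. unguessable resource identifiers.

Three lookup schemes over the same documents, to show why a scan that is
trivially effective against http://example.com/<title> or /<n> is hopeless
against /<256-bit random hex>. Everything here is constructed: a hypothetical
site, hypothetical report titles, no network access.
"""
import math
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample data. The Q4 file is "uploaded but not yet linked".
REPORTS = [
    "the_three_musketeers",
    "Q3_2020_Infographic.pdf",
    "Q4_2020_Infographic.pdf",
]


class Site:
    """Hypothetical site exposing the same documents under three URL schemes."""

    def __init__(self, reports: Iterable[str], token_bits: int = 256) -> None:
        reports = list(reports)
        # Scheme 1: http://example.com/<title>  (guessable; part of the interface)
        self.by_slug = {title: title for title in reports}
        # Scheme 2: http://example.com/<n>      (sequential; "room to argue")
        self.by_int = {i: title for i, title in enumerate(reports, start=1)}
        # Scheme 3: http://example.com/<hex>    (random capability token)
        self.by_token = {secrets.token_hex(token_bits // 8): t for t in reports}

    def get_slug(self, slug: str) -> Optional[str]:
        return self.by_slug.get(slug)

    def get_int(self, n: int) -> Optional[str]:
        return self.by_int.get(n)

    def get_token(self, token: str) -> Optional[str]:
        return self.by_token.get(token)


def enumerate_resources(lookup: Callable, candidates: Iterable) -> tuple[list[str], int]:
    """Request every candidate identifier; return (titles found, requests sent)."""
    found, sent = [], 0
    for cand in candidates:
        sent += 1
        hit = lookup(cand)
        if hit is not None:
            found.append(hit)
    return found, sent


def quarterly_slugs(years: Iterable[int]) -> list[str]:
    """The naming pattern the thread calls consistent 'quarter after quarter'."""
    return [f"Q{q}_{y}_Infographic.pdf" for y in years for q in (1, 2, 3, 4)]


def log2_guesses_per_token_hit(token_bits: int, live_resources: int) -> float:
    """log2 of the expected blind guesses before one random token lands on a live resource."""
    return token_bits - math.log2(live_resources)


def demo() -> dict:
    site = Site(REPORTS)
    # Scheme 1: following the published pattern finds the unlinked Q4 file in 4 requests.
    by_pattern, _ = enumerate_resources(site.get_slug, quarterly_slugs([2020]))
    # Scheme 2: counting up from 1 finds every document in under 100 requests.
    by_ints, _ = enumerate_resources(site.get_int, range(1, 100))
    # Scheme 3: the same 100-request budget against random 256-bit tokens finds nothing.
    guesses = (secrets.token_hex(32) for _ in range(100))
    by_tokens, _ = enumerate_resources(site.get_token, guesses)
    return {
        "pattern_hits": by_pattern,
        "int_hits": by_ints,
        "token_hits": by_tokens,
        "log2_guesses_per_token_hit": log2_guesses_per_token_hit(256, len(REPORTS)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the numbers make: with three live documents behind 256-bit tokens, a blind guess lands on one of them roughly once per 2^254 requests, so nobody reaches such a URL without being handed it. The slug and integer schemes leak the whole collection to a loop of a few dozen requests, which is exactly the "room to argue" the post describes.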

Aramis
Sep 22, 2009



uninterrupted posted:

I don’t know about that, people have been charged and imprisoned on hacks involving forced browsing. You could probably make a case saying “if the earnings report wasn’t listed on the webpage with a list of earnings reports, why else would you have sent a request to that URL besides getting information the rest of the market doesn’t have?” At which point if the government has a vested interest in putting you in jail, the SEC comes out, and you need a small army of legal representation.

Now I’m almost certain no ones getting prosecuted for this since there’s more negative PR prosecuting someone for the hack and having headlines about the trash security on Intel’s side. That said, if the leak was more damaging or sensitive I could have imagined it ending up in court.

If the url is /reports/QN_20XX_Infographics.pdf quarter after quarter, then it should be 100% expected that someone, if not a small army, will be F5'ing the poo poo out of that url. Assuming the naming is consistent, then putting the file online absolutely qualifies as making the information public.

Obviously, none of that matters when you are up in court against the SEC and Intel, and if they want to throw the book at you, then good luck.


Aramis
Sep 22, 2009



evobatman posted:

The defendant then discovered that by changing an ID in the URL used by the website, one could retrieve other people's information. The accused then wrote a script that changed the ID continuously, and downloaded the Norwegian Public Roads Administration's customer register.

[...]

This, ladies and gentlemen, boils down to one simple thing: it is clearly not allowed to change URLs on the internet to access data. Unless the service adds up to it.

That's a heck of a leap to conclusion. The hacker did a lot more than just access an unlisted URL. They wrote a script to systematically iterate through semantically empty ids in order to discover and access resources that they knew were not meant to be public.

This idea that at the end of the day "all they did was access publicly available resources" removes several layers of context, and is only true in the strictest of technical sense.

Aramis fucked around with this message at 14:27 on Jan 26, 2021
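The distinction the post above draws, between fetching one unlisted-but-patterned URL and scripting through "semantically empty" ids, is also what a defender looks for in access logs. As an added example that is not part of the thread, the following Python parses constructed Combined-Log-Format lines (hypothetical client addresses and paths, no real site), pulls the numeric id out of each request, and flags clients whose requests walk a run of consecutive ids. The threshold of five and the regexes are assumptions for illustration.

```python
"""
Added example: spotting scripted id enumeration in web access logs.

Input is a handful of constructed log lines in Combined Log Format. For each
client we extract the numeric object id from the request path and measure the
longest stretch of requests whose ids step by exactly +1 in request order. A
browser following links rarely produces such runs; a script iterating ids
always does. Hosts, paths and ids are made up for this example.
"""
import re
from collections import defaultdict
from typing import Optional

# Constructed sample log: 10.0.0.5 iterates ids 1041..1047, 10.0.0.9 browses normally.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jan/2021:14:01:01 +0000] "GET /customer?id=1041 HTTP/1.1" 200 512
10.0.0.5 - - [26/Jan/2021:14:01:01 +0000] "GET /customer?id=1042 HTTP/1.1" 200 498
10.0.0.5 - - [26/Jan/2021:14:01:02 +0000] "GET /customer?id=1043 HTTP/1.1" 200 503
10.0.0.5 - - [26/Jan/2021:14:01:02 +0000] "GET /customer?id=1044 HTTP/1.1" 404 0
10.0.0.5 - - [26/Jan/2021:14:01:02 +0000] "GET /customer?id=1045 HTTP/1.1" 200 511
10.0.0.5 - - [26/Jan/2021:14:01:03 +0000] "GET /customer?id=1046 HTTP/1.1" 200 507
10.0.0.5 - - [26/Jan/2021:14:01:03 +0000] "GET /customer?id=1047 HTTP/1.1" 200 509
10.0.0.9 - - [26/Jan/2021:14:02:10 +0000] "GET /customer?id=7 HTTP/1.1" 200 488
10.0.0.9 - - [26/Jan/2021:14:02:41 +0000] "GET /reports/Q3_2020_Infographic.pdf HTTP/1.1" 200 90210
10.0.0.9 - - [26/Jan/2021:14:03:05 +0000] "GET /customer?id=8 HTTP/1.1" 200 490
10.0.0.9 - - [26/Jan/2021:14:05:30 +0000] "GET /customer?id=31 HTTP/1.1" 200 495
"""

# Combined Log Format prefix: ip ident user [timestamp] "METHOD path PROTO" status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Numeric id either as ?id=N / &id=N or as a trailing /N path segment (assumed scheme).
ID_RE = re.compile(r'(?:[?&]id=|/)(\d+)(?=$|[?&/])')


def extract_id(path: str) -> Optional[int]:
    """Return the numeric object id in a request path, or None if there is none."""
    m = ID_RE.search(path)
    return int(m.group(1)) if m else None


def longest_sequential_run(ids: list[int]) -> int:
    """Longest stretch of requests whose ids increase by exactly 1, in request order."""
    if not ids:
        return 0
    best = run = 1
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def analyse(log_text: str, min_run: int = 5) -> dict[str, dict]:
    """Per-client summary with an enumeration flag when a sequential run reaches min_run."""
    ids_by_client: dict[str, list[int]] = defaultdict(list)
    totals: dict[str, int] = defaultdict(int)
    misses: dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines we cannot parse rather than guess at them
        ip = m["ip"]
        totals[ip] += 1
        if m["status"] == "404":
            misses[ip] += 1  # id scans walk into gaps; ordinary browsing mostly does not
        rid = extract_id(m["path"])
        if rid is not None:
            ids_by_client[ip].append(rid)
    report = {}
    for ip, total in totals.items():
        run = longest_sequential_run(ids_by_client[ip])
        report[ip] = {
            "requests": total,
            "id_requests": len(ids_by_client[ip]),
            "misses": misses[ip],
            "longest_run": run,
            "flag": run >= min_run,
        }
    return report


if __name__ == "__main__":
    for ip, summary in analyse(SAMPLE_LOG).items():
        print(ip, summary)
```

The run length, not the bare fact of an unlinked fetch, is what separates the two clients: 10.0.0.9 also hits an unlisted report and a couple of customer ids, but never walks the keyspace. That is the "several layers of context" the post says get dropped when the whole thing is reduced to "they accessed public URLs".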
