This is a spin-off of a discussion in the USPol Thread. The primary question being asked is: Did the actions of the Internet Archive Team qualify as "Hacking"?

Context:

punishedkissinger posted:
Looks like the Parler data scraping was legal and the site is incredibly poorly built.

Jealous Cow posted:
https://www.vice.com/en/article/z4mn4x/weev-is-in-jail-because-the-government-doesnt-know-what-hacking-is

And my opinion on this:

Aramis posted:
Anti-hacking laws are weird, but this is not outlandish. The law doesn't care how good of a job you do at securing your system, it only cares about whether someone intentionally bypasses whatever measures you have in place. It's kind of stupid from a technical level, but it at least makes things very clear from a legal standpoint.

Someone expressed interest in doing a deeper dive on the subject, so let's have at it! Now, since this is "settled" law, what we can do to kick this off is revisit the decision in Weev's case that set the precedent that publicly accessible, but unlinked URLs are enough of a protection measure to qualify here.

Aramis fucked around with this message at 21:42 on Jan 13, 2021
# ¿ Jan 12, 2021 16:49 |
|
Shrecknet posted:I listened to the Darknet Diaries episode with these guys on it from last year, but it left off with the thread of their fate still in the air. Glad to hear they're OK. Do you mean mens rea in the sense of "I intend to do something nefarious", or "I know that I'm not supposed to be accessing this"?
|
# ¿ Jan 12, 2021 17:10 |
|
CyberPingu posted:
Also very telling is the fact that while insurance companies care to some degree that you have some security in place, what they REALLY care about is that a company has a recovery plan in place. The expectation is that it's basically impossible to protect a system against a motivated attacker without incurring hilariously excessive costs that very few companies are willing to actually fork out.
|
# ¿ Jan 17, 2021 22:16 |
|
GhostofJohnMuir posted:
i randomly came across this post and it made me curious about some of the points brought up in this thread. based on what folks were saying, i'm assuming that guessing the url for something that is technically publicly accessible, but not intended for public viewing meets the legal definition of hacking?

The answer (as far as I know, I'm no lawyer) is that it depends on the intent of the developer of the site.

If I create a website where http://example.com/book_title leads to some information about said book, then it's pretty clear that someone guessing that http://example.com/the_three_musketeers leads to something is not hacking, and part of the intended interface of the site.

On the flip side, if the url schema is http://example.com/insert_256_digit_random_number, then it's pretty clear that no one is expected to access the resource without being given the link.

Obviously, it's not nearly as clear in cases like http://example.com/1, http://example.com/2, http://example.com/3. There's room to argue one way or another in that case.

The rule of thumb is: if you went out of your way to access stuff that is behind enough protection that you would be aware that it was not meant for you, then you are in trouble. It doesn't matter how good or bad the protection is.

In this specific scenario, I would say that something like http://example.com/reports/Q3_2020_Infographic.pdf is clearly in the first category as long as previous reports fit the same pattern, and whoever did it is probably fine.

Aramis fucked around with this message at 16:42 on Jan 26, 2021
# ¿ Jan 26, 2021 02:40 |
|
uninterrupted posted:
I don’t know about that, people have been charged and imprisoned on hacks involving forced browsing. You could probably make a case saying “if the earnings report wasn’t listed on the webpage with a list of earnings reports, why else would you have sent a request to that URL besides getting information the rest of the market doesn’t have?” At which point if the government has a vested interest in putting you in jail, the SEC comes out, and you need a small army of legal representation.

If the url is /reports/QN_20XX_Infographics.pdf quarter after quarter, then it should be 100% expected that someone, if not a small army, will be F5'ing the poo poo out of that url. Assuming the naming is consistent, then putting the file online absolutely qualifies as making the information public.

Obviously, none of that matters when you are up in court against the SEC and Intel, and if they want to throw the book at you, then good luck.
|
# ¿ Jan 26, 2021 03:32 |
|
evobatman posted:
The defendant then discovered that by changing an ID in the URL used by the website, one could retrieve other people's information. The accused then wrote a script that changed the ID continuously, and downloaded the Norwegian Public Roads Administration's customer register.

That's a heck of a leap to conclusion. The hacker did a lot more than just access an unlisted URL. They wrote a script to systematically iterate through semantically empty ids in order to discover and access resources that they knew were not meant to be public.

This idea that at the end of the day "all they did was access publicly available resources" removes several layers of context, and is only true in the strictest of technical senses.

Aramis fucked around with this message at 14:27 on Jan 26, 2021
# ¿ Jan 26, 2021 14:21 |
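
Added example, not part of any post in this thread: the distinction drawn above between guessing one meaningful URL and systematically walking "semantically empty" numeric IDs is visible from the site operator's side in access logs. The sketch below flags clients that fetched a long, mostly consecutive run of numeric IDs under one path. The log format, the function name `find_enumerators` and both thresholds are assumptions made for illustration, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed minimal log format: "<client> GET <path>", path ending in a numeric ID.
LINE_RE = re.compile(r"^(\S+) GET (/\S*/)(\d+)$")

# Constructed sample data (documentation IP ranges), not real traffic.
SAMPLE = (
    [f"203.0.113.5 GET /customer/{i}" for i in range(1001, 1009)]  # sequential walk
    + ["198.51.100.7 GET /customer/4412"] * 3                      # one user, own record
    + [f"192.0.2.9 GET /book/{i}" for i in (12, 977, 45, 3020, 301)]  # scattered browsing
    + ["192.0.2.9 GET /reports/Q3_2020_Infographic.pdf"]           # named URL, ignored
)

def find_enumerators(lines, min_ids=5, min_sequential=0.8):
    """Return {(client, path_prefix): (distinct_ids, sequential_ratio)}.

    A (client, prefix) pair is flagged when it touched at least `min_ids`
    distinct numeric IDs and at least `min_sequential` of the gaps between
    the sorted IDs are exactly 1, i.e. the IDs form a near-contiguous run.
    """
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # non-numeric or malformed paths are out of scope here
        client, prefix, num = m.groups()
        seen[(client, prefix)].add(int(num))

    flagged = {}
    for key, ids in seen.items():
        if len(ids) < min_ids:
            continue
        ordered = sorted(ids)
        steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
        ratio = steps / max(len(ordered) - 1, 1)
        if ratio >= min_sequential:
            flagged[key] = (len(ordered), round(ratio, 2))
    return flagged

if __name__ == "__main__":
    for (client, prefix), (count, ratio) in find_enumerators(SAMPLE).items():
        print(f"{client} walked {count} IDs under {prefix} (sequential ratio {ratio})")
```

Detection of this kind only shows that enumeration happened; the underlying fix for the case quoted above is an authorization check on each record, with unguessable identifiers as a secondary measure.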