uninterrupted
Jun 20, 2011
It’s pretty scary stuff, which is why rule number zero of pentesting is get permission, in writing, clearly stating what is and isn’t allowed.

Pretty timely, some pentesters hired to audit a courthouse just got their charges dropped. The court system hired them, but apparently there was some friction with the sheriff's department who arrested them, and after the fact brought up some bogus charges saying they exceeded the scope of their audit. The paperwork released later clearly said “limited physical bypass”, which the sheriff said they overstepped.

https://www.secureworldexpo.com/industry-news/pentesters-jailed-arrested


uninterrupted
Jun 20, 2011
Worth noting that these laws are extremely broad because lots of companies are uniquely vulnerable to being hacked. Secure code is hard to write and often orthogonal to quickly written or performant or simple to maintain code, and especially companies that are small or don’t have a tech focus will have tons of vulnerabilities lying out in public.

Legally it shouldn’t matter, but the wide scope of laws against hacking disincentivizes a lot of attacks.

uninterrupted
Jun 20, 2011
Much like copyright law, hacking laws have become load-bearing bubblegum in the US economy.

Also, if anyone wants an accessible way to see exactly how insecure we are, I can’t stop recommending James Mickens. 30 minute video but he’s entertaining enough to stay engaged even without a technical background: https://vimeo.com/135347162

uninterrupted
Jun 20, 2011

Terebus posted:

In my ideal world, if the data is publicly accessible and it is intended to be that way as well, a.k.a. a Parler post that is visible to anyone with an account, I don't think anyone should be charged for accessing and making a copy of it. If Parler in this case had taken even the slightest effort to encrypt or secure the data, then I think that should open up the hacker to charges. The essence comes down to the intent of the data owner; if even the most rudimentary attempt is made to secure and keep private some specific data, then the attempt to get said data, no matter how insecurely it is being stored, is effectively breaking in and stealing. I see it as stealing Amazon packages, one of the easiest crimes ever, but it's still a crime and you shouldn't do it.

This kind of standard would also need actual penalties and charges for insecure companies that get hacked and expose people's personal information. GDPR has done a lot for that in Europe but in the US you’re basically hoping a lawsuit works out.

uninterrupted
Jun 20, 2011

Aramis posted:

The answer (as far as I know, I'm no lawyer) is that it depends on the intent of the developer of the site.

If I create a website where http://example.com/book_title leads to some information about said book, then it's pretty clear that someone guessing that http://example.com/the_three_muskeers leads to something is not hacking, and part of the intended interface of the site.

On the flip side, if the url schema is http://example.com/insert_256_digit_random_number, then it's pretty clear that no one is expected to access the resource without being given the link.

Obviously, it's not nearly as clear in cases like http://example.com/1, http://example.com/2, http://example.com/3. There's room to argue one way or another in that case.

The rule of thumb is: if you went out of your way to access stuff that is behind enough protection that you would be aware that it was not meant for you, then you are in trouble. It doesn't matter how good or bad the protection is.

In this specific scenario, I would say that something like http://example.com/reports/Q3_2020_Infographic.pdf is clearly in the first category as long as previous reports fit the same pattern, and whoever did it is probably fine.

I don’t know about that, people have been charged and imprisoned on hacks involving forced browsing. You could probably make a case saying “if the earnings report wasn’t listed on the webpage with a list of earnings reports, why else would you have sent a request to that URL besides getting information the rest of the market doesn’t have?” At which point if the government has a vested interest in putting you in jail, the SEC comes out, and you need a small army of legal representation.

Now I’m almost certain no one’s getting prosecuted for this since there’s more negative PR prosecuting someone for the hack and having headlines about the trash security on Intel’s side. That said, if the leak was more damaging or sensitive I could have imagined it ending up in court.


uninterrupted
Jun 20, 2011

Aramis posted:

If the url is /reports/QN_20XX_Infographics.pdf quarter after quarter, then it should be 100% expected that someone, if not a small army, will be F5’ing the poo poo out of that url. Assuming the naming is consistent, then putting the file online absolutely qualifies as making the information public.

Obviously, none of that matters when you are up in court against the SEC and Intel, and if they want to throw the book at you, then good luck.

Totally agree, it’s a brain dead security breach, Intel poo poo the bed with the lights on.

I’m just considering from the pentest end, a spidering attack versus a forced browsing attack would have very different discussions with a customer as far as scope and ROE. I imagine similarly in court, especially in a world where plenty of newcomers to the internet could plausibly never type out a url in their lives, a forced browsing attack could be seen as subverting the way a website is meant to work.

Like, it’s obvious to some of us, but to a septuagenarian judge who just Altavistas up the Yahoo! Mail every day, explaining why you were manually going to a URL that wasn’t on the Intel page might not go well. Yeah, it’s easy to some of us, but it’s also easy to type `' or '1'='1` into every text field you find and that can definitely get you charged.

Fake edit: wow, the code tag is pointless
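A defender-side illustration of the spidering-versus-forced-browsing distinction discussed in the post above, added here and not part of the thread: a small Python checker that parses constructed access-log lines and flags requests for quarterly report URLs that follow the predictable naming pattern but are not yet linked from the site. A 200 on such a path means the file was reachable before publication (the Intel situation); a 404 means someone was probing for it. The log lines, the set of published quarters and the example.com host are constructed assumptions.

```python
import re

# Constructed sample access-log lines in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [21/Oct/2020:14:02:11 +0000] "GET /reports/Q3_2020_Infographic.pdf HTTP/1.1" 200 51234 "https://example.com/investors" "Mozilla/5.0"
203.0.113.5 - - [21/Oct/2020:14:02:40 +0000] "GET /reports/Q4_2020_Infographic.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Oct/2020:14:03:02 +0000] "GET /reports/Q2_2020_Infographic.pdf HTTP/1.1" 200 50000 "https://example.com/investors" "Mozilla/5.0"
198.51.100.9 - - [21/Oct/2020:14:03:09 +0000] "GET /reports/Q1_2021_Infographic.pdf HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Combined Log Format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)
# The predictable quarterly naming scheme from the thread (assumed exact form).
REPORT_RE = re.compile(r"^/reports/Q(?P<q>[1-4])_(?P<y>\d{4})_Infographic\.pdf$")

# Quarters the site has actually linked from its investor page (constructed).
PUBLISHED = {(2020, 1), (2020, 2), (2020, 3)}


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_unpublished_report_requests(log_text, published):
    """Return (ip, path, reason) for requests to report URLs that are not published yet.

    reason is 'reachable-before-publication' when the server answered 200
    (the file was live before being linked, i.e. a leak), or 'probe-not-found'
    when it answered 404 (someone guessing the next quarter's URL).
    """
    flagged = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rm = REPORT_RE.match(rec["path"])
        if rm is None:
            continue
        key = (int(rm["y"]), int(rm["q"]))
        if key in published:
            continue  # linked from the site: normal browsing or spidering
        reason = "reachable-before-publication" if rec["status"] == "200" else "probe-not-found"
        flagged.append((rec["ip"], rec["path"], reason))
    return flagged
```

Run against a real log, the 200 hits are the ones to escalate: they show the document was already fetchable before it was announced, regardless of who asked for it.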
