Comment by watusername

Comment by watusername a day ago

5 replies

View on Hacker News

> Dumping data from the memory of your phone can't be unauthorized.

> just dumping the diagnostics for regular phone calls should be fine

IANAL, but computer hacking laws like the CMA in the UK and CFAA in the US are written in a manner so vague that even pressing F12 to view the source of a web page could be a violation [0]. From O2's perspective, they could argue that the OP has accessed their internal diagnostic data in an unauthorized manner. What we (technical people) think is irrelevant.

[0]: In the US, the DOJ has revised its policy to not prosecute defendants pursuing "good faith security research," which you may trust at your own risk: https://www.justice.gov/archives/opa/pr/department-justice-a...

andix a day ago

I don't have a lot of knowledge about US and UK law, but I hear a lot of bad things.

"good faith security research" is a different ballpark though. Some laws catch all unauthorized access, even if the intent is not in a bad faith (which is probably a very bad idea, but that's how it is). But it also makes sense to some point: if your neighbor has a really bad lock that can be opened just by hitting the door frame a few times, you're also not allowed to break in just to disclose their bad security.

Usually some deliberate action needs to be taken that qualifies as unauthorized access. Something like adding a malformed header to a HTTP request could be enough. Or logging in with credentials that are clearly not yours (even if it's just admin/admin). But logging the traffic of regular and authorized usage patterns shouldn't be enough.

Reply View 1 reply
  • immibis 8 hours ago

    Legally, using any tool that allows you to view raw cellphone traffic from your own phone is already unauthorized access (probably).

    Famously, in Germany, it's illegal to be carrying a laptop on which nmap is installed. Everyone (who has a laptop and knows how to use nmap) still does it. It's one of those crimes which they get you for if they don't like you but you didn't commit any actual crime.

    Reply View 0 replies
mrjeeves a day ago

It's tough, but when the people don't respond what do you do?

Do you just sit on the info, hoping noone else sees it and exploits it?

Or do you try and get them to fix it somehow?

Reply View 2 replies
  • watusername 21 hours ago

    First of all, thank you for trying to resolve this with the carrier and finally bringing it up to everyone's attention here. Perhaps public attention is what's needed to push them to address the problem.

    To be honest, I personally would be scared to report such vulnerabilities with my real identity to begin with. With big tech companies, no matter how poorly their bug bounty programs are run, I still have this naive expectation that they won't shoot the messenger. At worst they could ban my accounts and maybe send threatening letters, but they probably won't ruin my life as long as I abide by the norms (agreed by technical people).

    However, I do not feel the same naive optimism towards "legacy" institutions like telecoms and public services. At best it's thankless work, at worst I get sued [0] or become a scapegoat so some official could score some political points [1]. It's unfortunate - I am acutely aware that this is chilling effect at work, and our systems are collectively less secure because of it.

    [0]: https://www.cnbc.com/2024/09/15/dark-web-expert-warned-us-ho... [1]: https://techcrunch.com/2021/10/15/f12-isnt-hacking-missouri-...

    Reply View 0 replies