Comment by monerozcash
Comment by monerozcash 3 days ago
This same logic is easily extended to SQL injection, or just about any other software vulnerability.
How do you propose the line should be drawn?
Comment by monerozcash 3 days ago
This same logic is easily extended to SQL injection, or just about any other software vulnerability.
How do you propose the line should be drawn?
Do you think the current line, where it's based on you "knowingly" exceeding your access or deliberately damaging the operation of a computer system, is excessively vague?
The question can be easily inverted for the other side: if any user accidentally damages a service's functionality in any way, can they always be criminally liable? Can this be used by companies with no security or thought put into them whatsoever, where they just sue anyone who sees their unsecured data? Where should the line be drawn?
To me, this is subjective, but the URL situation has a different feel than something like SQL injection. URLs are just references to certain resources - if it's left unsecured, the default assumption should be that any URL is public, can be seen by anyone, and can be manipulated in any ways. The exception is websites that put keys and passwords into their URL parameters, but if we're talking solely about the address part, it seems "public" to me. On the other hand, something like wedging your way into an SQL database looks like an intrusion on something private, that wasn't meant to be seen. It's like picking up a $100 bill of the street vs. picking even the flimsiest, most symbolic of locks to get to a $100 bill you can see in a box.
>The question can be easily inverted for the other side: if any user accidentally damages a service's functionality in any way, can they always be criminally liable? Can this be used by companies with no security or thought put into them whatsoever, where they just sue anyone who sees their unsecured data? Where should the line be drawn?
I don't think the question can be inverted like that, not meaningfully anyway. The CFAA specifically requires one to act knowingly. Accidentally navigating to a page you're not supposed to access isn't criminal.
>To me, this is subjective, but the URL situation has a different feel than something like SQL injection.
I don't think the url below is necessarily that different.
> GET wordpress/wp-content/plugins/demo_vul/endpoint.php?user=-1+union+select+1,2,3,4,5,6,7,8,9,(SELECT+user_pass+FROM+wp_users+WHERE+ID=1)
> if it's left unsecured, the default assumption should be that any URL is public, can be seen by anyone, and can be manipulated in any ways
It can be, but not lawfully so. It's not possible to accidentally commit a crime here, for example in the IRC logs related to the ATT case the "hackers" clearly understood that what they were doing wasn't something that AT&T would be happy with and that they would likely end up in court. They explicitly knew that what they were doing was exceeding authorized access.
> On the other hand, something like wedging your way into an SQL database looks like an intrusion on something private, that wasn't meant to be seen
I think you've reached the essence of it. Now, let's say you just accidentally find an open folder on a bank's website exposing deeply personal KYC information of their customers. Or even better, medical records in the case of a clinic.
Lets say those files are discoverable by guessing some URL in your browser, but not accessible to normal users just clicking around the website. If you start scraping the files, I think it's pretty obvious that you're intruding on something private that wasn't meant to be seen. Any reasonable person would realize that, right?
> GET wordpress/wp-content/plugins/demo_vul/endpoint.php?user=-1+union+select+1,2,3,4,5,6,7,8,9,(SELECT+user_pass+FROM+wp_users+WHERE+ID=1)
This is why I tried to make the clarification that I was referring to the address part of the URLs only, not the parametrized part. In my mind, something like /users?key=00726fca8123a710d78bb7781a11927e is quite different from /logins-and-passwords.txt. Although, parameters can also be baked into the URL body, so there's some vagueness to this.
> I think you've reached the essence of it. Now, let's say you just accidentally find an open folder on a bank's website exposing deeply personal KYC information of their customers. Or even better, medical records in the case of a clinic.
I guess if I try to distill my thoughts down, what I really mean is that there should be a minimum standard of care for private data. At some point, if being able to read restricted data is so frictionless, the fault should lie with the entity that has no regard for its information, rather than the person who found out about it. If a hospital leaves a box full of sensitive patient data in the director's office, and getting to it requires even the minimal amount of trespassing, the fault is on whoever did so. But if they leave that box tucked away in the corner of a parking lot, can you really fault some curious passer-by that looked around the corner, saw it and picked it up? Of course, there's a lot of fuzziness between the two, but in my mind, stumbling into private data by finding an undocumented address doesn't clear the same bar as bruteforcing or using a security vulnerability to gain access to something that's normally inaccessible.
So if I deliberately exploit a bug on your website and download your customer database by typing things in my browsers URL bar, I should not be prosecuted?
No, and I would support a law explicitly making it illegal for prosecutor to prosecute you for this.
Cyber attacks are consentual, digital engineering is the only discipline where we have complete mastery of the media. If you make a system (or authorize it) what someone does with it is your fault.
>How do you propose the line should be drawn?
there is a line drawn for such things. a fuzzy line. see:
https://en.wikipedia.org/wiki/I_know_it_when_I_see_it
same as this famous case, in which a supreme court justice is asked "what is and is not pronographie" - of course he realizes if he defines "what is not" people are going to make all kinds of porn right on the boundary (see: japanese pronographies where they do the filthiest imaginable things yet censor the sensitive books, making it SFW in the eyes of their law). this judge avoided that.
Anyways, parallel to the fact that filthy pronographies can be made a gorillion different ways, a "hack" may be manifested also a gorillion different ways. Itemizing such ways would be pointless. And also in the same vein, strictly defining a black and white line "this is legal, this is not" would cause hackers to freely exploit and cheese the legal aspect as hard as possible.. businesses and data miners and all these people would also freely exploit it, at massive scale and with massive funding, since it is officially legal. Thusly it must be kept an ambiguous definition as with pronographies, as with many things