Hacker News new | ask | show | jobs
by d33 3689 days ago
I'm always worried about where is the line with this kind of pentests. I assume that it wasn't ordered by the site owner and even though the author clearly did the webmaster a favor... couldn't he get in a trouble by sqlmapping random sites?
2 comments
billyhoffman 3689 days ago
> Couldn't he get in trouble...

Yes. Exploiting a blind SQL injection vulnerability to dump database tables and rows of a website you don't control without permission is a crime in most jurisdictions.

It's still a crime even if you were trying to "help" the web master.

It's still a crime even if you were just dumping the tables to "prove" the vulnerability exists.

It's still a crime even you "disclose it responsibility."

Why is finding vulns in say, outlook.com a crime but finding vulns in the thick client version of Outlook not a crime? Because of where the software is running.

link
DanielShir 3689 days ago
That's absolutely right. I haven't disclosed vulnerabilities for several websites because of this exact reason. If there's no bug bounty program, then you're liable and can be criminally prosecuted (and I know cases where the person was sued in civil court as well).
link
cookiecaper 3688 days ago
Don't expect a bug bounty program to protect you. I'm not a security researcher, but if I wanted to be one, I would do what I could to conduct that business pseudonymously instead of trusting that the company would stick to the representations made in the bug bounty program.

Remember that the CFAA has both a civil and a criminal component; if the state decides to charge you, the opinion of the company whose computers you illegally accessed does not necessarily matter. JSTOR asked Carmen Ortiz to drop the charges against Aaron Swartz and she declined to do so.

link
cyphar 3688 days ago
A bug bounty acts as a legal agreement (read: implicit contract). The CFAA doesn't void contracts between two parties.
link
ajnin 3688 days ago
I'm not familiar with US law so I might be wrong but I believe in the case of crimes the perpetrators get prosecuted by the state, not the targeted company, so any implied contract would be irrelevant.
link
maxerickson 3688 days ago
The bug bounty authorizes access for the purposes of finding and reporting issues.

The relevant parts of the CFAA are aimed at unauthorized access.

link
cookiecaper 3688 days ago
Yeah, the law in the US forbids accessing any information in a way that is either unauthorized or "exceeds authorized access" from any computer protected by federal law (any computer connected to the internet). The existence of a bug bounty program probably puts this issue within the "exceeds authorized access" category, and there have already been spats between security researchers and companies over where exactly the line of demarcation between beneficial research and malicious exploitation lies.

This is not the kind of thing you want to risk having to depend on a jury to justly decide -- juries have an atrocious record with technical subjects, and if you can't afford a world-class lawyer (which, for reference, is going to cost around a million dollars), your chances are even worse.

If the company informs the US Attorney about the case as a scare tactic, there's no guarantee that the attorney will back off when/if the company and the researcher reach an understanding. It's somewhat unlikely that they would, in fact, as "cybercrime prosecution" seems to be a widely-desired bullet point for prosectors' resumes. This is surely the only motive that existed behind the prosecution of Aaron Swartz.

If the plan is to take advantage of bug bounty programs, I believe the wise thing is to conceal your real identity. Anything that could potentially result in a CFAA claim or charge is much safer that way.

link
cyphar 3685 days ago
Not if the contract states "this is authorized access". Then it's relevant.
link
CiPHPerCoder 3688 days ago
> That's absolutely right. I haven't disclosed vulnerabilities for several websites because of this exact reason.

Depending on how you learned of said vulnerabilities, you might still be culpable for the mere act of discovering them.

link
cookiecaper 3688 days ago
Under the CFAA, any access to a networked computer becomes a crime as soon as the owner decides that he doesn't want you to access it anymore. This includes stuff as simple as visiting a publicly-facing web page.

Judges have also ruled that if you visit a public-facing page that contains information the rightsholder doesn't want you specifically to see (everyone else on the internet is OK), the temporary "unauthorized" copy that exists in the RAM of your computer constitutes copyright infringement.

Our internet access laws are horrifically outdated.

link
MichaelBurge 3688 days ago
Those actually seem reasonable, despite the rhetorical way you've phrased them.

If Craigslist have sent you a letter by legally-certified mail telling you to stop scraping rent pricing information off their site, then it makes you both a jerk and a criminal if you keep doing it. Or you could be unintentionally denying their legitimate users service by overloading their servers.

Similarly, if they've sent you legally-certified mail telling you to stop stealing their information and reselling it for your hip new startup, then you're in copyright violation if you keep storing and reselling their data.

DEX throws these yellow pages on my porch every few months. If I decided to start scanning the pages to seed a competitor, they'd have every right to tell me to stop and sue me for copyright infringement. And yes, the 'temporary' copy in my camera's SD card would constitute copyright infringement. I don't see what it being a website has to do with anything; DEXes are just as public-facing as a website when they throw them on your porch.

Judges in the United States do a terrific job - especially at the higher courts. The one handling the Oracle vs. Google API case taught himself Java to better understand the case. I think it's far more likely that you're oversimplifying in a dishonest way.

link
cookiecaper 3688 days ago
No. In the United States, something must meet a standard of originality to qualify for copyright protection. [0] While certain arrangements of facts may be copyrighted, the factual information itself cannot be owned by anyone.

The facts in a list of facts, like the fact that there is a home for rent at a specific address and the landlord wants $x per month from potential tenants, cannot be copyrighted by anyone, certainly not a middleman like Craigslist. It is free information that anyone in the world may use as they like. The law is written that way, the courts have ruled that way. This is true of information in books, on billboards, flyers, CD-ROMs, whatever. It's only a technicality in the delivery mechanism that makes it any different when the information is read from a page retrieved by HTTP.

You gave the example of a phone book, which is unfortunate for you because that very example has been litigated in Feist Publications, Inc. v. Rural Telephone Service Co. [1] and the assertions you're making were ruled incorrect. It was ruled that it is perfectly legal to copy the facts out of a phone book, rearrange them, and republish the content. This was argued all the way up to the Supreme Court. Remember that you believe "judges do a terrific job, especially in the higher courts".

As you point out, there is no practical difference between copying out of a phone book or a web page for practical purposes. The reason one is legal and one is illegal is because of the obtuse wording of the CFAA and the technical ignorance of the judiciary, especially in the precedent-setting cases that were decided a decade or more ago, as the internet was still emerging as a force in American life.

>If Craigslist have sent you a letter by legally-certified mail telling you to stop scraping rent pricing information off their site, then it makes you both an asshole and a criminal if you keep doing it.

On what basis? We've already established there is no copyright interest in the factual data (though there may be in the exact wording of the ad, if only non-copyrightable factual data is extracted, there is no infringement).

Should it be illegal for me to read a book that I legally acquired just because the publisher sent me a letter and told me he didn't like what I was doing with the information I learned from it? Am I an asshole if I read a book by a politician and go on TV to talk about how I disagree with something he said therein? Should I be under either criminal or moral indictment for doing so?

The publisher must take responsibility for widely and publicly disseminating the information. If you don't want some people to know certain things, you shouldn't publish and then sell tens of thousands of books that contain that information. In the same way, if you're worried about what someone else may do when they learn that the house at 129 Main St is currently on the market, perhaps you shouldn't tell everyone.

Legally, the difference only exists because the internet works by pulling a copy of the web page from a server. That shouldn't matter most of the time, which, again, you already indicated.

>Or you could be unintentionally denying their legitimate users service by overloading their servers.

I agree that there should be reasonable civil liability for causing accidental DoS attacks. That's fine. The law should be amended so that it only covers this, not so that it covers normal information retrieval from the internet.

>And yes, the 'temporary' copy in my camera's SD card would constitute copyright infringement.

The correct analogy for a copy in RAM is the copy of the image that is reflected onto your retinas when you look at the copyrighted work, not a permanent storage device from which the content is eventually deleted. Every judge in the world would scoff if someone tried to claim that anyone who looked at his work owed him for the "infringing copy" that existed in their eyeballs, but because judges don't understand how computers or RAM work, they make decisions they'd scoff at if they knew what was really going on. [2]

[0] https://en.wikipedia.org/wiki/Threshold_of_originality

[1] https://en.wikipedia.org/wiki/Feist_Publications,_Inc.,_v._R....

[2] https://en.wikipedia.org/wiki/Ticketmaster,_LLC_v._RMG_Techn....

link
MichaelBurge 3688 days ago
I'll concede there's probably a way to extract non-copyrightable information from websites like Craigslist, though you should as a practical matter expect to fight an expensive court battle to determine that.

If somebody set up a Craigslist mirror[1], and people scraped that mirror instead, I wouldn't see any problem with that.

But I don't think Craigslist itself should be obligated to serve you their data, the same way a bookstore that tells you to never come back should be allowed to call the police for trespassing if you try to buy a book from them again. I would still maintain that they should be able to tell you to stop visiting their website.

They do have terms on their site saying that you agree not to scrape their website by accessing it. I don't know how enforceable those are since they're buried at the bottom, but if Craigslist changed their website to more easily track users(with persistent accounts) and made the terms opt-in, then I'd say they don't even need to send you a letter for you to be in violation.

The phone book doesn't get to use this because they flung it on my porch; if you had to visit them and sign an NDA before they gave you a copy, I bet that case would've turned out differently. If they printed an implicit NDA on the first page and threw that on your porch, it's less clear but my guess is it wouldn't fly.

Additionally, if you lived right next door to Craigslist, and your requests never crossed state lines, I would tend to think that the federal government doesn't have the authority to regulate your request in the first place, and that it'd be up to the state.

[1] These archive the front page, but not the results. There's a robots.txt preventing that. If someone else ignored that request and mirrored everything, they would be doing something wrong but the scrapers of the mirror wouldn't be.

https://web.archive.org/web/20160503013529/http://portland.c...

http://webcache.googleusercontent.com/search?q=cache:craigsl...

link
NotSammyHagar 3688 days ago
M Burge, there are literally many court cases saying that you can copy compendiums of facts, and exactly phone books are copyable. https://www.peoplesmart.com/blog/how-the-supreme-court-paved...
link
jvehent 3689 days ago
Sites operators should reward responsible disclosure, not get researchers into trouble. Bug bounties are a good way to do that. Unfortunately, there are still people out there who don't understand their true value.
link
billyhoffman 3688 days ago
You run a high profile website. Going through your logs you see someone used a blind SQL injection vulnerability to enumerate the data tables and exfiltrate a few hundreds rows from some of the tables.

Is this person a just "friendly" pentester who "did you a favor" by finding a problem and just hasn't gotten around to telling you about it yet? Or was this an attacker who found a hole into your organization and is either hacking you further, selling the knowledge about your site's vulnerability to others, or monetizing this information in some other way?

You have no way to know. All you know is someone committed a crime.

link
dwild 3688 days ago
What you say have seriously nothing to do with what the previous comment say. In fact it's an argument for what he say.

If someone disclose you a security hole, you reward him.

2 reasons why: - You now know what's the issue and that there's one. He may have sold the whole private data of your organization to some other guy, but that's a constant in your situation. The only difference is knowing the source of the hole. If it help getting disclosure, even if it's from a black hat and he did committed something unethical, he still gave you something to fix.

- It give white hat a way to find hole in your security. Without that, they have no incentive to work on it. Again I will work on constant, black hat are a constant in the situation, either way they will try it, but without a bug bounty, you will only have black hat.

So what knowing if it's a black hat or a white hat change to you? Nothing, you still should have a bug bounty that reward disclosure because that's the only way to increase your odds of fixing theses security holes (the only thing that matter the most, whatever happens).

(I'm not saying not doing anything though if you see a SQL injection in your log, you fix it either way)

link
billyhoffman 3688 days ago
I'm describing how it looks from the other side. I have no way of knowing if you are "good". I have no way of knowing anything other than someone used an automated attack tool against my property. This is why exploiting SQL injection you find on some random site is dangerous, Even if you have the best intentions
link
user_0001 3689 days ago
I broke into your house whilst you were on holiday. Didn't you realise that I could smash your window and climb in?

Here is a box of all your valuables. Reward please

link
cayal 3689 days ago
To continue your analogy, 1000 other potential robbers are trying to get in every day, you are virtually always on holiday or otherwise outside the house, and the window was voice-activated. The intruder said a well-known special phrase which caused it to open. The expectation is that you've checked the windows, door, lock, and any other potential openings yourself to make sure they can't be entered like that. So yes, I'd say the person who doesn't take the valuables and run is doing you a huge favor.
link
jalada 3689 days ago
I can't think of an alternate analogy but I don't think breaking in to a person's house by smashing their window is equivalent to penetration testing.

But I get your point.

link
seanc722 3689 days ago
Agree, I think it is more that you left the door unlocked when you meant for it to be locked and the mailman opened the door to yell "Hello??" but no one was home, so he let you know the door is unlocked. :)
link
dwild 3688 days ago
> Didn't you realise that I could smash your window and climb in?

I did realize, which is why I don't keep your private information in there. They are in a safe hided somewhere.

That website clearly didn't realize that they had a window right there. Thanks to this guy, they now replaced it by a wall.

You accept the risk of that window, the people that goes into your house or do stuff in your house accept that risk while being near that window because they know the risk. On a website, you deal with other people stuff, not only there's an expectation of security, you won't have the luxury of knowing where's there's a window like that.

link
dumbfounder 3689 days ago
And he setup a camera to make sure your wife was showering correctly.
link
corobo 3688 days ago
As someone just starting out - Is there a decent alternative to cash bug bounties for the penniless webmaster? I could probably afford to chuck someone a tenner or so if they helped out but to be honest that sounds a bit pitiful of a bounty

Basically I'd like to say "Hey, we wont sue you if you report security problems" but I feel that due to other available bug bounties with wealthier pockets out there I'd just look like a cheap SOB rather than managing to make the original point of not suing for responsible disclosure

link