Hacker News new | ask | show | jobs
by billyhoffman 3692 days ago
> Couldn't he get in trouble...

Yes. Exploiting a blind SQL injection vulnerability to dump database tables and rows of a website you don't control without permission is a crime in most jurisdictions.

It's still a crime even if you were trying to "help" the web master.

It's still a crime even if you were just dumping the tables to "prove" the vulnerability exists.

It's still a crime even you "disclose it responsibility."

Why is finding vulns in say, outlook.com a crime but finding vulns in the thick client version of Outlook not a crime? Because of where the software is running.
2 comments
DanielShir 3692 days ago
That's absolutely right. I haven't disclosed vulnerabilities for several websites because of this exact reason. If there's no bug bounty program, then you're liable and can be criminally prosecuted (and I know cases where the person was sued in civil court as well).
link
cookiecaper 3692 days ago
Don't expect a bug bounty program to protect you. I'm not a security researcher, but if I wanted to be one, I would do what I could to conduct that business pseudonymously instead of trusting that the company would stick to the representations made in the bug bounty program.

Remember that the CFAA has both a civil and a criminal component; if the state decides to charge you, the opinion of the company whose computers you illegally accessed does not necessarily matter. JSTOR asked Carmen Ortiz to drop the charges against Aaron Swartz and she declined to do so.

link
cyphar 3692 days ago
A bug bounty acts as a legal agreement (read: implicit contract). The CFAA doesn't void contracts between two parties.
link
ajnin 3692 days ago
I'm not familiar with US law so I might be wrong but I believe in the case of crimes the perpetrators get prosecuted by the state, not the targeted company, so any implied contract would be irrelevant.
link
maxerickson 3692 days ago
The bug bounty authorizes access for the purposes of finding and reporting issues.

The relevant parts of the CFAA are aimed at unauthorized access.

link
cookiecaper 3692 days ago
The CFAA forbids both "unauthorized" access and "exceeding authorized" access. A CFAA case involving a bug bounty program, either criminal or civil, would allege that the accused exceeded authorized access if it was thought that the existence of the bug bounty program was authorization.

There are other factors that come into play here too depending on the specific wording of the site's ToS and the bug bounty participation agreements/whatever. Access may be totally unauthorized, if, for example, one uses an automated scanning tool like sqlmap, as most sites have a ToS that bans any "automated access".

And there is the first factor, which is that if you're being sued by someone who is big enough for a bug bounty program, no normal person is going to be able to fight it, and if that company tells the prosector's office about you, you're going to have a hard time shaking them off as well.

link
cookiecaper 3692 days ago
Yeah, the law in the US forbids accessing any information in a way that is either unauthorized or "exceeds authorized access" from any computer protected by federal law (any computer connected to the internet). The existence of a bug bounty program probably puts this issue within the "exceeds authorized access" category, and there have already been spats between security researchers and companies over where exactly the line of demarcation between beneficial research and malicious exploitation lies.

This is not the kind of thing you want to risk having to depend on a jury to justly decide -- juries have an atrocious record with technical subjects, and if you can't afford a world-class lawyer (which, for reference, is going to cost around a million dollars), your chances are even worse.

If the company informs the US Attorney about the case as a scare tactic, there's no guarantee that the attorney will back off when/if the company and the researcher reach an understanding. It's somewhat unlikely that they would, in fact, as "cybercrime prosecution" seems to be a widely-desired bullet point for prosectors' resumes. This is surely the only motive that existed behind the prosecution of Aaron Swartz.

If the plan is to take advantage of bug bounty programs, I believe the wise thing is to conceal your real identity. Anything that could potentially result in a CFAA claim or charge is much safer that way.

link
cyphar 3689 days ago
Not if the contract states "this is authorized access". Then it's relevant.
link
CiPHPerCoder 3692 days ago
> That's absolutely right. I haven't disclosed vulnerabilities for several websites because of this exact reason.

Depending on how you learned of said vulnerabilities, you might still be culpable for the mere act of discovering them.

link
cookiecaper 3692 days ago
Under the CFAA, any access to a networked computer becomes a crime as soon as the owner decides that he doesn't want you to access it anymore. This includes stuff as simple as visiting a publicly-facing web page.

Judges have also ruled that if you visit a public-facing page that contains information the rightsholder doesn't want you specifically to see (everyone else on the internet is OK), the temporary "unauthorized" copy that exists in the RAM of your computer constitutes copyright infringement.

Our internet access laws are horrifically outdated.

link
MichaelBurge 3692 days ago
Those actually seem reasonable, despite the rhetorical way you've phrased them.

If Craigslist have sent you a letter by legally-certified mail telling you to stop scraping rent pricing information off their site, then it makes you both a jerk and a criminal if you keep doing it. Or you could be unintentionally denying their legitimate users service by overloading their servers.

Similarly, if they've sent you legally-certified mail telling you to stop stealing their information and reselling it for your hip new startup, then you're in copyright violation if you keep storing and reselling their data.

DEX throws these yellow pages on my porch every few months. If I decided to start scanning the pages to seed a competitor, they'd have every right to tell me to stop and sue me for copyright infringement. And yes, the 'temporary' copy in my camera's SD card would constitute copyright infringement. I don't see what it being a website has to do with anything; DEXes are just as public-facing as a website when they throw them on your porch.

Judges in the United States do a terrific job - especially at the higher courts. The one handling the Oracle vs. Google API case taught himself Java to better understand the case. I think it's far more likely that you're oversimplifying in a dishonest way.

link
cookiecaper 3692 days ago
No. In the United States, something must meet a standard of originality to qualify for copyright protection. [0] While certain arrangements of facts may be copyrighted, the factual information itself cannot be owned by anyone.

The facts in a list of facts, like the fact that there is a home for rent at a specific address and the landlord wants $x per month from potential tenants, cannot be copyrighted by anyone, certainly not a middleman like Craigslist. It is free information that anyone in the world may use as they like. The law is written that way, the courts have ruled that way. This is true of information in books, on billboards, flyers, CD-ROMs, whatever. It's only a technicality in the delivery mechanism that makes it any different when the information is read from a page retrieved by HTTP.

You gave the example of a phone book, which is unfortunate for you because that very example has been litigated in Feist Publications, Inc. v. Rural Telephone Service Co. [1] and the assertions you're making were ruled incorrect. It was ruled that it is perfectly legal to copy the facts out of a phone book, rearrange them, and republish the content. This was argued all the way up to the Supreme Court. Remember that you believe "judges do a terrific job, especially in the higher courts".

As you point out, there is no practical difference between copying out of a phone book or a web page for practical purposes. The reason one is legal and one is illegal is because of the obtuse wording of the CFAA and the technical ignorance of the judiciary, especially in the precedent-setting cases that were decided a decade or more ago, as the internet was still emerging as a force in American life.

>If Craigslist have sent you a letter by legally-certified mail telling you to stop scraping rent pricing information off their site, then it makes you both an asshole and a criminal if you keep doing it.

On what basis? We've already established there is no copyright interest in the factual data (though there may be in the exact wording of the ad, if only non-copyrightable factual data is extracted, there is no infringement).

Should it be illegal for me to read a book that I legally acquired just because the publisher sent me a letter and told me he didn't like what I was doing with the information I learned from it? Am I an asshole if I read a book by a politician and go on TV to talk about how I disagree with something he said therein? Should I be under either criminal or moral indictment for doing so?

The publisher must take responsibility for widely and publicly disseminating the information. If you don't want some people to know certain things, you shouldn't publish and then sell tens of thousands of books that contain that information. In the same way, if you're worried about what someone else may do when they learn that the house at 129 Main St is currently on the market, perhaps you shouldn't tell everyone.

Legally, the difference only exists because the internet works by pulling a copy of the web page from a server. That shouldn't matter most of the time, which, again, you already indicated.

>Or you could be unintentionally denying their legitimate users service by overloading their servers.

I agree that there should be reasonable civil liability for causing accidental DoS attacks. That's fine. The law should be amended so that it only covers this, not so that it covers normal information retrieval from the internet.

>And yes, the 'temporary' copy in my camera's SD card would constitute copyright infringement.

The correct analogy for a copy in RAM is the copy of the image that is reflected onto your retinas when you look at the copyrighted work, not a permanent storage device from which the content is eventually deleted. Every judge in the world would scoff if someone tried to claim that anyone who looked at his work owed him for the "infringing copy" that existed in their eyeballs, but because judges don't understand how computers or RAM work, they make decisions they'd scoff at if they knew what was really going on. [2]

[0] https://en.wikipedia.org/wiki/Threshold_of_originality

[1] https://en.wikipedia.org/wiki/Feist_Publications,_Inc.,_v._R....

[2] https://en.wikipedia.org/wiki/Ticketmaster,_LLC_v._RMG_Techn....

link
MichaelBurge 3692 days ago
I'll concede there's probably a way to extract non-copyrightable information from websites like Craigslist, though you should as a practical matter expect to fight an expensive court battle to determine that.

If somebody set up a Craigslist mirror[1], and people scraped that mirror instead, I wouldn't see any problem with that.

But I don't think Craigslist itself should be obligated to serve you their data, the same way a bookstore that tells you to never come back should be allowed to call the police for trespassing if you try to buy a book from them again. I would still maintain that they should be able to tell you to stop visiting their website.

They do have terms on their site saying that you agree not to scrape their website by accessing it. I don't know how enforceable those are since they're buried at the bottom, but if Craigslist changed their website to more easily track users(with persistent accounts) and made the terms opt-in, then I'd say they don't even need to send you a letter for you to be in violation.

The phone book doesn't get to use this because they flung it on my porch; if you had to visit them and sign an NDA before they gave you a copy, I bet that case would've turned out differently. If they printed an implicit NDA on the first page and threw that on your porch, it's less clear but my guess is it wouldn't fly.

Additionally, if you lived right next door to Craigslist, and your requests never crossed state lines, I would tend to think that the federal government doesn't have the authority to regulate your request in the first place, and that it'd be up to the state.

[1] These archive the front page, but not the results. There's a robots.txt preventing that. If someone else ignored that request and mirrored everything, they would be doing something wrong but the scrapers of the mirror wouldn't be.

https://web.archive.org/web/20160503013529/http://portland.c...

http://webcache.googleusercontent.com/search?q=cache:craigsl...

link
NotSammyHagar 3692 days ago
M Burge, there are literally many court cases saying that you can copy compendiums of facts, and exactly phone books are copyable. https://www.peoplesmart.com/blog/how-the-supreme-court-paved...
link