Hacker News new | ask | show | jobs
by nickpsecurity 3342 days ago
"The text of the CFAA forbids "unauthorized access" or "exceeding authorized access"."

BOOM! And they've been harsh on hackers for a long time. So, the vulnerability must not require violating access controls or system integrity to be safest. Hackers should be in the clear if it was simply noticing something in HTML/HTTP or whatever that indicated insecurity. An example might be a breakable cipher-suite or handling sessions improperly.
1 comments
emodendroket 3342 days ago
It sounds awfully close to what got weev sent to jail.
link
cookiecaper 3341 days ago
This is a good parallel and you're definitely right. However, weev was charged [0] on 2 counts:

1. conspiracy to access a computer without authorization

2. fraud in connection with personal information

This is because Goatse Security not only noticed the vulnerability itself, but because they wrote and executed a script called the "iPad 3G Account Slurper" to iterate over ICC-IDs, returning the associated email address for each one.

Executing the script against AT&T's servers probably is a bona fide violation of the CFAA, not just a conspiracy, but I would guess it's simpler to bring the conspiracy charge since you don't have to get into the nitty gritty of actual requests made, etc.

According to the complaint, they proceeded to email a handful of notable people whose emails had been harvested, including someone on the Board of Directors at News Corp. All of these contacts appear to be media outlets. The Gawker article also lists some of the people whose email addresses were extracted this way (without disclosing their emails).

I'm assuming this direct communication to journalists and/or execs at journalism outlets gives rise to the fraud with personal information charge.

Overall, I don't think that weev did anything that I wouldn't have necessarily have done if I were in that situation (trying to drum up attention and make a name for his consulting firm), but it's different from this disclosure because as far as we know, this researcher did not actually exploit the vulnerability and he has not obtained or disclosed any information from doing so.

Again, not a lawyer.

[0] https://www.eff.org/document/criminal-complaint

link