by slackingoff2017 3162 days ago
"unauthorized access" is bs. It was a public ftp server and he notified the owners. It's like telling your neighbor his door is open.
2 comments

Hasn't unauthorized access of a server with weak or no security measures been proven illegal many times in court already, though? Admittedly, I'm not a legal expert of any kind, but I could swear that's a common thing.
The analogy is a little twisty, but yeah, seeing the files in the directory is probably like looking in through the door, and actually opening them is probably more like trespassing.
So he downloaded a list of files. That's like going in the door, opening the refrigerator (or filing cabinet) and making an inventory.

The list itself could have private and protected information.

An ftp client downloads a list of files as soon as you connect.

It's the same as fat fingering a website in your browser. Are you saying I should go to jail if I type the wrong website, it loads, and it turns out that site was supposed to be "private"? My browser downloaded the home page and all the files on it.

What if I click the wrong wifi network and use it all day without noticing? Should I get charged for "unauthorized access"?

There needs to be a reasonable standard for security above "so insecure you could do this by accident" to send people to jail. Whoever set up the server that shitty should be charged with negligence.

See, the legal system has this thing called “intent” and courts are decently adept at figuring it out. If you actually did fat finger something, you could probably prove that. Maybe you only connected once for a quick second. But if you connected multiple times over several days, and forensic evidence showed you deliberately downloaded things, well, that’s intent.

I see this all the time in technology: people come up with contrived counterexamples to expose some non-existent flaw in the legal system that they get really defensive about. The legal system isn’t like a computer. If you really did make a mistake, that should become obvious in the ideal case.

Some graphical FTP clients might download a list of files, but certainly not all. It's not a standard part of the protocol to immediately execute 'LIST'.

You may have fat fingered a URL, but your browser still asked for it and any content located there.

I don't agree with prosecution on things like this, but the reality is the best analogies are still doors and locks: My front door is connected to a walkway, which is connected to the public sidewalk. You may see my door is open and unlocked, but you're still trespassing if you walk in. If you did, I may decide not to press charges, but that's my choice. And I'd be mad as hell at anyone who created a law that said I couldn't just because my door is open.

I think the best solution is for people to treat others with a little more goodwill, and find other ways to make society less litigious overall. Unfortunately, corporations drive a lot of that because a corporation's only goal is to make money. People, however, can make different choices.
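The "intent" point a few comments up (a one-off connection versus repeated visits with deliberate downloads) and the disagreement about whether a client issues LIST on connect both come down to what the server's own command trace shows, because RFC 959 does not list anything at login; the client chooses to send LIST, NLST, CWD or RETR afterwards, and each one is logged as a separate command. The following is an added example, not code from the thread or from any party named in it. It parses a constructed per-line command trace (timestamp, client IP, direction marker, protocol line; this layout is an assumption for the example, not any real server's log format) and classifies each client as having only connected, browsed, or downloaded, along with how many logins over how many distinct days:

```python
"""Classify anonymous-FTP clients by what they actually did after login.

Added example. The log layout below is an assumption for illustration:
"<ISO timestamp> <client ip> <'>' for client command | '<' for server reply> <line>".
The sample lines are constructed, not a real capture.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample trace: three clients, one of which returns on a second day.
SAMPLE_LOG = """\
2016-02-01T10:00:01 198.51.100.7 < 220 FTP server ready
2016-02-01T10:00:01 198.51.100.7 > USER anonymous
2016-02-01T10:00:01 198.51.100.7 < 331 Please specify the password.
2016-02-01T10:00:02 198.51.100.7 > PASS guest@
2016-02-01T10:00:02 198.51.100.7 < 230 Login successful.
2016-02-01T10:00:03 198.51.100.7 > QUIT
2016-02-01T10:00:03 198.51.100.7 < 221 Goodbye.
2016-02-01T10:45:10 192.0.2.9 > USER anonymous
2016-02-01T10:45:10 192.0.2.9 > PASS ftp@example.org
2016-02-01T10:45:11 192.0.2.9 > PWD
2016-02-01T10:45:11 192.0.2.9 > PASV
2016-02-01T10:45:11 192.0.2.9 > LIST
2016-02-01T10:45:12 192.0.2.9 > QUIT
2016-02-01T11:30:00 203.0.113.5 > USER anonymous
2016-02-01T11:30:00 203.0.113.5 > PASS guest@
2016-02-01T11:30:01 203.0.113.5 > PASV
2016-02-01T11:30:01 203.0.113.5 > LIST
2016-02-01T11:30:05 203.0.113.5 > CWD patients
2016-02-01T11:30:06 203.0.113.5 > PASV
2016-02-01T11:30:06 203.0.113.5 > LIST
2016-02-01T11:30:09 203.0.113.5 > PASV
2016-02-01T11:30:09 203.0.113.5 > RETR export_2016.csv
2016-02-01T11:30:10 203.0.113.5 > QUIT
2016-02-02T09:12:00 203.0.113.5 > USER anonymous
2016-02-02T09:12:00 203.0.113.5 > PASS guest@
2016-02-02T09:12:01 203.0.113.5 > CWD patients
2016-02-02T09:12:02 203.0.113.5 > PASV
2016-02-02T09:12:02 203.0.113.5 > NLST
2016-02-02T09:12:05 203.0.113.5 > QUIT
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<dir>[<>]) (?P<line>.*)$")

# Commands that go beyond "I connected and logged in": reading names or content.
BROWSE_CMDS = {"LIST", "NLST", "MLSD", "CWD", "CDUP"}
RETRIEVE_CMDS = {"RETR"}


def parse_log(text):
    """Yield (timestamp, ip, verb, argument) for each client command.

    Server replies (direction '<') are skipped; only what the client asked for counts.
    """
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group("dir") != ">":
            continue
        verb, _, arg = m.group("line").partition(" ")
        yield datetime.fromisoformat(m.group("ts")), m.group("ip"), verb.upper(), arg


def summarize(text):
    """Aggregate per client IP: logins, distinct days, directories entered, files fetched."""
    per_ip = defaultdict(lambda: {"logins": 0, "days": set(), "dirs": [],
                                  "files": [], "commands": set()})
    for ts, ip, verb, arg in parse_log(text):
        s = per_ip[ip]
        s["commands"].add(verb)
        s["days"].add(ts.date())
        if verb == "USER":          # each USER starts a new login attempt
            s["logins"] += 1
        elif verb == "CWD":
            s["dirs"].append(arg)
        elif verb in RETRIEVE_CMDS:
            s["files"].append(arg)
    return dict(per_ip)


def classify(summary):
    """Downloaded beats browsed beats connected-only."""
    cmds = summary["commands"]
    if cmds & RETRIEVE_CMDS:
        return "downloaded"
    if cmds & BROWSE_CMDS:
        return "browsed"
    return "connected only"


def report(text):
    """Return {ip: {verdict, logins, distinct_days, dirs, files}} for a trace."""
    out = {}
    for ip, s in summarize(text).items():
        out[ip] = {"verdict": classify(s), "logins": s["logins"],
                   "distinct_days": len(s["days"]), "dirs": s["dirs"], "files": s["files"]}
    return out


if __name__ == "__main__":
    for ip, r in report(SAMPLE_LOG).items():
        print(ip, r)
```

Run as-is it reports 198.51.100.7 as "connected only" (login then QUIT), 192.0.2.9 as "browsed" (a client that issued LIST right after login, as many GUI clients do), and 203.0.113.5 as "downloaded" with two logins on two distinct days, a CWD into patients, and one RETR. The point is that the trace separates the protocol's own login exchange from the client's later choices, which is exactly the distinction the "fat-fingered" and "intent" arguments turn on.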

The "doors and locks" analogy is not perfectly applicable in this case.

In the cases of house front doors in the suburbs, the overwhelming expectation is both that the door is intended to be locked and that the public is not intended to freely come and go from the interior of the residences. This is a custom so well-established that it is essentially universal, and a house with the door open and unlocked is an obvious outlier.

In the case of fileservers on the public internet, the overwhelming expectation is that anyone may connect to them, and if anonymous logins are accepted, access the files on the server. Again, this is well-established custom.

Because the customary behaviour in the two situations is so different, the analogy is inapplicable.

(replying to myself)

After walking away from this I thought of an analogy to fit the other side: Attractive Nuisance

Maybe a security researcher/group/company could sue on behalf of customers affected by an open FTP server because it's an "Attractive Nuisance" on the Internet. Affecting a company's bottom-line is about the only way to get some to take notice.

>Some graphical FTP clients might download a list of files, but certainly not all.

Certainly, most? I can't think of any FTP GUI application I've ever used not displaying a list of files stored on the remote host upon connecting.

> Are you saying I should go to jail if I type the wrong website

No, I'm not saying anyone should go to jail. The person in question did not do this by mistake though.

In general I'm in agreement with you. I'm just making sure we don't mix analogies. Looking through an open door is not the same as connecting to an FTP server and getting list of files.

I'm saying that unauthorized access shouldn't apply to things that are trivial to access even by mistake.

The law needs to be at the same standard as real life. For example the police can search your belongings unless they're locked, then you need a warrant. If you've got a service wide open on the internet with no security it shouldn't be a crime just because somebody found it.

The difference between doors and locks is that going through real life doorways is a lot different than connecting to a service. On the internet the act of connecting to it gives you access to the inside, there's no second act of walking in.

It's like an open door that throws a copy of its contents at anyone that finds it.

That's like saying you looked at my open front door so you committed B&E.

Sure, that's one way to look at it. But also, since you have to actually interact with the server in order to discover such vulnerabilities in it, it could also be viewed as similar to walking in through an unlocked door and looking around. That, at least, is trespassing, I believe.

Or making an inventory list of everything inside. "Oh, here's a filing cabinet, I'll just pull the inventory. Just peeking in..."

When you connect with ftp or HTTP you get a top level directory or a home page. Same thing as looking through an open door.

Alright, if we want to get specific it's like being blind and touching a home's open front door. Incredulous that the door is open, you feel around inside for a second and feel a set of keys on the hook. You leave at this point and a week later are arrested for B&E because your fingerprints are on the keys (or you were stupid enough to tell the owner their door was open).
Yes, the CFAA has a low bar for charging with a felony.
> It's like telling your neighbor his door is open.

I think it's more like your neighbor's door being open and you going inside and seeing that the refrigerator is open. Therefore proving that you trespassed on private property. Not legal. Of course in most cases you wouldn't be prosecuted for that, I would imagine, unless you tramped around the house.

Article says:

"he'd come across an FTP server operated by another dental software company, Patterson Dental, which makes "Eaglesoft," a dental practice management software product. Shafer had discovered an openly available anonymous FTP server with patient data"

In order to determine it had patient data he would have to see the patient data not just connect to the server at the root level and then exit. So at the very least (in theory) he would have cd'd a few directories and perhaps downloaded a few files or noted the directory structure and names. That is entering and looking around.

Occam's Razor would say he logged in, saw a patient_data directory or something similar, and logged out. We don't know anything really about how his perusal or lack thereof had him come to that conclusion. If it was running batch job processing that places like Epic and others do, it could have a recognizable directory structure that would give it a clear fingerprint.
First, I don't believe it is against the law to simply connect to a public FTP server. And I'm certain that I wouldn't bother to notify somebody that their public FTP server was... public. However, if I saw something that clearly wasn't supposed to be public.

It's more like looking across the street and seeing a private act through an open window, and going to the front door and knocking and telling them that the window is open.

There are laws against leaving patient data in the public. There are laws against public indecency.

There are also laws against unauthorized access and laws against being a peeping Tom.

Which one is going on is not necessarily easy to determine.