by akersten 1637 days ago
We desperately need a law that says (or at least need people in power to understand that) if your server sends it (as an agent working on behalf of your interests), you decided it was ok for me to receive it! For HTTP this understanding is literally conveyed in the status code (200-OK). Once data is sent to the client, you can't say they are breaking the law by looking at it[0]. Anyone with a text-based browser would have seen this data right away without even having to use the Powerful Hacking Tool view source.

A law like this would also prevent the grave injustice of being considered a criminal for incrementing a query parameter to iterate through different records (weev/AT&T, I think). That also should never have been considered "hacking". Companies need to fix their damn auth instead of relying on the CFAA being overly generous to financially/politically-endowed interests. That law needs a neuter.

[0]: notwithstanding an actually-compromised server, which is no longer an agent working in its owner's interest. We'd have to be very careful to word this law, but I believe we can do a lot better than what we've got today.

12 comments

> Powerful Hacking Tool view source

Even the FBI agent quoted in the article got it wrong, stating “allowed open source tools to be used to query data that should not be public.” - as if proprietary browsers don't provide a View Source feature, only "evil" open source tools. Maybe I'm reading too much into it and it's a minor mistake but given the context even a potentially innocuous statement like that rubs me the wrong way for being incorrect.

As anyone could probably guess, LEOs that do actual technical work are rarely the same ones talking to the public about that technical work. Thus what gets said to or published for the public is rarely reflective of the actual internal understanding.
Totally possible that an FBI agent would be using the intelligence community sense of "open source" meaning "publicly available", rather than the sense of "open source" that's the mode around here.
I like to point out that the Governor installed that powerful hacking software on his own computers!
I read this as a failure of the state for publishing information that "should not be public".
I agree that both of those shouldn't be punished. I'm not sure how one would properly define the law though - for example, an SQL injection could also be "just a query parameter" and the server would happily reply with a 200.
That would make a lot of companies responsible for the data they keep and should be responsible for protecting.

SQL injection can be (and probably is) malicious though, so I suppose it becomes an unclear line for that example. Maybe punishment of both parties would be appropriate, but I'm not a lawyer so don't have expertise in law punishments. But I could see this as incentivizing data security. Even if a 0-day is discovered, companies will be less inclined to drag their feet for a patch when one becomes available.

Honestly, I'd want to see strict liability for data breaches, with revealing of personal information included as a type of injury, and not merely something that must be shown to have led to other forms of injury. Right now, the most I can do is reduce the amount of personal information that is collected about me, and I have no ability to ensure that it is stored in a secure manner. Companies that record personal information about me (e.g. Google, Equifax, Facebook, etc) have the ability to improve their security, or to reduce the scope of collected data, but have no incentive to do so. By placing the liability on the same entity as makes the decisions, it creates that incentive.
I’m not sure I believe in 100% strict liability. Imagine if someone were to perform a B&E or armored robbery at a physical location to steal hard copies of records.

Clearly if someone uses a zero day to steal personal information from an otherwise secure server then the server's owners were not negligent.

In addition, oftentimes the only people that know there was a data breach are the organization that had their data breached and the attackers that stole the data. Neither of the parties could report the data breach without violating their 5th amendment rights if they both had legal liability.

It would make the most sense to define software as a legal agent of those who deploy it.

If an HTTPS server prints OK and returns a document for a straightforward request, then it's manifestly obvious that the owner's agent intended to give you that information. If the owner did not intend that to happen, the issue is between them and their agent. (Think: a customer service rep who didn't follow policy)

Supplying a SQL injection to an HTTPS server would be akin to fraud or false pretenses - like if you walked up to a customer service rep, showed them a fake ID, and asked for information about your account.

(Furthermore, copyright trolls wouldn't be able to wriggle out of their fraudulent DMCA requests by blaming it on software that they themselves deployed)

If you socially engineer an employee to access data or steal money it's still a crime.
Yes, that was my point about SQL injection. By knowingly performing an SQL injection, you're deceiving the software agent webserver. Whether you're guilty of a crime then depends on your intent for why you did that. If you do this to find and report a bug, and don't do much else with the ill-gained information, you're demonstrating good intent. If you use the information to make further compromises or otherwise profit by it, then not so much.

But in the larger scenario here the software-agent webserver was not tricked at all, making it hard to argue that the person accessing the willfully-published information did something improper regardless of their intent.

With an SQL injection, you have to willfully provide an input with the hope that it results in injection.

my understanding is that the reporter looked at the source that was being sent as intended -- no manipulation of input by the client

You send a query string to a server with the hopes that the server will give you what you want. Isn't that the World Wide Web?

Proving "intent" is much harder than proving action. And, to me it seems bad for the law to enforce based on whether the server's authors "wanted" to provide a specific piece of information.

Intent is something that is considered in murder homicide cases, so why not in these cases too?
Because murder is a crime, intent is not.
To differentiate between murder and manslaughter (say, due to negligence), the idea of intent (or state of mind) is taken into account.
Intent to murder is now a misdemeanor… in Maryland.
> With a sql injection, you have to willfully provide an input with the hope that it results in injection

If I send you a link that happens to include arguments that happen to be a SQL injection (or my cat steps on my keyboard in just the right way), there was no intent.

Your intent by crafting such a link was clear.
That's a third party. You're mixing responsibility and ascribing it to an innocent party. That was the obvious point, with an incidental mention of another (random input) case where innocence is a reasonable deduction. Therefore, it is not necessary for an SQL injection attack to be connected with the intent of the actor. Period.

From US case law, there's a little history about not chasing after infected botnet hosts as bad actors.

If you commit wire fraud through an innocent intermediary, you're still guilty of wire fraud. If you give someone a link that's an attack and they unknowingly run it, then you're the one at fault not the person clicking the link.

I think it's pretty straightforward.

You're kind of just describing why it's hard to prosecute based on intent though.

For the purposes of distinguishing between if something is an exploit or not, it doesn't seem too relevant

SQL injection is probably malformed input in lots of cases and should return a 400 Bad Request. If you are returning a 200 maybe you really did want to take SQL (think of Mode or PHPMyAdmin).
That's the entire point of hacking, circumventing protections that the server has in place to get a response you were not supposed to get. The status code is irrelevant.

The same applies in the real world too. If I perform a social engineering hack and get you to pay a fake invoice, it's still theft (or fraud), even though someone willingly and deliberately sent you money.

That assumes that the server recognized it as invalid. If it had, then it should take measures to block the input, but if the attack succeeded then the server would not be recognizing the attack and would respond with a 200.
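The status-code argument running through this subthread ("just a query parameter" gets a 200, malformed input "should return a 400", a successful injection is by definition not recognized) is easy to see in code. This is an added illustration, not code from the thread: a toy record-lookup endpoint written three ways over a constructed in-memory SQLite table, with the `id` parameter and sample rows made up for the example.

```python
"""Added example (not from the thread): a toy lookup endpoint implemented
three ways, showing that the HTTP status code says nothing about whether a
request was legitimate.  The table, rows and the 'id' parameter are
constructed here for illustration."""
import sqlite3

# Constructed sample data standing in for the records a site might serve.
_ROWS = [(1, "alice", "public bio"),
         (2, "bob", "public bio"),
         (3, "carol", "public bio")]


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER, name TEXT, bio TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", _ROWS)
    return conn


def lookup_concat(record_id: str):
    """Vulnerable: the query parameter is pasted into the SQL text.
    Returns (status, rows).  Anything the SQL parser accepts gets a 200,
    including input that rewrites the WHERE clause; only input the parser
    cannot read at all reaches the 400 branch, which is the L78 point."""
    conn = _db()
    try:
        rows = conn.execute(
            "SELECT id, name FROM records WHERE id = " + record_id).fetchall()
    except sqlite3.Error:
        return 400, []          # unparsable SQL is the only thing "recognized"
    return (200, rows) if rows else (404, [])


def lookup_param(record_id: str):
    """Hardened: bound parameter.  The input is always a value, never SQL,
    so a string that widened the WHERE clause above simply matches no row."""
    conn = _db()
    rows = conn.execute(
        "SELECT id, name FROM records WHERE id = ?", (record_id,)).fetchall()
    return (200, rows) if rows else (404, [])


def lookup_validated(record_id: str):
    """Hardened plus input validation: the 400 Bad Request the thread asks
    for.  A non-integer id is rejected before any query runs."""
    if not record_id.isdigit():
        return 400, []
    return lookup_param(record_id)


if __name__ == "__main__":
    for handler in (lookup_concat, lookup_param, lookup_validated):
        for arg in ("2", "2 OR 1=1"):
            print(handler.__name__, repr(arg), "->", handler(arg))
```

Run stand-alone it prints the three handlers side by side: the concatenating one answers the widened query with a 200 and every row, while the parameterized and validated ones answer the same string with 404 and 400 respectively.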
As someone who was thoroughly and intimately familiar with both the person weev was/is and the details surrounding the AT&T disclosure case, there is absolutely NO question that weev deserved to be incarcerated and for far longer than he ended up serving. Multiple people are in federal prison on his account, multiple lives have been stained and essentially ruined on account of weev surrendering ("snitching") information, sometimes true and sometimes false, about other criminal events.

Don't believe what you have heard, I know it seems very hacker-y and noble, and he tried to do the right thing and disclose, so we should just cut him a break, blah blah blah. There's MILES of evidence against him seeing free life. He's been involved in financial fraud, harassment cases against minors, illegal pornography against minors, threats of harms against strangers on the internet, there's even (unfounded, though somewhat plausible) claims that he's developed spyware for profit. I don't want to be doxxed, so I'll leave it at that. I've known weev for a long time, and I'm sure glad he doesn't know me.

To clarify, I am in favor of laws defending those who receive data from a sender having immunity. It seems common-sense. If you give me a ten dollar bill, and ask for it back, I can just decline, and walk away. It's rude and wrong, but it's legal, and it ought to be. CFAA has put a lot of bright, young minds in jail, and they are subsequently extorted and abused by multiple state agencies in the name of "cyber defense." It's grotesque.

But don't make weev a hero. He's not.

I feel dumb for even having to make this argument, but people can be bad and guilty of other crimes and that doesn't mean they should be found guilty for things unrelated to those other crimes. Everything you listed in this comment is unrelated to the weev v. AT&T case, which was (imo) a sham of a lawsuit, irrespective of whatever other heinous things he did.
> We desperately need a law

Why not just have a law against subverting the intent of existing laws, or against making bad-faith arguments? Laws are only as good as people's willingness to accept impartial assessment thereof. Absent that, they will just be exploited selectively for strategic leverage.

Aristotle observed that laws tend to multiply under tyrannical regimes, as rulers impose ever more onerous conditions upon their subjects; I think it's also true that an excess of laws creates opportunity for tyranny in the sense of creating a much larger attack surface for a malicious or cynical actor to exploit. To my mind, the growth of the US and state codes* is a bug rather than a feature, and pruning such complexity highly desirable.

* https://arxiv.org/pdf/1003.4146.pdf

This approach is inherently unclear. Intent is never completely recorded because doing so is fundamentally impossible--there's far too much minutiae and unwritten context to guarantee that jurists are following intent, and consistency is important in law (ideally, anyway--this ignores the real and present issues in US jurisprudence where consistency is thrown out the window for partisan benefit).

You can't have laws whose interpretation is "don't do things you shouldn't" because parties in legal disputes clearly disagree about what "shouldn't" means, else they wouldn't fucking be resolving them through expensive and lengthy legal action.

There's a meaningful distinction between clarification of and expansion of the law. Legislators are responsible for both. OP may not have phrased it precisely, but they're saying the CFAA needs to be _clarified_. This doesn't mean it expands in scope--if anything, its scope would be narrowed.

I believe what we've got today in most countries is pretty ok, maybe ambiguous but it does the job as far as an ethically concerned person would go.

In my country they classify it as "unauthorized access". That's perfectly fine with me.

In other words, if your server sends it, and you intended to send it, then I can have a look at it. If your server sends it, but you never intended (sysadmin, programmer error, bureaucracy, unsecured servers etc), and it's clear for me the information was never meant to be public, then I'm committing unauthorized access.

You could say a transparent window is literally made for the purpose to be able to see through, but I'm certain I'd be breaking the law if I started taking pictures of people undressing in their homes.

> If your server sends it, but you never intended (sysadmin, programmer error, bureaucracy, unsecured servers etc), and it's clear for me the information was never meant to be public, then I'm committing unauthorized access.

So if your server sends privileged data and I "View Source" to see how you implemented some unrelated part of your site and accidentally see that data, I'm now guilty of unauthorized access and should be prosecuted?

How about we shift the burden back to the people who have been entrusted to keep this data secure in the first place?

So if you left open the front door of a police station and I enter to see how an unrelated part of the building is built, and accidentally grab a gun I see on somebody's desk... then I would most certainly expect to be prosecuted.

I understand you want to punish whoever forgot to close the door, and obviously the guy who abandoned his gun, I agree... but I have no business being there whatsoever!

We don't need to get this creative.

Say I mail a dead tree letter to the Department of Elementary and Secondary Education. And say in that letter I put a request for information on a particular teacher.

They send me a bit of a heavy envelope back. Which is a bit funny for my simple query but eh, I've gotten heavy envelopes before. The first page actually has the answer to my query, and then there seems to be a large number of pages of small print.

Normally people don't really read the small print, but today I'll do it anyway (maybe I'm suspicious due to the large packet). What I find is that there's some normal legalese for a page or two I guess, and then on say page 5 through 100 it's actually a table with row after row of teachers' names and social security numbers. Ok, that's not good.

So the letter is addressed to me, and it landed on my doormat. It's pretty clear I'm the intended recipient.

In THAT case, I don't think it would fly for the state to go "But you were only supposed to read the first page, you were never supposed to read small print". I think that might be going a bit too far.

* If we assume the letter was printed by a computer, and

* And we assume the same knuckleheads who wrote the website also wrote the letter printing code.

Then it's not so much an analogy as it is very nearly the same thing (but now in terms a lawyer can understand, hopefully). All we've done is changed the underlying protocol and representation.

Except in your analogy, I didn't "grab" anything -- I asked a question about paying a parking ticket at the front desk and as an answer they handed me a loaded gun. When I tried to give it back, they prosecuted me for theft.
There is a very big difference here. In your example, you've clearly entered into someone else's property; in the case of reading the info sent to your computer... I am reading a thing you sent me!

A more accurate version of your analogy is if I asked to hold a police officer's Taser and he handed me his gun by accident... or even if I asked to see his gun and he handed it to me thinking it was empty, but it was in fact loaded.

Point being, the website essentially put that information on my computer! I am asking for something from them, but what they give me is 100% their business! They don't have to obey my request but they do have to not-send-private-data-to-random-people-who-ask-for-it

Let's say I'm viewing a webpage, and I'm curious about some aspect of how it's implemented. I click "view source", and see something that isn't supposed to be there. Is the conclusion "whoops, guess I'm a criminal now"? Shouldn't there be some way for people to avoid committing a crime besides knowing in advance that a website is going to send them private data?

You could say, "obviously stumbling across the data is fine, as long as you then responsibly report the issue, or ignore it and go on with your day. It's only illegal if you then go on to do nefarious things with it." But this is exactly what the current system is failing at by prosecuting this reporter.

Getting the hacking issue right should not be this hard. In practice, it's pretty obvious what's hacking/unauthorized access and what isn't.

In the hacking category: SQL injection. Breaking DES. Cross site scripting attacks. Tracking cookies and browser fingerprinting, arguably.

In the not-hacking category: Incrementing integers in the URL. "Breaking" rot13. Using "view source".

> You could say a transparent window is literally made for the purpose to be able to see through, but I'm certain I'd be breaking the law if I started taking pictures of people undressing in their homes.

Disclaimer: IANAL. Also, don't take creepy photos of your neighbors through their windows regardless of the legality of doing so.

In many parts of the US at least, the law is less clear-cut than you might think. In many jurisdictions you would have to argue that the photos were of a sexual nature (probably not hard for pictures of people undressing, but it's not an automatic win depending on context). In some states and/or localities there are explicit laws preserving privacy when in one's residence, but in many others, a photograph taken through an unshaded window is legal as long as it doesn't violate other laws.

[edit]

I guess all of the above strengthens your point that such simplistic laws as "a 200 response means you are authorized to do what you want with it" are not in any way analogous to the way laws for other systems work.

I agree that this would be an improvement, but I see two problems:

1) This would require law enforcement, attorneys, judges, and juries to learn how the Internet works. For most people, what a server sent is what you can see in a web page. Concepts like server and client aren't ubiquitous.

2) This doesn't account for vulnerabilities. If I use an open source package that has a security flaw, and that flaw is exploited causing my server to send sensitive data, did I still implicitly authorize this because the server was acting as an agent of my interests? I probably need to be held accountable, but surely the attacker is not innocent. If we agree on this, then how do we craft a law that draws the line between incrementing a query parameter and remote code execution?

> We desperately need a law that says (or at least need people in power to understand that) if your server sends it (as an agent working on behalf of your interests), you decided it was ok for me to receive it!

No, this is a bad idea for a law. It's appealing to nerds (like myself), but it's not how the law does (or should) work. It's very easy to imagine scenarios where you could get a server to send you an HTTP 200 even though you knew you were accessing data you weren't supposed to. That should clearly be illegal. (It's not what happened here, though. This case is much sillier.)

Yes, this should be pretty obvious. If you kidnap someone and force them to log in to a computer system they have access to so that you can steal information or resources using that computer system, obviously that would be illegal (on top of the kidnapping) even though the computer system is working entirely as intended.
Even if we had a law like that, you could still get "prosecuted", i.e. sued by the govt for whatever reason. Depending on the DA, they may even bring prosecutions to "make a point," knowing it won't go anywhere.

That said, this case seems to be tossing into a gray area any plugin or browser or browser version that alters the "expected rendering" in any way. So if I wrote my website and only tested with IE, and you opened it in Firefox which due to a rendering difference reveals something I didn't intend to be revealed, this government would presumably try to sue you...

I think existing laws are OK, if not enforced properly (laws are different jurisdiction to jurisdiction, so I don't know what exact law this guy is being accused of breaking). Usually, though, in court, you do have to prove intent in a criminal case. That this case is against the state, though, is probably unlucky. The governor doesn't want to appear to have egg on his face, even if it would be better for the good people of Missouri if he would just say "thank you" and delegate the responsibility of fixing the issue to the right person.
Still need to make illegal tricking the server into thinking it's OK. This area of law seems rather difficult to codify perfectly, but it's clear that "view source" shouldn't be a problem, since no trickery is involved. Generally, this should be called Honest but Curious behavior.
> This area of law seems rather difficult to codify perfectly

Sure, but law doesn’t function by codifying things perfectly. There is no perfect codification of the physical ways one can move one’s fist, but clearly some such ways constitute an illegal act while others don’t.

Or stop using common law system? Follow strict Nulla poena sine lege?