[emidln]

I suspect this data is made "anonymous" and sold to insurance companies and misc data brokers. If it's linked to my insurance company, I don't want to jack my rates. Further, I've thus far avoided a CFAA conviction and I'd like to keep it that way.

[andrei_says_]

As anonymous as there are Miatas in your neighborhood parking in your driveway.

[mindslight]

It would be an extremely totalitarian dynamic to be persecuted with the CFAA for modifying a device you own based on part of it having been (nonconsensually!) programmed by a third party to upload data to their own server. You own the device, so anything you do within that device is authorized. And the code that uploads the data is authorized to do so because it was put there by the same company that owns [controls] the servers themselves.

I do know that the CFAA essentially gets interpreted to mean whatever the corpos want it to mean - it's basically an anti-witch law - so it's best to steer clear. And this goes double with with the current overtly pay-to-play regime. But just saying.

(Awesome description btw! I really wish I'd find a buying guide for many makes/models of cars that detail how well they can be unshackled from digital authoritarianism. A Miata is not the type of vehicle I am in the market for (which is unfortunate, for several reasons))

[emidln]

If you can be prosecuted for guessing urls you can be prosecuted for sending garbage data in a way you know will be uploaded to a remote system.

[rockskon]

The DoJ lost the case they went after for someone guessing URLs.

[monerozcash]

They lost it because they charged in the wrong jurisdiction.

Also come on, you can't reasonable describe that case as being about "guessing urls". It's the associated chat logs that really make the case.

[red-iron-pine]

link me

[vkou]

You think criminalizing guessing URLs is unreasonable.

What about guessing passwords? Should someone be prosecuted for just trying to bruteforce them until one works?

[estimator7292]

Guessing passwords is an attempt to access privileged information you have no right to access, and could not otherwise access without bypassing security measures.

Guessing a URL is an attempt to access (potentially) privileged information which was not secured or authenticated to begin with.

A password is a lock you have to break. An unlisted URL is a sticky note that says "private" on the front of a 40" screen. It's literally impossible for that information to stay private. Someone will see it eventually.

[BobbyTables2]

Guessing URLs is equivalent to ordering an item not on the menu in a restaurant. The request may or may not be granted.

[monerozcash]

This same logic is easily extended to SQL injection, or just about any other software vulnerability.

How do you propose the line should be drawn?

[amypetrik8]

>How do you propose the line should be drawn?

there is a line drawn for such things. a fuzzy line. see:

https://en.wikipedia.org/wiki/I_know_it_when_I_see_it

same as this famous case, in which a supreme court justice is asked "what is and is not pronographie" - of course he realizes if he defines "what is not" people are going to make all kinds of porn right on the boundary (see: japanese pronographies where they do the filthiest imaginable things yet censor the sensitive books, making it SFW in the eyes of their law). this judge avoided that.

Anyways, parallel to the fact that filthy pronographies can be made a gorillion different ways, a "hack" may be manifested also a gorillion different ways. Itemizing such ways would be pointless. And also in the same vein, strictly defining a black and white line "this is legal, this is not" would cause hackers to freely exploit and cheese the legal aspect as hard as possible.. businesses and data miners and all these people would also freely exploit it, at massive scale and with massive funding, since it is officially legal. Thusly it must be kept an ambiguous definition as with pronographies, as with many things

[tavavex]

The question can be easily inverted for the other side: if any user accidentally damages a service's functionality in any way, can they always be criminally liable? Can this be used by companies with no security or thought put into them whatsoever, where they just sue anyone who sees their unsecured data? Where should the line be drawn?

To me, this is subjective, but the URL situation has a different feel than something like SQL injection. URLs are just references to certain resources - if it's left unsecured, the default assumption should be that any URL is public, can be seen by anyone, and can be manipulated in any ways. The exception is websites that put keys and passwords into their URL parameters, but if we're talking solely about the address part, it seems "public" to me. On the other hand, something like wedging your way into an SQL database looks like an intrusion on something private, that wasn't meant to be seen. It's like picking up a $100 bill of the street vs. picking even the flimsiest, most symbolic of locks to get to a $100 bill you can see in a box.

[tadfisher]

Probably somewhere short of incarcerating someone for what they typed in a browser's URL bar.

[pwndByDeath]

Cyber attacks are consentual, digital engineering is the only discipline where we have complete mastery of the media. If you make a system (or authorize it) what someone does with it is your fault.

[vkou]

Closer to trying the handle on random car doors.

[wakawaka28]

Passwords are different from URLs because URLs are basically public, whereas passwords aren't supposed to be. Furthermore, this is not 1995. Everyone who is in the industry providing IT services is supposed to know that basic security measures are necessary. The physical analogy would be, walking through an unlocked and unmarked door that faces the street in a busy city, versus picking a lock on that door and then walking through it.

[vkou]

> Everyone who is in the industry providing IT services is supposed to know that basic security measures are necessary.

And everyone who doesn't have wool for brains knows to not carry large rolls of cash around in a bad part of town, but we can still hold the mugger at fault.

[wakawaka28]

Nevertheless, URLs are as public as door knobs. If someone is merely observing that a door is unlocked and they have not stolen anything, they have done nothing wrong. People being prosecuted over discovery and disclosure of horrible design flaws based on URLs should never be prosecuted. If they use the information to actually cause damage, we can be in agreement that they are responsible for the damage.

[nkrisc]

How do I know which URLs of a website are legal to visit and which are illegal?

[vkou]

I can't say I've ever struggled to make this determination, but I don't make a habit of trying random ports, endpoints, car doors, or brute-force guessing URLs.

[sayamqazi]

But it was very tempting when i saw that my national exam results were sent to us in a mail as nationalexam.com/results/2024/my-roll-number. Why would i not try different values in the last part.

[Dylan16807]

It depends on stuff.

Sometimes a URL can have a password in it.

But when it's just a sequential-ish ID number, you have to accept that people will change the ID number. If you want security, do something else. No prosecuting.

[irilesscent]

I think criminalising both is unreasonable, what you do with the URL you accessed or the password you guessed however is different.

[mindslight]

As a strictly logical assertion, I do not agree. Guessing URLs is crafting new types of interactions with a server. The built in surveillance uploader is still only accessing the server in the way it has already been explicitly authorized. Trying to tie some nebulous TOS to a situation that the manufacturer has deliberately created reeks of the same type of website-TOS shenanigans courts have (actually!) struck down.

As a pragmatic matter, I do completely understand where you're coming from (my second paragraph). In a sense, if one can get to the point of being convicted they have been kind of fortunate - it means they didn't kill themselves under the crushing pressure of a team of federal persecutors whose day job is making your life miserable.

[monerozcash]

>(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

If your goal is to deliberately "poison" their data as suggested before, it's kind of obvious that you are knowingly causing the transmission of information in an effort to intentionally cause damage to a protected computer without authorization to cause such damage.

>Trying to tie some nebulous TOS to a situation that the manufacturer has deliberately created reeks of the same type of website-TOS shenanigans courts have (actually!) struck down.

This has very little to do with the TOS though, unless the TOS specifically states that you are in fact allowed to deliberately damage their systems.

And no, causing damage to a computer does not refer to hackers turning computers into bombs. But rather specifically situations like this.

[mindslight]

A computer being supplied with false data which it then stores is not damaging the computer - hence there being a provision about fraud. But for this case it's not fraud either, as the person supplying the data is not obtaining anything of value from the false data.

[monerozcash]

>the term “damage” means any impairment to the integrity or availability of data, a program, a system, or information;

Deliberately inserting bad data to mess with their analytics does in fact fit that definition.

[Xss3]

Any reasonable programmer (a peer) would say an unencrypted system that doesnt validate data is an unprotected system.

[monerozcash]

It's a legal term, has nothing to do with technical protections.

Practically any device connected to the internet is a "protected computer". The only case I can think of where the defendant prevailed on their argument that the computer in question was not a "protected computer" was US v Kane. In that case the court held that an offline Las Vegas video poker machine was not sufficiently connected to interstate commerce to qualify as a "protected computer".

[cameldrv]

It might be interesting for an enterprising lawyer to try to flip this around. Suppose you send a letter to your car manufacturer saying that, as the owner of the car, you are prohibiting them from accessing the location of the car or performing unauthorized software updates and that any attempt to circumvent this will result in criminal prosecution for unauthorized access to your computer.

[monerozcash]

Prosecuting someone for deliberately injecting garbage data into another persons system hardly seems totalitarian.

> You own the device, so anything you do within that device is authorized

You're very clearly describing a situation where at least some of the things you're doing aren't happening on your own device.

>I do know that the CFAA essentially gets interpreted to mean whatever the corpos want it to mean - it's basically an anti-witch law

FWIW this is simply not true. The essence of the CFAA is "do not deliberately do anything bad to computers that belong to other people".

The supreme court even recently tightened the definition of "unauthorized access" to ensure that you can't play silly games with terms of service and the CFAA. https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf

[elzbardico]

My device. I generate whatever the fuck the data I want. If you log it, kiss my ass.

[monerozcash]

Sure, I have the same attitude when it comes to the government telling me that I'm not allowed to use drugs. Doesn't mean I'm in the clear from a legal point of view.

However, it's worth clarifying that the important detail isn't generating the data, but sending it. Particularly the clearly stated malicious intent of "poisoning" their data.

This seems like exactly what the lawmakers writing CFAA sought to criminalize, and is frankly much better justified than perhaps the bulk of things they tend to come up with.

>(A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

Doesn't seem exactly unfair to me, even if facing federal charges over silly vandalism is perhaps a bit much. Of course, you'd realistically be facing a fine.

[Xss3]

Could you argue the computer was unprotected? No encryption is wild.

[monerozcash]

No, "protected computer" refers to computers protected by the CFAA.

>(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or

>(B) which is used in interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States.

[ponector]

If you paid for a device it doesn't mean you have no rules set up on how you can operate it. I'm sure the is an EULA you agreed to.

As anecdote, while buying a new car I signed a statement that I'm not going to resell it to russia.

[elzbardico]

And you think it is all fine and dandy?

[JuniperMesos]

No it does in fact seem totalitarian. I support repealing the CFAA.

[monerozcash]

I would absolutely love to hear the arguments behind this.

[AngryData]

If you were to purposefully try to poison/damage their dataset and admitted as such you probably wouldn't win without spending an unreasonable amount of money on lawyer fees. Without admitting anything though and claiming ignorance it would probably be pretty easy to get dismissed, provided you are able to spend atleast some money on a lawyer.

[culi]

Then do the opposite. Poisoned data that can improve your insurance rates

[MisterTea]

if(velocity > 55) velocity = 55;

[micromacrofoot]

they use the data mostly to charge you more, you can't really get the price all that lower

I've had a clean driving record for 30 years and I'm still paying the junk rates most other people get

[tavavex]

So, it's like credit scores, basically? Advertise a happy, meritocratic future for consumers, where the "better"/more responsible ones will reap massive rewards at the expense of the "worse" consumers, and then keep adjusting the brackets until the system is only used punitively - you don't really get anything from a high score nowadays, your only goal is clearing a certain low bar to avoid negative consequences.

[micromacrofoot]

Yeah exactly... it's stick or no stick, the carrot is the razor thin margin only used to keep you away from the competitors.

At this point car insurance has gotten so bad that it's becoming normal that you can save hundreds of dollars by switching providers every 6 months. These companies are probably making millions on people who are just too exhausted to switch constantly.