[rcknight]

The article states

"Weev and a fellow hacker who originally uncovered AT&T’s mistake and collected the e-mails didn’t ask the company for permission to access the Web addresses that shared iPad users’ private information"

I really don't see how this argument holds up.

From a technical point of view the very nature of HTTP includes asking for permission. You send a request "Please can I see the information at this URL" If the organisation running the server does not give that permission, it should not serve the data.

These charges seem pretty odd to me, hopefully it gets resolved in a sensible manner.

[maratd]

> From a technical point of view the very nature of HTTP includes asking for permission.

A web server isn't an agent of the company and has no capacity to grant or deny permission.

Think of it as a security system you install in your home. Now, if the security system is malfunctioning and you notice that it is malfunctioning ... do you call up the owner and let them know or do you go inside and look through their stuff? If you go inside and look through their stuff, it's trespassing.

Obviously the two scenarios aren't the same, but I'd imagine that's the logic used in the argument.

[freehunter]

As an information security professional, I see two different issues at play here. First, they got access. They were granted access by the admin who did not lock down the server. I am not a lawyer, but I see the unauthenticated web server, no matter how much of a mistake, as being implicit permission to access the site. A house, by default, implies privacy. A web server is more of a business in this metaphor. If the door is open and the lights are on, it's implied you can come in and look around. Machines accessible over the web are by default open to everyone unless permission is revoked. The "unauthorized access" charge, in my opinion, should be struck down. When a site is made accessible from the unauthenticated Internet an admin implicitly granting you permission to visit the site.

The second issue at play is the fact that the guy apparently collected some email conversations to use as proof. Using my business metaphor, walking into a closed business that to a layman appears open is a simple mistake. Anyone could reasonably assume the business is open. However, collecting their merchandise even just to prove they forgot to lock up would still be stealing. In this situation, it's unauthorized copying. Most reasonable people would consider this to be unacceptable.

The second situation is muddied a bit further by my wording "most". Websites accessible when unauthenticated are able to be scraped easily. What if the Googlebot crawled the site and collected the information due to a poor robots.txt? What if you walked into the business and tried some free samples (unauthenticated websites are implicitly free samples)? Data privacy comes into play on this one though, and I would argue that any reasonable person would understand these as private communications. While they are accessible to view, any reasonable person would understand it is unethical to read them and unacceptable to copy them.

The fatal flaw of the defendant was copying the emails. Up to that point, he was completely within reasonable practice in my opinion. Here's a takeaway for any startups: security isn't a joke. It's a career ender, it's a business ender, and it could be a career ender for your customers who trusted you. You hire the best programmers, but budget a little aside for an external penetration test, and take the results seriously. Don't lose your company and your reputation because of a caffeine-fueled oversight.

[maratd]

You don't live in a world governed by machines and pure logic. You live in a world governed by human beings and their nature.

You have the capacity to recognize where you should be and where you shouldn't be. What you should be seeing and what you shouldn't be seeing.

Right from wrong.

> A web server is more of a business in this metaphor. If the door is open and the lights are on, it's implied you can come in and look around.

No.

If you're inside a business and you see a door open and it is evident by the design of the building that it is their storage space ... you do not have the right to waltz on in. You damn well know through your experience in hundreds of other stores that this area is used by employees and for employees only. You do not belong there.

Are you telling me he read those emails by accident? Just stumbled on them? Or did he know exactly what he was doing?

Enough of this white hat bullshit. I do not have the right to self-deputize myself and become a vigilante on the Internet. If these clowns don't know how to secure their own damn servers, let them pay the price that will be exacted by less scrupulous individuals. That's how the free market works. Stupidity is severely punished. They will very quickly learn how to properly set permissions on their server.

[freehunter]

The problem with metaphors is that they only resemble what they are describing. They'll always be imperfect. The problem with web servers is that anything that is public-facing is just that. Security through obscurity is no security at all.

Like I said, the guy went too far. But visiting a public-facing website is not a crime, no matter how you happen to discover the URL. There's no sign on the door saying "keep out", even though the server is more than capable of displaying one. Do you have a right to walk into any business, or walk into their storage space? No, but any reasonable person (notice I keep using this phrase? It's going to come up in court) would assume if the lights are on and the door is open, you can walk in. You might be mistaken, and a clerk might show you out. Intent is a critical factor. Like I said, the guy went too far. He didn't enter by mistake, though someone could have. He entered with the intent of making unauthorized copies of private data. Walking into a store's storage space isn't illegal, but a reasonable person would know that taking pictures of customer data is.

It's not illegal to visit any public facing Internet site. It is illegal to make unauthorized copies of restricted data. It's also against The company is hugely to blame in this situation for leaking private information. So is the guy who broke the law by making unauthorized copies of this private information. I support him having criminal charges filed against him. My point was that there are two issues at hand, one illegal and one perfectly within the law. Implied consent at odds with intent. It should be an interesting case.

[rattus]

He demonstrated a proof of concept, collected data, and went to journalists. Cherry picking irc logs for things for possible uses of the data is weak because they have a weak case.

Arguing about methods of responsible disclosure, a very dead horse that has been beaten to dust, seems like a waste of time and not really relevant.

This is just the endgame of the chilling effect of arresting and hounding researchers which has been going strong ever since 2001 http://news.cnet.com/2100-1001-270082.html

[maratd]

> Intent is a critical factor. Like I said, the guy went too far. He didn't enter by mistake, though someone could have. He entered with the intent of making unauthorized copies of private data.

We're in agreement here. I think we're both making the same point. Intent is the key here.

The problem is that if you just consider servers, configurations, permissions, and other technical aspects ... intent doesn't enter the picture. That's the wrong way to think about this.

[freehunter]

I do agree that we're making the same point, and I wrote my response to you in the mindset that I had poorly communicated my initial conclusion. Your point compliments my own. The difference we may have is that I don't view intent in the highest importance when someone visits a public server. Intent will only get you so far as long as server, configurations, permissions, and other technical aspects are in order. The reason he was able to copy restricted data is because the technical aspects were not in order. That's where the muddiness comes in; you wouldn't need intent to make unauthorized copies in this situation. The Googlebot could have made unauthorized copies. Your browser's cache could make unauthorized copies. Archive.org could have made unauthorized copies. Googling for plaintext and valid credit card numbers might shock you in what Google is finding on public servers.

His intent comes into play only secondarily in my opinion. I might enter a store with intent to steal something, but if a security guard is standing next to me and a camera is watching, I'd walk right back out. The lack of security is what allowed him to complete his intentions of unauthorized copying. It does not absolve him of his crimes, but thinking about the potential for unintentional restricted data access tells me that his crimes sit in line with the failed (non-criminal but out-of-compliance) policies of the host.

[king_jester]

> If these clowns don't know how to secure their own damn servers, let them pay the price that will be exacted by less scrupulous individuals.

AT&T will not be affected whatsoever by a security breech, only those people whose information is leaked will be affected. The whole point of a white hat is to show this vulnerability and have it fixed before damage is done by someone with malicious intent.

> That's how the free market works. Stupidity is severely punished. They will very quickly learn how to properly set permissions on their server.

We do not live in a free market, and corporations are disproportionately powerful compared to individual people. You are asking that individual people have their data leaked and their lives potentially affected so that AT&T can look bad and then walk away from this situation without any punishment.

Further, it is very clear that companies make mistakes all the time with configuration their servers and tools in ways that makes data leaks and theft possible. We should demand that this flaws be exposed and fixed ASAP, there is nothing to be gained here by harassing those doing that exposure.

[maratd]

> AT&T will not be affected whatsoever by a security breech

That's naive. If my emails become public, trust me, I'll cancel my AT&T service. If AT&T becomes known for airing people's dirty laundry, they will quickly bleed customers.

> Further, it is very clear that companies make mistakes all the time with configuration their servers and tools in ways that makes data leaks and theft possible.

Yes, they do. And in cases where individuals are hurt, those individuals sue the company involved. Either individually or collectively. Those companies do pay for their mistakes.

Except, of course, in cases where no actual measurable harm was done by the security breach.

> We should demand that this flaws be exposed and fixed ASAP, there is nothing to be gained here by harassing those doing that exposure.

There is a reason we vest the authority to enforce laws and pursue criminals in only a select few trained individuals. It's naive to think random teenagers have a fine grasp of the law, civil rights, and a well-tuned moral compass.

[ams6110]

A web server isn't an agent of the company and has no capacity to grant or deny permission.

A web server certainly can grant or deny permission, but it seems that this one didn't.

[jrabone]

That is perhaps not the same as "capacity" in the legal sense. Is a web-server legally competent?

[freehunter]

The blame would rest on the admin who set the permissions. You can't blame a lock for not being locked, but you can blame the night watchman for not locking it. This doesn't remove blame from the intruder though.

[gknoy]

A webserver that doesn't restrict access (not even obfuscating the URL) is more similar to a "Free reading material!" shelf at the bookstore. If you go and take one of everything, it's not your fault if the bookstore mistakenly put things there that they'd intended not to be freely available.

[mcherm]

> A web server isn't an agent of the company and has no capacity to grant or deny permission.

Imagine I send a company a polite letter, requesting permission. The CEO hand-writes a letter (with his quill pen) telling me that I may access the information. After doing so, some critics on the internet start complaining that "A letter isn't an agent of the company and has no capacity to grant or deny permission."

Your claim is completely bogus. A web server DOES have the capacity to grant or deny permission because it is simply the mechanism by which the granting is delivered. Those who configured the server were the ones granting the permission.

I do not believe that the judge is claiming a web server cannot grant permission, I believe the judge is claiming that having to construct the URL by hand (rather than clicking on a link) is "a security measure" that has been "bypassed". For what it's worth (not much) I disagree strongly with this interpretation.

[teraflop]

By that reasoning, a lock has the capacity to grant or deny access to whatever is behind a locked door. And if I pick the lock, well, that just means I was sufficiently persuasive that the lock agreed to let me in, doesn't it? Clearly, by using a lock that opens in response to certain inputs, the owner is choosing to grant access to anybody who provides those inputs.

I'm not trying to argue that guessing sequential IDs in a URL is morally the same as picking a lock. I'm arguing that in both cases, there's no human in the loop, so it's not at all obvious to what extent a human should be assigned responsibility. In your example, the letter does not have agency, but the CEO certainly does; and if weev had written 110,000 letters to AT&T that were read and responded to by humans, I can't imagine how there would be any case against him.

See also: the debates surrounding Google's autonomous cars, or the Do-Not-Track header.

[warfangle]

On the other hand, if Weev is sentenced: what does that mean for such things as Google's security flaw bounty?

[robmurrer]

>> required visiting an AT&T web address with a particular – and easy to guess – code tagged onto the end.

How is this different than a password?

[maxerickson]

A password at least makes it clear to a bystander that some access control is intended at that URL. Consider the silly case where I have a server responding to example.com/funny/ and then try to claim that it was secure simply because I had not published the link. People would be quite confused if they went to jail for visiting it.

[josteink]

Someone can provide you with a clickable link, as in for instance this submission, and you would never even know that the content you are accessing is supposed to be "protected".

[gabemart]

You can format a link to be something like:

http://username:password@members.example.com

I wouldn't say that means the account in question is unprotected.

[josteink]

If you are going to nitpick, I will say that this is a feature that relies on browser-support. It's not fundamental to the web. Query-strings however by definition needs to be supported on the server-side. They are a part of the web. They are required for the web to work.

Why is "browser-support" relevant? Your example is not supported in MSIE. I also thought it was removed from Chrome (in the name of "simplicity"), but I may be wrong.

A link with query-strings is guaranteed to work for everyone.

http://support.microsoft.com/kb/834489

[gabemart]

Huh, I had no idea that feature had been deprecated. I guess it's been a little longer since I used it than I thought.

[josteink]

It was used for lots of http://famous-website.com:long-token-nobody-will-ever-read@p... style attacks.

Microsoft's solution to the problem may not have been ideal, but at least that was the reasoning behind it.

Edit: And what do you see once you click post? Hacker news ironically proving Microsoft's point. It's a wonderful world we live in.

[robmurrer]

I see your point, but how does this apply to this case?

[rapala]

I guess this is exactly the thing that the court must decide on: whether guessing that code can be considered as a circumvention of security measures or not.

[josteink]

Following that logic breeds bizarre results.

What if you find this magic token because it was embedded in some client-side, javascript login-form? Are you a hacker for viewing the source?

Securing content on the internet is easy. If you don't want it accessible to anyone, don't give the content to anyone who provides an unauthenticated HTTP request.

Why are we putting the legal responsibility of maintaining security on that content on everyone except the ones actually in position to do so?

[robmurrer]

If I look under your doormat, and there is a key, and I use it to open your front door...

[josteink]

Rather if you leave a (possibly classified) document under your doormat, am I a criminal if I find them and read them?

[rapala]

Depends on the document and jurisdiction. If I remember correctly, some levels of military classifications here in Finland require you to not read the document and return it to the officials. Of course the one who left the document would also get reprimanded at least.

Using someones password without permission is as illegal whether you shoulder surfed it, cracked it or red it from a post-it note.

[nitrogen]

A house's front door implies an expectation of privacy. A web server implies an expectation of public access.

[curiousdannii]

Yes, the 403 status code exists for a reason!