I think there is a clear distinction that you can make between an SQL injection attack and the unsecured API that weev accessed. SQL injection attacks depend on inserting malicious code into an application in order to traverse that application and access systems that stand behind it. The point of SQL injection is to circumvent restricted permissions that the owner of the server has attempted to impose.
What weev did was quite different in that he accessed this web service in exactly the way it was intended. Even if he was not the intended consumer of this data, his attempted access never exceeded the defined and expected parameters of the API he was accessing. Furthermore, he didn't circumvent [1] any access restrictions; rather, access restrictions were never imposed. weev had no information available to himself as to AT&T's intent to disclose or not disclose customer emails; as far as he was concerned, the existence of this API could have been a purposeful and not simply negligent disclosure on the part of AT&T.
I think that the reason that the weev case rankles is that web developers do this kind of thing all the time. What is the difference between what weev did here and what Padmapper did when it built a product on top of Craigslist's data? Despite Eric DeMenthon's protests to the contrary, a strong argument could be made that Padmapper's intent was to cause severe commercial harm to Craigslist, which is conceivably why he got sued. In spite of the civil case, however, criminal charges are almost unthinkable.
Also, how often do we read about someone's project being hampered when a private Google API is turned off? [2] Anyone that builds a commercial product on top of something like this would be deemed a fool, but I've never seen anyone accuse a developer who is using this kind of API of acting criminally.
What is the difference, under the law, between someone accessing a private Google API and the private AT&T API that weev accessed? As a web developer with zero documentation, zero information beyond simply knowledge of the API URL's existence, there is no apparent difference beyond what content was being served by these APIs. So, if that is the case, at what point should web developers accessing undocumented APIs begin to be concerned about their criminal liability?
[1] Shouldn't it be circumvention, not authorization, that defines criminal access under the law?
> What weev did was quite different in that he accessed this web service in exactly the way it was intended.
So is a thief who walks through a door carelessly left unlocked "accessing it exactly in the way it was intended." It's what he does afterwards that makes the difference.
> What is the difference, under the law, between someone accessing a private Google API and the private AT&T API that weev accessed? As a web developer with zero documentation, zero information beyond simply knowledge of the API URL's existence, there is no apparent difference beyond what content was being served by these APIs. So, if that is the case, at what point should web developers accessing undocumented APIs begin to be concerned about their criminal liability?
When the content you get back from a URL is other people's private data, it doesn't take a genius to figure out that maybe there's some criminal liability there.
> So is a thief who walks through a door carelessly left unlocked "accessing it exactly in the way it was intended." It's what he does afterwards that makes the difference.
If he takes some pictures and leaves he certainly isn't guilty of breaking and entering.
Point taken, intent does matter. But there is a large difference between taking the information you used to the black market and taking it to a media organization.
e.g. Homakov's hack of GitHub didn't deserve jail time as it was for publicity, not malevolence.
I agree. I think the case against Aurenheimer is ridiculous and the sentence a travesty. But I don't think it's reasonable to take that conclusion and work it back to "anything you can do with a URL that doesn't say user/password is fair game".
I have trouble agreeing with this. I know nothing of the law around this, but also realise given the international nature of the internet, the law probably doesn't mean much in perspective. Would Aurenheimer be prosecuted if he were Chinese?
The grandparent making the point about status 200 has a point, especially in regards to this case. If a website is returning 200s for a GET request, then you are implicitly 'authorized' to see that page. The counterpoint made about SQL injection is also valid, but SQL injection wasn't used here. Just plain old GET requests.
It's difficult to draw real world comparisons to things like this. So I don't think you can simplify it down to locked/unlocked doors, or public/private property.
If I go to cia.gov/supersecretfiles and it returns something... did I just "hack" the CIA? It doesn't make sense to me.
In northern Maine, everyone I know keeps their house doors unlocked and their keys sitting in the ignition of their cars. However, it's still illegal to steal their cars and enter their houses.
There doesn't even need to be a metaphor here: the data physically existed on a private server, and weev was not authorized to access it.
No, he would not have been prosecuted if he were Chinese.
The point about "200" error codes is sophistry. We all know that every 200 code is not actually a deliberate authorization. If you believe otherwise, then any SQL injection attack that uses GETs and generates 200 must be authorized.
Certainly the conclusion can't be that the legality of your actions depends on the reaction of an automated system at the other end of a pipe that you don't control?
I have no problem with basing it off intent, but the focus should be on prosecuting whoever put that data out there in the first place with gross negligence.
The legality of your actions depends on whether you know, as you interact with the automated system, that you have managed to find a path to data that you should not have had access to.
So, if by incrementing ICC-IDs, you found random technical data about AT&T provisioning, it would be very hard to argue that you were knowingly accessing it without authorization. But when the information you find is so personal that your first instinct is chat about selling it to spamming rings, you are on considerably less safe footing.
I am ambivalent about software liability. Vulnerable software is much more common than most people think it is, and it would be a shame if ill-conceived liability rules created a situation for startups analogous to that of medical malpractice insurance. On the other hand, liability laws would be hugely lucrative for me.
Putting the burden on a user to "know" whether they are authorized or not, seems crazy. Even if they talked about selling to spammers.
Hypothetically the police give me a Police report number that I can access at police.gov/crimes/:reportno
I discover if I increment/decrement these I can get ALL reports. I then build a cool mashup of crimes in the area on a google map.
It turns out the police didn't intend that. Am I now a criminal (because of the police's intent)?
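The report-number scenario above, and the earlier argument about whether a 200 response amounts to authorization, are easy to make concrete. The following is an added example, not code from any commenter or from the hypothetical police site: a handler that serves records by a sequential identifier alone, the same handler with the authorization check that was missing, the incrementing walk the comment describes, and a small detector that spots such a walk in an access log (a 200 tells the client nothing about intent, but the pattern of requests is plainly visible on the server side). The report data, the `/crimes/:reportno` path, the usernames, the client addresses and the log format are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Constructed sample data (hypothetical): sequential report numbers, as in the scenario above.
REPORTS: Dict[int, Dict[str, str]] = {
    1001: {"reporter": "alice", "summary": "bicycle stolen"},
    1002: {"reporter": "bob", "summary": "window broken"},
    1003: {"reporter": "carol", "summary": "car vandalised"},
}


@dataclass
class Response:
    status: int
    body: Optional[Dict[str, str]] = None


def get_report_unsecured(report_no: int) -> Response:
    """Handler as the scenario describes it: the identifier alone fetches the record.

    Anyone who can count gets every report, and every hit is a 200."""
    rec = REPORTS.get(report_no)
    return Response(200, rec) if rec is not None else Response(404)


def get_report_secured(report_no: int, session_user: Optional[str]) -> Response:
    """Hardened handler: authorization is decided from the session, not from the URL.

    A record that exists but belongs to someone else is answered exactly like a
    record that does not exist, so walking the ID space reveals nothing."""
    if session_user is None:
        return Response(401)
    rec = REPORTS.get(report_no)
    if rec is None or rec["reporter"] != session_user:
        return Response(404)
    return Response(200, rec)


def enumerate_reports(handler: Callable[..., Response], start: int, stop: int, **kw) -> Dict[int, Dict[str, str]]:
    """The mashup-style walk from the thread: increment the number, keep whatever returns 200."""
    found = {}
    for n in range(start, stop):
        resp = handler(n, **kw)
        if resp.status == 200:
            found[n] = resp.body
    return found


# Constructed access-log lines (hypothetical format: client method path status).
SAMPLE_LOG = """\
203.0.113.7 GET /crimes/1001 200
198.51.100.4 GET /crimes/1002 200
203.0.113.7 GET /crimes/1002 200
203.0.113.7 GET /crimes/1003 200
203.0.113.7 GET /crimes/1004 404
198.51.100.4 GET /crimes/1002 200
"""


def flag_sequential_walkers(log_text: str, min_run: int = 3) -> Set[str]:
    """Flag clients whose requested report numbers include a run of min_run consecutive values.

    Misses (404) are counted too: a walk that overshoots the valid range is still a walk."""
    ids_by_client: Dict[str, Set[int]] = {}
    for line in log_text.splitlines():
        client, _method, path, _status = line.split()
        ids_by_client.setdefault(client, set()).add(int(path.rsplit("/", 1)[1]))
    flagged = set()
    for client, ids in ids_by_client.items():
        ordered = sorted(ids)
        run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.add(client)
                break
    return flagged


if __name__ == "__main__":
    print(enumerate_reports(get_report_unsecured, 1000, 1010))
    print(enumerate_reports(get_report_secured, 1000, 1010, session_user="bob"))
    print(flag_sequential_walkers(SAMPLE_LOG))
```

Against the unsecured handler the walk from 1000 to 1009 returns all three reports; against the secured one, a session for "bob" yields only report 1002, and foreign or missing numbers are indistinguishable to the caller. The log detector flags 203.0.113.7, which requested four consecutive numbers, and not 198.51.100.4, which only fetched its own report twice.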
"Attacking" - are databases people? Do they have rights?
I'm stumbling around trying to figure out what the right balance is too, but I think the existing laws we have around fraud and privacy are all that we need. That is, we don't need to criminalize accessing inadvertently public information; we just need to criminalize exploiting it.
Exploiting it is criminalized. Exploiting it is harder to detect and enforce. It is easy to read server logs and parse them for crimes. Lazy man's way to enforce the law.
[2] Just the easiest-to-find example: https://news.ycombinator.com/item?id=4441677