Hacker News
by tptacek 4647 days ago
I agree. I think the case against Aurenheimer is ridiculous and the sentence a travesty. But I don't think it's reasonable to take that conclusion and work it back to "anything you can do with a URL that doesn't say user/password is fair game".
3 comments

I have trouble agreeing with this. I know nothing of the law around this, but also realise given the international nature of the internet, the law probably doesn't mean much in perspective. Would Aurenheimer be prosecuted if he were Chinese?

The grandparent making the point about status 200 has a point, especially in regards to this case. If a website is returning 200s for a GET request, then you are implicitly 'authorized' to see that page. The counterpoint made of SQL injection is also valid, but SQL injection wasn't used here. Just plain old GET requests.

It's difficult to draw real world comparisons to things like this. So I don't think you can simplify it down to locked/unlocked doors, or public/private property.

If I go to cia.gov/supersecretfiles and it returns something... did I just "hack" the CIA? It doesn't make sense to me.

URIs that return 200s are public resources.

In northern Maine, everyone I know keeps their house doors unlocked and their keys sitting in the ignition of their cars. However, it's still illegal to steal their cars and enter their houses.

There doesn't even need to be a metaphor here: the data physically existed on a private server, and weev was not authorized to access it.

GET google.com

What's returned is data physically on a private server. I am not authorized to access that server.

But the internet would be a pretty crap place if that was against the law.

As I said, metaphors to locked/unlocked public/private don't make sense. But happy for you to keep stretching this analogy until it fits.

When you put data on a private server accessible via GET with no access control or firewall, it is published on the web to the public.

Comparing it to houses that have doors, locked or otherwise, is exceptionally disingenuous.

That's not how HTTP servers work. They are not cars and when they send information back it is not as if you have set foot on property.
No, he would not have been prosecuted if he were Chinese.

The point about "200" error codes is sophistry. We all know that every 200 code is not actually a deliberate authorization. If you believe otherwise, then any SQL injection attack that uses GETs and generates 200 must be authorized.

SQL injection wasn't used here. The URL scheme being used was used exactly as intended (by developers).

Seems the sophistry here is applying another clear cut version of hacking to say that this 'not clear cut at all' version is also wrong.

Certainly the conclusion can't be that the legality of your actions depends on the reaction of an automated system at the other end of a pipe that you don't control?

I have no problem with basing it off intent, but the focus should be on prosecuting whoever put that data out there in the first place with gross negligence.

The legality of your actions depends on whether you know, as you interact with the automated system, that you have managed to find a path to data that you should not have had access to.

So, if by incrementing ICC-IDs, you found random technical data about AT&T provisioning, it would be very hard to argue that you were knowingly accessing it without authorization. But when the information you find is so personal that your first instinct is to chat about selling it to spamming rings, you are on considerably less safe footing.

I am ambivalent about software liability. Vulnerable software is much more common than most people think it is, and it would be a shame if ill-conceived liability rules created a situation for startups analogous to that of medical malpractice insurance. On the other hand, liability laws would be hugely lucrative for me.

Putting the burden on a user to "know" whether they are authorized or not seems crazy. Even if they talked about selling to spammers.

Hypothetically the police give me a police report number that I can access at police.gov/crimes/:reportno. I discover that if I increment/decrement these I can get ALL reports. I then build a cool mashup of crimes in the area on a Google map. It turns out the police didn't intend that, am I now a criminal (because of the police's intent)?
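The thread keeps circling the same technical point: an HTTP 200 means "the server found a record", not "the server decided you may see it", and a URL built from a sequential id (ICC-IDs in the AT&T case, `:reportno` in the hypothetical above) is exactly where that distinction matters. The Python below is an added example and not code from the thread or from any real site. It models the hypothetical `/crimes/:reportno` lookup twice, once with no access control and once with an ownership check that answers 404 for anything the requester may not see, and adds a small scan over constructed access-log lines that flags a client walking consecutive ids, which is what such enumeration looks like from the server side. The report data, log lines, `REPORTS` table and function names are all constructed for the example.

```python
"""
Added example (not from the thread): a report-lookup endpoint like the
hypothetical police.gov/crimes/:reportno, in two versions.

- lookup_unprotected: any id that exists returns 200, so a client that
  increments the id walks the whole table. The 200 only says "record
  found"; it expresses no authorization decision.
- lookup_protected: the server checks that the requester is a party to
  the report before serving it, and answers 404 for any id the requester
  may not see, so the existence of other ids is not leaked either.

Also included: a check over constructed access-log lines that flags one
client requesting a run of consecutive ids.
"""
from collections import defaultdict
import re

# Constructed sample data: report number -> (owner, text). Hypothetical.
REPORTS = {
    1001: ("alice", "bike stolen from 4th St"),
    1002: ("bob", "noise complaint"),
    1003: ("carol", "vandalism report"),
}


def lookup_unprotected(requester, reportno):
    """No access control: existence of the record is the only check."""
    rec = REPORTS.get(reportno)
    if rec is None:
        return 404, None
    return 200, rec[1]


def lookup_protected(requester, reportno):
    """Authorization keyed on the requester's identity. The id from the
    URL is untrusted input: it selects a record but never by itself
    grants access to it."""
    rec = REPORTS.get(reportno)
    if rec is None or rec[0] != requester:
        # Same answer for "does not exist" and "not yours", so the
        # endpoint is not an oracle for which ids are valid.
        return 404, None
    return 200, rec[1]


# Constructed access-log lines in a common-log-like shape (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01] "GET /crimes/1001 HTTP/1.1" 200
10.0.0.5 - - [01/Jan/2024:10:00:02] "GET /crimes/1002 HTTP/1.1" 200
10.0.0.5 - - [01/Jan/2024:10:00:03] "GET /crimes/1003 HTTP/1.1" 200
10.0.0.5 - - [01/Jan/2024:10:00:04] "GET /crimes/1004 HTTP/1.1" 404
10.0.0.9 - - [01/Jan/2024:10:00:05] "GET /crimes/1002 HTTP/1.1" 200
"""

LOG_RE = re.compile(r'^(\S+) .*"GET /crimes/(\d+) HTTP/[\d.]+" (\d{3})')


def find_enumerators(log_text, min_run=3):
    """Return the set of client addresses that requested at least
    `min_run` consecutive report ids in order. The status code is
    deliberately ignored: 200 or 404 says nothing about whether the
    walk was authorized."""
    ids_by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ids_by_client[m.group(1)].append(int(m.group(2)))
    flagged = set()
    for client, ids in ids_by_client.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.add(client)
                break
    return flagged


if __name__ == "__main__":
    for n in range(1000, 1005):
        print("unprotected", n, lookup_unprotected("bob", n))
        print("protected  ", n, lookup_protected("bob", n))
    print("enumerating clients:", find_enumerators(SAMPLE_LOG))
```

The design choice worth noting is that the protected version returns the same 404 for "no such report" and "not your report": if it returned 403 for the latter, the status code would still leak which ids exist, which is the same class of information the unprotected version hands out wholesale.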

Indeed, it's a judgment call. That's why we have judges and juries.
I think that is reasonable because that's the defined and expected interaction between HTTP clients and servers.