I like the librarian comparison. Perhaps a receptionist would also work for this: they can give out some information about people working there (office phone number, etc.) but not salaries.

> When is the onus on the web server owner to configure their security properly? When is a "200 OK" response actually not okay? This is the "mind reader" aspect the article mentions

This is why the laws usually care about the intent. It's a combination of the action and the reason that's important (which is why there's a difference between murder and manslaughter). There are no hard and fast rules, and there simply cannot be. Weev clearly knew that AT&T shouldn't be handing over the information. He wasn't there saying "Wait, this isn't a normal service?".

> The librarian is smart enough to not hand out things like access to the staff lounge, a list of employees and their salaries, or even things like an arbitrary library member's borrowing history.

If the librarian didn't know to restrict access to salary information (let's say the managers thought that if you knew the SSN, that was enough of an ID to get access) and you repeat the example, it becomes a bit more clear how intent is important.

You: Can I have the salary of IanCal?
Recep: Sure, it's £X
You: Hmm, hey Dave, I think there's a security issue here, mind if I know your salary?
Dave: Sure, it's £Y
You: Can I have the salary of Dave?
Recep: Sure, it's £Y
You: Best go tell the managers.
That would be looked on very differently than:

You: Can I have the salary of IanCal?
Recep: Sure, it's £X
You: Hmm, hey Dave, I think there's a security issue here, can you generate SSN numbers?
Dave: Yeah I think so
You: Can I have the salary of SSN#1
Recep: Sure, it's £Y
...
You: Can I have the salary of SSN#147934
Recep: Sure, it's £Y
You: Hahahahaha, let's give all the info to a news site, bet you'd make money shorting the stock!
The core of it is the same: you've requested information about someone else that you shouldn't really have. Even if you remove the consent of Dave in the example, it's still different from the second example. And that was what was important.