Hacker News new | ask | show | jobs
by gnur 4576 days ago
To be fair, there was a scope set, and the author was fully aware of it:

> I had spent a total of 2 hours sifting and crawling through their services which were in scope, but wanted to see if I could locate any other subdomains, with the assistance of google.

While I agree that he most certainly found a "bug" (perhaps flaw would be a better word), it was out of scope. And using credentials from an employee to log in is nearly always out of scope.
1 comments
3JPLW 4576 days ago
That said, he could have gone "gray-hat" and used the source to find in-scope bugs. Such a resource would be invaluable to an exploit author or bug bounty hunter.
link
eli 4576 days ago
Legally, I don't think there's much "gray" in stealing source code that doesn't belong to you.
link
shawabawa3 4576 days ago
> Legally, I don't think there's much "gray" in stealing source code that doesn't belong to you

I thought the whole point of gray hat is that it's possibly illegal, but not downright "evil".

i.e. Stealing source code to fix bugs = gray, stealing source code to steal credit card info = black

link
meowface 4576 days ago
You're right, but it will still get you into legal trouble. Not only may you not get a bounty, but they might sue or press charges for essentially copying and scanning their source code.

Generally "gray hat" and "corporation/law-friendly" don't mix, even if there are some cases that call for it.

link
3JPLW 4576 days ago
From Wikipedia, which agrees with my understanding of the phrase: "… such people sometimes act illegally, though in good will, to identify vulnerabilities in computing processes." My point, though, is that it's hardly out of scope when it's a valuable resource for developing novel attacks on in-scope domains.

https://en.wikipedia.org/wiki/Grey_hat

link
err4nt 4576 days ago
I doubt it could have been called 'stealing' if he only accessed what was posted publicly by the authors themselves at the time.

Until he contacted Prezi, how could he be certain beyond any doubt that they weren't already aware of it? Could you explain that to me?

link
davorak 4576 days ago
Using login in credentials that are not your own found in a public place to take source code is like finding someones house key on a park bench and coping their secret invention designs or trade secrets.
link
dllthomas 4576 days ago
As I read it, he didn't use the credentials to take the source code; he found the credentials in the source code. He used the credentials merely to verify the credentials were valid.
link
davorak 4575 days ago
Ahh, at the time I thought err4nt was referring to the public posted login credentials and was making the analogy off of that.
link
csallen 4576 days ago
Define "take" source code. Do you mean "read" or "access" source code? I know this is an aside, but I think we as a community need to be more judicious in our use of criminally-accusatory words, especially when it comes to taking/stealing/theft vs copying vs distributing/selling vs reading/watching/accessing. They're all very, very different things.
link
davorak 4575 days ago
You read my post in the ~5 secs widow where it had the word "take." It was the wrong word because in the case I was talking about it would not have deprived Prezi access to their source code.
link
angersock 4576 days ago
How exactly does one "steal" source code, if the original copy still remains with the authors?
link