Surely this is bad enough to warrant criminal prosecution? Not sure if that's even possible in the UK but it ought to be...Shameful to have sat on that for over a year. Shameful.
If this were the USA it would certainly be bad enough to warrant prosecution of the researcher. I am not familiar with laws in the UK, however. Keep in mind the similarities between this research and weev's research.
This type of blatant insecurity definitely should be punished and I wish more policy makers both cared, and made the effort to understand the terminology behind phrases like "No authentication", "Plaintext", etc.
First of all, the company could definitely be sued for negligence in the US. Not sure if they could in the UK.
Second, there are not that many similarities between this research and weev's research. In this case, the researcher created 2 accounts which he had control over, then read data from both of the accounts despite not authenticating to either of them. He did not access any other customer's information (or at least he's suggesting he didn't).
Weev on the other hand scraped private information for over 100,000 customers and shared it with friends and reporters.
Both technically violated the CFAA, but weev's offense is a much greater violation of customer privacy, while this researcher has not violated anyone's privacy.
I still don't think weev should have gotten any jail time, but you're making an unfair comparison.
Personally (and I know this is likely to be an unpopular sentiment on HN) I have very little sympathy for weev.
He knowingly and deliberately attacked a weakness he had found to scrape data, knowing that the access was unauthorized. I disagree that the data was in the public domain (although the Third Circuit disagrees) - just because something is accessible to the public doesn't mean it's in the public domain.
Just because he wrote it up as a security researcher doesn't mean he should be immune for his actions - in fact in some ways it makes it worse because he did it knowing that he was unauthorized.
He exposed the vulnerability to the press (so he didn't act in good faith regarding the disclosure) and he did so potentially for monetary gain (he claimed to be a member of a hacker group called "the organization," making $10 million annually).
I think one part of improving cyber security is prosecuting people who deliberately and maliciously hack into other systems who do so for either monetary gain or fame. I think this is especially the case whereby they don't act in good faith (e.g. providing proper disclosure).
>I think one part of improving cyber security is prosecuting people who deliberately and maliciously hack into other systems who do so for either monetary gain or fame.
This would do nothing except cast a chilling effect over the security community. Everyone would sit on exploits, too afraid of overzealous prosecutors to publish them or even reach out to the affected parties.
Unless, of course, you believe the US justice system to be the paragon of restraint and reasonableness.
No, it would be better if responsible disclosure was codified in the CFAA. That's worthy of a campaign - but weev didn't practice that, so he's a poor figurehead for such a campaign.
Such a protection could provide an equal level of footing with the DMCA (i.e. you aren't liable for malicious attacks on a computer company if you provide full disclosure and advance notice, in the same way YouTube isn't liable for hosting copyrighted content if they provide a takedown mechanism).
Weev should probably be in jail for several reasons. Just not the specific reason they sent him to jail for. The EFF had to fight because the conviction set a really bad precedent for other research.
“The trouble with fighting for human freedom is that one spends most of one’s time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all.”
I honestly don't think it is unfair. "Both technically violated the CFAA" is an important sentence.
The legal system is very complicated and sometimes small details make very big differences in cases. I'm not convinced others in the legal system would see this as different.
I don't think that the author violated the CFAA, though: in both cases, he was acting on behalf of his users that he had created in the system -- the same requests he would normally make when using those accounts. ("BobAtHome", "BobAtWork" could conceivably be two accounts for Bob.) That seems substantially different than what Weev did, which was try to read ${Everyone}'s data.
Moonpig.com is not an application you run on your own computer, though, it's a service operated and hosted by Moonpig. Any tampering with that application in a way that's not intended is a violation of the CFAA.
As you and I have essentially both just said, it's very unlikely there would be any prosecution due to the facts and the researcher's intentions, but I think it is still a technical violation. Paraphrasing, but the first line of the CFAA is "having knowingly accessed a computer without authorization or exceeding authorized access" (that line is explicitly for access that could jeopardize national security, but it goes on to set similar limits for general unauthorized access of any entity).
In this case it is not necessarily unauthorized access of a customer's account, but unauthorized access to a component of Moonpig's system.
The CFAA is a very broad statute, but the US legal system still does focus heavily on intent both for charging and sentencing, as well as deciding whether to charge at all. Even if in theory 2 people are convicted under the exact same law, they could get drastically different sentences based on how the judge perceives the defendant's intent.
In this case there's almost no chance law enforcement would charge the researcher unless Moonpig decided to press charges. And even then, they may decide not to charge due to the facts of the case (though of course they legally can).
> If this were the USA it would certainly be bad enough to warrant prosecution of the researcher
Sounds like he didn't access any data he wasn't allowed to, if he read the data of test accounts. Not sure how you'd prosecute this in the UK.
Also you'd need to convince the CPS that it was in the public interest to prosecute, and they're not elected officials who need to appear Tough On Crime unlike the US. And even if both of those things happened, you'd then need to convince a magistrate that the case warranted a conviction.
Still, he should have gone to ICO first and foremost.
He has authorisation to access the data, and authorisation to access the computers in question. He doesn't, perhaps, have authorisation to use the specific mode of access but that isn't pertinent to the Act as written AFAICT.
The only possible part he falls foul of is Section 3(3) in that his actions might have caused the system to fail, but "recklessly" has a suggestion of him knowing that such deleterious outcomes were likely, and I don't think that's really true. I think his actions as reported are not in breach of this Act.
However, the proposed Section 3A will cover such actions if he [the reporter of the security lapse] believes that the information (see 3A(4)) he published is likely to be used to assist in the commission of an offence.
>"A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3." (CMA 1990, proposed S.3A(2))
This section is exceptionally broad. Indeed it appears to outlaw the disclosure of bugs found without malice and without intent. Communicate to Google, say, a program/data that could be used to break into their system and it seems you fall foul of the letter of that Section. Chilling indeed.