Kennedy

Visiting a Public, Unencrypted Website Now a Federal Felony


Quote

Where did you get that from?

Here, about 2/3 down the page. I know, it's a department of justice document so it can't be believed, as they are in on the conspiracy to silence all the creative and innovative minds in America.

Here is an article that nicely deconstructs the "open access" argument; I quite like the comparison of Auernheimer's script with whacking at a pinata.

If ATT's client emails are "open access", and "published openly on the internet for anyone to see", then why can't I retrieve this list by searching with Google, Yahoo, Bing, or any other search engine you can name? Maybe because those search tools don't whack away at the internet by randomly generating millions of urls to see what they can uncover?

If you have to pretend to be someone you aren't to get at the data, how does that make it "openly published on the internet"?

The argument that information is not stolen if it is merely copied and posted where anyone can access it is interesting. It is true that it is not "stolen" in the sense of taking it away from the owner, as the owner still has the information and can presumably continue to use it. But let's do a little thought experiment here. Let's suppose I obtain your social security number, the numbers for your bank accounts, your credit card numbers, your usernames and passwords, and so on, and I post that information online. Let's also say that I do not actually use that information to buy anything, or to personally access your accounts, but I just copy and paste it to a public site. Have I stolen anything from you? You can still use your credit cards, access your bank account, etc, so what's the problem? Maybe the fact that several hundred million other people can now also use your credit cards and access your bank account? Do you think that might be a wee bit of an issue? I doubt you would be inclined to say that I did nothing wrong by copying your private information and posting it to a public site, but maybe I'm wrong about that.

I know Auernheimer only posted email addresses, but that still exposed people to potentially being inundated by spam, forcing them to change their email and notify everybody in their contact list. If the address that was published was connected to a business in any way (say, for example, they sell stuff on eBay), then there could be financial impacts due to people's inability to contact them. There is a good reason why it's considered very bad internet behavior to post people's email addresses in a form that is easily accessible to bots.

I'm not arguing that ATT's system wasn't boneheadedly stupid. But two wrongs don't make a right. Uncovering the flaw and letting ATT know about it would have been a public service. But it's clear that that is far from the motivation involved in this case (and in others Goatse Security has been involved in). What was the motivation? In Auernheimer's own words: "I did this because I despised people I think are unjustly wealthy and wanted to embarrass them." Odd that you argue so strongly in support of someone whose driving motivation is hatred of people because they are rich.

I do have to admit, though, that the security endorsement "Goatse tight" is pretty funny.

Don
_____________________________________
Tolerance is the cost we must pay for our adventure in liberty. (Dworkin, 1996)
“Education is not filling a bucket, but lighting a fire.” (Yeats)

Quote



Tell me, in your world do identity thieves do anything wrong when they use a skimmer to help themselves to people's credit card numbers? After all, they are just collecting information, information that the victims provide (unknowingly) when they use their credit card.

Don



Of course it is something wrong and it doesn't even compare to what was done here.

As an IT professional, if information is accessible on the public facing internet via a given URL requiring no decryption or authentication I would consider it openly published. Data stored behind a firewall or other means of authentication is an entirely different story.

AT&T was using security through obscurity. It's something commonly used, but in this case it shouldn't have been. Protecting customer information like email addresses in this manner is not very responsible.

Just because the data didn't have a nice index (web page of links to the data) doesn't mean it wasn't published.
~D
Where troubles melt like lemon drops Away above the chimney tops That's where you'll find me.
Swooping is taking one last poke at the bear before escaping its cave - davelepka

Quote


If ATT's client emails are "open access", and "published openly on the internet for anyone to see", then why can't I retrieve this list by searching with Google, Yahoo, Bing, or any other search engine you can name? Maybe because those search tools don't whack away at the internet by randomly generating millions of urls to see what they can uncover?



No, it is because search engines find new URLs by following links in previously-retrieved URLs, i.e., it is like learning about something via word-of-mouth. If there are no other URLs pointing to the URL in question, no search engine will ever find it.

I've used this technique myself on my own website when I put something on there temporarily for just a couple people and sent them the direct link. I did this because I didn't want the world burying my personal DSL line with traffic.

Now suppose the Social Security Administration put everyone's personal file online at a URL like this:

http://www.ssa.gov//

so anyone's file could be retrieved just by replacing "" with any valid SSN.
No login;
No password;
NO SECURITY.
There is no "hacking", "cracking", or anything else going on here, it is publicly displayed information.
"There are only three things of value: younger women, faster airplanes, and bigger crocodiles" - Arthur Jones.

Quote

As an IT professional, if information is accessible on the public facing internet via a given URL requiring no decryption or authentication I would consider it openly published. Data stored behind a firewall or other means of authentication is an entirely different story.

AT&T was using security through obscurity. It's something commonly used, but in this case it shouldn't have been. Protecting customer information like email addresses in this manner is not very responsible.

Just because the data didn't have a nice index (web page of links to the data) doesn't mean it wasn't published.

Thanks, your comments help me to understand the thinking involved here. I think.

You say that AT&T was using "security through obscurity". That seems like a nice description to me. We certainly agree that this approach was not very responsible.

What I find interesting is that it seems (to me) that the "arms race" between IT security types on the one hand and those who want to gain access to data for malicious reasons on the other, has resulted in a community frame of mind that considers weak security to mean openly published. How deep does this attitude go? Surely not to the point of saying that any security system that can possibly be breached, even if that requires very sophisticated tools, is "published"? If not, where is the boundary I should not cross? Apparently in the eyes of the community a simple script to generate a large number of urls and use them to probe is "open access", and anything that is retrieved is OK because it was "published". So where is the line? Would I have to get into de-encryption to be considered over that line?

On my gym locker, I have one of those dial-type locks that you have to turn right to a certain number, then left to another number, then right again to a third number. Given enough time, someone could manually try every possible combination and eventually open the lock. Or, they could design a device that did this much faster than a human could, but still uses the same principle to arrive at a solution. How is this different in fundamental nature from what was done in the case we are discussing? If someone can use such a device to pick my simple lock, in IT-land does that mean they can use my sweaty gym clothes without fear of adverse consequences (other than having to shower for a really long time)?

Don
_____________________________________
Tolerance is the cost we must pay for our adventure in liberty. (Dworkin, 1996)
“Education is not filling a bucket, but lighting a fire.” (Yeats)

Quote


If ATT's client emails are "open access", and "published openly on the internet for anyone to see", then why can't I retrieve this list by searching with Google, Yahoo, Bing, or any other search engine you can name? Maybe because those search tools don't whack away at the internet by randomly generating millions of urls to see what they can uncover?



My entire website(s) are open access/published, but do not appear on reputable search engines because I direct their web crawlers not to descend beyond the top page (robots.txt). So that's not a suitable definition for published.

Quote

Now suppose the Social Security Administration put everyone's personal file online at a URL like this:

http://www.ssa.gov//

so anyone's file could be retrieved just by replacing "" with any valid SSN.
No login;
No password;
NO SECURITY.
There is no "hacking", "cracking", or anything else going on here, it is publicly displayed information.



I remember something similar to this many years ago with a large bank's online access. Someone noticed that their account number was being passed as a URL variable, so they tried to access another account by just changing the variable and it worked.

Once they'd authenticated to their own account, they could access / manipulate any other account.

I don't remember the details. Maybe someone else does.

It does feel wrong to me for someone to go looking for information by scripting a brute-force search for valid IDs though. That's crossing a line.
Owned by Remi #?
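The "account number passed as a URL variable" failure described in the post above, shown from the defender's side as an added illustration that is not part of this thread: a lookup that relies on obscurity beside one that checks the authenticated session actually owns the requested account, plus a log check that flags a caller walking through many IDs. The accounts, sessions and log lines are constructed sample data.

```python
# Added illustration (not from the thread): obscurity-only vs. authorized lookup,
# and a log check for ID enumeration. All data below is constructed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: which login owns which account.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250.0},
    "1002": {"owner": "bob", "balance": 9120.5},
    "1003": {"owner": "carol", "balance": 40.0},
}


@dataclass
class Request:
    session_user: Optional[str]  # who the session is authenticated as (None = anonymous)
    account_param: str           # the ?account=... value taken from the URL


def vulnerable_lookup(req: Request) -> Optional[float]:
    """Obscurity only: trusts the URL parameter and never asks who is logged in,
    so any logged-in (or anonymous) caller can read any account by changing the ID."""
    acct = ACCOUNTS.get(req.account_param)
    return None if acct is None else acct["balance"]


def hardened_lookup(req: Request) -> Optional[float]:
    """Authorization: the record is served only to the authenticated owner."""
    if req.session_user is None:
        return None  # not logged in at all
    acct = ACCOUNTS.get(req.account_param)
    if acct is None or acct["owner"] != req.session_user:
        # Same answer for "not yours" and "does not exist", so the response
        # does not confirm which IDs are valid to someone probing them.
        return None
    return acct["balance"]


# Constructed access log: one line per request, "user account status".
SAMPLE_LOG = """\
alice 1001 200
bob 1002 200
alice 1002 403
alice 1003 403
alice 1004 403
alice 1005 403
carol 1003 200
"""


def flag_enumerators(log_text: str, threshold: int = 3) -> list:
    """Return users whose requests touched more distinct account IDs than threshold.
    A legitimate customer queries their own account; a caller scripting through
    IDs touches many, most of which are refused."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        user, account, _status = line.split()
        seen[user].add(account)
    return sorted(u for u, accts in seen.items() if len(accts) > threshold)
```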

Quote

Quote

Now suppose the Social Security Administration put everyone's personal file online at a URL like this:

http://www.ssa.gov//

so anyone's file could be retrieved just by replacing "" with any valid SSN.
No login;
No password;
NO SECURITY.
There is no "hacking", "cracking", or anything else going on here, it is publicly displayed information.



I remember something similar to this many years ago with a large bank's online access. Someone noticed that their account number was being passed as a URL variable, so they tried to access another account by just changing the variable and it worked.

Once they'd authenticated to their own account, they could access / manipulate any other account.

I don't remember the details. Maybe someone else does.

It does feel wrong to me for someone to go looking for information by scripting a brute-force search for valid IDs though. That's crossing a line.



Wrong and legal are very different concepts. It may be wrong. Based on my understanding of the technology I don't see how it can be illegal.
"What if there were no hypothetical questions?"

Quote

Quote

Quote

Now suppose the Social Security Administration put everyone's personal file online at a URL like this:

http://www.ssa.gov//

so anyone's file could be retrieved just by replacing "" with any valid SSN.
No login;
No password;
NO SECURITY.
There is no "hacking", "cracking", or anything else going on here, it is publicly displayed information.



I remember something similar to this many years ago with a large bank's online access. Someone noticed that their account number was being passed as a URL variable, so they tried to access another account by just changing the variable and it worked.

Once they'd authenticated to their own account, they could access / manipulate any other account.

I don't remember the details. Maybe someone else does.

It does feel wrong to me for someone to go looking for information by scripting a brute-force search for valid IDs though. That's crossing a line.



Wrong and legal are very different concepts. It may be wrong. Based on my understanding of the technology I don't see how it can be illegal.



Well, I'm willing to shift my mind back over to "undecided" on the legality of this, as I sit back and learn some more. I believe he's appealing his conviction. Logically, I've got to believe these arguments will be made on appeal. Should be interesting to see how the prosecution attempts to refute them, and how the appellate court handles it.

There are a lot of computer nerds on this forum, and several lawyers. Anyone here who's both?

Quote

Based on my understanding of the technology I don't see how it can be illegal.



The earlier analogy of trying every possible code on a combo lock until you succeed rings more true to me. A 2 digit combo lock would be a crappy way to secure a bike, but it doesn't mean you didn't steal it if you try all 100 possible combos until you get it unlocked and ride off on it. :S
Owned by Remi #?

Quote

Quote

Based on my understanding of the technology I don't see how it can be illegal.



The earlier analogy of trying every possible code on a combo lock until you succeed rings more true to me. A 2 digit combo lock would be a crappy way to secure a bike, but it doesn't mean you didn't steal it if you try all 100 possible combos until you get it unlocked and ride off on it. :S


Another analogy:

Back in the olden days before HTTP/HTML/search-engines, we navigated the Internet by exploring FTP sites. Once logged into the FTP site, we could explore the entire directory structure under the home directory. If the site owner didn't want something to be seen by the public, he simply didn't put it under the FTP server's home directory, or he set permissions on the directory to unreadable. Example:

ftp://ftp.freebsd.org/

Once you access that URL, you are free to explore anything under it, even though your original URL stopped at the domain name.

Same thing.
"There are only three things of value: younger women, faster airplanes, and bigger crocodiles" - Arthur Jones.

Quote

Sounds to me more like reading somebody's house number and last name from their mailbox that they put on the curb.

Do you have to write a script to try millions of combinations to read a mailbox?

Don
_____________________________________
Tolerance is the cost we must pay for our adventure in liberty. (Dworkin, 1996)
“Education is not filling a bucket, but lighting a fire.” (Yeats)

Quote

Quote

Sounds to me more like reading somebody's house number and last name from their mailbox that they put on the curb.

Do you have to write a script to try millions of combinations to read a mailbox?

Don



No, but I bet I could write a script to collect that information much faster using Google Street View.
"What if there were no hypothetical questions?"

Quote

Now suppose the Social Security Administration put everyone's personal file online at a URL like this:

http://www.ssa.gov//

so anyone's file could be retrieved just by replacing "" with any valid SSN.
No login;
No password;
NO SECURITY.
There is no "hacking", "cracking", or anything else going on here, it is publicly displayed information.

Thanks (really!) for the interesting example.

I guess I'm just applying old-fashioned "physical world" thinking to this issue. In your example, I could put in my SSN and get my info. My SSN is pretty directly analogous to the combination for my lock. To use the system to get your file, on the other hand, the simplest way would be if I know your SSN. If I know it because you want me to have it and you gave it to me, no legal problems arise. If I know it because I stole the information from somewhere, things are different.

Let's say I don't know your SSN. To use the URL to discover it, I would have to go through up to 1,000,000,000 combinations (9 digits with 10 possibilities per position) one by one, see if I got a hit, and match the name/age/address to what I know about you. Obviously this would take an eternity, so to speed things up I could write a script to automate the process. So, I have to create a tool in order to use a number I have no legal right to use (your SSN), in effect pretending to be you, in order to gain access to your file. Yet, this is "put right out there for everyone to see".

And if I do find your information, it is quite OK for me to post that on a Google-accessible site for all and sundry to see. It's only copying what was left out in plain sight after all.

I just hope "internet ethics" doesn't get out into the physical world. It's funny that so many of the same people who get all worked up about drones spying on them from the air and TSA checking out their "package" have no problem with some internet-savvy pinata-whacking anarchist posting people's private data online.

I do realize that unethical is not synonymous with illegal.

I'm also (perhaps too slowly) realizing an interesting culture difference: To me, "publishing" means putting information where people can easily find it, because I want them to have it. In IT, it seems that "publishing" means "didn't hide it well enough".

Don
_____________________________________
Tolerance is the cost we must pay for our adventure in liberty. (Dworkin, 1996)
“Education is not filling a bucket, but lighting a fire.” (Yeats)

Quote

I just hope "internet ethics" doesn't get out into the physical world. It's funny that so many of the same people who get all worked up about drones spying on them from the air and TSA checking out their "package" have no problem with some internet-savvy pinata-whacking anarchist posting people's private data online.



Hell, a few years back the goddamned *FCC* put my SSN online as part of releasing amateur radio license listings to the public. I was so PO'd that I let my license expire w/o renewing it.
"There are only three things of value: younger women, faster airplanes, and bigger crocodiles" - Arthur Jones.

Quote

Hell, a few years back the goddamned *FCC* put my SSN online as part of releasing amateur radio license listings to the public. I was so PO'd that I let my license expire w/o renewing it.

I know what you mean. Quite a few years ago there was a web site where you could look up salary information on every State employee in my State, and the info on that site also included our SSNs. Potentially Identity Theft Central with state employees in the cross hairs. Eventually people kicked and screamed enough to get the SSNs taken down, though salary info is still publicly accessible. The problem is that the SSN gradually morphed from its intended function, tied to social security benefits, into a sort of "universal identifier". We even used to use it as the student number for our inmates, err, students.

It's also interesting how much we have been forced into this defensive mode of hyper security by the actions of online thieves. People complain about the TSA as a freedom-sucking response to potential terrorism, but we have no problem with having to memorize 20 different passwords and getting locked out of our own accounts because we can't remember if we used a $ or a ! in the password.

Don
_____________________________________
Tolerance is the cost we must pay for our adventure in liberty. (Dworkin, 1996)
“Education is not filling a bucket, but lighting a fire.” (Yeats)

Well, now. This has all been a wonderfully smooshy love-fest. Sorry to kill everyone's buzz here, but let's not forget that in Auernheimer's case these arguments failed to carry the day. And I'm not at all certain they will with the appellate court, either. We'll see. But just don't count your conviction-reversals before they're hatched.

Quote

I guess I'm just applying old-fashioned "physical world" thinking to this issue. In your example, I could put in my SSN and get my info. My SSN is pretty directly analogous to the combination for my lock. To use the system to get your file, on the other hand, the simplest way would be if I know your SSN. If I know it because you want me to have it and you gave it to me, no legal problems arise. If I know it because I stole the information from somewhere, things are different.



I think I have a better analogy for you. You keep bringing up this "lock" and I want to be clear that no one with any business being in the computer security industry considers obscurity to be any kind of lock.

Picture, instead, you go to a gym and they have a few hundred lockers. Most of them are empty. You put your stuff in the 173rd locker and don't put a lock on it because, "what are the odds someone is going to look in that locker?" Everybody else does the same. Then someone comes along and goes through all the unlocked lockers, takes the contents out and puts them on the ground in front of the lockers and stands back and calls everyone idiots.

Quote

Picture, instead, you go to a gym and they have a few hundred lockers. Most of them are empty. You put your stuff in the 173rd locker and don't put a lock on it because, "what are the odds someone is going to look in that locker?" Everybody else does the same. Then someone comes along and goes through all the unlocked lockers, takes the contents out and puts them on the ground in front of the lockers and stands back and calls everyone idiots.

I can see that perspective.

I'm still surprised that people would consider opening all the lockers and dumping out the contents to be appropriate behavior. I'm pretty sure that such behavior would earn someone an ass-kicking if they were to do that in the "real" world.

Don
_____________________________________
Tolerance is the cost we must pay for our adventure in liberty. (Dworkin, 1996)
“Education is not filling a bucket, but lighting a fire.” (Yeats)

Quote

Quote

Picture, instead, you go to a gym and they have a few hundred lockers. Most of them are empty. You put your stuff in the 173rd locker and don't put a lock on it because, "what are the odds someone is going to look in that locker?" Everybody else does the same. Then someone comes along and goes through all the unlocked lockers, takes the contents out and puts them on the ground in front of the lockers and stands back and calls everyone idiots.

I can see that perspective.

I'm still surprised that people would consider opening all the lockers and dumping out the contents to be appropriate behavior. I'm pretty sure that such behavior would earn someone an ass-kicking if they were to do that in the "real" world.

Don



Well, when they're done kicking his ass (and serving any resulting sentences for assault) what they should do is reflect on their choice not to use a lock.

As I suggested in post #24, kicking the ass of people that do things like that does absolutely nothing to protect your stuff. Maybe you didn't know locks existed, or maybe (like in the OP) a third party was putting your stuff in lockers with no locks and not telling you. Either way, your reaction should focus on buying a lock and using it because the guy who opens up locker 173 and just walks off with the contents isn't going to hang around for an ass-kicking.

Quote

Quote

I just hope "internet ethics" doesn't get out into the physical world. It's funny that so many of the same people who get all worked up about drones spying on them from the air and TSA checking out their "package" have no problem with some internet-savvy pinata-whacking anarchist posting people's private data online.



Hell, a few years back the goddamned *FCC* put my SSN online as part of releasing amateur radio license listings to the public. I was so PO'd that I let my license expire w/o renewing it.



FAA did that with pilot licenses too. Made us request a new certificate if we wanted it changed.
...

The only sure way to survive a canopy collision is not to have one.

Quote

Quote

I guess I'm just applying old-fashioned "physical world" thinking to this issue. In your example, I could put in my SSN and get my info. My SSN is pretty directly analogous to the combination for my lock. To use the system to get your file, on the other hand, the simplest way would be if I know your SSN. If I know it because you want me to have it and you gave it to me, no legal problems arise. If I know it because I stole the information from somewhere, things are different.



I think I have a better analogy for you. You keep bringing up this "lock" and I want to be clear that no one with any business being in the computer security industry considers obscurity to be any kind of lock.

Picture, instead, you go to a gym and they have a few hundred lockers. Most of them are empty. You put your stuff in the 173rd locker and don't put a lock on it because, "what are the odds someone is going to look in that locker?" Everybody else does the same. Then someone comes along and goes through all the unlocked lockers, takes the contents out and puts them on the ground in front of the lockers and stands back and calls everyone idiots.


See, this is why analogies are always thin ice.

Anyhow ;), unless you have your own stuff in one of the lockers, forgot which one it was, and are now randomly opening them to find your own stuff, you most certainly know that you're going to open lockers containing stuff belonging to other people that want it left alone. And to compound it, you do more than just open a locker and then rudely leave the door open rather than just closing it as you know fully well the occupant would expect; - what right do you have to touch that other person's stuff and pull it out of the locker? Opening the locker and leaving the door open is just being an asshole; touching the stuff and pulling it out of the locker really crosses the line.

Quote

...lockers containing stuff belonging to other people that want it left alone.



People want a lot of things.

I would argue that if you put something in an unassigned, publicly accessible* locker, and don't lock it, you don't have a reasonable expectation that it will be there when you get back. Sounds misanthropic. Is true.

*note that the gym isn’t even a perfect example because presumably you have to have a membership to get to the locker room… let’s make it a locker in a bus station.
