Ask HN: Why is "exploiting" a website illegal? - sam_in_nyc

This is in reference to the Twitter worm, and the Samy Myspace worm a while back.

_MySpace filed a lawsuit against the virus creator, Samy Kamkar. He entered a plea agreement, on January 31, 2007, to a felony charge.[2] The action resulted in Kamkar being sentenced to three years probation, 90 days community service and an undisclosed amount of restitution._

From: http://en.wikipedia.org/wiki/Samy_(XSS)

I'm not sure what is going to happen to the kid that did the Twitter worm.

On what grounds is what these people did considered harmful? It doesn't harm any end-users... at worst it only modifies their profile page. It's a bug (or feature) in the web application, not exactly a virus that affects other people's computers. I guess my point is, it's all encapsulated to the website.

Furthermore, it just seems like they're taking advantage of the features the developers created. If you can execute javascript, why not force people to friend you? If the developers included a big button that said "Delete a random user's profile" and you pushed it... would that be illegal? What if instead of a button, there was a hidden URL that did this? What if you needed to provide a 1 digit password?

I just don't get how fooling around with a website can be considered illegal, and what defines the line between legal and not.
======
mechanical_fish
Three observations.

One: There are specific laws against unauthorized access to computer systems:

<http://www.ncsl.org/programs/lis/CIP/hacklaw.htm>

These acts are generally considered illegal because... they contravene laws!

Two: "What defines the line between legal and not?" The answer, ultimately, is
judges and juries. These people have a wide range of discretion and are often
surprisingly reasonable. (Although certainly not always. And they cost a lot
to convince, and they can be _randomly_ unreasonable, which is why there are a
lot of jury-trial horror stories and why lawyers prefer to avoid jury trials
whenever possible.)

If I leave a loaded gun lying around and you pick it up and shoot me dead, the
legality of your action is going to depend crucially on what you can make the
prosecutor and the jury believe. If you convince them that you did it by
accident -- that you were honestly just playing around with the gun on the
assumption that nobody would be dumb enough to leave a loaded gun around --
you might be found innocent. If you had a documented motive for killing me, or
were arguing with me at the time in front of witnesses, or if there were _no_
witnesses... well, good luck.

Finally, when you say:

 _It doesn't harm any end-users... at worst it only modifies their profile
page._

You are making a lot of unwarranted assumptions. For one thing: If you
publicly deface a website you advertise the existence of an exploit which
someone _else_ might then use for evil purposes. But, more importantly: Who
says that an edit to a user profile is always harmless? People have lost
relationships, job leads, careers, and reputations over such "trivial" things.
Remember the poor teacher whose Windows box got infected by a virus and spewed
porn links all over the screen in front of the students? The woman who lost
her job and narrowly missed being convicted as a sex offender by a crazy
prosecutor?

<http://news.cnet.com/8301-1009_3-10107743-83.html>

If I were a teacher and someone defaced my online profile with a porn link I'd
consider it a direct threat to my family's life.

~~~
sam_in_nyc
_You are making a lot of unwarranted assumptions. For one thing: If you
publicly deface a website you advertise the existence of an exploit which
someone else might then use for evil purposes. But, more importantly: Who says
that an edit to a user profile is always harmless? People have lost
relationships, job leads, careers, and reputations over such "trivial" things.
Remember the poor teacher whose Windows box got infected by a virus and spewed
porn links all over the screen in front of the students? The woman who lost
her job and narrowly missed being convicted as a sex offender by a crazy
prosecutor?_

These people are using the website with _no warranty_. It says so in the Terms
of Service. Myspace, Twitter, Facebook, etc., guarantee _nothing_ about the
security of their website, or whether their technology even works
correctly. _Even if_ they did say in their warranty: "Your information is
guaranteed to be secure," does that magically make it illegal to make a worm?

 _Two: "What defines the line between legal and not?" The answer, ultimately,
is judges and juries. These people have a wide range of discretion and are
often surprisingly reasonable. (Although certainly not always. And they cost a
lot to convince, and they can be randomly unreasonable, which is why there are
a lot of jury-trial horror stories and why lawyers prefer to avoid jury trials
whenever possible.)

If I leave a loaded gun lying around and you pick it up and shoot me dead, the
legality of your action is going to depend crucially on what you can make the
prosecutor and the jury believe. If you convince them that you did it by
accident -- that you were honestly just playing around with the gun on the
assumption that nobody would be dumb enough to leave a loaded gun around --
you might be found innocent. If you had a documented motive for killing me, or
were arguing with me at the time in front of witnesses, or if there were no
witnesses... well, good luck._

Good points. Especially the loaded gun thing.

But in the Myspace example -- what harm was done to Myspace that warranted any
punishment? Is it because they're such a successful website, that it matters
more? I mean, let's say the kid made this worm for a site with like 1,000
users... is it any less of a crime? And why is it not Myspace's fault for not
securing the website?

Another thing I'm confused about... how responsible do the website owners have
to be? Let's say they allow javascript in profiles. The worm was nothing more
than javascript.. I'd argue that somebody was just getting creative with their
profile! If they made an endless loop of alerts, is that a "virus" because in
most browsers (ridiculously) you have to force quit them?

And, finally, how in the world does any of this technology stuff get explained
to the people making the decisions, eg, the judge and jury. It seems it's
nearly impossible for it to be adequately explained to them to the point of
them understanding enough to make a fair judgment.

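The question above of "how responsible do the website owners have to be" and "let's say they allow javascript in profiles" turns on one server-side decision: whether another user's profile fields are written into the page as raw HTML or as escaped text. The following is an added example written for this thread; it is not code from MySpace, Twitter or either worm, and the profile object, its field names and the payload string are all constructed for the demonstration.

```javascript
// Added example for this thread, not code from MySpace, Twitter or the worm.
// It shows the server-side difference between a profile page that inserts
// user-supplied fields as raw HTML and one that escapes them. The profile
// object, its field names and the payload string are all constructed here.

// Escape the characters that let text break out of an HTML text node or a
// double- or single-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// A site that "allows HTML/JavaScript in your profile": fields go in verbatim,
// so whatever one user stores runs in every viewer's browser under the site's
// origin. This is the stored-XSS shape the thread is arguing about.
function renderProfileRaw(profile) {
  return (
    `<div class="profile">` +
    `<h1>${profile.name}</h1>` +
    `<p>${profile.bio}</p>` +
    `</div>`
  );
}

// Same page with user-controlled fields treated strictly as text.
function renderProfileEscaped(profile) {
  return (
    `<div class="profile">` +
    `<h1>${escapeHtml(profile.name)}</h1>` +
    `<p>${escapeHtml(profile.bio)}</p>` +
    `</div>`
  );
}

// Constructed profile: the bio carries a script element and an event-handler
// attribute, the two ways inline script most commonly rides in on markup.
const SAMPLE_PROFILE = {
  name: "sam",
  bio: 'hi <script>document.title = "owned"</script><img src=x onerror="alert(1)">',
};

// Rough check used only by this demo: does the rendered page contain markup a
// browser would treat as executable script? (A real review would parse the
// HTML rather than pattern-match it.)
function containsActiveMarkup(html) {
  return /<script\b/i.test(html) || /<[^>]+\son\w+\s*=/i.test(html);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("raw page has active markup:    ", containsActiveMarkup(renderProfileRaw(SAMPLE_PROFILE)));
  console.log("escaped page has active markup:", containsActiveMarkup(renderProfileEscaped(SAMPLE_PROFILE)));
}
```

The escaped rendering still shows the viewer exactly what the profile owner typed, including the angle brackets, so "getting creative with your own profile" remains possible; it simply stops that text from executing in someone else's session. Escaping into an HTML text node is not the whole story: fields that land in URL attributes, inline styles or script blocks need context-specific encoding, and a site that wants to permit some formatting needs a real allowlisting sanitizer rather than this text-only treatment.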
~~~
mechanical_fish
_These people are using the website with no warranty_

I think you will find that a jury will have no trouble telling the difference
in value between something that has no warranty, something that has no
warranty _and_ is broken thanks to an error by its vendor, and something that
is broken because some third party broke it. Warranty law is about the first
two cases. It has nothing to do with the third case. If you break a company's
product, you are going to be liable, whether the product is under warranty or
not.

Incidentally, we have reached the point where it's important to point out that
I am not a lawyer.

 _I'd argue that somebody was just getting creative with their profile!_

If you get creative with your _own_ profile, and it brings down _your_
browser, you have found a bug. Indeed, if you get creative with your own
profile, and it brings down _Twitter_, you have merely found a bug. (Though
one that could obviously be used to perform a DoS attack on Twitter. If you
exploit the bug to bring down Twitter over and over for your own amusement,
you're getting into shakier legal ground. The responsible thing to do is
_report_ the bug.)

If you "get creative with your profile" to create an XSS attack that
deliberately defaces other profiles? Hire a lawyer, pronto.

 _how responsible do the website owners have to be?_

The truthful answer is "not very". You can be convicted for breaking into an
account that has little or no actual security on it. You can be convicted for
_searching_ for an exploit on your _employer's_ computer, even if you don't
exploit it. (Ask Randal Schwartz. You should probably Google up his case.
Sounds like you need some legal briefings.)

Don't impersonate other people on computer systems. Even if the system owners
are _begging_ for it. ( _Especially_ if the system owners are begging for it.)
And don't "test" people's security without specifically getting their
permission in advance.

------
acro
That last sentence is a bit troubling; are you serious? Think about a
situation, for example, where all of your income comes from a website you
publish and someone else does (without your permission) something to
change/destroy the content. How can that be legal? If a car has unlocked doors
and the keys are in the ignition, is it legal to take that car?

~~~
sam_in_nyc
_If a car has unlocked doors and the keys are in ignition is it legal to take
that car?_

I'm not talking about stealing a car. That would be hijacking or shutting down
the entire website.

If you want to go the "car analogy" route, then put a whiteboard on your car,
and claim it's illegal when somebody comes along and writes on the whiteboard.
This is still a pretty crappy analogy.

The best analogy would be making something intended for one purpose, but
somebody uses it for another purpose. Then, since it's bad for business, you
sue the person who used the item as not intended. It just seems ridiculously
unfair.

I'm talking about things like Web 2.0 profiles. The TOS on these things are
that the entire use of the website is without warranty... yet if somebody
comes along and makes a worm on these sites, a worm which harms nothing other
than these warrantless profile pages, that's illegal?

Another example: Let's say Myspace said: "Feel free to use Javascript in your
profile." Would it be OK to make the worm? It's just javascript, after all.

~~~
acro
Making a worm that changes something on a site means disrupting the service
between a service provider and a customer; it is not just using something for
another purpose.

That something is easy to do, or that the actual damage is small, does not
make it any more "right".

------
pclark
doing anything on someone else's account without them being aware (or in
control) has to be illegal ... ?

my concern is that it's myspace one day, my bank the next. Stemming this in
the bud is of value for everyone.

~~~
sam_in_nyc
What makes your account, on some website like "myspace" at all sacred and
secured by laws? What defines an "account"? Does the person in charge of the
account, in this case Myspace, have any obligation to ensure the security of
your account?

For example, what if Myspace only allowed a 1 digit password on your account.
Is it still illegal to "hack" your account, or is it Myspace's fault?

------
GrandMasterBirt
The same exact argument as the OP holds for CSS... When is playing a DVD
considered illegal? What if I just put it into an unlicensed player? What if
the decryption algorithm is so simple a 14 year old can crack it? What if the
algorithm has been cracked for 14 years?

The DMCA says that breaking ANY encryption is illegal, even if the encryption
scheme is "take my data, treat it as binary and invert all the digits" and the
first line of the data contains those instructions. It is illegal to break
that encryption because of the DMCA.

So yeah, if it's a 1-digit password, it's illegal to guess it.