By making that tweet he's impersonating a government agency and passing it off as an official document. If he hadn't posted that tweet I'm sure he wouldn't have anything to fear.
EDIT: I looked up the relevant law: False Impersonation of Federal Officer or Employee. It doesn't seem he got anything of value, so it's unlikely he could be charged. Although I'd be surprised if he didn't at least receive a stern conversation from a government official.
The original incident in the article seems more like the latter to me. If I were on the jury, I certainly wouldn't convict.
Yeah, it's obviously substantially below FDR interning 100,000 Japanese people based on their ethnicity. Or spraying black neighborhoods with toxic chemicals to test on them in the 1950s. Or J Edgar Hoover's decades-long parade of power abuses and rights violations of the American People. Or Lyndon Johnson inserting us - hundreds of thousands of drafted young men - into a civil war in Vietnam, in which we helped to directly kill vast numbers of people with no clear plan or explanation for why we were there. Or the testing of hundreds of nuclear weapons on US soil, with little concern for how it would harm citizens. Or Sherman burning down Atlanta. Or Nixon's parade of abuses. Or the CIA's countless, terrifying programs in the 1970s. Or how the FBI tried to get MLK to kill himself. Or prohibition and the terrible results that imposed upon the people (eg rampant organized crime). Or the 50 year war on drugs and the horrific toll that has taken on the people.
We used to treat our people with the utmost dignity and respect.
By law they need to share what you post publicly, including files. This 'vulnerability' has been around for decades.
"Digital Government: Building a 21st Century Platform to Better Serve the American People". United States Federal CIO Council. May 23, 2012.
This is a bad idea, though, as it makes it easy and legal for non-authorized entities to impersonate the authorized ones: freecreditreport.com
It was a way to easily allow unprivileged users to share content from their ~/public_html/ directory.
Nevertheless, it's clearly associated with UGC content, and as far as I know there have never been any major sites that have hosted non-UGC content using this scheme. (E.g. there is no history of use for things like Amazon product pages or whatever.)
And in school we were always taught that content coming from user pages on university systems shouldn't be cited as if it were academic content being published or endorsed by the university. I'm sure others were taught the same.
- Browsers might want to treat it differently for malware scanning purposes.
- Content owners might want to treat it differently when filing automated DMCA complaints.
- Search engines might want to treat it differently for ranking purposes.
The benefit of the tilde is that, at least as far as I know, it has never been used for anything other than signaling that something is UGC content. (Even if that was a technological accident and not its original intent.)
Do you think the assumption that the content was created by the organization who owns the domain should be default? Wouldn't it be better for the organization to provide a signature for the content it did create?
Sure, and I think that is the current assumption. What's missing is a way to specify UGC content that wasn't created by the organization.
> Wouldn't it be better for the organization to provide a signature for the content it did create?
I don't think this would be viable for two reasons:
- It would require people to do the work to opt in, without any obvious incentive for doing so.
Whereas there are good use cases for allowing folks to mark content as being UGC. For example, let's say the game Draw Something wanted to let users upload their creations. So no security issues, since images are created through their own app, but they don't necessarily want everyone thinking that they're spending all day creating and uploading millions of dick drawings either.
I suggested just adding a ~ to the domain name, because when you see a domain name like this:
It's universally recognized that the content on that page was not created by columbia.edu or cs.columbia.edu in an official capacity.
Other people said we can't do this because it's not an official standard, so I said let's just make it a standard. Which I think is good because it keeps an important piece of Internet culture alive by codifying it, which would let people rely on it when designing new systems. And ultimately it should work because there is no history of this URL pattern being used for non-UGC content.
it appears your only goal is to be right.
Websites have been using this pattern for 25+ years, so it's pretty universal by now.
The `~` or `~username` is expanded by your shell (but not necessarily all shells) and has nothing to do with the operating system. If you pass a filename like `~myusername/test.txt` to any unix's open() syscall, it's going to either fail or open a file in a directory literally called `~myusername`. This means anywhere you're passing a filename into a program that isn't your shell does not generally support that syntax.
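To make the point above concrete, here is a small added example (not from the thread or any project it mentions) showing that the OS's open() sees `~alice` as a literal directory name, and that only an explicit shell-style expansion step (Python's `os.path.expanduser`, standing in for the shell) turns it into a home directory. The directory name `~alice` and the file contents are constructed for the demo.

```python
import os
import tempfile


def open_raw(path):
    """Hand the path straight to the OS, as any non-shell program would.

    No tilde expansion happens here: "~alice/test.txt" means a directory
    literally named "~alice". Returns the file contents, or None if the
    OS cannot find the file.
    """
    try:
        with open(path) as fh:
            return fh.read()
    except FileNotFoundError:
        return None


def open_expanded(path):
    """Expand ~ / ~user the way an interactive shell would, then open.

    os.path.expanduser leaves the path unchanged if the named user does
    not exist, which is exactly why "~user" is a convention of the shell
    (and of a few libraries), not a property of the filesystem.
    """
    return open_raw(os.path.expanduser(path))


def demo_literal_tilde_dir():
    """Constructed sandbox: a directory named "~alice" inside a temp dir.

    Shows that open() happily opens the literal "~alice/test.txt" relative
    to the current directory, with no home-directory lookup at all.
    """
    with tempfile.TemporaryDirectory() as tmp:
        literal_dir = os.path.join(tmp, "~alice")
        os.mkdir(literal_dir)
        with open(os.path.join(literal_dir, "test.txt"), "w") as fh:
            fh.write("literal tilde directory\n")

        previous_cwd = os.getcwd()
        os.chdir(tmp)
        try:
            # Relative path, tilde and all, resolved by the kernel as-is.
            return open_raw("~alice/test.txt")
        finally:
            os.chdir(previous_cwd)


def expands_unknown_user(path):
    """True if expanduser changed the path; False means no such user."""
    return os.path.expanduser(path) != path


if __name__ == "__main__":
    print(repr(demo_literal_tilde_dir()))
    print(expands_unknown_user("~no-such-user-xyz/test.txt"))
```

The takeaway for anyone building on the `/~user/` idea: whatever meaning `~` carries is assigned by the program that chooses to expand it, so a URL path or filename containing a tilde is just a string to the OS and to most software handling it.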
A narrowly defined, poorly recognized convention is not a great thing to rely on for security purposes.
Also, that ® at the end of posix is part of the URL; you will unfortunately get a 404 if you don't copy-paste it right. You might be better off searching for "site:opengroup.org posix".
Good luck, man
Was he? This was obviously satirical. Impersonation involves a genuine attempt at deception, not merely having a few trappings of something official. Otherwise, what's the difference between this and somebody dressing-up as a cop for Halloween?
The student's mistake (well, beyond not contacting them to report the issue) was using the FCC's official letterhead to create an embarrassing document and uploading it to their official website and posting it on social media.
That's pretty much a "fuck you" and not a great way to start a conversation.
Unfortunately, these "temporary" file uploads end up accessible from the main FCC domain (i.e. fcc.gov), unlike e.g., Google (e.g., "googleusercontent.com" vs. "google.com"). In Google's case, the separate domain helps distinguish the content as unofficial.
It's understandable why it was originally engineered this way, since it's probably easier to create a subdomain under fcc.gov rather than to get an unrelated domain, but that's why we ended up here!
The server and DNS configuration you need for a subdomain is identical to what you need for a separate domain. Possibly slightly more to manage if you are using the "naked" domain because of the DNS issue with not supporting CNAME records on the naked domain.
If you already have a wildcard SSL certificate for the subdomain a separate domain might be more work because you need a new cert and you don't if you stick with a subdomain.
The most work is actually buying the domain.
Then again, this is government we are talking about so buying a $10 domain is probably three weeks worth of paperwork.
There are security implications galore, mostly due to the same-origin policy. Books can and have been written about web security; if you're writing webapps, you need to read one.
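One of the concrete differences between "uploads on a subdomain of fcc.gov" and "uploads on an unrelated domain" (the googleusercontent.com pattern mentioned a few comments up) is cookie scope, which sits alongside the same-origin policy. The following added example, not from the thread, implements the RFC 6265 domain-matching rule and a plain same-origin comparison so you can see which hosts would receive a cookie scoped to a parent domain. The hostnames `uploads.fcc.gov` and `fcc-usercontent.example` are constructed for illustration; nothing here says what fcc.gov actually sets.

```python
from urllib.parse import urlsplit


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching for host names (not IPs).

    A cookie with Domain=fcc.gov is sent to fcc.gov itself and to every
    host ending in ".fcc.gov". A host that merely ends in the same letters
    (e.g. notfcc.gov) does not match because the boundary must be a dot.
    """
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".").rstrip(".")
    if host == dom:
        return True
    return host.endswith("." + dom)


def same_origin(url_a: str, url_b: str) -> bool:
    """Same-origin policy comparison: scheme, host and port must all match.

    Note that a subdomain is a different origin for script access, yet it
    still shares cookies scoped to the parent domain (see domain_matches),
    which is why the two checks answer different questions.
    """
    defaults = {"http": 80, "https": 443}

    def origin(url):
        parts = urlsplit(url)
        return (parts.scheme, parts.hostname, parts.port or defaults.get(parts.scheme))

    return origin(url_a) == origin(url_b)


def cookie_recipients(cookie_domain: str, hosts):
    """Return the hosts from `hosts` that would receive the cookie."""
    return [h for h in hosts if domain_matches(h, cookie_domain)]


# Constructed hosts: a main site, a hypothetical upload subdomain, a
# look-alike, and a hypothetical unrelated user-content domain.
SAMPLE_HOSTS = [
    "www.fcc.gov",
    "uploads.fcc.gov",
    "notfcc.gov",
    "fcc-usercontent.example",
]

if __name__ == "__main__":
    print(cookie_recipients("fcc.gov", SAMPLE_HOSTS))
    print(same_origin("https://www.fcc.gov/", "https://uploads.fcc.gov/"))
```

Read together: a cookie scoped to the parent domain reaches the upload subdomain but not the unrelated domain, and, by the same rule, a page served from the subdomain can set a cookie with Domain=fcc.gov that the main site will then receive. Moving user-supplied files to a domain that shares no suffix with the main site removes that sharing entirely, which is the practical reason the separate-domain pattern exists.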
One method works, one doesn't.
But keep on telling people to read a book, for all the good it will do.
It's not that bad.
It is slightly annoying that the procurement rules don't let sysadmins buy multi-year domain registrations---not even for .gov domains.
Ultimately, there's nothing stopping a federal employee or contractor from buying another domain except ignorance of good infosec practices. Even a .gov domain isn't all that expensive---$400/year is a drop in the bucket of federal spending.
Dev: "Can I have a domain?"
10 minutes later done
In government I imagine you need a procurement order which needs to be approved. And my anecdotal experience has been that the dev teams don't always take high priority in those queues.
I'm sure it's not as hard as I made it out to be but it is certainly not as straight forward as many of us are used to.
I regularly need to host internal applications accessible by other staff and often just do so from my machine during the daytime and send them updated IP addresses/ports where they can access them... boss didn't even think it was possible...
Yeah. I imagine the government processes are pretty convoluted.
Some of the tools are temporary mind you, and it's much quicker to run the temp tool on my machine through the local network for a couple of weeks than to spend a few days waiting on resource allocation and then getting it shut down afterward.
Some of them are scheduled to be merged into larger projects that will seek out the necessary permanent resources... in time.
And things always take their time. It's my first excursion into such a large company and it is boggling at times. Things that would be small flaws in a smaller business are magnified 10, or 100x.
It's a shame most organizations do not do a good job handling vulnerability reports from outside sources and everyone knows it (so nobody tries to alert the organization). I would be very surprised if he was the first procrastinating college student to figure this out.
If I had discovered this, I'd wipe my trail clean and never speak of it again. The likelihood that I'd end up in federal prison for it is just way too high.
Why would you go to Federal Prison for using an intended feature on a government website?
Just because you can do something doesn't mean you are legally allowed to. People have been prosecuted for simply opening URLs without any authentication, and I know the specifics of that case were different, but it still terrifies me that I might accidentally trigger a bug in a system that looks "intended" to me, but to them looks like a malicious attack.
And once they have decided it's against their intention, I'm in the wrong. There's no way for me to easily or quickly "prove" my intentions were pure or my understanding was incorrect, and even if I could it's still months or years of litigation possibly with me in jail.
And all of this goes doubly for trying to be a whitehat and letting the government know about vulnerabilities. Saying "hey I found this vuln in your system" is pretty much a confession that I did break the law and used a computer system illegally.
It also serves as a handy handle to insult someone's virility or manliness that fits better in a tweet.
I wonder how much Twitter influences which new slang catches on. 'Bae' is a convenient three letters. For that matter, 'SJW' and 'MRA' are nice and short. You can get each term into a tweet, twice even, without using up much space.
Start throwing around 8 or 10 letter terms and no one is going to tweet them enough to quickly force them into culture.
That's precisely the intended meaning, that one literally or figuratively enjoys being taken advantage of.
When applied to political situations, Foo's wife would be the US and the others would be illegal immigrants. So Foo is a cuck because he wants illegal immigrants to come over and mess up the US.
And I do believe that many of them are aware that it's a fetish, with many jokes about Foo's wife's boyfriend.
Like, if he called him a douche, I'd assume it was to say he doesn't care about his obligations to the American people and is only interested in helping his rich buddies... not that the prankster was too lazy to come up with anything other than a gross and generic comparison to female hygiene.
If that's not the definition of being "cucked" I'm not sure what is.
"Access Denied. File must be attached to a posted filing to be available."