
The media would have a field day and say that he hacked his school database. It's crazy how so many institutions are doing the digital equivalent of leaving an unlocked car in a bad neighbourhood and no one holds them accountable. Most people understand the concept of an unlocked car, not many understand that he didn't do anything special to hack his school db. He just strolled right in.



> he didn't do anything special to hack...

Someone who snatched a purse out the hand of someone else isn’t “doing anything special” either. The illegality doesn’t hinge on the difficulty of the action. Why is that so hard to grasp for technical crowds?

If you find a car with the keys in the ignition and the door unlocked, you won’t get away with driving it a block down the road by telling the judge: “Oh, but it was obviously insecure, and I was just testing to see if I could steal it”.


The data that's available isn't the school, it's student data! The school left the students "cars unlocked" and no one holds them accountable. They just say that people shouldn't steal cars.


They left the car unlocked in the same sense that your home is unlocked. With the right tools, it’ll take me 5 minutes to gain entry. I could then claim that it’s your own fault I gained entry because you don’t have a metal-reinforced door, steel bars across windows, and a lock that can’t be easily or hardily picked...

Yes, someone technically minded with the right tools and access can break in. But that’s less than 5% of the population, very similar to the percentage who could easily pick even a complicated lock, but of course nearly 90% will be able to take an ax to a door or kick in a window.


Even with that house analogy, I'd argue that you shouldn't store large volumes of other people's sensitive personal data in a house that has the bare minimum security.

The issue is organisations being reckless with our data and then blaming hackers when they lose it. It should be common sense that if you have sensitive information then it needs an appropriate level of security, but somehow companies have convinced everyone it's not their fault.


This is more like walking up to the bank at night and jiggling the door handle then telling everyone it’s unlocked and the alarm isn’t on.


The author straight up admits to scraping the database!

That's clearly a point at which "Hm... I think this is insecure, can I actually pull this?" turns into criminal behavior.


I think this is where analogies between physical theft/trespass and digital access break down.

Pressing the handle down, maybe even opening a door, but not walking in and not taking anything. No theft, no trespass. AFAIK in my local laws trespass requires entry and theft requires carrying off. Indeed -- apparently -- you're legally allowed to enter abandoned properties if you don't break in.

That to me is equivalent to access, maybe even duplication (proving access with no 'alarms'), of digital data. When it becomes immoral is when you use that data, or make it available for use by others.

Of course the CMA (UK)/CFAA (USA) don't see things this way; they both seem to make the equivalent of 'looking in the direction of a door and noticing it's open' into an illegal act.


> When it becomes immoral is when you use that data, or make it available for use by others.

That's logically consistent but shockingly permissive. And to be frank, I don't believe for a second this is really a principled opinion on your part, it's an excuse.

You'll get behind the hacker linked on HN out of solidarity or for some other personal reason (maybe you hate schools, or java). You'd never forgive someone for walking in and lifting your photo history due to a security lapse by Facebook, even if they never "used" the data nor "made it available for use by others". And that is why this behavior is criminal.

Be real.


> Be real.

This is apparently a curious student that discovered a vulnerability and, judging by the way that blog post is written, is unsure how to properly disclose it. If this was your Facebook analogy, they'd have a relatively visible path to disclose that. Here, they have to potentially fear being reprimanded or criminally charged.

Under the premise that yes, granted, all that might technically qualify for some criminal act: the aspects of intent and malice are, imho, important in these discussions and should be for the corresponding laws. They found a vendor negligently handling student data; instead of dumping it somewhere, making a fuss in the press or using it for something, they tried to disclose it (at least I'd hope so). It's not like the author abused that data, they tried out a proof of concept to see if access to other users could be gained. Not just out of solidarity, that's something we should applaud and shield, instead of branding it as criminal behaviour.

For me this is more akin to past cases of people being reprimanded for trying to change URL parameters that are not sufficiently protected. While I see that it might be a philosophical standpoint rather than a legal one, I think the fine in these cases should go to the negligent company, not some curious individual without malicious intent.


Meh.

Your post to me is a bit like how people said "you feel violated, don't you" when we had burglars. I didn't feel violated, nor particularly care I'd had unknown people in my house -- what I cared about was the nuisance of making insurance claims.

>You'd never forgive someone for walking in and lifting your photo history //

Someone who looked at one of my photos to prove they could, or downloaded one - never shared it, never re-published it? I wouldn't ever know, for one thing.

If they downloaded all my photos and never used them? Am I supposed to be angry?

>it's an excuse //

What do you think I'm excusing?

You mention school, so say someone hacks the school network, they don't share any of the info ever with anyone, don't use it in any way -- except perhaps the only result is they anonymously inform the school they have a breach -- what's immoral there? (Yes, practically you move the legality toward the easily measurable act of making access assuming immoral intent, I understand that.)


> If they downloaded all my photos and never used them? Am I supposed to be angry?

Send them to me then. I promise I'll never look at them.


> Why is that so hard to grasp for technical crowds?

Because laws concerning actual theft are objectively defined, and are logically consistent with themselves and other laws.

Laws about 'hacking', where the crime is simply a message, not a physical action, are extremely subjective. It revolves around intent more than the action.

For example: if a user goes to the website of theirbank.com and the root page is a list with all the credit card numbers of all the clients, is he committing a crime? He used computers to get information that he shouldn't be allowed to see. Most people would say: no, he only wanted to visit the website.

If I see that the bank's API has no security, am I committing a crime?

If I use SQL injection to see all the users data, am I committing a crime?

Most people would say that it depends on intent, but intent is extremely subjective, and IMO a pretty bad way to define laws.


I did this when I was at high school with a friend. Basically the place had a shared Windows file system, and the only thing that prevented everyone from viewing it was that it was hidden in the UI. On the drive was lots of data, including some applications in PDF format - completely unprotected - full of personal information of minors.

At the time we had recently covered data protection in IT class, so we wrote up a document explaining what we did, and why it was bad, and gave copies to a few people in prominent positions (principal, head of IT, IT teacher) as well as posting it (with instructions redacted) on an internal message board.

Well of course they didn't take it very well. They threatened to expel us and call the cops, and suspended us for a week until they decided what to do. In the end a well written warning from my friend's parent made them drop the issue and let us back in. I doubt they did anything to change the "security".


The car analogy would be:

  He saw a car
  He tried the doors until he found one that was open
  He climbed in and searched everywhere until he found personal information about other users of the system

Even though the security of this system was poor, he still (probably) broke the law. There are plenty of opportunities for people with some knowledge of IT to abuse their power, but it's our responsibility not to do so.


He looked in the window of a car and saw tons of users' personal information -- visible through the window! Any criminal could walk by and copy the info, privately, without anyone knowing. Maybe some criminals already have.

I think the important thing we miss with car/physical crime analogies is that cybercrime can be so invisible. Nothing is missing, nothing is taken... but users' private data is lost. So if an organization is doing something terribly naive like publishing passwords to user data in plaintext... it's disgusting for our society to punish the wrong people, the people pointing out the flaws rather than the ones who cause them. All the really malicious entities came and went and will never be caught.

They put private information into a JSON file accessible by an HTTPS GET, the only password being one that they put in plaintext onto everyone's phones.

My analogy: They put the private information onto a billboard, but you can only see the billboard from a particular vantage point in a public park.
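The design described in the comment above (a JSON record endpoint whose only "password" is a static key shipped inside every copy of the app) next to a per-user authorization check, as an added example that is not from the thread or the vendor; the records, key, tokens and function names are all constructed for illustration:

```python
"""Why a shared app key is not authorization: weak design beside the fix."""
import hmac

# Constructed sample data: per-student records the endpoint serves as JSON.
RECORDS = {
    "s1001": {"name": "Student A", "dob": "2007-03-01"},
    "s1002": {"name": "Student B", "dob": "2006-11-15"},
}

# Weak design: one key, identical in every installed copy of the app.
APP_KEY = "embedded-in-apk"  # constructed placeholder, not a real value

# Audit trail the hardened handler writes to, so refusals are visible.
audit_log: list[str] = []


def get_record_shared_key(student_id: str, presented_key: str):
    """Vulnerable pattern: the only check is a secret every client holds.

    Any user of the app can therefore fetch any student's record."""
    if not hmac.compare_digest(presented_key, APP_KEY):
        return None
    return RECORDS.get(student_id)


# Hardened design: the server ties a per-user session token to an identity
# and authorizes each request against that identity, never a shared secret.
SESSIONS = {  # constructed: session token -> authenticated subject
    "tok-for-s1001": "s1001",
    "tok-for-s1002": "s1002",
}


def get_record_per_user(student_id: str, session_token: str):
    """Hardened pattern: authenticate the caller, then authorize the object.

    A student may read only their own record; a mismatch is refused and
    logged, which is the signal defenders would alert on."""
    subject = SESSIONS.get(session_token)
    if subject is None:
        return None  # unauthenticated: no identity to authorize
    if subject != student_id:
        audit_log.append(f"DENY subject={subject} object={student_id}")
        return None  # authenticated but not authorized for this record
    return RECORDS.get(student_id)
```

With the shared key, any caller reaches any record; with per-user sessions the same request for another student's record is refused and leaves an audit entry.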


>He looked in the window of a car and saw tons of users' personal information -- visible through the window!

The information was still behind a door that you had to unlock. They just unwittingly sent keys to everyone.


If everyone has a key, it’s not really locked.

I guess a key is a legal metaphor and not an actual physical device. Huh.


Exactly, it's like leaving your customers' cars unlocked in a bad neighborhood


He downloaded the apk and extracted the database key from it. This is probably beyond the means of >98% of people. To be fair there have been instances where literally just editing the route on a URL to view a different document has resulted in hacking charges; I wouldn't go to such great lengths to defend this guy.

If you go up to someone's house and look under their welcome mat and find a key, is it okay to unlock the door and stroll in with the rationale that the poor security counts as consent to enter?


Not only are they leaving it unlocked, they are handing the keys to anyone who downloads the app.


Like keeping your unlocked filing cabinet on the front porch...



