(Some might argue that it was authorised because the computer let him do it. However the CFAA simply doesn't work that way. "Authorisation" is what the designers intended, and the initial paywall made that intention perfectly clear.)
So practically yes, let's be aware that the author could indeed be persecuted under the CFAA. But let's not grandstand and pretend that following that law is some sort of moral imperative that benefits everyone. The common individual will be the target of the same attacks with or without that law.
My perspective is that a fundamental aspect of the Internet and the digital world is that the software-codified rules are basically authoritative. While constructive behavior still does matter - eg knowingly turning off a hospital ventilator is still murder - the only gain here was temporarily obtaining some transit. The real remedy is for the provider to fix their systems.
Do you think that hacking per se is ever immoral?
In isolation, why would finding a hole in someone else's ruleset be immoral? If hacking per se were immoral, then there could be no such thing as a "white hat".
I specifically wrote "per se", so no - I'm not.
> If hacking per se were immoral, then there could be no such thing as a "white hat".
White hat hacking is typically specifically authorized (e.g. red teams). That is not the case with the example from the article.
In the locksport community there is a pretty strong norm to only pick locks you own or have specific authorization to pick.
Computer security is not the same thing, but it's also not that different.
That is merely one kind of white hat hacking. Another kind would be figuring out an exploit for software that you have a local copy of, even against the wishes of its developer. If we agree that this is moral, then general finding of holes itself cannot be immoral.
I don't think you mean to imply that in locksport, you only pick models of locks that the manufacturer has given you the go-ahead to attack. Rather you're referring to ownership of the physical lock itself, which is merely one type of authorization. I would also guess that the reason the community repeats this prominently is to head off legal entanglement.
To the extent that a given ruleset only exists on a specific device that one does not own, then it is indeed hard to find holes in it without also affecting that device itself. However, it is still important to draw the distinction between any effects and the logical hacking itself, lest minor effects end up being persecuted inequitably.
In the context of the original article, there are essentially no damages and a little bit of unjust enrichment. Yet this whole thread has blown up about a spectre of harsh punishment under the CFAA, when equity is closer to the amount of the access fee.
EDIT: I’m fairly sure at current prices a single flight could pay for a month’s service for a single plane, probably several times over. The profit margins (& I imagine some the cut to the airline) must be enormous, & there is no pretense of fair terms at sale time because a single corporation can entirely monopolize your attention.
In what bizarro world are people being forced to buy inflight wifi?
How come that isn't happening here?
Anyway, it's a commodity. The positioning of it as a luxury service amounts to theft.
Offense versus defense.
Not saying this is ethical (although selling WiFi for 12$ per hour isn’t either) but I wouldn’t go as far as calling this an attack.
Care to elaborate on this? WiFi on a plane isn’t any kind of thing people are dependent on to survive and satellites are pretty expensive. Airplane WiFi is entirely a luxury good.
Do you feel that charging $12 to watch a movie in a theatre is unethical as well? How about $150k for a Porsche?
Finally it’s just way too expensive at that price.
Versus tracking does actually do something on your computer (e.g. running JS to discover fonts). Arguably that is a circumvention of the intentions of the user on their own hardware.
This is why the CFAA is such a horribly written law. It takes the ToS, something that should be squarely under civil law, and elevates them to being a felony under federal law.
All the js code runs but it doesn't download anything.
Obviously the Terms of Service could prohibit that too.
Refusing to fetch a particular resource would be non-access. You cannot punish non-access as unauthorised access, because no such crime of non-access exists.
I'm curious if it would be feasible to sue a company over sending ads. They have just as much information about what you want displayed on your computer as you have about how they want you to use their apis.
The possible crime (if it is one) would be if you know your browser has adblock, you know authorization to use their server is conditional on not using adblock, and you choose to access it anyway.
Pontificating about abstract "intent" is not actually useful in the digital realm. Protocols  are what ultimately mediate between parties with different desires. The CFAA is merely a relic that gets invoked when some powerful entity gets upset at the outcome of a protocol.
 to be clear, I'm talking about de facto protocols as executed, not de jure protocols as written into RFC.
So let us turn to the ‘proposed’ argument itself: “Software doesn’t commit crimes; people do” The first thing to notice is that the argument has no stated conclusion. What follows? That there should be no software regulation at all? That there should not be any more software regulation than there already is? That the increase in cybercrimes done with ‘software’ is irrelevant to whether or not there should be cyber regulations? Who knows? An argument without a conclusion is by technical basis, not an argument at all.
The statement under consideration clarifies that, when it comes to crimes committed with software, people are the ultimate cause and software is merely a proximate cause—the end of a causal chain that started with a person deciding to commit cyber crimes. But nothing follows from these facts about whether or not software should be regulated. Such facts are true for all criminal activity, and even noncriminal activity that harms others: The ultimate cause is found in some decision that a person made; the event, activity, or object that most directly did the harming was only a proximate cause. But this tells us nothing about whether or not the proximate cause in question should be regulated or made illegal. For example, consider the following argument:
"Bazookas don't kill people; people kill people."
Although it is obviously true that bazookas are only proximate causes, it clearly does not follow that bazookas should be legal. Yes, bazookas don't kill people, people do—but bazookas make it a lot easier for people to kill people, and in great numbers. Further, a bazooka would not be useful for much else besides mass murders. Bazookas clearly should be illegal and the fact that they would only be proximate causes to mass murders does not change this. In fact, it is totally irrelevant to the issue; it has nothing to do with the fact that they should be illegal. Why? Because other things are proximate causes to people’s demise, but obviously shouldn’t be illegal. For example, consider this argument (given in the aftermath of a bad car accident):
"Cars don't kill people; people kill people."
Obviously cars should not be illegal, but notice that this has nothing to do with the fact that they are proximate causes. Of course, they should be regulated; I shouldn't be allowed to go onto the highway in a car with no brakes. But all of that has to do with what cars are for (they are not made for killing people), what role they play in society (it couldn't function without them) and so on. It's a complicated issue—one to which pointing out that cars are merely proximate causes to some deaths contributes nothing.
In conclusion, people who make the feeble argument “software doesn’t commit crime; people do” have mistaken the relevance of proximate causation.
As I interpreted it, someone said adblock may be illegal under existing law because you are accessing a server without authorization. Someone else seems to have argued that this isn't true because adblock doesn't cause anything to happen on the server; therefore, adblock must be legal because adblock only affects the client.
My comment was that this reasoning doesn't hold water. Perhaps the owner states that authorization is only granted to people who don't use adblock. (Maybe there's a splash page that informs the user they aren't authorized to proceed to the next page if they have adblock enabled.) What matters is the choices people make, not that the behavior of the software avoids interacting with the server. Your hands are not clean just because your software doesn't take an action.
> the term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter;
The information they were accessing didn't come from the computer. And this doesn't say anything about using a computer service in an unauthorized way, which is what it sounds like you're describing here.
Even if that language weren't in 18 USC 1030(a)(4), the guidelines sentence assuming no priors would look to be 0-6 months and $250-$5000 fine, assuming you couldn't plea out to something less. I doubt the federal authorities are even going to waste their time looking at $12 of "fraudulent access" that will likely lead to almost no jail time.
That might be the case but it's also nuts. It encourages litigation over better design and makes public enemies out of security professionals, ultimately driving away those professionals from the US and making US developed tech weak.
It's illegal to come into my house and take my stuff even if I forget to lock my back door.
If we want to protect security professionals, we should write laws that do so.
The internet has different cultural norms than physical space. One-to-one analogies are useful for exploring those differences, but not for arguing what they should be. If I have a WiFi connection, leaving it without a password is implicit permission to use it. If I have a server that provides HTTP without authentication, that is implicit permission to access the contents.
That is not to say that people should take advantage of these social norms. If I find a bowl of car keys left on a front porch, even if it is Halloween, I should inform the owner of the house that they probably don't want to do that. If I find incremental IDs that lead to other customers' personal information, I should inform the company, and the other customers if necessary.
There's not a matter of perception or culture as the candy was intentionally left out for a trick or treater to take. And since it's a well known holiday, the intent has been communicated.
If your door is open can I take a shower and cook a meal for myself in your house?
Lol. I don't know where you got this impression, but no, it absolutely is not.
Not only is it not, but you can absolutely be prosecuted and imprisoned for accessing those networks/servers without permission.
Furthermore, that doesn't really apply in this case because not only was he not given "implicit permission to use it", the in-flight WiFi system explicitly bars you from using the internet without paying for it.
Open WiFi is like a water fountain, or a bench, in a public place to me. There's no explicit sign telling you to use it but who'd put it there if it were not to be used? I'm in the UK.
So, for example if I'm out and about and there's an open WiFi I'll connect to it without seeking permission .. in fact I think it would be weird to go and ask (if you could work out who to ask).
(It's also very, very, very terrible practice for your own security. Don't do it.)
If you place a bench in public and you don't want anyone to sit on it then you need to notify people explicitly ... it's the same, I don't find the owner of benches and ask them.
Are there any attacks that work just by connecting to someone's wifi, obviously I'm only using it for non-sensitive traffic unless it's a recognised provider, it's certainly part of my security considerations. Are there specific attacks you're thinking of? Such attacks would work equally if I had explicit authorisation, of course.
Re your link, last time I looked it was allowed to have open shared wifi, and the way you indicate it's open for sharing is having it open and shared. That's probably why the police gave cautions, it placates the complainant and they didn't have to lose in court.
Then it should do so. If I connect and I can use the network without paying, that's not my fault.
I honestly can't believe we're even having this conversation. It is theft, period. Not only is it illegal, it's blatantly immoral.
It's not theft. It's not immoral either. Open wlan means exactly that, so where is the sign? You are on HN, so using something like a VPN is not uncommon, regardless of what network you are using.
For some reason, on HN when I've made this argument before, the resulting comments have been that the internet is somehow different, and that real-world analogies don't exist. Using equipment that you don't own in a way the owners don't intend is apparently well-accepted.
What he did would be more akin to someone entering your property, having their lunch in your garden and cleaning up before leaving.
A better analogy would be going into a restaurant with big “No Outside Food” signs with a sandwich you made at home, hiding the sandwich in a false compartment to get past a check at the door, printing the restaurant’s name on your sandwich wrapper so it looks like you bought it there, and then eating it at a table meant for paying customers.
Regardless of the criminality a real world analog would be more akin to someone taking a chair in a Starbucks without paying - maybe there's room, and maybe it doesn't burden them unduly - but the company definitely pays a cost for each table aggregated across its customers.
How is this a victimless crime?
Thus: let's switch who is penalized: everyone else on the flight. Bandwidth isn't unlimited, without payment it's hard to justify increasing bandwidth if it isn't profitable.
What should the author do? Report it. If he didn't, maybe you can submit it to the company. If they have a bug bounty, you may get paid (if this happens: would you give the money to the original author?)
If you run a company: you should determine how to incentivise reporting, it's possible in this case: not fixing it spreads awareness, most people can't/don't exploit it.
Only if everybody else on the flight was paying for WiFi (doubtful) and bandwidth was maxed out during the flight (plausible.)
Because it looks like it causes an infinitesimal harm to a corporation whereby no person is harmed to any noticeable extent, aka a victimless crime.
"Victimless crime" doesn't mean there are no negative effects, it means no _person_ is a victim.
In the U.S., property law is about the right to control access and use -- harm is a secondary concern.
It's really weird that this is presented as normal so frequently in a virtual context.
When you first try to communicate with a computer, you can't even know it exists until it replies to you. For the analogy with entering buildings to hold, everybody must be blind and deaf and all buildings must be the same from the outside. Under these conditions, you need to lock your doors, because the only way for anyone to be able to differentiate a house from a store is whether or not the door is locked (TCP connection accepted or rejected). When they approach a door, they can't even tell if the door is really there. They might just grasp the air when they reach out with their hand (TCP timeout from lack of response).
A better analogy is people talking. Everybody is still blind but not deaf. Let's say your robot slaves are talking. Your robot, probably bored, calls out to somebody, "Robot 10?". A robot replies, "yeah?". So, now you know they exist and they're willing to talk to you; you've initiated a TCP connection. "So, how's it going?" your robot asks; HTTP GET /. "My master got married last week.", he responds; HTTP 200 OK. Then comes out his master from behind the curtain, and says "No! It was never my intention for my robot to give out this information. In fact, it was never my intention for my robot to reply to anything anyone ever said. This is your fault!", pointing at you. "You called out to Robot 10, and he replied when it was never my intention for him to reply. He should have said, 'Sorry, I don't talk to strangers' (TCP connection rejection or HTTP 403 Forbidden) or refused to talk (TCP timeout from lack of response) or something. I could have told him to keep quiet, that such things are confidential, but... but... but you should not have called out to Robot 10! You're a criminal! Don't ever do that again. I may just have configured him incorrectly to die whenever he hears a greeting and that will be your fault too if you greet him! I'll charge you with murder for greeting him! and I'll sue you for compensation for the damages I incurred from my robot not being able to do some work for me while being dead."
We could disregard a computer's configuration as indication of their master's intent. However, that doesn't mean not entering someone's house via the back door. It means not talking to anyone ever for fear of them turning around and accusing you for talking to them or for hearing stuff they willingly told you.
Sure it's illegal, but hardly worth 5 years and I doubt there's a judge who would give more than community service for a stunt like this. But who knows, people get a lot more sensitive when it happens with computers or if it involves air travel.
Trouble is, the judge doesn't get to decide. Judges have to follow the federal sentencing guidelines. These can produce some bizarre results. https://www.eff.org/deeplinks/2013/03/41-months-weev-underst...
This is such a poor analogy. You are conflating access with use... someone "stealing your stuff" is what they do with the access, access is figuring out how to open the door which is the focus of what this guy was doing...
This is where all physical world analogies basically end, the closest would be a lock picking enthusiast, but digital access is a huge complicated world that is conflated with the concept of selling communication.
The so-called US law talks of intent, so why not talk about intent of the "accused" here: This clearly isn't some average freeloader interested in saving $12, the interest is far deeper, the challenge in overcoming the access and then presenting what he found out "isn't this interesting" - is that really the behavior of someone intent on "stealing your stuff". No.
If you really want to talk about what he "stole" as a process of that intent, it's literally utility, like a bathroom with a $12 lock... of which it is of course not even clear how much he used, the focus was all about figuring out how to gain access, not seeing how much netflix he could download.