
> However the CFAA simply doesn't work that way. "Authorisation" is what the designers intended, and the initial paywall made that intention perfectly clear.

That might be the case but it's also nuts. It encourages litigation over better design and makes public enemies out of security professionals, ultimately driving away those professionals from the US and making US developed tech weak.




It's not nuts when compared to non-tech laws.

It's illegal to come into my house and take my stuff even if I forget to lock my back door.

If we want to protect security professionals, we should write laws that do so.


I think the local culture needs to be taken into account. Suppose I walk onto your porch, see something I want, and take it with me. That's pretty plainly theft, right? Now suppose I am eight years old, taking candy from a bowl left out on Halloween. That's pretty plainly not theft. To somebody unfamiliar with the cultural practice of trick-or-treating, they might assume that it is theft.

The internet has different cultural norms than physical space. One-to-one analogies are useful for exploring those differences, but not for arguing what they should be. If I have a WiFi connection, leaving it without a password is implicit permission to use it. If I have a server that provides HTTP without authentication, that is implicit permission to access the contents.

That is not to say that people should take advantage of these social norms. If I find a bowl of car keys left on a front porch, even if it is Halloween, I should inform the owner of the house that they probably don't want to do that. If I find incremental IDs that lead to other customers' personal information, I should inform the company, and the other customers if necessary.


> That's pretty plainly not theft.

It's not a matter of perception or culture, as the candy was intentionally left out for a trick-or-treater to take. And since it's a well-known holiday, the intent has been communicated.


And that's exactly my point: the cultural norms dictate whether something is an offer or not. For Halloween, the placing of candy outside one's door indicates that it is intended to be shared. For WiFi networks, in the absence of any other indication, not placing a password indicates that it is intended to be used.


>If I have a WiFi connection, leaving it without a password is implicit permission to use it. If I have a server that provides HTTP without authentication, that is implicit permission to access the contents.

If your door is open can I take a shower and cook a meal for myself in your house?


>If I have a WiFi connection, leaving it without a password is implicit permission to use it. If I have a server that provides HTTP without authentication, that is implicit permission to access the contents.

Lol. I don't know where you got this impression, but no, it absolutely is not.

Not only is it not, but you can absolutely be prosecuted and imprisoned for accessing those networks/servers without permission.

Furthermore, that doesn't really apply in this case because not only was he not given "implicit permission to use it", the in-flight WiFi system explicitly bars you from using the internet without paying for it.


Where do you live?

Open WiFi is like a water fountain, or a bench, in a public place to me. There's no explicit sign telling you to use it, but who'd put it there if it were not to be used? I'm in the UK.

So, for example if I'm out and about and there's an open WiFi I'll connect to it without seeking permission .. in fact I think it would be weird to go and ask (if you could work out who to ask).


In the UK, what you're doing is illegal under the Computer Misuse Act. I don't think the police are out scouring the streets for people stealing wifi, so you probably won't be prosecuted for it. But still, it is technically illegal. Example: https://uk.reuters.com/article/uk-britain-wireless/two-cauti...

(It's also very, very, very terrible practice for your own security. Don't do it.)


It would be illegal if it were unauthorised. I'm not checking it's authorised because you'd have to be a moron to have published your open router if you didn't intend to have an open router being published. Whilst there's a chance that when I go to McDo I'm not actually authorised to use the published open wifi, it's so slim that it's not worth me tracking down the router owner to ask them -- if that were even possible to do.

If you place a bench in public and you don't want anyone to sit on it then you need to notify people explicitly ... it's the same, I don't find the owner of benches and ask them.

Are there any attacks that work just by connecting to someone's wifi? Obviously I'm only using it for non-sensitive traffic unless it's a recognised provider; it's certainly part of my security considerations. Are there specific attacks you're thinking of? Such attacks would work equally if I had explicit authorisation, of course.

Re your link, last time I looked it was allowed to have open shared wifi, and the way you indicate it's open for sharing is having it open and shared. That's probably why the police gave cautions, it placates the complainant and they didn't have to lose in court.


Connecting to open WiFi for internet access is just as secure as connecting to WiFi with WPA enabled. There are so many insecure hops between you and your destination that the last mile access mode is irrelevant.


>Furthermore, that doesn't really apply in this case because not only was he not given "implicit permission to use it", the in-flight WiFi system explicitly bars you from using the internet without paying for it.

Then it should do so. If I connect and I can use the network without paying, that's not my fault.


If you knowingly and with intent use that network without paying, even when knowing that the owner of the network wants all users to pay, it absolutely is your fault. The airline could literally put zero restrictions on their network access, but as long as they put up a sign that says "internet is only for those who pay for it", it would be both illegal and wrong for you to access that internet without paying.

I honestly can't believe we're even having this conversation. It is theft, period. Not only is it illegal, it's blatantly immoral.


>I honestly can't believe we're even having this conversation. It is theft, period. Not only is it illegal, it's blatantly immoral.

It's not theft. It's not immoral either. Open wlan means exactly that, so where is the sign? You are on HN, so using something like a VPN is not uncommon, regardless of what network you are using.


> It's illegal to come into my house and take my stuff even if I forget to lock my back door.

For some reason, on HN when I've made this argument before, the resulting comments have been that the internet is somehow different, and that real-world analogies don't exist. Using equipment that you don't own in a way the owners don't intend is apparently well-accepted.


Probably because this is a victimless crime...

What he did would be more akin to someone entering your property, having their lunch in your garden and cleaning up before leaving.


This is a business and satellite bandwidth is fairly precious.

A better analogy would be going into a restaurant with big “No Outside Food” signs with a sandwich you made at home, hiding the sandwich in a false compartment to get past a check at the door, printing the restaurant’s name on your sandwich wrapper so it looks like you bought it there, and then eating it at a table meant for paying customers.


I love these analogies, but that's wrong. A better analogy would be you use their raw ingredients to make your own food, bring your own utensils and plates, and sit at their restaurant to eat. Basically, you're leasing their bandwidth without payment. Airlines are paying viasat or some other company for access to their satellites and expecting customers to pay the cost for usage (and probably make some profit).


Uplink for airplanes is not free by any means.

Regardless of the criminality, a real-world analog would be more akin to someone taking a chair in a Starbucks without paying - maybe there's room, and maybe it doesn't burden them unduly - but the company definitely pays a cost for each table aggregated across its customers.


> Probably because this is a victimless crime...

How is this a victimless crime?


It's not victimless, the loser is the service provider whose bandwidth is consumed. The line many draw is that corporations aren't people and can't be the victim, this is a false analogy.

Thus: let's switch who is penalized: everyone else on the flight. Bandwidth isn't unlimited, without payment it's hard to justify increasing bandwidth if it isn't profitable.

What should the author do? Report it. If he didn't, maybe you can submit it to the company. If they have a bug bounty, you may get paid (if this happens: would you give the money to the original author?)

If you run a company: you should determine how to incentivise reporting. It's possible in this case: not fixing it spreads awareness, and most people can't/don't exploit it.


> "Thus: let's switch who is penalized: everyone else on the flight."

Only if everybody else on the flight was paying for WiFi (doubtful) and bandwidth was maxed out during the flight (plausible.)


Correct, I failed to clarify it penalized the paying users IF bandwidth was maxed out.


Name the victim, please.

Because it looks like it causes an infinitesimal harm to a corporation whereby no person is harmed to any noticeable extent, aka a victimless crime.

"Victimless crime" doesn't mean there are no negative effects, it means no _person_ is a victim.


Every user who bears the additional cost of the service because of freeloaders is a victim.


Your working definition sounds like it's wrong: Could you give an example of what you call a "victimless crime"?


Have you tried Wikipedia?


What you're describing (someone entering your property, having their lunch in your garden and cleaning up before leaving) meets all the elements of physical trespass if the owner of the property didn't grant permission, and is unlawful. Now, the damages might be minimal, but it's still unlawful.

In the U.S., property law is about the right to control access and use -- harm is a secondary concern.


Well, mentally ill people sometimes do break into houses and do harmless things, like making a sandwich or taking a shower, and this generally has severe consequences for them even though it was not malicious, and is of course experienced as a shock and/or violation by the owner who discovers it.

It's really weird that this is presented as normal so frequently in a virtual context.


Granted that's still a crime. You probably won't use the video recording of that guy to file a police report (unless you suspect he did something else on your property, which would be like the author also running aggressive nmap scans) just as viasat is probably not going to file a lawsuit.


Closer to breaking into a vacant hotel room instead of checking in at the front desk.


Maybe more like someone entering a restaurant, sitting down at one of their tables and eating a lunch they brought themselves, or just reading a book, taking up that table during a busy lunch period.


No, it's more like tricking the restaurant staff into giving him a free meal.


Equating entering buildings with communicating with computers on the internet really is an awful analogy. You can stand in front of a building and be able to tell whether it's a house or a store, i.e. a building meant for private access or for public access. You can also tell a difference between a back door and a front door by looking from afar. You can do neither of these things with computers. You can't look at it from afar to give you clues, you need to communicate with it. The way computers communicate is dictated by protocols. Protocols will tell you stuff like whether you're allowed to talk to them or not. TCP includes telling you whether you're allowed or not via its protocol. HTTP will tell you whether you're allowed or not via its protocol. If the protocols don't tell you they're unwilling to talk, and continue by talking to you, you can only assume its ok for them to talk to you.

When you first try to communicate with a computer, you can't even know it exists until it replies to you. For the analogy with entering buildings to hold, everybody must be blind and deaf and all buildings must be the same from the outside. Under these conditions, you need to lock your doors, because the only way for anyone to be able to differentiate a house from a store is whether or not the door is locked (TCP connection accepted or rejected). When they approach a door, they can't even tell if the door is really there. They might just grasp the air when they reach out with their hand (TCP timeout from lack of response).

A better analogy is people talking. Everybody is still blind but not deaf. Let's say your robot slaves are talking. Your robot, probably bored, calls out to somebody, "Robot 10?". A robot replies, "yeah?". So, now you know they exist and they're willing to talk to you; you've initiated a TCP connection. "So, how's it going?" your robot asks; HTTP GET /. "My master got married last week.", he responds; HTTP 200 OK. Then comes out his master from behind the curtain, and says "No! It was never my intention for my robot to give out this information. In fact, it was never my intention for my robot to reply to anything anyone ever said. This is your fault!", pointing at you. "You called out to Robot 10, and he replied when it was never my intention for him to reply. He should have said, 'Sorry, I don't talk to strangers' (TCP connection rejection or HTTP 403 Forbidden) or refused to talk (TCP timeout from lack of response) or something. I could have told him to keep quiet, that such things are confidential, but... but... but you should not have called out to Robot 10! You're a criminal! Don't ever do that again. I may just have configured him incorrectly to die whenever he hears a greeting and that will be your fault too if you greet him! I'll charge you with murder for greeting him! and I'll sue you for compensation for the damages I incurred from my robot not being able to do some work for me while being dead."

We could disregard a computer's configuration as indication of their master's intent. However, that doesn't mean not entering someone's house via the back door. It means not talking to anyone ever for fear of them turning around and accusing you for talking to them or for hearing stuff they willingly told you.


The path between two cities is privately owned and the owner charges people to walk through it. There is a side gate for bathroom access. This is akin to going up to the gate and telling the owner "I'm just here to use the bathroom" (sni:viasat) and then after going through the gate just continuing to the other city.

Sure it's illegal, but hardly worth 5 years and I doubt there's a judge who would give more than community service for a stunt like this. But who knows, people get a lot more sensitive when it happens with computers or if it involves air travel.


> I doubt there's a judge who would give more than community service for a stunt like this.

Trouble is, the judge doesn't get to decide. Judges have to follow the federal sentencing guidelines. These can produce some bizarre results. https://www.eff.org/deeplinks/2013/03/41-months-weev-underst...


> It's illegal to come into my house and take my stuff even if I forget to lock my back door.

This is such a poor analogy. You are conflating access with use... someone "stealing your stuff" is what they do with the access; access is figuring out how to open the door, which is the focus of what this guy was doing...

This is where all physical world analogies basically end, the closest would be a lock picking enthusiast, but digital access is a huge complicated world that is conflated with the concept of selling communication.

The so-called US law talks of intent, so why not talk about intent of the "accused" here: This clearly isn't some average freeloader interested in saving $12. The interest is far deeper: the challenge in overcoming the access and then presenting what he found out, "isn't this interesting" - is that really the behavior of someone intent on "stealing your stuff"? No.

If you really want to talk about what he "stole" as a process of that intent, it's literally utility, like a bathroom with a $12 lock... of which it is of course not even clear how much he used, the focus was all about figuring out how to gain access, not seeing how much netflix he could download.


It's not illegal to use 500GB of fibre bandwidth in a month when you only pay for 250GB though (say due to a bug in their method of counting usage).


If you do it by accident? Sure. If you discover that you can trigger the bug by unplugging the router at 11:59PM and take advantage of this to blow through your limits? That’s not so legal, no.


It is not unauthorised access when you exceed your bandwidth quota. It is simply another debt, even if it is not billed correctly yet. Most would lose their internet subscription if it were considered unauthorised access.


It is if you intentionally structure your communications to evade their accounting.


Has it, though, in practice? The CFAA has been in effect for over 30 years. If this law actually had the chilling effect you claim it does, we would already have observed a significant security talent exodus from the U.S. My observation from having worked in Silicon Valley throughout the past 20 years suggests there's still plenty of talent to go around and plenty of lawful work being done.


The reason it hasn't is because the CFAA's track record as a prosecutorial tool is mixed at best. Of the 8 or so high profile cases using it only one conviction has actually held up. As a result, prosecutors are understandably hesitant about leaning on it.



