
How does this not apply to stuff like trackers bypassing anti-fingerprinting browser protections?



Because a prosecutor hasn't tried to use it in that way.


Which highlights a fundamental truth to law - it's only enforced to backstop the status quo. Routing around a wifi paywall rocks the boat, performing invasive surveillance on website visitors doesn't.

So practically yes, let's be aware that the author could indeed be persecuted under the CFAA. But let's not grandstand and pretend that following that law is some sort of moral imperative that benefits everyone. The common individual will be the target of the same attacks with or without that law.


Following the law may not be a moral imperative, but let's not pretend like the author did anything moral here. He knowingly and with intent stole services from the airline. It not only was illegal, it's blatantly immoral.


The thing about morals is that we can disagree. Just because this scenario fits your definition of "stole" does not mean it fits mine.

My perspective is that a fundamental aspect of the Internet and the digital world is that the software-codified rules are basically authoritative. While constructive behavior still does matter - eg knowingly turning off a hospital ventilator is still murder - the only gain here was temporarily obtaining some transit. The real remedy is for the provider to fix their systems.


> My perspective is that a fundamental aspect of the Internet and the digital world is that the software-codified rules are basically authoritative.

Do you think that hacking per se is ever immoral?


I suspect you're still associating hacking with other actions that can be facilitated by hacking. But the very next thing I wrote was "knowingly turning off a hospital ventilator is still murder", so it only makes sense to answer as if you strongly intend the "per se".

In isolation, why would finding a hole in someone else's ruleset be immoral? If hacking per se were immoral, then there could be no such thing as a "white hat".


> I suspect you're still associating hacking with other actions that can be facilitated by hacking.

I specifically wrote "per se", so no - I'm not.

> If hacking per se were immoral, then there could be no such thing as a "white hat".

White hat hacking is typically specifically authorized (e.g. red teams). That is not the case with the example from the article.

In the locksport community there is a pretty strong norm to only pick locks you own or have specific authorization to pick.

Computer security is not the same thing, but it's also not that different.


> White hat hacking [is] typically specifically authorized (e.g. red teams)

That is merely one kind of white hat hacking. Another kind would be figuring out an exploit for software that you have a local copy of, even against the wishes of its developer. If we agree that this is moral, then general finding of holes itself cannot be immoral.

I don't think you mean to imply that in locksport, you only pick models of locks that the manufacturer has given you the go-ahead to attack. Rather you're referring to ownership of the physical lock itself, which is merely one type of authorization. I would also guess that the reason the community repeats this prominently is to head off legal entanglement.

To the extent that a given ruleset only exists on a specific device that one does not own, then it is indeed hard to find holes in it without also affecting that device itself. However, it is still important to draw the distinction between any effects and the logical hacking itself, lest minor effects end up being persecuted inequitably.

In the context of the original article, there are essentially no damages and a little bit of unjust enrichment. Yet this whole thread has blown up about a spectre of harsh punishment under the CFAA, when equity is closer to the amount of the access fee.


It’s also immoral to force bad pricing down customer throats. And yet that is the definition of the inflight wifi business.

EDIT: I’m fairly sure at current prices a single flight could pay for a month’s service for a single plane, probably several times over. The profit margins (& I imagine some the cut to the airline) must be enormous, & there is no pretense of fair terms at sale time because a single corporation can entirely monopolize your attention.


> It’s also immoral to force bad pricing down customer throats. And yet that is the definition of the inflight wifi business.

In what bizarro world are people being forced to buy inflight wifi?


The profit margin for luxury addons is always insane. That doesn't make them unethical. In fact, there's a very good argument to be made that luxury pricing is positively ethical, as it allows the base experience to be offered for a lower price to more price-sensitive customers.


> In fact, there's a very good argument to be made that luxury pricing is positively ethical, as it allows the base experience to be offered for a lower price to more price-sensitive customers.

How come that isn't happening here?

Anyway, it's a commodity. The positioning of it as a luxury service amounts to theft.


His attack is active, privacy plugins are passive, even if they report back false fingerprints.

Offense versus defense.


Not sure if the attack is active. He’s not actively talking to the filtering equipment to try and mess up its configuration or disable it. He’s just sending out packets hoping to reach the internet (a perfectly valid thing to do considering the system is designed to let you access the internet). It just so happens that certain packets manage to slip through the poorly designed filter.


How is this different from trying a door handle to see if it's open.


In this case the “door handle” is marked with “pull to access the internet”, and he is pulling on it. The handle is supposed to have a mechanism to demand payment before opening but in this case it failed and opened right away.

Not saying this is ethical (although selling WiFi for 12$ per hour isn’t either) but I wouldn’t go as far as calling this an attack.


> although selling WiFi for 12$ per hour isn’t either

Care to elaborate on this? WiFi on a plane isn’t any kind of thing people are dependent on to survive and satellites are pretty expensive. Airplane WiFi is entirely a luxury good.

Do you feel that charging $12 to watch a movie in a theatre is unethical as well? How about $150k for a Porsche?


The problem is airplane WiFi has a captive audience with no competition so they can charge unfair rates and there is no free market to balance it.


So if you go to the top of a mountain and there is a single cabin selling water there, at outrageous prices, you would just help yourself to one bottle, because hey, no competition, captive audience.


The problem is that it’s $12 for an hour, regardless of whether you end up using it, or whether it works at all (do you get a guaranteed bandwidth along with that, and is there some BS filter that’s gonna interfere with certain sites or protocols despite you having paid?).

Finally it’s just way too expensive at that price.


You could say the same about adblock then, so let's not open that can of worms.


Is it though? The adblocker runs locally on your own computer; it certainly prevents the ads from doing what the designer intended, but it doesn't make the designer's computer (or any computer controlled by the ad network) do anything.

Versus tracking does actually do something on your computer (e.g. running JS to discover fonts). Arguably that is a circumvention of the intentions of the user on their own hardware.


The problem is that the phrase "exceeds authorized access" does not distinguish between the access increasing beyond the authorization and the authorization decreasing below the current access. Suppose I put in my Terms of Service the phrase "Access to this system is contingent on running the delivered webpage, including all first-party and third-party Javascript, without modification." Now, whether or not the HTTP request to the server is authorized depends on what you do with the payload.

This is why the CFAA is such a horribly written law. It takes the ToS, something that should be squarely under civil law, and elevates them to being a felony under federal law.


Some adblockers work outside the browser. They block the hosts with custom /etc/hosts or by using a local proxy that filters out requests to ad servers.

All the js code runs but it doesn't download anything.

Obviously the Terms of Service could prohibit that too.


> Access to this system is contingent on running the delivered webpage, including all first-party and third-party Javascript, without modification.

Refusing to fetch a particular resource would be non-access. You cannot punish non-access as unauthorised access, because no such crime of non-access exists.


I am very confused as to what you're trying to say with this.


What about the reverse of that. When I load a website, I expect it to load the normal information of the page in question (for an article about something, that article). I do _not_ want or grant permission for it to display ads. As such, their host sending ads to my machine is "exceeding authorized access".

I'm curious if it would be feasible to sue a company over sending ads. They have just as much information about what you want displayed on your computer as you have about how they want you to use their apis.


You can't look at the legality of it from the point of what the adblocker does. Software doesn't commit crimes; people do.

The possible crime (if it is one) would be if you know your browser has adblock, you know authorization to use their server is conditional on not using adblock, and you choose to access it anyway.


> you know your browser has adblock, you know authorization to use their server is conditional on not using adblock, and you choose to access it anyway

Meanwhile the website publisher knows that authorization to run javascript may not include performing surveillance, yet includes circumvention code to perform surveillance anyway. So everybody is violating the law, which is why the CFAA is terrible legislation - it relies completely on selective persecution.

Pontificating about abstract "intent" is not actually useful in the digital realm. Protocols [0] are what ultimately mediate between parties with different desires. The CFAA is merely a relic that gets invoked when some powerful entity gets upset at the outcome of a protocol.

[0] to be clear, I'm talking about de facto protocols as executed, not de jure protocols as written into RFC.


This is an extremely naïve, baseless argument- if you could even call it an argument at all.

So let us turn to the ‘proposed’ argument itself: “Software doesn’t commit crimes; people do” The first thing to notice is that the argument has no stated conclusion. What follows? That there should be no software regulation at all? That there should not be any more software regulation than there already is? That the increase in cybercrimes done with ‘software’ is irrelevant to whether or not there should be cyber regulations? Who knows? An argument without a conclusion is by technical basis, not an argument at all.

The statement under consideration clarifies that, when it comes to crimes committed with software, people are the ultimate cause and software is merely a proximate cause—the end of a causal chain that started with a person deciding to commit cyber crimes. But nothing follows from these facts about whether or not software should be regulated. Such facts are true for all criminal activity, and even noncriminal activity that harms others: The ultimate cause is found in some decision that a person made; the event, activity, or object that most directly did the harming was only a proximate cause. But this tells us nothing about whether or not the proximate cause in question should be regulated or made illegal. For example, consider the following argument:

"Bazookas don't kill people; people kill people."

Although it is obviously true that bazookas are only proximate causes, it clearly does not follow that bazookas should be legal. Yes, bazookas don't kill people, people do—but bazookas make it a lot easier for people to kill people, and in great numbers. Further, a bazooka would not be useful for much else besides mass murders. Bazookas clearly should be illegal and the fact that they would only be proximate causes to mass murders does not change this. In fact, it is totally irrelevant to the issue; it has nothing to do with the fact that they should be illegal. Why? Because other things are proximate causes to people’s demise, but obviously shouldn’t be illegal. For example, consider this argument (given in the aftermath of a bad car accident):

"Cars don't kill people; people kill people."

Obviously cars should not be illegal, but notice that this has nothing to do with the fact that they are proximate causes. Of course, they should be regulated; I shouldn't be allowed to go onto the highway in a car with no brakes. But all of that has to do with what cars are for (they are not made for killing people), what role they play in society (it couldn't function without them) and so on. It's a complicated issue—one to which pointing out that cars are merely proximate causes to some deaths contributes nothing.

In conclusion- people who make the feeble argument “software doesn’t commit crime; people do” have mistaken the relevance of proximate causation.


You have missed the point of my comment. It isn't about what the law should be. Instead, I was discussing whether it is currently legal to use adblock.

As I interpreted it, someone said adblock may be illegal under existing law because you are accessing a server without authorization. Someone else seems to have argued that this isn't true because adblock doesn't cause anything to happen on the server; therefore, adblock must be legal because adblock only affects the client.

My comment was that this reasoning doesn't hold water. Perhaps the owner states that authorization is only granted to people who don't use adblock. (Maybe there's a splash page that informs the user they aren't authorized to proceed to the next page if they have adblock enabled.) What matters is the choices people make, not that the behavior of the software avoids interacting with the server. Your hands are not clean just because your software doesn't take an action.


You're accessing the other site's computer in a way they did not intend, which is with adblock.


If they track me they are accessing my computer in a way I did not intend. I even provided them with a DNT header to make my wishes clear.



