The CFAA declines to define "unauthorized access", meaning that the site operator can simply label anything that wasn't what they envisioned as "unauthorized" and suddenly you're a felon.
You are obviously not aware of the times in which we live.
Both Weev and this guy clearly knew that they were accessing data they weren't supposed to access, even if the protection in place was/is clearly inadequate.
Legal actions based on security through obscurity are a silly idea.
People who complain that "that could make any URL illegal!" are being facetious: if you hit a site once and see personally identifiable information (PII), report it and leave! It's like if you were out hiking and you wandered onto someone's land: one incursion isn't going to get you thrown in jail, but repeated, systematic incursions will make it hard for you to argue that it was an accident.
If you really want more explicit laws on this sort of stuff, you're going to end up with a ton of very explicit cruft all over the web. You know those email footers saying "If you aren't the intended recipient, throw this away"? The best we can expect is to require sites to put those boilerplate warnings on pages you aren't supposed to access. These would be analogous to 'no trespassing' signs in real life.
If someone physically circumvents your door in order to see what's inside there's a difference in culpability.
Don't laws about the physical world make a distinction between trespassing and breaking & entering?
if you hit a site once and see personally identifiable information (PII), report it and leave!
And get either ignored or sued.
Sure. In rough terms:
Trespassing is being on real property of another without permission or legal privilege.
Breaking and entering is entering a residence or other enclosed property through the use of even the slightest amount of force (including things like pushing open a door or window that is not locked -- or even one that is not fully closed.)
Burglary is the same as B&E, but with the intent to commit any other crime on the property.
Most importantly, though, in the physical world, all of them are still illegal; why should "unauthorized access" being punishable in the digital world require some kind of effective security system when "unauthorized presence" (trespassing) in the physical world does not?
That they are giving out signatures makes it even worse, as it could easily be used for identity theft. I am never using DHL again.
My advice would be to take down the script, remove the signature image from your blog post and contact DHL (if you haven't already).
As for analysis of signatures, it would be interesting to see if you could compare male / female writing, and see if there was anything you could learn, to predict if the writing was by a man or woman. There is a list that you can download from the Library of Congress http://www.census.gov/genealogy/www/data/1990surnames/names_... for first male / female names.
They were really easy to deal with; the chap on the phone was very helpful and took copious notes. All in all a much nicer process than when I called Mastercard about a vulnerability a few years ago.
So, raspberries to DHL for the bug existing in the first place, but kudos for the way they handled the report. Very impressive so far.
This is 2013. It's not about the "grab". The act is publishing, making available. Those who access are not the gatekeepers.
As to why I shared the script, I dunno I just figured others might find it interesting - though on reflection it's not particularly advanced.
For several months, DHL's debt collectors have been pursuing my company for unpaid import taxes because some fraudsters trivially used our (misspelled) company name on their account (without any true "ID theft" taking place). Despite mountains of proof to the contrary, the case continues and may be headed for court.
I'm so tempted to report this to the ICO because it seems like a violation of British data protection laws.
Edit: Ahh, I see you're based outside the US, carry on.
I think a scarier prospect is that signature recognition may make it possible for someone to search for all the packages you've ever signed for, regardless of the courier or location at which you accepted it. I'd be surprised if couriers weren't already doing this in collaboration with law enforcement.
What I did find interesting was how much effort most people seem to apply to doing a proper signature on that tiny, awkward device. I just dash a line and the delivery guy is happy.
More sinister: if somebody grabs your check book and starts writing bad checks, I doubt the bank will pay much attention to whatever they scribble on them and you'll have a real nuisance on your hands.
Similarly, when signing leases for flats, you usually need a copy of your passport/ID to prove that the signature is indeed yours.
Edit: Oh, and just pretending to be someone else is a lesser crime than pretending to be someone else and faking their signature, so requiring a signature might help as some sort of deterrent. (You can still do three circles for your signature, but doing three circles while impersonating someone else and giving the impression that said three circles are their signature is a crime on its own (in Germany (IANAL))).
If you go to court over some contract, how much the signature looks like yours is not particularly important - it's whether or not you made it.
Stories about people signing contracts "Mickey Mouse" are apocryphal for the same reason.
The only place your signature really counts is when signing a credit card bill - something that was only ever really a convenience until a better(ish) solution came along.
They are everywhere… a particular hotel’s breakfast order card you hang on the door knob requires a signature, banks require them, you sometimes have to sign when paying with a credit card, people expect you to doodle in a little box whenever there is exchange of money and goods.
Remind me to print HERP DERP next time with DHL please.
Only thing that helps is a sufficiently random tracking hash/string.