Hacker News new | comments | show | ask | jobs | submit login
Grabbing random DHL package signatures (mclemon.cz)
62 points by smcl 1397 days ago | hide | past | web | 51 comments | favorite

On Sunday, weev will spend his 28th birthday in federal prison for doing this exact same thing.

The CFAA declines to define "unauthorized access", meaning that the site operator can simply label anything that wasn't what they envisioned as "unauthorized" and suddenly you're a felon.

You are obviously not aware of the times in which we live.

The UK is the same. I don't think it has been tested in court, but the Computer Misuse Act 1990 makes "Unauthorised access to computer material" illegal. Doing this would legally fall under this, resulting in a fine of up to £5000 or 6 months behind bars.

So, the actual sentencing is certainly overzealous, but are you arguing that "unauthorized access" shouldn't be illegal? Should it just be a free-for-all: if you can get into it, you're welcome, and you can do whatever you want with any data you can get your hands on? If not, what's the threshold? Are you allowed to guess a password? What if you bruteforce it? Can you use a zero-day vulnerability in Rails?

Both Weev and this guy clearly knew that they were accessing data they weren't supposed to access, even if the protection in place was/is clearly inadequate.

Unauthorized Access should mean there is something that enforces authorization in front of it, and you circumvented that or forcefully passed through.

Legal actions based on security through obscurity is a silly idea.

Nope. If I leave my front door open and you walk in off the street, it's still trespassing. You don't have to make a reasonable effort to secure physical goods, why should you have to to secure virtual information?

People who complain that "that could make any URL illegal!" are being facetious: if you hit a site once and see personally identifiable information (PII), report it and leave! It's like if you were out hiking and you wandered onto someone's land: one incursion isn't going to get you thrown in jail, but repeated, systematic incursions will make it hard for you to argue that it was an accident.

If you really want more explicit laws on this sort of stuff, you're going to end up with a ton of very explicit cruft all over the web. You know those email footers saying "If you aren't the intended recipient, throw this away"? The best we can expect is to require sites to put those boilerplate warnings on pages you aren't supposed to access. These would be analogous to 'no trespassing' signs in real life.

Seems to me more like you leaving your door open and then trying to have someone arrested for looking through your doorway.

If someone physically circumvents your door in order to see what's inside there's a difference in culpability.

If they peek in once, they wouldn't go to jail. If they come in a thousand times and take pictures, that's very different.

He said "look". There's nothing criminal or morally wrong about looking through someone's open door, regardless of extent.

Nope. If I leave my front door open and you walk in off the street, it's still trespassing.

Don't laws about the physical world make a distinction between trespassing and breaking & entering?

if you hit a site once and see personally identifiable information (PII), report it and leave!

And get either ignored or sued.

> Don't laws about the physical world make a distinction between trespassing and breaking & entering?

Sure. In rough terms:

Trespassing is being on real property of another without permission or legal privilege.

Breaking and entering is entering a residence or other enclosed property through the use of even the slightest amount of force (including things like pushing open a door or window that is not locked -- or even one that is not fully closed.)

Burglary is the same as B&E, but with the intent to commit any other crime on the property.

Most importantly, though, in the physical world, all of them are still illegal; Why should "unauthorized access" being punishable in the digital world should require some kind of effective security system when "unauthorized presence" (trespassing) in the phjyiscal world does not?

The door analogy does not carry over well. Its more like I had a yard sale on my front lawn with an invisible line beyond which you are trespassing.

I think it is wrong that these companies go unpunished. It would be one thing if it was an "actual" hack, but in these cases the companies are literally giving away the private information of their customers to anyone who asks for it.

That they are giving out signatures makes it even worse, as it could easily be used for identity theft. I am never using DHL again.

According to the site he is based in Czech Republic, are the laws there the same there as in the USA? and if not, do you think that he could face extradition for this?

I am, I just reckon this is not quite the same. Some shitty pixellated signatures are not a particularly big deal

The shitty, pixellated signatures could be used to fraudulently sign electronic documents...

I'll submit that it was not smart to collate them into a tarball and bung them into my dropbox

In weev's case all he grabbed were email addresses but this landed him with 41 months in a federal prison and a fine of $73,000.

My advice would be to take down the script, remove the signature image from your blog post and contact DHL (if you haven't already).

This is probably something you should have reported to DHL before you shared this.

As for analysis of signatures, it would be interesting to see if you could compare male / female writing, and see if there was anything you could learn, to predict if the writing was by a man or woman. There is a list that you can download from the Library of Congress http://www.census.gov/genealogy/www/data/1990surnames/names_... for first male / female names.

Well DHL at least are aware of the issue , via a twitter conversation https://twitter.com/DHLPaket/status/373388119175090176

I called it in to DHL Australia, & followed it up today (no reply yet).

They were really easy to deal with; the chap on the phone was very helpful and took copious notes. All in all a much nicer process than when I called Mastercard about a vulnerability a few years ago.

So, raspberries to DHL for the bug existing in the first place, but kudos for the way they handled the report. Very impressive so far.

While it's good to expose such a security issue why would he grab 1000 signatures and than share the script? What do white hat security researches think of that?

Why would DHL publish -all- of the signatures on the web without even a rudimentary audit/security review?

This is 2013. It's not about the "grab". The act is publishing, making available. Those who access are not the gatekeepers.

Two wrongs don't make a right

It's not wrong to read something someone posted inside a window.

I didn't even think of it as a security thing. A surname, signature and vague region in a country is not a particularly narrow combination. I was mostly just wanting to look at the signatures themselves - I'm not by any stretch of the imagination expert in breaking security. Any idiot could take a URL and increment a param in the URL.

As to why I shared the script, I dunno I just figured others might find it interesting - though on reflection it's not particularly advanced.

This doesn't surprise me. I think DHL is an absolute joke when it comes to security and validating identity.

For several months, DHL's debt collectors have been pursuing my company for unpaid import taxes because some fraudsters trivially used our (misspelled) company name on their account (without any true "ID theft" taking place). Despite mountains of proof to the contrary, the case continues and may be headed for court.

I'm so tempted to report this to the ICO because it seems like a violation of British data protection laws.

Yeaaaah, you could probably fall afoul of the CFAA with this one... See: weev.

Edit: Ahh, I see you're based outside the US, carry on.

Lol on the edit :P

Fortunately, for many of us, signing for packages is probably the only frequent use of our scrawl so hopefully the potential for fraud from this hack is lessened.

I think a scarier prospect is that signature recognition may make it possible for someone to search for all the packages you've ever signed-for, regardless of the courier or location at which you accepted it. I'd be surprised if couriers weren't already doing this in collaboration with law enforcement.

Ethics aside, this is a pretty large oversight on the part of DHL. All you need to stop the incrementing is to require a second param such as the recipient postcode or customer surname. Plenty of other companies get this right.

That's actually how the german DHL website works - unless you enter the recipients postcode, all you get is information that's not telling you who the recipient is (that is, the shipment progress, the latest status). If you enter the postcode, the recipients name and the name of the person the package was delivered to (for example your neighbor) will be revealed.

I like the way how TNT asks for PIN to display pod details..

uhhhh... didn't something like this happen with at&t a while back that is pretty well known now?

Kind of shocked that anyone thinks this is a significant breach. It is 2013. Nothing of significance is secured by "the kind of unusual way I write my name" any more.

What I did find interesting was how much effort most people seem to apply to doing a proper signature on that tiny, awkward device. I just dash a line and the delivery guy is happy.

I usually sign "Chuck Norris" at the grocery store.

It seems to me that signatures are way past their useful shelf life. The world is not set up to verify them against anything. If you sign off on a package with a fake signature, you'll probably be fine - the computer will check the box as having a signature on file and close the delivery - and you won't be exposed to privacy breach like this.

More sinister: if somebody grabs your check book and starts writing bad checks, I doubt the bank will pay much attention to whatever they scribble on them and you'll have a real nuisance on your hands.

My bank doesn’t do checks, but they check the signature on incoming (paper) mail with a signature of mine they have stored somewhere – I had to come in once specifically because my signature was different.

Similarly, when signing leases for flats, you usually need a copy of your passport/ID to prove that the signature is indeed yours.

Edit: Oh, and just pretending to be someone else is a lesser crime than pretending to be someone else and faking their signature, so requiring a signature might help as some sort of deterrent. (You can still do three circles for your signature, but doing three circles while impersonating someone else and giving the impression that said three circles are their signature is a crime on its own (in Germany (IANAL))).

Your signature has only every been useful as your "mark". Any formal contract requires two witnesses or a notary.

If you go to court over some contract, how much the signature looks like yours is not particularly important - it's whether or not you made it.

Stories about people signing contracts "Mickey Mouse" are apocryphal for the same reason.

The only place your signature really counts is when signing a credit card bill - something that was only ever really a convenience until a better(ish) solution came along.

You should have reported this to DHL first. Signatures are sensitive bits of information. While its a large oversight on DHLs part its still not right to upload people's signatures publicly

Time to practice generic and illegible signatures. For example, draw four circles and cross it out.

They are everywhere… a particular hotel’s breakfast order card you hang on the door knob requires a signature, banks require them, you sometimes have to sign when paying with a credit card, people expect you to doodle in a little box whenever there is exchange of money and goods.

Remind me to print HERP DERP next time with DHL please.

Actually if you look through the signatures I grabbed, a lot of them are just a big capital "D", a random squiggle or just the same name as is published but in a semi-legible form

I think USPS is basically the same way. I just shipped something with Signature Confirmation. The only thing I needed was the tracking number, and then I could sign up to receive an email with the signature in a PDF. Maybe you have to sign up before it's delivered though.

inb4 'righteously' indignant people are offended that OP 'hacked', 'stole', 'broke in to', 'etc' but not the least bit worried that DHL has utterly failed to protect that which ought to be confidential information, (for years).

Pretty standard for package trackers.

Only thing that helps is a sufficiently random tracking hash/string.

Anything sufficiently random to avoid automated guessing is going to be too long to enter on a keyboard.

On the German DHL package tracking page, you have to enter the recipient ZIP code before being shown recipient details like name and signature. The tracking code itself is 20 decimal characters, although it is not randomly generated.

I work in this industry and even if the fix is as small as you mentioned is not going to happen for months/years... Sadly it's not only the case with one carrier

This is pretty old news (has been the case for years and years with DHL), however by grabbing those signatures, you've just put yourself in Weev's shoes.

If weev had done what he did from the Czeck Republic (and never entertained the idea of visiting the USA) he'd almost certainly be doing just fine right now (well, as "fine" as weev ever did…)

I've no intention of visiting the US anyway.

That's a pity – in spite of everything, it's a wonderful place with some amazing people.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact