As an information security professional, I see two different issues at play here. First, they got access. They were granted access by the admin who did not lock down the server. I am not a lawyer, but I see the unauthenticated web server, no matter how much of a mistake, as being implicit permission to access the site. A house, by default, implies privacy. A web server is more of a business in this metaphor. If the door is open and the lights are on, it's implied you can come in and look around. Machines accessible over the web are by default open to everyone unless permission is revoked. The "unauthorized access" charge, in my opinion, should be struck down. When a site is made accessible from the unauthenticated Internet, an admin is implicitly granting you permission to visit the site.

The second issue at play is the fact that the guy apparently collected some email conversations to use as proof. Using my business metaphor, walking into a closed business that to a layman appears open is a simple mistake. Anyone could reasonably assume the business is open. However, collecting their merchandise even just to prove they forgot to lock up would still be stealing. In this situation, it's unauthorized copying. Most reasonable people would consider this to be unacceptable.

The second situation is muddied a bit further by my wording "most". Websites accessible when unauthenticated are able to be scraped easily. What if the Googlebot crawled the site and collected the information due to a poor robots.txt? What if you walked into the business and tried some free samples (unauthenticated websites are implicitly free samples)? Data privacy comes into play on this one though, and I would argue that any reasonable person would understand these as private communications. While they are accessible to view, any reasonable person would understand it is unethical to read them and unacceptable to copy them.

The fatal flaw of the defendant was copying the emails. Up to that point, he was completely within reasonable practice in my opinion. Here's a takeaway for any startups: security isn't a joke. It's a career ender, it's a business ender, and it could be a career ender for your customers who trusted you. You hire the best programmers, but budget a little aside for an external penetration test, and take the results seriously. Don't lose your company and your reputation because of a caffeine-fueled oversight.



You don't live in a world governed by machines and pure logic. You live in a world governed by human beings and their nature.

You have the capacity to recognize where you should be and where you shouldn't be. What you should be seeing and what you shouldn't be seeing.

Right from wrong.

> A web server is more of a business in this metaphor. If the door is open and the lights are on, it's implied you can come in and look around.

No.

If you're inside a business and you see a door open and it is evident by the design of the building that it is their storage space ... you do not have the right to waltz on in. You damn well know through your experience in hundreds of other stores that this area is used by employees and for employees only. You do not belong there.

Are you telling me he read those emails by accident? Just stumbled on them? Or did he know exactly what he was doing?

Enough of this white hat bullshit. I do not have the right to self-deputize myself and become a vigilante on the Internet. If these clowns don't know how to secure their own damn servers, let them pay the price that will be exacted by less scrupulous individuals. That's how the free market works. Stupidity is severely punished. They will very quickly learn how to properly set permissions on their server.


The problem with metaphors is that they only resemble what they are describing. They'll always be imperfect. The problem with web servers is that anything that is public-facing is just that. Security through obscurity is no security at all.

Like I said, the guy went too far. But visiting a public-facing website is not a crime, no matter how you happen to discover the URL. There's no sign on the door saying "keep out", even though the server is more than capable of displaying one. Do you have a right to walk into any business, or walk into their storage space? No, but any reasonable person (notice I keep using this phrase? It's going to come up in court) would assume if the lights are on and the door is open, you can walk in. You might be mistaken, and a clerk might show you out. Intent is a critical factor. Like I said, the guy went too far. He didn't enter by mistake, though someone could have. He entered with the intent of making unauthorized copies of private data. Walking into a store's storage space isn't illegal, but a reasonable person would know that taking pictures of customer data is.

It's not illegal to visit any public facing Internet site. It is illegal to make unauthorized copies of restricted data. It's also against The company is hugely to blame in this situation for leaking private information. So is the guy who broke the law by making unauthorized copies of this private information. I support him having criminal charges filed against him. My point was that there are two issues at hand, one illegal and one perfectly within the law. Implied consent at odds with intent. It should be an interesting case.


He demonstrated a proof of concept, collected data, and went to journalists. Cherry-picking IRC logs for things for possible uses of the data is weak because they have a weak case.

Arguing about methods of responsible disclosure, a very dead horse that has been beaten to dust, seems like a waste of time and not really relevant.

This is just the endgame of the chilling effect of arresting and hounding researchers which has been going strong ever since 2001 http://news.cnet.com/2100-1001-270082.html


> Intent is a critical factor. Like I said, the guy went too far. He didn't enter by mistake, though someone could have. He entered with the intent of making unauthorized copies of private data.

We're in agreement here. I think we're both making the same point. Intent is the key here.

The problem is that if you just consider servers, configurations, permissions, and other technical aspects ... intent doesn't enter the picture. That's the wrong way to think about this.


I do agree that we're making the same point, and I wrote my response to you in the mindset that I had poorly communicated my initial conclusion. Your point complements my own. The difference we may have is that I don't view intent in the highest importance when someone visits a public server. Intent will only get you so far as long as server, configurations, permissions, and other technical aspects are in order. The reason he was able to copy restricted data is because the technical aspects were not in order. That's where the muddiness comes in; you wouldn't need intent to make unauthorized copies in this situation. The Googlebot could have made unauthorized copies. Your browser's cache could make unauthorized copies. Archive.org could have made unauthorized copies. Googling for plaintext and valid credit card numbers might shock you in what Google is finding on public servers.

His intent comes into play only secondarily in my opinion. I might enter a store with intent to steal something, but if a security guard is standing next to me and a camera is watching, I'd walk right back out. The lack of security is what allowed him to complete his intentions of unauthorized copying. It does not absolve him of his crimes, but thinking about the potential for unintentional restricted data access tells me that his crimes sit in line with the failed (non-criminal but out-of-compliance) policies of the host.
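The two technical claims made above, that anything served without authentication can be copied by any crawler or cache with no intent at all, and that a server is "more than capable of displaying" a keep-out sign, can be shown side by side. The following is an added example written for this page, not code posted by any commenter and not related to the site in the article. It starts a throwaway local HTTP server with constructed content: a robots.txt that merely asks crawlers to stay out of /mail/, a /mail/ path that is nonetheless served to anyone, and an /admin/ path that actually requires HTTP Basic credentials. A polite client (Python's urllib.robotparser) honours the robots.txt entry; a raw fetch ignores it and gets the "private" content with a 200; only the path behind real access control answers 401 without credentials. All hostnames, paths, credentials and page bodies here are invented for the demonstration.

```python
"""Added example: robots.txt is advisory, HTTP authentication is enforced.

Runs entirely against a local throwaway server; every path, page body and
credential below is constructed for the demonstration.
"""
import base64
import threading
import urllib.error
import urllib.request
import urllib.robotparser
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample content (not from any real site).
ROBOTS_TXT = b"User-agent: *\nDisallow: /mail/\n"
MAIL_PAGE = b"From: alice\nTo: bob\nSubject: constructed example\n"
PROTECTED_PAGE = b"admin panel (constructed)\n"
# Hypothetical credentials for the protected path.
AUTH_HEADER = "Basic " + base64.b64encode(b"user:secret").decode()


class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep the example quiet

    def do_GET(self):
        if self.path == "/robots.txt":
            self._send(200, ROBOTS_TXT)
        elif self.path.startswith("/mail/"):
            # Listed in robots.txt, but handed to anyone who asks:
            # a "keep out" request, not access control.
            self._send(200, MAIL_PAGE)
        elif self.path.startswith("/admin/"):
            # Real access control: the server refuses without credentials.
            if self.headers.get("Authorization") == AUTH_HEADER:
                self._send(200, PROTECTED_PAGE)
            else:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="admin"')
                self.send_header("Content-Length", "0")
                self.end_headers()
        else:
            self._send(404, b"")

    def _send(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server():
    """Bind to an ephemeral loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def fetch(url, headers=None):
    """Raw client, the way a scraper or cache works: no robots.txt check.

    Returns (status, body)."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""


def polite_allowed(base, path):
    """What a well-behaved crawler does: consult robots.txt before fetching."""
    rp = urllib.robotparser.RobotFileParser()
    rp.set_url(base + "/robots.txt")
    rp.read()
    return rp.can_fetch("*", base + path)


def demo():
    """Run all four checks against the local server and return the results."""
    srv, base = start_server()
    try:
        return {
            # robots.txt "protects" /mail/ only against clients that choose to obey it
            "polite_crawler_skips_mail": not polite_allowed(base, "/mail/1"),
            "raw_fetch_mail": fetch(base + "/mail/1"),
            # the path with real access control refuses anonymous requests
            "admin_without_auth": fetch(base + "/admin/")[0],
            "admin_with_auth": fetch(base + "/admin/", {"Authorization": AUTH_HEADER}),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The raw fetch of /mail/1 succeeds with the full page body even though robots.txt disallows it, which is the "Googlebot or Archive.org could have copied it" scenario: nothing on the server distinguishes a deliberate visitor from an indexer. The /admin/ path shows the sign the server could have displayed: a 401 with a WWW-Authenticate challenge, so an unauthenticated client gets nothing rather than a page it was merely asked not to read.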


> If these clowns don't know how to secure their own damn servers, let them pay the price that will be exacted by less scrupulous individuals.

AT&T will not be affected whatsoever by a security breach, only those people whose information is leaked will be affected. The whole point of a white hat is to show this vulnerability and have it fixed before damage is done by someone with malicious intent.

> That's how the free market works. Stupidity is severely punished. They will very quickly learn how to properly set permissions on their server.

We do not live in a free market, and corporations are disproportionately powerful compared to individual people. You are asking that individual people have their data leaked and their lives potentially affected so that AT&T can look bad and then walk away from this situation without any punishment.

Further, it is very clear that companies make mistakes all the time with configuring their servers and tools in ways that make data leaks and theft possible. We should demand that these flaws be exposed and fixed ASAP; there is nothing to be gained here by harassing those doing that exposure.


> AT&T will not be affected whatsoever by a security breach

That's naive. If my emails become public, trust me, I'll cancel my AT&T service. If AT&T becomes known for airing people's dirty laundry, they will quickly bleed customers.

> Further, it is very clear that companies make mistakes all the time with configuring their servers and tools in ways that make data leaks and theft possible.

Yes, they do. And in cases where individuals are hurt, those individuals sue the company involved. Either individually or collectively. Those companies do pay for their mistakes.

Except, of course, in cases where no actual measurable harm was done by the security breach.

> We should demand that these flaws be exposed and fixed ASAP; there is nothing to be gained here by harassing those doing that exposure.

There is a reason we vest the authority to enforce laws and pursue criminals in only a select few trained individuals. It's naive to think random teenagers have a fine grasp of the law, civil rights, and a well-tuned moral compass.



