Errata Security: You are committing a crime right now
Topic: Miscellaneous 11:02 am EST, Nov 21, 2012

It sounds an awful lot like AT&T and the FBI have just convicted someone of a crime because they exposed a security vulnerability and AT&T was embarrassed. Usually in these cases there is something more going on, but it's not obvious to me that there is this time.

The guy isn’t a criminal. He wasn’t trying to profit. He simply noticed that AT&T had made user accounts publicly available, and published proof. He believed that since the information was publicly available he was not exceeding authorization. He stuck his head up above the herd.

More information is here. A bunch of IRC chat logs are included wherein the idea of committing a crime (such as insider trading) is discussed. Joking around on IRC about committing a crime is not the same thing as actually committing a crime. It's not clear to me what crime was actually committed (other than possession of narcotics).

Unless there is some key fact not here in evidence I think this is going to do tremendous harm to the relationship between law enforcement and the hacker community.

Update: After some reading about this I'm not sure I agree with Robert Graham's position. I posted the following to the thread:

After some consideration and reading I think there might be more of a grey area here than the framing of this post lets on. However, I am not fully aware of all of the technical details in this case, so if I am misrepresenting how this actually worked, by all means, please correct me.

I agree that changing a value like "articleId=31337" in order to access data is not fraud, because the numbers are sequential and not personally identifying, so they don't constitute an access control, and changing them is not an act of deception.

On the other hand, imagine a website with a value in the URL like "password=31337". Your personal password is "31337" and when you access this page it provides you with your personal data. Other people have other passwords on the system and when the value of the password field is changed to someone else's value, you get to see their data. Otherwise you get an error message. The password values are not sequential, but if you tried a large number of them you would successfully guess many active passwords.

Although this would be a stupid way to design a website, I think we'd agree that writing a program to brute force guess many of these passwords and running that program on the live site would be a crime (an act of fraud), because the passwords identify the individual requesting data, so presenting someone else's password is an act of deception.

Now, let's imagine a third scenario - a website with a value like "SSN=078-05-1120". If you put someone else's Social Security Number in that field, you get access to their personal data. Social Security numbers aren't sequential, but if you tried to guess them you would easily get lots of successful hits. Nevertheless, they are personally identifying.

I think writing a program to brute force guess Social Security numbers in such a website would be more akin to the password guessing scenario than the articleId guessing scenario - it would be fraud.

Furthermore, as best I understand it, the SSN scenario is similar to what happened in this case. The values guessed were subscriber ID numbers. Again, I'm not 100% clear on the facts of this case, so please correct me if you think that I'm mischaracterizing this or if there are important technical details that lead to a different interpretation.

Having said all of that, I think there is another ingredient here, which is "intent to defraud." I don't see any evidence of that here. Wired magazine published some IRC chat logs where people were joking about committing a crime, but joking about committing a crime is not the same thing as actually committing a crime.

As a security researcher, it's obvious that my SSN website example is a bad design, but it might be hard to convince people at AT&T of that fact. They might argue that it would be hard to guess valid numbers or that their systems would detect any attempt to do so. It may have been impossible to demonstrate that this was a real vulnerability without actually performing the attack and going to the press with it.

I think, ultimately, it should be illegal to commit actual attacks without authorization in order to demonstrate that a computer security vulnerability is real. However, sometimes there is no alternative. There is such a thing as prosecutorial discretion, and shooting the messenger in a case like this sets a bad precedent in my view.
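The three URL-parameter scenarios in the comment above (a sequential articleId, a per-user password, and a personal but guessable SSN or subscriber ID) come down to one engineering point: the parameter only names a record; the access control is a server-side check that the record belongs to the authenticated caller, and guessability is a matter of how densely the key space is populated rather than whether values are sequential. The following is an added example, not code from Errata Security, AT&T or the MemeStreams thread. The subscriber records, handler names, session scheme, key-space sizes and request log are all constructed for illustration.

```python
# Added example, not code from the Errata Security post or the MemeStreams thread.
# A toy subscriber-lookup endpoint showing why a value in the URL is not an access
# control, whether it is sequential (articleId), secret (password) or merely personal
# but guessable (SSN, subscriber ID). All data and names here are constructed.
import random
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Subscriber:
    subscriber_id: int   # issued sequentially, like the comment's articleId
    email: str

# Constructed sample records; nothing here is real subscriber data.
DB = {
    1001: Subscriber(1001, "alice@example.invalid"),
    1002: Subscriber(1002, "bob@example.invalid"),
    1003: Subscriber(1003, "carol@example.invalid"),
}

SESSIONS: dict = {}   # session token -> authenticated subscriber_id

def login(subscriber_id: int) -> str:
    """Issue an unguessable session token bound to one subscriber."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = subscriber_id
    return token

def vulnerable_lookup(params: dict, session_token: Optional[str] = None) -> Optional[str]:
    """The design the comment describes: the only 'check' is that the supplied id
    exists, so any client reads any record by changing subscriber_id in the URL."""
    rec = DB.get(int(params["subscriber_id"]))
    return rec.email if rec else None

def hardened_lookup(params: dict, session_token: Optional[str] = None) -> Optional[str]:
    """Identity comes from the session, not the URL: the requested id must belong
    to the caller (a real app would answer 401 with no session, 403 otherwise)."""
    owner = SESSIONS.get(session_token or "")
    if owner is None:
        return None
    requested = int(params["subscriber_id"])
    if requested != owner:
        return None
    rec = DB.get(requested)
    return rec.email if rec else None

Handler = Callable[[dict, Optional[str]], Optional[str]]

def enumerate_ids(handler: Handler, start: int, count: int,
                  session_token: Optional[str] = None) -> dict:
    """The harvesting loop: walk sequential ids and keep whatever is disclosed."""
    found = {}
    for sid in range(start, start + count):
        email = handler({"subscriber_id": str(sid)}, session_token)
        if email is not None:
            found[sid] = email
    return found

def guess_hit_rate(active: set, keyspace: int, attempts: int, seed: int = 0) -> float:
    """Fraction of uniformly random guesses that land on an active key. What makes
    a value guessable is density (active / keyspace), not sequence: an SSN-style
    key with most of its space issued is dense; a random 128-bit token is not."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(attempts) if rng.randrange(keyspace) in active)
    return hits / attempts

def flag_enumerators(request_log: list, threshold: int) -> set:
    """The detection the comment imagines AT&T claiming: clients that requested
    more distinct subscriber ids than a legitimate user plausibly would."""
    seen: dict = {}
    for client, sid in request_log:
        seen.setdefault(client, set()).add(sid)
    return {client for client, ids in seen.items() if len(ids) > threshold}

def demo() -> dict:
    """Run the comparison and return the results for inspection."""
    alice = login(1001)
    leaked = enumerate_ids(vulnerable_lookup, 1000, 10)      # every record
    kept = enumerate_ids(hardened_lookup, 1000, 10, alice)   # only Alice's own
    # Constructed densities: 3,000 of 10,000 SSN-like keys in use vs 3,000 random 128-bit tokens.
    ssn_like = set(random.Random(1).sample(range(10_000), 3_000))
    tokens = {secrets.randbits(128) for _ in range(3_000)}
    # Constructed request log: one client reading its own record, one harvesting.
    log = [("10.0.0.5", 1001)] * 3 + [("203.0.113.9", sid) for sid in range(1000, 1010)]
    return {
        "leaked": leaked,
        "kept": kept,
        "ssn_like_hit_rate": guess_hit_rate(ssn_like, 10_000, 5_000),
        "token_hit_rate": guess_hit_rate(tokens, 2 ** 128, 5_000),
        "flagged": flag_enumerators(log, threshold=3),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running demo() shows the vulnerable handler giving up all three constructed records to a sequential walk while the hardened one returns only the caller's own, random guesses hitting the dense SSN-like space about 30% of the time and the 128-bit token space never, and the harvesting client being the only one flagged. The hardened handler is the actual fix; the detection function only limits damage and, as the comment notes, is what a vendor may point to when disputing that the design is exploitable.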
