Full Disclosure mailing list archives
Re: Congratulations Andrew
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 17 Jun 2010 11:12:55 +1200
T Biehn wrote:
> Furthermore if I access an online resource and I notice that the information ends and the URL has a &page=1 on the end and no link exists on that page to say... &page=2 is that illegal?
IANAL, but I recall a few years back a huge uproar over a case in Germany where the ruling effectively was that what you just described would be considered "illegal access" (or "unauthorized access" or whatever the actual wording of the relevant German law is, translated into English). IIRC, the precise details in that case revolved around the technically simpler act of crawling back up the directory tree exposed by a publicly disclosed URI. That is, the judge (??) ruled that accessing a URI like:

   http://www.example.com/1/2/

was in breach of whatever law when, in fact, only a URI like:

   http://www.example.com/1/2/3/

or:

   http://www.example.com/1/2/foo.htm

had ever been explicitly published or provided in an authorized page as a link. Again, as I understand that ruling, it effectively said that accessing any URI that had not been explicitly published as a link was deemed to be unauthorized access. In and/or from Germany, of course...
> On the same note, if I notice something that looks like a SELECT statement in a URL (due to excellent coding) is it illegal for me to modify that SELECT statement to return other information?
To _return_ (that is "only read") other data? That's getting greyer... However, under most jurisdictions with some legal notion of "authorized access" the answer is probably "fairly clearly yes" if you alter such URIs in ways that are likely to alter the contents of the database. The reasoning here goes something like if you have the ability to recognize that that is what those parts of the URI are for, then it is likely to be deemed reasonable that you should also understand the implications of altering those parts of such a URI. If you then issue a request for such a modified URI that you reasonably should have been aware would alter data in whatever database, then you are knowingly altering data that you do not know you have authorization to alter (or, worse, that you know you do not have authorization to alter).
> Is the legality of access to the resource something that must be explicitly granted to me or is it some abstract property depending on the content I've accessed? Is it legal to randomly fuzz web service arguments without knowing the data that it will return?
Good questions, but in general, in jurisdictions with notions of authorized access, you should be very careful with _other people's_ data, as it is unlikely the courts will have much sympathy for you tweaking anything that is not explicitly "yours", particularly if you appear to be aware that accessing or changing someone else's data that you reasonably should know you were not entitled to access/change in that way was a likely outcome. That is, just because you can doesn't mean you should...
> Usually systems of this nature will have an EXPLICIT notice that you cannot access data on it unless you're authorized OR will require (as it does now) authentication.
AFAIK, most "authorized access" type legislation puts the onus _on the accessor_ to be _sure_ that they have the proper authority for whatever they are doing, and _not_ on the access provider to _prevent_ anything but authorized access.
> Did the ICCID count as authentication if it is not explicitly labeled by AT&T as such? A field like: &password would clearly be illegal to brute force. An analogy to a case with CLEARLY AND EXPLICITLY defined law regarding private property doesn't really seem to fit.
Sorry -- don't know what US (and even possibly which state) legislation would cover this case. Presumably some ugly intersection of federal laws and those of the states where the perpetrator(s) resided (and/or obtained access from), the state(s) where the accessed AT&T server(s) were, perhaps even the state where AT&T is incorporated and/or has its head office, and perhaps even the state(s) where the network access services, proxy devices, etc used by the perpetrators were?

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Congratulations Andrew, (continued)
- Re: Congratulations Andrew T Biehn (Jun 16)
- Re: Congratulations Andrew Christian Sciberras (Jun 16)
- Re: Congratulations Andrew wilder_jeff Wilder (Jun 16)
- Re: Congratulations Andrew Thor (Hammer of God) (Jun 16)
- Re: Congratulations Andrew T Biehn (Jun 16)
- Re: Congratulations Andrew Michael Holstein (Jun 16)
- Re: Congratulations Andrew T Biehn (Jun 16)
- Re: Congratulations Andrew T Biehn (Jun 16)
- Re: Congratulations Andrew Christian Sciberras (Jun 16)
- Re: Congratulations Andrew Thor (Hammer of God) (Jun 16)
- Re: Congratulations Andrew Nick FitzGerald (Jun 16)
- Re: Congratulations Andrew ghost (Jun 16)
- Re: Congratulations Andrew Nick FitzGerald (Jun 16)
- Re: Congratulations Andrew Byron Sonne (Jun 16)
- Re: Congratulations Andrew huj huj huj (Jun 17)
- Re: Congratulations Andrew Thor (Hammer of God) (Jun 16)
- Re: Congratulations Andrew gillis jones (Jun 16)
- Fwd: Congratulations Andrew n3ptun3 (Jun 16)
- Re: Congratulations Andrew bk (Jun 16)
- Re: Congratulations Andrew Valdis . Kletnieks (Jun 16)
- Re: Congratulations Andrew Nick FitzGerald (Jun 16)