IP: Defining the line between hacking and web surfing... -- from

[Dave Farber <farber () cis upenn edu>]

Date: Wed, 1 Jul 1998 19:49:14 -0700
From: Eli Goldberg <eli () prometheus-music com>
Subject: Defining the line between hacking and web surfing...


I've recently been faced with a very curious intellectual dilemma: at what
point is the web browsing that we do potentially --- and unknowingly ---
crossing the line into illegal hacking?


RISKS has explored this topic before (such as with alternate uses of 
robots.txt files, such as for finding interesting stuff like 
http://www.cnn.com/webmaster_logs/). 


Here are two recent encounters that have left me rather perplexed:


Case #1: A lot of AFS directories (a network file system popularized by 
CMU in the 1980s) have been starting to appear in recent months as 
publically viewable HTTP directories, without the knowledge of their 
owners. (In many cases, the directory owners have since graduated or 
moved to a staff position, leaving countless long-forgotten files and 
E-mail archives in their home directory.)


On two occasions in the past month (one at MIT, and one at CMU), 
I've performed ordinary web searches using ordinary search engines, and 
ended up finding private documents belonging to friends, with personal 
and confidential information. 


In each case, I immediately alerted the friend, and they had the 
permissions changed immediately, and the offending material removed. 
(Now, removing the summaries from a dozen search engines for hundreds of 
pages will be another matter. ;)


Could perhaps a tenuous argument be constructed that an individual 
reading these private documents --- after realizing that they were not 
meant to be publically posted --- was hacking?




Case #2: A *lot* of webmasters omit index.html files in critical 
directories, or perhaps forget to configure their servers to deny access 
to directory listings to HTTP directories that lack index.html files. 
This renders any casual web surfer trivially able to surf the actual 
directory tree of their web site --- including their CGI directory --- 
and associated private data files.


I've encountered this twice tonight --- once while attempting to 
post a housing vacancy at a local University's housing list (system was 
down, and I was curious why ;), and a second time while browsing a web 
site of a music publisher whose works I have enjoyed in the past.


In the latter case, I immediately stumbled upon full archives of 
this company's (unprotected) customer orders, web logs, & associated 
information, and other information that I believe any company should 
reasonably consider private. Ouch! 


Let's say I went ahead and read those files. 


Say, I was curious about more information about the company's 
customers buying habits, and had no malicious or criminal intent. Would 
this be breaking the law? 


On one hand, the webmaster *probably* didn't intend for the 
information to be public. Does a difference truly exist between 
exploiting known configuration errors in web sites, and exploiting known 
configuration errors in networked UNIX systems to access information not 
meant to be public?


On the other hand, it doesn't matter what they intend. They *have* 
made it public, and they've just placed it on a server where any bozo 
with a web browser can get to it just by typing a regular URL; how could 
one be breaking the law by viewing what they've already placed in a 
public area for viewing? 


(Certainly, I never signed an agreement to limit my use of the web site to
merely clicking on links, and have every right to type whatever I'd like
into the URL field!)


Now, let's say a competitor to the company in question happened to stumble
upon the same URL and data. What, then?