undefined | Better HN

0 pointszaroth10y ago0 comments

It's intent that matters. Setting user-agent in order to properly render a page is legal. Setting a user-agent string to gain access to otherwise unauthorized content is probably not.

0 comments

16 comments · 4 top-level

jsprogrammer10y ago· 6 in thread

User-agent string is not an authorization mechanism.

zarothOP10y ago

Interestingly, the CFAA does not define the term "without authorization" however it does define "exceeding authorization" exactly as I quoted above;

  - to access a computer with authorization and to use such access
    to obtain or alter information in the computer that the accesser
    is not entitled so to obtain or alter.

So arguing User-agent is not an authorization mechanism probably won't help you, because exceeding authorization means, first, that you were authorized to access the computer (HTTP GET returns 200) but then that you used that access to obtain information in the computer that you were "not entitled so to obtain."

jsprogrammer10y ago

If the computer on the public Internet responds to a standard HTTP request, it has explicitly authorized my access to whatever information it sent me.

3 more replies

ignoramous10y ago

It isn't. But I have seen top internet companies (Netflix and the like) use it to authorise requests. It boggles my mind.

seanp2k210y ago

Curious where Netflix is using this to authorize requests. Any more info on that?

1 more reply

njharman10y ago

Good luck arguing that in court. Esp against the multiple lawyers a corporation will be able to afford.

If you don't get it, court doesn't care about what's reasonableness, technically correctness, etc. Only if your lawyers can convince jury/judge. Twinky made me crazy, It the gloves don't fit... and so forth.

tajen10y ago

If you don't set it for a particular website but generally browse the web with it, based on another legitimate purpose (I'm a developer, I had to test a website, I forgot the setting) could you oppose the court on "knowingly and with intent of defraud"? If you didn't see the paywall, how can it be "knowingly"?

1 more reply

CyberDildonics10y ago· 4 in thread

Unauthorized? If you put up a sign and tell people they have to pay to look at it, is it illegal to look at it and not pay? This should be a rhetorical question.

sneak10y ago

[I am not a lawyer and this is not legal advice.]

It is not specifically defined in the law, so it reverts to the traditional meaning: anything the owner of the system says you aren't authorized to access.

It's lunacy, I know. That's what HTTP headers and WAFs and such are for. But that's the stupid law, and it sent someone who used to be my friend to federal prison for changing a user agent and referrer and accessing unprotected data on the web.

Tread carefully.

tomcam10y ago

Whoa. Care to tell that story or link to it?

1 more reply

sbierwagen10y ago

18 USC § 1030 (a) (4) https://www.law.cornell.edu/uscode/text/18/1030

  Knowingly and with intent to defraud, accesses a 
  protected computer without authorization, or exceeds 
  authorized access, and by means of such conduct 
  furthers the intended fraud and obtains anything of value,

The courts have interpreted "protected computer" as any computer connected to the internet.

majewsky10y ago

> The courts have interpreted "protected computer" as any computer connected to the internet.

The mismatch between the world views of jurisprudence and engineers is a neverending source of joy. (If working in tech has made you cynical like me, that is.)

dheera10y ago· 2 in thread

In that case, I'm just going to set my User-Agent permanently to Google's crawler for fun and see how the web renders, in general. Just for fun, because I want to see what the world looks like from a different perspective. That's my intent. I've stated it. Now that my user agent has been changed, I'm going to go grab lunch, carry on with life, maybe check out some cat pictures and then maybe some news sites over tea and snacks, and then go for a run.

lojack10y ago

In my opinion the WSJ has a major rendering bug that affects everyone except for the google search crawler, and I selectively set my User Agent to get around said bug.

comex10y ago

In any judge's opinion, you'd be full of shit. Judges aren't stupid.

Which doesn't matter, because the WSJ is never going to sue you. But make sure you only consider your justification a personal one, not one that would provide any legal protection.

1 more reply

profeta10y ago

intent can be many things.

i disable javascript. so i can't even see their page (and hence i don't know my access is being denied since i got a 200 http response, which means "OK") so i try different user agents with the intent of reading the content they are providing. Just like microsoft case.

j / k navigate · click thread line to collapse

0 comments

16 comments · 4 top-level

jsprogrammer10y ago· 6 in thread

User-agent string is not an authorization mechanism.

zarothOP10y ago

Interestingly, the CFAA does not define the term "without authorization" however it does define "exceeding authorization" exactly as I quoted above;

  - to access a computer with authorization and to use such access
    to obtain or alter information in the computer that the accesser
    is not entitled so to obtain or alter.

jsprogrammer10y ago

If the computer on the public Internet responds to a standard HTTP request, it has explicitly authorized my access to whatever information it sent me.

3 more replies

ignoramous10y ago

It isn't. But I have seen top internet companies (Netflix and the like) use it to authorise requests. It boggles my mind.

seanp2k210y ago

Curious where Netflix is using this to authorize requests. Any more info on that?

1 more reply

njharman10y ago

Good luck arguing that in court. Esp against the multiple lawyers a corporation will be able to afford.

tajen10y ago

1 more reply

CyberDildonics10y ago· 4 in thread

Unauthorized? If you put up a sign and tell people they have to pay to look at it, is it illegal to look at it and not pay? This should be a rhetorical question.

sneak10y ago

[I am not a lawyer and this is not legal advice.]

It is not specifically defined in the law, so it reverts to the traditional meaning: anything the owner of the system says you aren't authorized to access.

Tread carefully.

tomcam10y ago

Whoa. Care to tell that story or link to it?

1 more reply

sbierwagen10y ago

18 USC § 1030 (a) (4) https://www.law.cornell.edu/uscode/text/18/1030

  Knowingly and with intent to defraud, accesses a 
  protected computer without authorization, or exceeds 
  authorized access, and by means of such conduct 
  furthers the intended fraud and obtains anything of value,

The courts have interpreted "protected computer" as any computer connected to the internet.

majewsky10y ago

> The courts have interpreted "protected computer" as any computer connected to the internet.

The mismatch between the world views of jurisprudence and engineers is a neverending source of joy. (If working in tech has made you cynical like me, that is.)

dheera10y ago· 2 in thread

lojack10y ago

In my opinion the WSJ has a major rendering bug that affects everyone except for the google search crawler, and I selectively set my User Agent to get around said bug.

comex10y ago

In any judge's opinion, you'd be full of shit. Judges aren't stupid.

Which doesn't matter, because the WSJ is never going to sue you. But make sure you only consider your justification a personal one, not one that would provide any legal protection.

1 more reply

profeta10y ago

intent can be many things.

j / k navigate · click thread line to collapse