A law like this would also prevent the grave injustice of being considered a criminal for incrementing a query parameter to iterate through different records (weev/AT&T, I think). That also should never have been considered "hacking". Companies need to fix their damn auth instead of relying on the CFAA being overly generous to financially/politically-endowed interests. That law needs a neuter.
[0]: notwithstanding an actually-compromised server, which is no longer an agent working in its owner's interest. We'd have to be very careful to word this law, but I believe we can do a lot better than what we've got today.
Even the FBI agent quoted in the article got it wrong, stating “allowed open source tools to be used to query data that should not be public.” - as if proprietary browsers don't provide a View Source feature, only "evil" open source tools. Maybe I'm reading too much into it and it's a minor mistake but given the context even a potentially innocuous statement like that rubs me the wrong way for being incorrect.
SQL injection can be (and probably is) malicious though, so I suppose it becomes an unclear line for that example. Maybe punishment of both parties would be appropriate but I'm not a lawyer so don't have expertise in law punishments. But I could see this as incentivizing data security. Even if a 0 day is discovered, companies will be less inclined to drag their feet for a patch when one becomes available.
If an HTTPS server prints OK and returns a document for a straightforward request, then it's manifestly obvious that the owner's agent intended to give you that information. If the owner did not intend that to happen, the issue is between them and their agent. (Think: a customer service rep who didn't follow policy)
Supplying a SQL injection to an HTTPS server would be akin to fraud or false pretenses - like if you walked up to a customer service rep, showed them a fake ID, and asked for information about your account.
(Furthermore, copyright trolls wouldn't be able to wriggle out of their fraudulent DMCA requests by blaming it on software that they themselves deployed)
My understanding is that the reporter looked at the source that was being sent as intended -- no manipulation of input by the client.
Don't believe what you have heard, I know it seems very hacker-y and noble, and he tried to do the right thing and disclose, so we should just cut him a break, blah blah blah. There's MILES of evidence against him seeing free life. He's been involved in financial fraud, harassment cases against minors, illegal pornography against minors, threats of harms against strangers on the internet, there's even (unfounded, though somewhat plausible) claims that he's developed spyware for profit. I don't want to be doxxed, so I'll leave it at that. I've known weev for a long time, and I'm sure glad he doesn't know me.
To clarify, I am in favor of laws defending those who receive data from a sender having immunity. It seems common-sense. If you give me a ten dollar bill, and ask for it back, I can just decline, and walk away. It's rude and wrong, but it's legal, and it ought to be. CFAA has put a lot of bright, young minds in jail, and they are subsequently extorted and abused by multiple state agencies in the name of "cyber defense." It's grotesque.
But don't make weev a hero. He's not.
Why not just have a law against subverting the intent of existing laws, or against making bad-faith arguments? Laws are only as good as people's willingness to accept impartial assessment thereof. Absent that, they will just be exploited selectively for strategic leverage.
Aristotle observed that laws tend to multiply under tyrannical regimes, as rulers impose ever more onerous conditions upon their subjects; I think it's also true that an excess of laws creates opportunity for tyranny in the sense of creating a much larger attack surface for a malicious or cynical actor to exploit. To my mind, the growth of the US and state codes* is a bug rather than a feature, and pruning such complexity highly desirable.
You can't have laws whose interpretation is "don't do things you shouldn't" because parties in legal disputes clearly disagree about what "shouldn't" means, else they wouldn't fucking be resolving them through expensive and lengthy legal action.
There's a meaningful distinction between clarification of and expansion of the law. Legislators are responsible for both. OP may not have phrased it precisely, but they're saying the CFAA needs to be _clarified_. This doesn't mean it expands in scope--if anything, its scope would be narrowed.
In my country they classify it as "unauthorized access". That's perfectly fine with me.
In other words, if your server sends it, and you intended to send it, then I can have a look at it. If your server sends it, but you never intended (sysadmin, programmer error, bureaucracy, unsecured servers etc), and it's clear for me the information was never meant to be public, then I'm committing unauthorized access.
You could say a transparent window is literally made for the purpose to be able to see through, but I'm certain I'd be breaking the law if I started taking pictures of people undressing in their homes.
So if your server sends privileged data and I "View Source" to see how you implemented some unrelated part of your site and accidentally see that data, I'm now guilty of unauthorized access and should be prosecuted?
How about we shift the burden back to the people who have been entrusted to keep this data secure in the first place?
You could say, "obviously stumbling across the data is fine, as long as you then responsibly report the issue, or ignore it and go on with your day. It's only illegal if you then go on to do nefarious things with it." But this is exactly what the current system is failing at by prosecuting this reporter.
Getting the hacking issue right should not be this hard. In practice, it's pretty obvious what's hacking/unauthorized access and what isn't.
In the hacking category: SQL injection. Breaking DES. Cross site scripting attacks. Tracking cookies and browser fingerprinting, arguably.
In the not-hacking category: Incrementing integers in the URL. "Breaking" rot13. Using "view source".
Disclaimer: IANAL. Also, don't take creepy photos of your neighbors through their windows regardless of the legality of doing so.
In many parts of the US at least, the law is less clear-cut than you might think. In many jurisdictions you would have to argue that the photos were of a sexual nature (probably not hard for pictures of people undressing, but it's not an automatic win depending on context). In some states and/or localities there are explicit laws preserving privacy when in one's residence, but in many others, a photograph taken through an unshaded window is legal as long as it doesn't violate other laws.
[edit]
I guess all of the above strengthens your point that such simplistic laws as "a 200 response means you are authorized to do what you want with it" are not in any way analogous to the way laws for other systems work.
https://www.wired.com/2014/04/att-hacker-conviction-vacated/
https://arstechnica.com/tech-policy/2013/03/auernheimer-aka-...
1) This would require law enforcement, attorneys, judges, and juries to learn how the Internet works. For most people, what a server sent is what you can see in a web page. Concepts like server and client aren't ubiquitous.
2) This doesn't account for vulnerabilities. If I use an open source package that has a security flaw, and that flaw is exploited causing my server to send sensitive data, did I still implicitly authorize this because the server was acting as an agent of my interests? I probably need to be held accountable, but surely the attacker is not innocent. If we agree on this, then how do we craft a law that draws the line between incrementing a query parameter and remote code execution?
No, this is a bad idea for a law. It's appealing to nerds (like myself), but it's not how the law does (or should) work. It's very easy to imagine scenarios where you could get a server to send you an HTTP 200 even though you knew you were accessing data you weren't supposed to. That should clearly be illegal. (It's not what happened here, though. This case is much sillier.)
That said, this case seems to be tossing into a gray area any plugin or browser or browser version that alters the "expected rendering" in any way. So if I wrote my website and only tested with IE, and you opened it in Firefox which due to a rendering difference reveals something I didn't intend to be revealed, this government would presumably try to sue you...
Sure, but law doesn’t function by codifying things perfectly. There is no perfect codification of the physical ways one can move one’s fist, but clearly some such ways constitute an illegal act while others don’t.
The reporter did the equivalent of noticing a lock was rusted through and barely hanging on. He poked the lock and it crumbled to pieces. He didn't take anything, he reported the problem to the government and later to the public. He didn't take the personal data just because his eyes saw it in passing.
If the reporter compiled a database of every teacher's personal information, that's another thing. That's not what happened, the reporter looked at 3 teachers to establish the pattern and then reported it.
This is a simple case of an egotistical politician who wishes he was King tussling with the media that is rightfully making him look incompetent. "Anyone who disagrees with me is a criminal" is a common pattern for wannabe dictators. Vote against him at the next opportunity.
No. The reporter did the equivalent of opening a book available to be read by the public and having the audacity to try and figure out what the words on the pages meant.
The reporter asked for a page of information, it contained information that wasn't supposed to be there, and he's being blamed as if his eyes manifested it into existence.
Seems more akin to shining a UV light on a piece of paper. (Interesting how the sibling comment came to a similar example with invisible ink.)
It's still not a perfect metaphor. It's not immediately clear that 1) is true here (the reporter probably was not trolling for private information) and it's highly questionable if 2) is true as it seems that this info was being sent along in HTTP responses. What is obvious to me is that this guy had no malicious intent, took steps to do responsible disclosure (they didn't publish the article until the issue was fixed) and is being targeted by the political establishment as retribution for embarrassing them. Shameful stuff.
A better analogy would be that the state sent the journalist a document with everything readable in regular light, and a separate sheet that tells him which words he must redact. There was no attempt to conceal information, and worse, the redaction list would have been promptly ignored by anyone using a screen reader or other accessibility devices.
What's actually happening is: someone is broadcasting the data. End of story.
Now I'm going to ignore my own advice: it's like displaying the data on a big screen in the town square and then trying to arrest people for turning their head to look at it.
Then a reporter came along and rubbed a pencil on it, revealing the writing from the sheet above it.
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="[SOME_BASE_64_HERE]" />
Meaning he likely just pasted the contents into a web-based base64 decoder. I am totally mystified how a competent DA wouldn't have dropped this immediately.
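For anyone responsible for a site like the one described in the two comments above, the useful takeaway is a pre-release check: scan the markup your server actually emits for hidden fields whose raw or base64-decoded value carries SSN-shaped strings. This is an added example (not code from the thread or from the state's site); the sample HTML, the field contents and the number in it are constructed, and the check assumes the encoded payload decodes to readable text, as the comment above describes.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Constructed sample page: one hidden __VIEWSTATE field whose base64 payload
# decodes to readable text with an SSN-shaped value, plus a second hidden field
# whose payload is binary. Names and numbers are made up for this example.
SAMPLE_HTML = (
    '<form><input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="'
    + base64.b64encode(b"teacher=J. Example;ssn=123-45-6789;cert=ACTIVE").decode()
    + '" /><input type="hidden" name="__EVENTVALIDATION" value="'
    + base64.b64encode(b"\x01\x02\x03nothing-here").decode()
    + '" /></form>'
)

# US SSN shape: three digits, two digits, four digits, dash-separated.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


class HiddenFieldCollector(HTMLParser):
    """Collects (name, value) for every <input type="hidden"> in the markup."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.fields.append((a.get("name") or "", a.get("value") or ""))


def decode_if_base64(value):
    """Return the decoded text if value is strict base64 of printable UTF-8, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_leaky_fields(html):
    """Return [(field_name, [ssn-like strings])] for hidden fields that leak SSN-shaped data.

    Both the raw attribute value and its base64 decoding are checked, so a
    field leaks whether the data is sent in the clear or merely encoded.
    """
    parser = HiddenFieldCollector()
    parser.feed(html)
    hits = []
    for name, value in parser.fields:
        for candidate in (value, decode_if_base64(value)):
            if candidate is None:
                continue
            matches = SSN_RE.findall(candidate)
            if matches:
                hits.append((name, matches))
                break
    return hits


if __name__ == "__main__":
    for field, ssns in find_leaky_fields(SAMPLE_HTML):
        print(f"hidden field {field!r} leaks {len(ssns)} SSN-shaped value(s)")
```

Base64 is an encoding, not a secret; anything that fails this check is already public to every client that receives the page.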
Whistleblowers getting punished is just a feature of an authoritarian regime. It has little to do with competency.
Competence and morality aren't the most important factors here. Some people want to advance their career, even if it means screwing over someone like this. The governor probably wanted to shift blame away from himself and his administration, and is likely willing to make promises or exchange favors to further that goal.
It is a civic duty to report a crime, and within the law to be prosecuted for not reporting a crime.
It is also a crime to make misleading or false statements or to act in a manner that obstructs a legal investigation.
The government of Missouri has spun this around 180 degrees, attempting to make someone revealing the matter look like a criminal, and to validate government obstruction of legal recourse.
The pot is painting the kettle an off-colour to hide its own.
DAs have elections to win, and the risk of not having the governor's endorsement would put them in a tricky position.
It's not a partisan statement. I'm not saying it to favor one party or another (though unavoidably the other party would benefit - we'd be better off with multiple parties committed to democracy). We agree on freedom and democracy for all, we stand up for it, we give our 'lives, honor, and fortune' for it, or we are not the United States.
EDIT: I reworded it to remove political party names, to try to reduce any appearance of partisanship.
The world isn't equal, and both-sidism is a great way to try to divert people from taking action - nobody is wrong or evil, everyone is. We need to distinguish right and from wrong and to act, now. We need to use our free will, our free moral choice, to choose and act right. We will get the consequences we choose and act upon.
Intimidating witnesses - misrepresenting evidence - omitting counter-evidence - over-charging defendants - denying timely access to counsel.
If you think this is about politics - you are mistaken. You just haven't seen all the other times defendants have been mistreated in court.
It actually doesn't matter that there's no way the prosecution will "win" nor does this have anything to do with caring about information security.
Folks are wasting their breath if they explain why "view source" isn't hacking. The prosecution DOESN'T EVEN CARE.
Hopefully the Post-Dispatch has the resources to aggressively retaliate and take a pound of flesh in return. The charges were likely brought simply because the newspaper is stretched thin and they're either being told to "shut-up" or the governor is trying to pull "a Peter Thiel style" maneuver for some past grievance.
Typically, this can only be done after prevailing in court as I understand it and the bar for success is quite high.
STL covered its tracks perfectly on this one; if they did lose, it would be a token loss.
[0]https://focuslawla.com/rare-happens-plaintiff-ordered-pay-de...
[1]https://thelawdictionary.org/article/what-percentage-of-laws...
Now, even if a jury convicts this is unlikely to stand on appeal just given the bare facts as we know them, but the state can definitely drag the reporter through jail, trial, and possible imprisonment as an example of what happens to anyone the governor takes a dislike to.
Sad this thing is still going on. What’s really up with the governor?
They are allergic to accountability it seems. That's why once it comes out of their mouth, it is impossible for them to admit they fucked up. So double/triple/quadruple/quintuple-down is part of their playbook.
To continue with the prosecutor's analogy of the lock, having a shitty lock doesn't allow others to enter your house, but what if there is no lock, and what if the door is wide open? If you write "do not look" on top of your source code, can you prosecute someone who looked at it? If not, can you open a package marked "for Alice" if you are Bob, even if it is unsecured?
For computer security, what is punishable? Obviously, using exploits and installing rootkits is, but what about deciphering weakly encrypted streams, what about accessing "secret" URLs that do not have access control, what about probing undocumented APIs?
For me, it is just the prosecutor doing his job of accusation, maybe poorly, I don't know, but if there is a trial, there will be a defense attorney, and a judge, and hopefully a reasonable verdict.
If a researcher breaks a few ciphers, and makes no effort to store the plaintext, and reports the flaw, that's not a crime.
This is a case of A requesting something from B, and B giving A stuff they shouldn't have, and prosecuting A for noticing it.
At no point did the journalist go into anyone's property/territory. The site simply handed out the confidential stuff.
I get that's not the point of your comment but I refuse to even acknowledge that using HTTP as intended without feeding a server a malicious request can ever be considered a crime.
The only crime here is the negligence on the part of the Missouri government and the obvious abuse of power being displayed by Parsons after the fact.
He had every opportunity to pump the brakes on this investigation but decided doubling down on a journalist had a better payoff, and a more prominent ability to cast him as a white knight protecting the state of Missouri against fiendish hackers.
The 'view source' prosecution strategy is certainly something I'd hope to keep out of the spotlight as long as possible as it's chum in the water for technologists and privacy groups. The EFF could easily eviscerate it in court, as could the FSF, and god help you if a cyber security firm takes interest. Although most computer privacy laws in the US are written with a fire hose to catch anything remotely pertaining to an integrated circuit, these laws all generally restrict themselves to the domain of interstate commerce, healthcare, and energy.
Parson's fight is against an established journalist using an established and well respected process to report an information security exploit... so it's really tough to see if or how a competent prosecution hopes to land any charges outside the governor's "Lol do it anyway" edict which, fwiw, feels eerily similar to the malarkey Aaron Swartz was put through.
The goal isn't to appear as a white knight protecting the state from hackers, it's to mount a crusade against big-city journalists.
Also the fact that the prosecutors didn't laugh in his face immediately is rather disappointing. I can, I guess, understand the Highway Patrol being forced into investigating, but there's no excuse for the prosecutor not immediately slapping this down.
Trying to claim that if you don't resonate with a film then you're a bad person is a mistake imo.
Safari read aloud would have blurted out the SSNs in this case. So even for a layman, the lock analogy falls short.
> Like what if I sent out a paper newsletter to all my neighbors but printed it on recycled paper that happen to have SSN info on the other side
Court would place responsibility on the person who failed to inspect the paper used. There's a reason medical offices all have shredders; you can't reuse paper with patients' personal information on it.
I am living in an apartment complex and I wouldn't mind if someone noticed my keys in my front door, opened that door, took a look and called out for me.
This cannot possibly register as breaking in?
I am not even talking about motive here. The actual event in my mind is clearly benign.
The actual headline reflects the content of the article better: "Parson says he believes prosecutor will bring charges in Post-Dispatch case." Having read the article, I don't see anyone but Parson opine that the reporter will be prosecuted, and if this whole ordeal has done nothing else, it has at least offered adequate reason for me to dismiss Parson's opinions with prejudice.
I also asked what they suggest individuals like us can do (if anything) to help.
Similar to you, I Googled first, and found a short comment from someone at the EFF but nothing indicating that they were directly involved in this case so far.
I'm not even a US citizen (I'm a Brit) but something about this case makes me incredibly angry and frustrated. Not just on behalf of the journalist himself but also because of the hugely negative impact it will have on responsible disclosure of security issues in the future if this action against him proceeds.
Whoever, under color of any law, statute, ordinance, regulation, or custom, willfully subjects, or causes to be subjected, any inhabitant of any State, Territory, or District to the deprivation of any rights, privileges, or immunities secured or protected by the Constitution and laws of the United States . . . shall be fined not more than $1,000, or imprisoned not more than one year, or both.
This law has never been used to protect First Amendment rights. But, on its face, it could be.
> The contention is over Clause 7 of the Responsible Vulnerability Disclosure and Coordination Policy, released by CERT-In on September 3. According to the clause, the reporting party must “comply with all the extant laws” like the IT Act, Section 43, which bars unauthorised access to systems, while Section 66 prescribes the corresponding punishment (jail and/or fine).
> “Independent security experts may gain unauthorised access to a network when probing a system but they do so to study the vulnerabilities. So while their intent is not malicious, it could be seen as wrong under the IT Act, which is what this policy reinstates,” explains Rohin Garg of Internet Freedom Foundation (IFF), a New Delhi NGO that works to defend digital rights.
Source: https://www.deccanherald.com/metrolife/metrolife-on-the-move...
More here - https://internetfreedom.in/dont-penalise-cybersecurity-resea...
We should all hope the paper vigorously defends its first amendment rights.
It's Halloween, so you put a bowl of chocolates outside your house with a sign saying "take one". You accidentally dropped your wedding ring in there, and when a reporter digs through the chocolates and sees it, they ring the doorbell to let you know.
Reporter who told Missouri officials of website flaw did 'nothing out of line' - https://news.ycombinator.com/item?id=29098289 - Nov 2021 (190 comments)
Gov. Parson releases video attacking newspaper for viewing HTML - https://news.ycombinator.com/item?id=28980855 - Oct 2021 (26 comments)
Gov Parson pushes to prosecute reporter who found security flaw in state site - https://news.ycombinator.com/item?id=28946392 - Oct 2021 (525 comments)