undefined | Better HN

0 pointsyebyen2y ago0 comments

It is true that leaving your door unlocked does not give burglars permission to burgle you, but how is an open door different than a closed door?

Legally, I think it's also true that an open door looks more like an invitation to enter (and it's different from burglary to simply poke your head in the door, see if anything is wrong, and not breaking or taking anything)

If an API is served on a public network and your client hits that API with a valid request which returns 200 (not 401) and that API is shaped like an open door, such that no "knock" or similar magic or special protection-breaking incantations were required in order to obtain "the access" ...

Then would you concede it's not actually like a burglary, but a bit more like going in through an open door to see if everyone is OK? (It sounds like that's more precisely what happened here, I'll admit I haven't read it all...)

0 comments

tptacek2y ago

This isn't complicated. You can be convicted of breaking & entering through an open door. At trial, your defense will have to convince a jury that a reasonable person would believe they were entitled to go through the door. If the door was to, say, a Starbucks, that defense will be compelling indeed. If it is to a private home owned by strangers, you'll be convicted.

I think that's roughly how it will play out in a CFAA case too: the case will turn on why it was you thought you were authorized to tinker with the things you tinkered with. If, as is so often encouraged on HN, your defense turns on the meanings of HTTP response codes, you'll likely be convicted. On the other hand, if you can tell a convincing story about how anybody who understands a little about how a browser works would think that they were just taking a shortcut to something the site owner wanted them to do anyways, you're much more likely to be OK.

If you create an admin account in the database, it won't much matter what position the door was in, so to speak.

The concept we're dancing around here is mens rea.

(Again: DOJ has issued a policy statement saying they're not going after cases like this Fizz thing, so this is all moot anyways.)

yebyenOP2y ago

I don't think it's that simple. The prosecution will have to prove the intent to commit a crime. If it looks like a service that should require authorization, and the door is swinging wide open, I think there's a decent argument to be made that you can't prove a reasonable neighbor's intent wasn't to perform a welfare check, and with no criminal intent there is no crime of burglary.

If my neighbor leaves his door open (in the winter, say), and I have cause to believe that something is wrong based on that, is a jury going to convict me for going in there to check on them? It really sounds like that's what was done here.

I guess creating an admin account while I'm in there is a bit like making a key for myself while I look around. That might be over the line. But without that step, I'm not sure how you can have proved that something was even wrong...

I'll go read the article now.

2 more replies

sokoloff2y ago

> You can be convicted of breaking & entering through an open door.

That does not appear to be the case in Massachusetts. Here are the jury instructions relevant to B&E in the nighttime, with the full link below:

To prove the defendant guilty of this offense, the Commonwealth must prove four things beyond a reasonable doubt:

First: That the defendant broke into someone else’s (building) (ship) (vessel) (vehicle);

Second: That the defendant entered that (building) (ship) (vessel) (vehicle);

...

To prove the first element, the Commonwealth must prove beyond a reasonable doubt that the defendant exerted physical force, however slight, and thereby removed an obstruction to gaining entry into someone else’s (building) (ship) (vessel) (vehicle). Breaking includes moving in a significant manner anything that barred the way into the (building) (ship) (vessel) (vehicle). Examples would include such things as (opening a closed door whether locked or unlocked) (opening a closed window whether locked or unlocked) (going in through an open window that is not intended for use as an entrance). On the other hand, going through an unobstructed entrance such as an open door does not constitute a breaking.

(Italicized emphasis is mine.) Entering through an open door appears to be an entering (the second element of the crime), but not a breaking (the first element). IANAL.

https://www.mass.gov/doc/8100-breaking-and-entering-a-buildi...

runnerup2y ago

> You can be convicted of breaking & entering through an open door.

This definitely must vary by state. At least in Michigan that would just be trespassing. I know, because I had some very in-depth conversations with my lawyer about whether I had committed trespassing or B&E while exploring steam tunnels underneath a university. In my case, B&E couldn't apply because the door was unlocked. I also committed no other crimes besides simple trespassing.

tptacek2y ago

You're totally right. The more accurate thing to say is "you could be convicted of residential burglary by walking through an open door if the prosecution could convince a jury you did so with the intent to commit a further crime".

runnerup2y ago

That sounds right. I also appreciate how much you regularly add to discussion about the CFAA. I personally think it's a horrible law, but for the most part my understanding of it matches yours. Too many people mix up what "should be" vs. "what is".

In general, I've learned that if you ever wonder whether you might be breaking the CFAA, you are in violation of the CFAA. The only time this logic has ever failed that I've seen was HiQ vs. LinkedIn.

dahfizz2y ago

Yes, I think your description is perfectly reasonable. You could make a convincing argument that the researchers poked their head in to an open door. The fact that the law requires you to steal data or otherwise cause damages would support this idea.

I just wanted to argue against the idea that an unprotected computer is fair game for hacking. Morally and legally, it is not.

j / k navigate · click thread line to collapse

0 comments

tptacek2y ago

If you create an admin account in the database, it won't much matter what position the door was in, so to speak.

The concept we're dancing around here is mens rea.

(Again: DOJ has issued a policy statement saying they're not going after cases like this Fizz thing, so this is all moot anyways.)

yebyenOP2y ago

I'll go read the article now.

2 more replies

sokoloff2y ago

> You can be convicted of breaking & entering through an open door.

That does not appear to be the case in Massachusetts. Here are the jury instructions relevant to B&E in the nighttime, with the full link below:

To prove the defendant guilty of this offense, the Commonwealth must prove four things beyond a reasonable doubt:

First: That the defendant broke into someone else’s (building) (ship) (vessel) (vehicle);

Second: That the defendant entered that (building) (ship) (vessel) (vehicle);

...

(Italicized emphasis is mine.) Entering through an open door appears to be an entering (the second element of the crime), but not a breaking (the first element). IANAL.

https://www.mass.gov/doc/8100-breaking-and-entering-a-buildi...

runnerup2y ago

> You can be convicted of breaking & entering through an open door.

tptacek2y ago

runnerup2y ago

dahfizz2y ago

I just wanted to argue against the idea that an unprotected computer is fair game for hacking. Morally and legally, it is not.

j / k navigate · click thread line to collapse