I swear I read some case a couple years back where a kid was facing serious prison time for automating requests to w publicly available government website. "Unauthorized access of a computer." I think the author may have just admitted to what the government considers a serious federal crime, as stupid as it is to consider it a crime.
Arguably the most famous one is this: https://en.wikipedia.org/wiki/Aaron_Swartz#United_States_v._...
I once had a flatmate who worked in IT at MIT at the time that happened. I don't remember the details, but it was a sad fluke that the feds even got involved - something like it was reported at the wrong time of day/when the person who should have got it was off-shift, or the feds happened to be doing something with the state police when the report came in and wanted to make a big news splash.
Whole thing was incredibly fucked up.
Interesting to see how much more thorough the Wikipedia page is now.
Whoa. That was an interesting read.
Different scenario but it reminds me of when Missouri prosecuted a reporter who found that teacher's SSN numbers were exposed in the HTML of a webpage
> "Parson described the journalist as a “perpetrator” who “took the records of at least three educators, decoded the HTML source code, and viewed the Social Security number of those specific educators” in an “attempt to steal personal information and harm Missourians.”"
Reminds me of a German developer that got prosecuted because he opened an EXE file with notepad and found a hardcoded database password there: https://www.heise.de/en/news/Modern-Solution-Convicted-IT-ex...
>The password to this database was stored unencrypted in an executable file of the middleware product and was the same for all Modern Solution customers
>Modern Solution then reported the security researcher to the police, who searched his home and confiscated his work equipment
>The programmer has thus been sentenced to a fine of 3,000 euros and must bear the costs of the proceedings
That didn't actually happen. The governor threatened to prosecute, and ordered the police to produce a report on their investigation into the matter. The police complied producing a report saying the person the governor wanted to prosecute did nothing wrong.
Isn't html copyrightable and thus it is a publication? (And thus exposed by the author). Or am I in the wrong ballpark here?
What makes something a publication is the act of publishing, not the format that it takes.¹ Copyright is implicitly granted at publication² although registration is required in order to sue for infringement.³
⸻
1. Within some limitations: certain types of creative works, most notably typefaces, are excluded from copyright law, although it was determined that digital font files that describe the outlines of the characters are programs and thus eligible for copyright. Bitmap font files on the other hand, as an expression of a typeface design are not eligible for copyright.
2. Although works created by federal employees as part of their job are explicitly excluded from copyright protection.
3. Note though, that the timing of the registration impacts what you can sue for. If registration takes place after the infringement you can only sue for actual damages, but if it takes place before the infringement you can sue for punitive damages.⁴
4. I should add the obligatory disclaimers that all of the above only describes US copyright law and also I’m not a lawyer (although I did used to watch Law and Order a lot) so everything in this comment could quite likely be completely wrong.
No. Imagine you wrote a personal diary entry in a text file on your computer, and only afterwards wrapped it in HTML tags. Did you just make it a document intended for broad publication?
It doesn't matter. The judges who pass these sentences don't know enough about the systems to understand whether or not a crime has been committed and they simply don't care.
Raw data isn't copyrightable. You can't copyright the contents of phone book, for example.
Just because you can hit a backend without a rate limit, doesn't mean you should. In my experience, government IT is very humorless about this sort of thing. Far better to blend in with normal traffic than to stand out as a bad actor.
Especially given how the response time doesn't matter much here! If you're just looking at 2-character license plates, that's 676/5=136 requests to check them all, and you could easily space that out to something like one request per minute to scan the space every two hours.
"Your honor, the defendant took steps to hide their activities, showing that they knew it was wrong"
The fun thing about the computer fraud and abuse act is that just about anything can be made into a federal crime with it!
Just about, indeed!
"Nonprofit hires woman, but she quits after a few days, asks for pay for that time; they refuse, and things get worse from there. But! They don’t turn off her email access to a board member’s email. She and a friend comb through the account, download internal documents, and then ask for a lot of money. Federal crime? Third Circuit: Not until they actually revoked her access."
https://www2.ca3.uscourts.gov/opinarch/233017p.pdf
Considering it was created during a major moral panic after the movie "War Games" came out, by a bunch of politicians who knew nothing about computers (aside from, again, watching the movie War Games).
As a direct result, anything and everything can be a crime (e.g. violating a private company's Terms & Conditions), and the punishments are completely disproportionate to the actual criminality.
See the AT&T/iPad data leak, where AT&T were leaking private information on the internet with no security checks at all. Someone found it, told the press, who in turn told AT&T, but the FBI still investigated it as a "crime", raided their home, charged them with "conspiracy to access a computer without authorization." AT&T go no punishment at all.
Should they have had better security? Yes. Was the vulnerability extremely basic? Yes. Doesn't change much, a vulnerability was used to dump a bunch of private data.
Exactly. If you find an unlocked warehouse, even if you are supposed to pick up something of yours, and instead of directly complaining you also ransack everything, you’re going to catch some heat.
> I think you are missing some nuance here. They found a vulnerability where they could just increment an "id" and get access to another user's information.
That's not nuance; the information was publically available on the internet without any security. Even search engines had indexed it before it was patched.
> They then went ahead and scraped as much as they could.
They told the press instead of releasing it.
> AT&T did not leak the information, Andrew did!
So AT&T dumping it all onto the open internet without any security isn't culpable, but the person who let the press know that their information was available to everyone is. That's quite an interesting take.
I'm struggling to see the nuance... You just repeated back what I already said, but added that you dislike the person personally, which is absolutely fine, but we're talking about miscarriages of justice not running a popularity contest. If you feel like they committed other crimes (which they likely did per Wikipedia), that is unrelated to THIS supposed crime.
> Was the vulnerability extremely basic? Yes.
There was no vulnerability. You just needed to request a record from a public web-server, which the server happily provided with no extra steps.
Let me ask this: When you request e.g. google.com, and they return a HTTP response, why is that not a "vulnerability?" Because we'd both agree it objectively is not. So then, why, when AT&T provides a URL with information they're meant to keep private but available to the public, and you then request it, that is suddenly a "vulnerability?"
Here is the actual URL you needed to call:
https://dcp2.att.com/OEPNDClient/openPage?IMEI=0&ICCID=<consecutive id>
You just needed to take any iPad's ICC ID and +1 for the next customer's record. So what is the "vulnerability?" Being able to count consecutively?
"The guy who did it sucked" is generally not a good justification.
It's an easy trap to fall into (we all want consequences for shitty people), but it's also a blurry line to hold.
"First they came…"
OP here - I did some pretty heavy research on this topic to make sure I'd be okay publishing this / automating anything at all. From what I looked into (and mind you, I'm a 23 year old security researcher & not a lawyer) there are a few recent landmark court cases (Van Buren vs. United States, hiQ Labs vs. LinkedIn) that protect webscraping of a public-facing page without bypass of any technological barriers. Furthermore, Florida has the Computer Abuse and Data Recovery Act that defines any malicious behavior as overuse of resources or an intent to defraud or cause harm, both of which I was very conscious about not violating. I appreciate the concern regardless!
I was charged with felony unauthorized access of a government computer years ago for an even stupider reason. Nobody should underestimate the state's willingness to prosecute over anything.
Soon he may be making vanity license plates