mailing list archives
Re: Congratulations Andrew
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 17 Jun 2010 11:12:55 +1200
T Biehn wrote:
Furthermore if I access an online resource and I notice that the information
ends and the URL has a &page=1 on the end and no link exists on that page to
say... &page=2 is that illegal?
IANAL, but I recall a few years back a huge uproar over a case in
Germany where the ruling effectively was that what you just described
would be considered "illegal access" (or "unauthorized access" or
whatever the actual wording of the relevant German law is, translated
into English). IIRC, the precise details in that case revolved around
the technically simpler act of crawling back up the directory tree
exposed by a publicly disclosed URI. That is, the judge (??) ruled
that accessing a URI like:
was in breach of whatever law when, in fact, only a URI like:
had ever been explicitly published or provided in an authorized page as
Again, as I understand that ruling, it effectively said that accessing
any URI that had not been explicitly published as a link was deemed to
be unauthorized access.
In and/or from Germany, of course...
On the same note, if I notice something that looks like a SELECT statement
in a URL (due to excellent coding) is it illegal for me to modify that
SELECT statement to return other information?
To _return_ (that is "only read") other data? That's getting greyer...
However, under most jurisdictions with some legal notion of "authorized
access" the answer is probably "fairly clearly yes" if you alter such
URIs in ways that are likely to alter the contents of the database.
The reasoning here goes something like if you have the ability to
recognize that that is what those parts of the URI are for, then it is
likely to be deemed reasonable that you should also understand the
implications of altering those parts of such a URI. If you then issue
a request for such a modified URI that you reasonably should have been
aware would alter data in whatever database, then you are knowingly
altering data that you do not know you have authorization to alter (or,
worse, that you know you do not have authorization to alter).
Is the legality of access to the resource something that must be explicitly
granted to me or is it some abstract property depending on the content I've
accessed? Is it legal to randomly fuzz web service arguments without knowing
the data that it will return?
Good questions, but in general, in jurisdictions with notions of
authorized access, you should be very careful with _other people's_
data, as it is unlikely the courts will have much sympathy for you
tweaking anything that is not explicitly "yours", particularly if you
appear to be aware that accessing or changing someone else's data that
you reasonably should know you were not entitled to access/change in
that way was a likely outcome.
That is, just because you can doesn't mean you should...
Usually systems of this nature will have an EXPLICIT notice that you cannot
access data on it unless you're authorized OR will require (as it does now)
AFAIK, most "authorized access" type legislation puts the onus _on the
accessor_ to be _sure_ that they have the proper authority for whatever
they are doing, and _not_ on the access provider to _prevent_ anything
but authorized access.
Did the ICCID count as authentication if it is not explicitly labeled by
AT&T as such? A field like:
&password would clearly be illegal to brute force.
An analogy to a case with CLEARLY AND EXPLICITLY defined law regarding
private property doesn't really seem to fit.
Sorry -- don't know what US (and even possibly which state) legislation
would cover this case. Presumably some ugly intersection of federal
laws and those of the the states where the perpetrator(s) resided
(and/or obtained access from), the state(s) where the accessed AT&T
server(s) were, perhaps even the state where AT&T is incorporated
and/or has its head office, and perhaps even the state(s) where the
network access services, proxy devices, etc used by the perpetrators
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/