Asking for the next file isn't false pretenses. I don't know if this analogy works quite right. Even rifling through a file cabinet wouldn't be false pretenses, it would be something else.
And you have to cause injury for it to be fraud. Is "Help I was too honest to a customer." a valid injury claim?
The closest real-life equivalent to asking a computer server for a document and getting it is asking a human server (e.g. office clerk, archivist) for a document and getting it. If I go to the IRS to do some paperwork and notice it says "File #7881991" in the top right corner and I go to the clerk and ask them "Hey, can I have files 7881992 and 7881993, too?" and they give them to me, who is liable for that? It's quite obvious.
But this is assuming that the server has more agency than it does. Servers don't have minds and they don't make authorization decisions. This is more like someone giving you the key to a filing cabinet in order to retrieve some documents and while you're there you snoop on the ones next to yours.
Is this system more trusting of people than it should be? Probably. Does that mean you're allowed to snoop on other people's documents -- nope.
The humans who administer the server have agency. They went and purchased an apparatus for publishing information to the world. They connected it to the world. They pointed it at that information. They turned it on.
A printing press also isn’t sentient and can’t guess whether its operators really mean to share every sentence on the plate. But browsers and readers of printed materials (that are left in public places) have no obligations to the publisher’s state of mind. Why should browsers of digital materials?
> This is more like someone giving you key to a filing cabinet in order to retrieve some documents
No. It's like someone asking you what you need, you telling them "I want all my documents and the ones from my neighbours because I feel like it", and them proceeding to hand you everything you asked for neatly collected in a folder.
You’re still ascribing agency and authority to a fancy vending machine. The server has absolutely zero authority to grant you authorization to the documents. It can only grant you access. The servers are not representatives of the government or the site-owners, they are just machines. And just because the vending machine is broken and works without you paying doesn’t make it not stealing.
The fact that the server cannot make decisions that were not predetermined is exactly why the responsibility for its behaviour lies with the people running it. They make the rules, they are the ones whose job it is to read the manual. And when someone makes a technically valid request (instead of, say, SQL injection attacks) it's not the user's fault for an incorrect response. They might not even be aware that they're not allowed to do a specific request: it's reasonable to assume IDs in the URL are not sensitive information, as URLs are public and unprotected by default.
Of course it's on the user if they know they're not supposed to have access to some info and they use it to their advantage regardless. If they're a nice person they'll even report the issue (though less likely after news like this).
> just because the vending machine is broken and works without you paying doesn’t make it not stealing
So if it's broken and doesn't work despite me paying, does that make my payment a donation? No.
Though it probably is theft if I knowingly abuse the error for profit.
I feel like I'm taking crazy pills here. We're specifically talking about someone who knew that they weren't supposed to access other businesses' data and did so purposefully for their own gain. How is that not abusing the error for profit?
Like you can say "URLs aren't sensitive by default" up until the guy admits that he knows it's an error and he's accessing the private data he's not supposed to see. That changes the situation completely.
Right. The server is not liable. The people who set up the server to serve application data for every client to any client are.
Just like the IRS admin assistant in the example was the agent that caused the transfer. The filing cabinet/server is not the agent, simply the repository responding to the system and practices in place.
But this is assuming that the server has more agency than it does.
No, it merely assumes the server is acting on authority of the organization identified by the domain name. It doesn't assume agency, only representation.
Which also seems nuts. Like they’re servers. How anyone assumes that some Ruby code can be acting as an authoritative representative of the government is silly.
Yes, how could anyone assume that the ATM down the street can be acting as an authoritative representative of your bank when you insert your card? That's just silly.
But that’s exactly right! It’s not. If the machine has a bug and reports the wrong balance or gives you too much or not enough money on withdrawals it’s explicitly not authoritative and you can get it corrected by an actual representative of the bank.
If you give me the key to the files and don’t explicitly forbid me then it certainly does mean I’m “allowed” to look at the documents. You literally and explicitly just allowed me to do so by granting me access.
No, it's not, because computers and humans are not the same. A computer might give away too much information because someone misconfigured it. The closest human analog to that would be if the human was improperly trained in what information they're supposed to give out. But the human also has other options: they could be tricked into giving out more information than they should, or they could be giving out more information because they're being paid off or given some other benefit.
You can certainly assign various levels of blame and responsibility to the human "server" in those scenarios. But the human on the other side of the interaction, the one requesting information, doesn't magically become free of reproach. If they are requesting information they know they should not have access to, and then making use of that information for their own gain, they're guilty too.
There's a very narrow carve-out for the white-hat: requesting information with the intent of uncovering vulnerabilities, with the intent to help them get fixed. We expect a white-hat actor here to destroy and not make use of any information they obtain that they shouldn't have.
> If I go to the IRS to do some paperwork and notice it says "File #7881991" in the top right corner and I go to the clerk and ask them "Hey, can I have files 7881992 and 7881993, too?" and they give them to me, who is liable for that? It's quite obvious.
Yes, it is obvious: the clerk is liable for giving you something they shouldn't have, and you are liable for fraudulently representing yourself as someone who should have access to those files.
I don't get where this idea of "the other person let me do the crime, so the crime is ok" comes from. That's just not how the law works in the real world. If you then walked out of the IRS office with those files, I would absolutely expect you to get arrested. (Even if you immediately gave the files back, you'd probably be on shaky legal ground.)
> Yes, it is obvious: the clerk is liable for giving you something they shouldn't have, and you are liable for fraudulently representing yourself as someone who should have access to those files.
It's always okay to ask for things. There would be no way for society to adapt, progress, or change if people were limited to only asking for things that they knew in advance they were allowed to have. If it's legal for a telemarketer, pollster, reporter, cop, or recruiter to contact me and ask me questions then it's just as legal for me to contact and ask a web server a question. The correct response to unauthorized requests is a 4xx, not a lawsuit.
More to the point, what makes it okay to ask a new web server for "/" without permission? Even if browse-through terms of service were legally enforceable they aren't known to the user or the browser before making the first connection and request.
If a web server doesn't want to answer questions then don't connect it to the Internet.
It is the intent of the act, not the act itself, that is important.
If you know doing x will cause y, then when you do x you are doing y and you are responsible for the consequences of doing y. It doesn't matter what x was.
I think misdirected mail might be a better analogy. My understanding is that, even if it is delivered to your mailbox, it is still a felony (in the US) to open mail that is not addressed to you.
Users don't normally construct URLs by hand. Wouldn't the equivalent be more like:
You filled out some form to request a document from the IRS. You give the form to the person, and they give you the document.
You notice they don't check IDs, so you change the name on the form, and get someone else's document.
This definitely seems to fit the definition of fraud:
380 (1) Every one who, by deceit, falsehood or other fraudulent means, whether or not it is a false pretence within the meaning of this Act, defrauds the public or any person, whether ascertained or not, of any property, money or valuable security or any service [that's the canada definition]
I don't think simply changing the ID in the URL to see what would happen is itself a malicious act. But, after discovering the vulnerability, OP admitted to continuing to exploit the vulnerability so they could make use of the information they'd gotten, information that they should not have access to. That part of it is actively malicious.
"deceit, falsehood or other fraudulent means" => editing the URL is neither of those. Forging a cookie for access is, just like randomly trying passwords and usernames.
The closest real life example I can think of would be along the lines of:
- your car is in a public parking space and someone looks inside vs
- the same car is in the garage and someone breaks the door to look inside your car
You never typed google.com into the browser? I doubt it.
Maybe you just mean "construct" as in edit the url to access another site - well, that's still a perfectly normal use-case. I regularly change reddit urls to old.reddit because it gives me a better user interface. Or access a subreddit by adding an "r/subname". Sure, those aren't alphanumeric IDs, but that distinction is meaningless. Some unique IDs on the web do actually consist exclusively of english words. And some numeric IDs are harmless page numbers or pagination info.
I don't think changing the name is a fair comparison.
This definition of fraud doesn't define the word "defraud"? I don't know how I'm supposed to see if it fits or not.
It can't mean any action, or going into a store, lying about my name, and asking what aisle has baked beans would fit. Because that has "deceit" and "any service".
If I interpret things as the service being minimal and provided for free, so that I'm not deceptively getting the service, then we have to look at what actually gets sent to me, and whether it's "property, money or valuable security". And since it's just a copy of the data sent at no cost, it's much harder to argue fraud exists.
The data in this case clearly had value; OP admitted to continuing to change numbers in the URL to get more information about what plans other companies were signing up for, because that information was valuable to them.
You're assuming the "because that information was valuable to them" part. Or you're using such a broad definition of valuable that would also make this comment thread valuable because I have refreshed it multiple times.
While you could construct hypotheticals where OP is using the health plan information to gain actual value, they are all so far-fetched I wouldn't buy them as a fictional plotline. Dude was probably just curious.
A closer analogy would be that you keep the name as your name, but change the # of the document you're requesting. It's the IRS's job to ensure you're allowed to retrieve that doc.
Sure, but I guarantee you that if the IRS screwed up and gave you the other doc, and you made use of that information (rather than immediately turning around and saying "um, IRS, I think you made a mistake; this doc doesn't belong to me"), you'd be in trouble as well.
I think the analogy would be going up to the desk and saying: my id number is X (when it's really Y), can I have my file.
If you convince them that you really are X and they give you the file, I think that would be considered fraudulent. Whether or not an injury takes place to raise it to the level of fraud I guess depends on what was in the file, but in countries with strong privacy laws, someone would probably be in a heap of trouble.
Except that's not at all what they did - they simply accessed files that had been made public by the service provider.
To be able to login as BoBibbidyFooBar, and subsequently access ANY company's info in the system without changing their identity from BoBibbidyFooBar does not, in any way, constitute any sort of fraud. It literally cannot, by any sensible definition.
Intent matters. The service provider clearly did not intend that the files should be public. They screwed up, and they should take responsibility for that. But that doesn't make it ok to know about the security issue and download as many documents as you can in order to use them for your own purposes. Perhaps that wouldn't be "fraud" based on whatever definition you're using, but it's clearly unethical and immoral, and IMO hopefully illegal as well.
> I think the analogy would be going up to the desk and saying: my id number is X (when its really Y), can i have my file.
Not at all because what you describe involves impersonating someone else.
In the OP case, they were authenticated in the session as themselves and always acted under the truthful identity and asked for a document and access was granted.
So the analogy would be going up to the desk and saying: I'm John Doe, my id number is X (truthful value), could I see file ABC? And the attendant checks that id==X does have access to document ABC, and thus hands it over.
A better analogy would be you asking for your files, and then the secretary taking you to a filing cabinet containing everyone's files right there with yours. You don't have to lie about who you are, you can just look at other files because they're right there in the place that you were just given access to.
How is that analogy wrong? Both in terms of the technical implementation and the subjective user experience, you're making separate requests for a document each time.
Analogies are always going to be imperfect, but I can't see the argument that the "separate request" analogy is any worse than yours, let alone "wrong".
And even in that case you're still not allowed to look at other people's documents. Like it doesn't matter that they're right in front of you, you still haven't been given authorization.
He had already given his correct details to be able to view plans. It’s like calling the cops to get your accident report then asking for the next higher numbers and they give it to you.
Not sure I see how. More like the records office decided that, rather than staffing the front desk to handle records requests, they instead just dumped an unlocked filing cabinet into an alcove off the hallway with an arrow pointing to it labelled "Health Care Plans". Essentially identical to blaming users for finding an unsecured S3 bucket or MongoDB instance: it's on the operator to secure the data.
> Essentially identical to blaming users for finding an unsecured S3 bucket or MongoDB instance
I agree that it's unreasonable to blame users for finding things like that. But if those same users are downloading all the data and making use of it for their own purposes, that's not ok. Finding a vulnerability and reporting it is an admirable thing to do; exploiting that vulnerability yourself is not.
It is more like the records office decided that, but didn't tell the people who they were holding records for that they didn't feel like staffing the desk. The records office is of course 99% to blame for their incompetence here, but it is still a bummer for the people who trusted them, and better not to look.
In our version though the system can require you to show whatever ID or authentication the designer decides, so how can any process as simple as changing an ID in the URL be fraudulent? In this example the person who browsed other plans either wasn’t asked for any ID or the person fetching the documents didn’t check authorization. Either one is negligence on the department/site's side.
Because servers don't decide anything. They're autonomous systems imperfectly carrying out the will of humans who make the actual authorization decisions. If a computer system erroneously prints an extra 0 on a check mailed out to you that doesn't mean you get to keep the money because the computer isn't the entity that decides how much money you're owed.
If there was no decision, much less one based on materially false information, there can be no charge related to false pretenses. Your argument against decisionmaking is an argument against your claim of false pretenses.
> If a computer system erroneously prints an extra 0 on a check mailed out to you that doesn't mean you get to keep the money because the computer isn't the entity that decides how much money you're owed.
That's neither entirely true nor at all relevant to your false pretenses claim.
Well in this case I'm knocking on your door and you're opening the door saying "Come right on in!"
Requesting access (ie knocking on a door/typing a url) is not illegal. If you grant that request (ie invite me in/serving a webpage), I am under no obligation to psychically infer that you didn't mean to and refuse your invitation.
Unfortunately, it's never that simple. So much of it is about intent.
If I could simply use the excuse "well, the computer gave me the information", then there would be no such thing as hacking. It's always a case of the computer sending the information to you.
It's not about intent, it's about authority. If I have the authority to access something, it's legal for me to access it, regardless of my intent. I may be breaking other laws depending on what my intent is, but it's not hacking.
Compare to a restaurant: simply walking into a restaurant is not illegal, but an owner can restrict access and ban someone from their restaurant. It takes no technical skill to break into the restaurant, the door is wide open, but without authority it is trespassing. However, it is on the owner of the restaurant to actually ban someone. For a public space, be it a restaurant or a webpage, by default you are permitted access. Attempting to enter a restaurant you've never been to before is not breaking and entering, nor is accessing a URL hacking.
If a website has some user agreement saying you will not access certain portions, or even if there is just a notice on a website saying this site is not public, then they have done all they need to do to revoke someone's authority, even though they would be incredibly easy to "hack." But as laid out under Van Buren v US, you don't lose authority to access things simply because you possess some intent undesirable to the owner. If you invite me into your home and I sleep with your wife, I haven't trespassed; if you tell me to get out and I don't leave then I have.
Further, there's a distinction between accessing something by normal, legal means and accessing something by other methods. For example if you invite me into your home only after I give you a false identity, I'm trespassing because I was never legitimately given authority to enter. Likewise if you hack a system with say a stolen password, you don't have authority to access the system no matter how easy it was. But if you grant authority to someone without them having to do anything nefarious, then they have authority regardless of whether you should have done it or not. If you have something sensitive, don't put it in a place (in the real world or online) where authority to access is granted automatically and without oversight.
If I send a HTTP request, and the server -who I believe is acting on behalf of the publishing party- sends a 200 OK response along with the data, how am I to conclude I wasn't authorized? Since when is authorization the client's responsibility?
Send me a 401 (or a 403) status and I’ll know I’m not authorised.
In the physical world, nobody would lawyer up and go to court if someone walked through an open door with a sign saying “public entry here” and saw something confidential.
If you have confidential information around in the physical world, you make sure you have facilities staff who know the difference between “public entry here” signs and “authorised personnel only” signs. You also have facilities staff who know how to fit door locks and door closers, and security staff who know how to choose appropriate locks and to enforce compliance of locking doors. And if all that breaks down, it’s not Joe Concerned-Citizen who tells you about it, or even Mallory from your competitor who waltzes out with trade secrets who gets held to account, it’s the manager and/or executive in charge of facilities and security who’d be answering the difficult questions, probably with their lawyer at their side.
It's sad that the legal system hasn’t yet started to hold people to account for having incompetent web developers and server operators.
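The point made above, that the server (not the client) is where authorization is decided and that the right answer to an unauthorized request is a 401/403 rather than a 200, as an added example in Python that is not part of the thread. It simulates the flawed handler (authenticated, but fetching a plan by its sequential ID alone) beside a hardened one that enforces object ownership and counts denials so an ID-iterating session shows up in logs; the plan numbers are the ones quoted in the thread, and the company names, session tokens and `AccessMonitor` helper are constructed for the example.

```python
# Added example, not code from the discussion or from any real site: a minimal
# simulation of the "change the ID in the URL" flaw and the server-side fix.
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: plan documents keyed by a sequential numeric ID,
# each owned by exactly one company account (company names are placeholders).
PLANS = {
    7881991: {"owner": "acme-corp", "body": "Acme Corp health plan (sample)"},
    7881992: {"owner": "globex", "body": "Globex health plan (sample)"},
    7881993: {"owner": "initech", "body": "Initech health plan (sample)"},
}

# Constructed session table: session token -> authenticated company account.
SESSIONS = {"sess-acme": "acme-corp", "sess-globex": "globex"}


@dataclass
class Response:
    status: int
    body: Optional[str] = None


def vulnerable_get_plan(session_token: Optional[str], plan_id: int) -> Response:
    """The flawed pattern: authentication is checked, but the plan is fetched
    by ID alone, so any logged-in user who edits the number gets a 200."""
    if session_token not in SESSIONS:
        return Response(401)            # not logged in at all
    plan = PLANS.get(plan_id)
    if plan is None:
        return Response(404)
    return Response(200, plan["body"])  # never asks whether the caller owns it


@dataclass
class AccessMonitor:
    """Hypothetical helper: counts per-session denials so that a session
    walking through IDs it does not own becomes visible to the operator."""
    denials: dict = field(default_factory=dict)
    threshold: int = 3

    def record_denial(self, session_token: str) -> bool:
        n = self.denials.get(session_token, 0) + 1
        self.denials[session_token] = n
        return n >= self.threshold      # True once this looks like enumeration


def hardened_get_plan(session_token: Optional[str], plan_id: int,
                      monitor: Optional[AccessMonitor] = None) -> Response:
    """Object-level authorization: the server checks that the authenticated
    account owns the requested plan and refuses with 403 otherwise."""
    account = SESSIONS.get(session_token)
    if account is None:
        return Response(401)
    plan = PLANS.get(plan_id)
    if plan is None:
        return Response(404)
    if plan["owner"] != account:
        flagged = monitor.record_denial(session_token) if monitor else False
        # A real service would write an audit log line here; the body is only
        # set so the example can show when the threshold was crossed.
        return Response(403, "enumeration suspected" if flagged else None)
    return Response(200, plan["body"])
```

Some services answer 404 instead of 403 for objects the caller does not own so that the response does not confirm the ID exists; either way the decision is made server-side, which is the point of the thread.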
I generally agree with this, but there is more nuance involved- like what if the library has a sign that says "Keep out"? Does the trespasser then bear some responsibility? i.e. Being served a 403, then appending some URL param that grants access. I wouldn't call this hacking, but it's something else- like "Digital trespassing", after all the 403 is a sign, not a cop. All of this to say The Simpsons did it.
A public web service is not the threshold of your home. If you want to make a domestic analogy, it's the box you drop off at Goodwill. You put something in there that you didn't mean to, and you understandably feel violated now that people are browsing it on Goodwill's shelves, but you can hardly blame the shoppers for that.
It's not the point. Of course they built a stupidly insecure system, and of course sending people to jail for finding out such holes is wrong, but on the other hand an ethical person should stop their access to personal data which they are not supposed to see after confirming that the vulnerability exists and not make copies of said data.
Because you can do a thing does not mean you should do a thing.
If the security system is broken and you do exactly what it should be preventing, then you report it and get upset because they ask questions about you doing exactly what you did?
Say you are invited to your friend's apartment in an apartment building, but none of the apartments have locks. So you decide to open up some other random apartments and look through their things, who is responsible?
We don't need to reach for analogies to observe that while the theoretical ideal is to report it after just one false access, that no significant damage was done by accessing just a few more via human manipulation of the browser URL, with no recording or sharing of the results. From a human perspective, no damage was done.
Whether that legally crosses a line involves a whole lot of details that few, if any people here, will be able to speak to, because of the complication of the law, and HN's conclusion as to the legality is of marginal interest even if someone competent were to give an opinion.
We can speak to the fact that even if it does technically cross a line, a prosecutor really ought to use their discretion to not prosecute since nobody was hurt. We can say that because that's just an opinion. I expect we don't have very many people here who actually want the book thrown here (though, as always, enough read this that it's probably non-zero).
I don't think quantifiable significant damage should be the bar we use, though that should act to moderate the consequences.
OP admitted to continue changing URLs in order to check out what plans other companies were getting and what they cost. That means OP downloaded lists of employee names, ages, SSNs, and other data. If I were an employee at one of these other companies, I'd be pissed at OP for that. I'd be even more pissed at the people who built the marketplace website for making the rookie security mistake that allowed it, but it's absolutely not ok to download other people's information when you shouldn't have access to it, and use that to your own advantage.
Sure, I don't think this is something that should be prosecuted as a CFAA violation with big fines and jail time. That's not a proportionate response. But I also don't think we should signal that it's ok to look at (and use!) other people's data just because someone else forgot to lock it up properly. I think, for example, something on the level of a parking ticket would be appropriate here.
If OP had changed the URL once, found the vulnerability, and then immediately closed the page and reported the problem, I would see nothing bad in what they did. But they didn't merely do that, and IMO crossed the line in their subsequent actions.
There's no evidence from the original comment that anyone invoked any legal lines. Instead, they seem to be upset that the person they reported the incident to asked them questions about exactly what they did rather than being effusively grateful.
That's not even close to the same analogy though. This would be like knocking on the door, asking if you can come in, and the person living there letting you in. Then getting mad about it later even though they let you in.
More like your friend let you into their apartment but then got upset that you went into the dining room when they only intended for you to go into the living room.
No, this is more like if you asked the landlord to let you in, and then they did, without the permission of the tenant. The tenant would completely be within their rights to be angry about that. Both at you and the landlord.
I think that's a valid response if the person letting you in wasn't expecting you and didn't want you there. Like, what are you doing knocking on random doors and going into random places just to look around? That's not honest behavior. Honest behavior is that if you know you're not supposed to have access to a thing, you shouldn't obtain access to the thing even if you technically can. I think it's pretty clear that you shouldn't have access to another company's healthcare plans. The first one is a mistake, maybe. The subsequent browsing and comparison shopping of restricted materials is definitely not okay though, and the harsh, suspicious response was warranted.
> if the person letting you in wasn't expecting you and didn't want you there.
Then they shouldn't have let you in. How are you completely absolving them of responsibility when all they had to do was say "Who the hell are you? No, you can't come in."
Well, to go with the analogy more: I leave my door unlocked because I'm expecting someone. There's a knock at my door and I yell "Come in" without looking at who is at the door. Not an unreasonable thing, happens all the time. When I finally look, I find you in my house, going through all of my things, for no reason other than you wanted to gain insight on my financial situation.
Do I bear responsibility for letting you in? Yes. Should you be there? No. Should you have knocked on the door? No. Should you have tried the same at my neighbor's house and every house on my block? No. In this metaphor and in the original context, everyone is acting with honest intent except the actor knowingly trying to access obviously confidential documents.
No one said anything about legality. I'm still going to yell at you to gtfo and never come back again, and I don't see why it would be surprising that I would.
Let's drop the metaphor. The original story was that someone accessed a number of documents they weren't supposed to but technically could, and the question was whether or not that it was reasonable that the owners of the documents were upset with that.
I argue there was good reason to be upset given the facts on the ground. In this particular situation, the original poster was there to access their own document. Having accessed someone else's document, that would be the point at which the behavior crosses from legitimate to illegitimate if it continues. Leaving at that point would be one appropriate response. But systematically going through a number of different documents goes beyond a mistake and into the realm of intentionally exploiting this security issue for unauthorized purposes. That's when it crosses from "honest mistake" to "dishonest exploitation".
I have no idea about the illegality of the issue. But the fact is plain that this person was not the intended recipient of the documents, they knew they weren't the intended recipient, and then after realizing the nature of the exploit, they continued to use it.
This is not the same as knocking on a door for a legitimate reason, being let in, and then the person inside being mad you're there. It's knocking on a door for no reason or a malicious reason, knowingly doing something inside the resident doesn't want you to do, and then wondering why they are mad at you.
The only person to be upset at is the one who didn't put access control on the site. That was a publicly available endpoint. The better analogy is putting something private on a public bulletin board and being mad if someone read something you didn't want them to.
A billboard is a broadcast message though, whereas an HTTP request is more like a back and forth exchange between two participants. So I think the original knock->response->enter is a better metaphor.
You let me in knowing exactly who I was. You showed me some stuff I wanted to see, but sitting right next to it, out in the open, was stuff you didn't want me to see. All I had to do was look somewhere other than where you were pointing, and I did that. And then you got mad at me for looking at the stuff and called the police.
> All I had to do was look somewhere other than where you were pointing, and I did that.
The way you phrase this makes it seem like accessing the documents was a mistake. Maybe the first one was, but I think the thing you are missing about the OP's story is that the behavior was repeated. I think the first instance was arguably okay. But subsequent access with the knowledge that what they were accessing was not intended for them is in my eyes beyond a mere misunderstanding.
You also have to remember that having physical or digital access to a thing is not the same as having permission to view the thing. For example, if a "Top Secret" document is delivered to your house with your name and address attached to it, if you read it without the appropriate clearance you will still be in trouble. The legality of such a thing is well established in that case, but the principle is the same: even though you have access to a thing and all you have to do is move your eyes in some direction to see it, the act of seeing it is still at minimum an ethical breach (why are you looking at things that you know don't belong to you?).
I guess this is the fundamental philosophical and ethical question: do you believe you are entitled to know any information as long as you have the technical ability to physically or digitally access that information? What if I have medical records on a screen in a room you are in, and all you have to do is move your eyes over to see my most personal info? Are you entitled to read that information because it's visible to you? Or do you think you owe it to others not to breach their privacy even though you have the ability to do so? Would you be mad if someone violated your privacy, and then retorted with "well you should have implemented some better technology to prevent me from moving my eyes in that direction"? I guess in that scenario you would have to blame yourself and your technological abilities, and not the person violating your privacy.
I was thinking of a similar analogy but I don't think it holds.
The right analogy would be if I was in the apartment complex and I said to a door not mine "I'm home open up!" If the door opened and I did it intentionally, am I liable?
I still feel like yes but since you have to request the document and receive it I think it's different than just checking locks.
People of all ages suffer from confirmation bias. Analogies can be useful because they allow someone to appreciate the logic of an argument while temporarily dissociating from strongly-held opinions. After the framing moves back to the question under debate, the logic might stick. At least all parties might understand everyone’s perspective better after a few analogies are exchanged.
The analogies in this thread are mostly only furthering confirmation bias.
Because any physical analogy is such a poor representation of how a website actually works, everyone just cherry-picks the analogy that demonstrates the logic they believe should apply, and then tries to constrain the argument to that logic via analogy.
Indeed -- it is like if arguments were things to transport, and analogies were cars... wait, no, they are railroad cars.
So the argument is a heist occurring on a train, so we've got the thing that we're trying to heist (which would be our point) and then we're shifting it from one car to another. And some of the analogies here are clearly like passenger coaches, but others are more like those... coal transporting car, whatever they are called... and at some point we move to the inappropriate railroad car and drop the point in the coal which obscures it.
Anyway, the point is that at some point you really just hope that some conventional train robbers will show up and derail the whole thing because it has gotten too convoluted to follow.
Nope, opening an unlocked door is still considered break&enter. AFAIK, the "unlocked door" can even be a beaded curtain. Turns out that the legal definition of "break" in this context is extremely old and doesn't correspond to lay usage anymore.
But I think that a better analogy would be asking the apartment manager to see your payment history and getting handed the entire apartment building's ledger.