Geekzone: technology news, blogs, forums

JWR (821 posts, Ultimate Geek)
#1110189 17-Aug-2014 22:36

mattwnz:
JWR:
freitasm: Of course there are many definitions of "hacking". One is the skills people use to develop programs (as in "hacking code" and "hackathons"). The other applies to people who deeply understand how a system works and are capable of using it to the max (legal or illegal, for example phreaking). And lastly the one that is the mainstream (even though I don't agree) is someone using tricks, social engineering, system exploits to illegally access data.

Under these definitions, yes it was a hack. But I wouldn't classify it as high-end hacking - no deep exploits required, no social engineering applied to steal someone's password, no keylogger installed, etc.

So, it can sway both ways here.


I think the term 'hacking' is meaningless now.

I would call it exploiting a security vulnerability.

The discovery of the vulnerability isn't the issue. It is what was done with the knowledge.

Also, too many analogies in this thread.

Analogy is used to simplify something for easier understanding, not to turn it into something else.

Too much something else.


Anyone who is 'exploiting a security vulnerability' though would still be doing something illegal, wouldn't they? Compare this to a house where a door has a faulty lock on it, where it doesn't lock. So even though the owner thinks they locked their front door, it doesn't mean that you can then go up to their house, open the door and access their house, just because the door wasn't locked. Analogies are needed due to the medium, and in court they would also use analogies to get a clear understanding.


:)



ajobbins (5052 posts, Uber Geek)
#1110208 17-Aug-2014 23:49

Hacking is effectively using any method to bypass a mechanism to secure information.

In this specific case, I don't think the directory that was left open was specifically linked from anywhere on the site, however obviously a quick tinker with the URL would reveal the contents.

It could be argued that the method of securing these files was obscurity. Obviously, security by obscurity is an absurdly poor form of security, but nonetheless the files weren't (as I understand it) as 'public' as is being made out.

For someone to access the files, they either needed to have stumbled across it, or specifically know that the vulnerability exists. Past that point, continuing to access the files, which you clearly know aren't intended for you, is the problem.

Poor security doesn't justify access and replication of content you specifically know isn't intended for you.






Lias (5589 posts, Uber Geek)
#1110232 18-Aug-2014 07:29

ajobbins: I don't think the directory that was left open was specifically linked from anywhere on the site, however obviously a quick tinker with the URL would reveal the contents.

It could be argued that the method of securing these files was obscurity. Obviously, security by obscurity is an absurdly poor form of security, but nonetheless the files weren't (as I understand it) as 'public' as is being made out.

For someone to access the files, they either needed to have stumbled across it, or specifically know that the vulnerability exists. Past that point, continuing to access the files, which you clearly know aren't intended for you, is the problem.

Poor security doesn't justify access and replication of content you specifically know isn't intended for you.


Did you watch the video?

The front page of one of the domains went directly to a directory listing on the server. If you go to www.website.co.nz and get presented with a "index of /" directory listing, and browse through it, that's about as bloody public as it gets.

https://www.youtube.com/watch?v=AnOAeVaU5xM#t=240









freitasm (BDFL - Memuneh, 79294 posts, Uber Geek, Administrator)
#1110234 18-Aug-2014 07:47

At the end it would come down to this: it is still illegal (as pointed out before) to access information from a computer system without authorisation. This is in the current law.

As mentioned above, it wasn't a "hack" in the sense that the web server was giving the contents away by simply visiting the home URL. However, it did need a bit of digging to find what other domains were available on the same server IP.

A low level hack? Sure. Poorly configured server? Yes. Accessing information and using it? Yes. Stupidity of whoever designed a service with a SQL database on the same server, unencrypted and storing personal information such as name, credit card and donation? Hell, yeah.







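The condition Lias (#1110232) and freitasm (#1110234) describe above, a site root that answers with an "Index of /" page and a database dump sitting somewhere beneath it, is easy to test for on hosts you are responsible for. What follows is an added example written for this page, not code from the thread or from any party discussed in it. It takes an HTTP response body, decides whether it is a server-generated directory listing, extracts the entries the listing links to and flags the ones whose names mark them as dumps, backups or exports. The HTML sample, the site layout it implies and every file name in it are constructed for the example; the suffix list is an assumption you should extend for your own environment.

```python
"""Detect a web-server autoindex page and the sensitive entries it exposes.

Added example for this thread, not code from Geekzone or from any party
discussed in it. SAMPLE_LISTING and SAMPLE_NORMAL are constructed inputs;
every file name in them is invented.
"""
from __future__ import annotations

import urllib.request
from html.parser import HTMLParser

# Assumed list of suffixes that mark a dump, backup or export. None of
# these belong under a public document root, listing or no listing.
SENSITIVE_SUFFIXES = (
    ".sql", ".sql.gz", ".sql.bz2", ".dump", ".bak", ".old",
    ".tar", ".tar.gz", ".tgz", ".zip", ".csv", ".xls", ".xlsx", ".env",
)


class _ListingParser(HTMLParser):
    """Collects the <title> text and every href on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.title = ""
        self.hrefs: list[str] = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def _parse(html: str) -> _ListingParser:
    parser = _ListingParser()
    parser.feed(html)
    parser.close()
    return parser


def is_directory_listing(html: str) -> bool:
    """Apache, nginx and lighttpd autoindex pages all title themselves
    'Index of <path>'; nginx repeats it in the <h1>."""
    title = _parse(html).title.strip()
    return title.startswith("Index of /") or "<h1>Index of /" in html


def listed_entries(html: str) -> list[str]:
    """Names the listing links to, minus Apache's column-sort links
    ('?C=N;O=D'), the parent-directory link and absolute/external links."""
    entries = []
    for href in _parse(html).hrefs:
        if href.startswith(("?", "/", "../")) or "://" in href:
            continue
        entries.append(href)
    return entries


def sensitive_entries(html: str) -> list[str]:
    """Listed entries whose name ends in a dump/backup/export suffix."""
    return [e for e in listed_entries(html)
            if e.lower().endswith(SENSITIVE_SUFFIXES)]


def audit(html: str) -> dict:
    """One verdict per response body: is it a listing, and what does it expose."""
    listing = is_directory_listing(html)
    return {
        "directory_listing": listing,
        "entries": listed_entries(html) if listing else [],
        "sensitive": sensitive_entries(html) if listing else [],
    }


def audit_url(url: str, timeout: float = 10.0) -> dict:
    """Fetch a URL and audit its body (network access; not exercised by the
    offline samples below). Only point this at hosts you are authorised to test."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return audit(resp.read().decode(charset, errors="replace"))


# Constructed sample in the shape Apache's mod_autoindex produces for a
# document root with no index file. Entries are invented.
SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /</title></head><body>
<h1>Index of /</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="backups/">backups/</a></td><td>2014-06-01 03:12</td></tr>
<tr><td><a href="members-2014-05.sql.gz">members-2014-05.sql.gz</a></td><td>2014-06-01 03:12</td></tr>
<tr><td><a href="donations.csv">donations.csv</a></td><td>2014-05-30 11:40</td></tr>
<tr><td><a href="logo.png">logo.png</a></td><td>2013-01-15 09:00</td></tr>
</table>
</body></html>
"""

# Constructed sample of an ordinary front page, for the negative case.
SAMPLE_NORMAL = ('<html><head><title>Welcome</title></head>'
                 '<body><a href="about.html">About</a>'
                 '<a href="/login">Log in</a></body></html>')


if __name__ == "__main__":
    for label, body in (("listing", SAMPLE_LISTING), ("normal", SAMPLE_NORMAL)):
        print(label, audit(body))
```

Run `audit_url` against the root of every virtual host on a box, not just the one you know about; freitasm's point that the other domains on the same IP took "a bit of digging" to find is exactly why an audit that stops at the main site misses the exposed one. Turning the listing off is one line (`Options -Indexes` in the Apache vhost or `.htaccess`; nginx has `autoindex off;` as its default), but that only hides the file names: a dump under the document root is still served to anyone who requests it by name, so backups and exports belong outside the web root entirely.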


Lias (5589 posts, Uber Geek)
#1110245 18-Aug-2014 08:29

freitasm: At the end it would come down to this: it is still illegal (as pointed before) to access information from a computer system without authorisation. This is in the current law.


That is one possible interpretation of that law, but not I suspect one that would withstand significant scrutiny. Firstly the offence is accessing the computer system, not the information on it. Secondly, having a public facing web server on the internet that doesn't require any form of authentication to view content implies that the public are permitted a certain degree of access, and the law very clearly includes an exemption that it "does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access." 

IANAL, but I strongly suspect any charges filed under these circumstances would get laughed out of court. It would also explain why no charges were filed at the time the incident occurred.

I don't know if Rick Shera or Judge Harvey frequent these forums but it would be interesting to hear their take.







gzt (17140 posts, Uber Geek)
#1110366 18-Aug-2014 11:43

BarTender: IANAL but I think it's pretty clear cut in the crimes act.

http://www.legislation.govt.nz/act/public/2003/0039/latest/whole.html#DLM200269

Or

http://www.legislation.govt.nz/act/public/2003/0039/latest/whole.html#DLM200273

It wasn't hacking, but it wasn't accessing a computer for honest purposes, nor was it authorised.

As Lias mentioned above, the second does not apply. See 252(2) in that link.

nate (6473 posts, Uber Geek, Retired Mod)
#1110373 18-Aug-2014 11:47

If Google had indexed that data, I would've been keen to see what the ramifications of this were.

jeffnz (2870 posts, Uber Geek)
#1111000 19-Aug-2014 07:42

Well, I'm still lost. I've no idea now if it's "hacking" in the legal sense, or if in fact what was done was illegal. All we seem to get is people's interpretations, and some I would guess would be based on their political leanings, but I could be wrong.








Lias (5589 posts, Uber Geek)
#1111064 19-Aug-2014 09:09

jeffnz: Well, I'm still lost. I've no idea now if it's "hacking" in the legal sense, or if in fact what was done was illegal. All we seem to get is people's interpretations, and some I would guess would be based on their political leanings, but I could be wrong.


There is much debate about it, within the IT and blog spheres, but the only legally qualified opinion I've seen so far (which admittedly is by someone with the potential for bias) came to the same conclusion I did, that no crime had been committed. 






bagheera (539 posts, Ultimate Geek)
#1111080 19-Aug-2014 09:31

Lias:
jeffnz: Well, I'm still lost. I've no idea now if it's "hacking" in the legal sense, or if in fact what was done was illegal. All we seem to get is people's interpretations, and some I would guess would be based on their political leanings, but I could be wrong.


There is much debate about it, within the IT and blog spheres, but the only legally qualified opinion I've seen so far (which admittedly is by someone with the potential for bias) came to the same conclusion I did, that no crime had been committed.


The only crime I can see is for the owner of the website - failing to keep personal info secure. Having a website with no security and in the public domain with personal info is a big privacy breach, I would have thought.

jeffnz (2870 posts, Uber Geek)
#1111113 19-Aug-2014 10:03

Lias:
jeffnz: Well, I'm still lost. I've no idea now if it's "hacking" in the legal sense, or if in fact what was done was illegal. All we seem to get is people's interpretations, and some I would guess would be based on their political leanings, but I could be wrong.


There is much debate about it, within the IT and blog spheres, but the only legally qualified opinion I've seen so far (which admittedly is by someone with the potential for bias) came to the same conclusion I did, that no crime had been committed.


I understand the bias and the frustration it causes, but I would like to know the actual legality without the bias, so thank you for your post.








networkn (32353 posts, Uber Geek)
#1111117 19-Aug-2014 10:11

To my way of thinking, if indeed going to www.website.co.nz gave the directory listing and this allowed access to the files in question, it's akin to playing your sex tape on the outside wall of your house with a projector, and then expecting people who walk past to avert their eyes, and if they don't trying to hold them criminally liable. 

Would you want such muppets to ru(i)n the country? I wouldn't think so. 



BarTender (3606 posts, Uber Geek)
#1111164 19-Aug-2014 11:05

networkn: To my way of thinking, if indeed going to www.website.co.nz gave the directory listing and this allowed access to the files in question, it's akin to playing your sex tape on the outside wall of your house with a projector, and then expecting people who walk past to avert their eyes, and if they don't trying to hold them criminally liable. 

Would you want such muppets to ru(i)n the country? I wouldn't think so. 


But it's perfectly appropriate for senior staff from National to be involved in it right??? Since Key never gave a straight answer to that rather simple question.

We shouldn't be expecting to hold our elected officials to a higher standard as they write the laws of this country should we?

ajobbins (5052 posts, Uber Geek)
#1111169 19-Aug-2014 11:12

networkn: To my way of thinking, if indeed going to www.website.co.nz gave the directory listing and this allowed access to the files in question, it's akin to playing your sex tape on the outside wall of your house with a projector, and then expecting people who walk past to avert their eyes, and if they don't trying to hold them criminally liable. 

Would you want such muppets to ru(i)n the country? I wouldn't think so. 




No, it's a bit like finding a DVD on someone's front step labelled "Private Sex Tape" and, instead of knocking on the door and handing it over, taking it home, watching it, then uploading it to YouTube and sharing the link.

The info they leaked wasn't at the root of the directory structure exposed at the domain level; they went digging in sub folders, and downloaded and rebuilt an SQL database from its backup files.

This is likely where it will get legally interesting. Sure, the directories were unsecured, but does that then mean it's OK for them to go poking around and then make copies of things you know you're not supposed to have access to?

Much better conduct from the Greens: [source]

Greens show they can be trusted - with folders

The Green Party showed a nice side of politics when it returned a misplaced folder to Nikki Kaye.

Spotting the folder on a flight, a party staffer contacted colleagues about what to do and was told to return it to the food safety minister unread.

A spokesman for Kaye confirmed the folder was misplaced, but that it contained "no sensitive information", with only a few speaking notes and printed pages from her diary.

"She is very grateful to the Green Party staffer for picking it up."






6FIEND (774 posts, Ultimate Geek)
#1111171 19-Aug-2014 11:14

I'm not sure the "leaving the front door to your house open" analogies are entirely correct to use in this case.

Labour *PUBLISHED* this information in clear text on the public internet. There was no circumventing of any security. No backdoor access. Credit card and private membership data should never have been stored on an Internet web server in the first place, let alone in an unencrypted and unsecured form.

The correct analogy is that you took all of your valuable possessions, carried them all out to the street and left them lying beside the kerb. Nobody has to even enter your property to look through or take your stuff. (At least they didn't advertise the fact that they were having the equivalent of an unmanned garage sale ;-)

Is it morally wrong to trawl through such material? Probably. Is it fair game to lambast someone for being so irresponsible with data that they have a "duty of care" to protect? ABSOLUTELY.



