Geekzone: technology news, blogs, forums

JWR

730 posts

Ultimate Geek
+1 received by user: 236


  Reply # 1110189 17-Aug-2014 22:36

mattwnz:
JWR:
freitasm: Of course there are many definitions of "hacking". One is the skills people use to develop programs (as in "hacking code" and "hackathons"). The other applies to people who deeply understand how a system works and are capable of using it to the max (legal or illegal, for example phreaking). And lastly the one that is the mainstream (even though I don't agree) is someone using tricks, social engineering, system exploits to illegally access data.

Under these definitions, yes it was a hack. But I wouldn't classify it as a high end hacking - no deep exploits required, no social engineering applied to steal someone's password, no keylogger installed, etc.

So, it can sway both ways here.



I think the term 'Hacking' is meaningless now.

I would call it exploiting a security vulnerability.

The discovery of the vulnerability isn't the issue. It is what was done with the knowledge.

Also, too many analogies in this thread.

Analogy is used to simplify something for easier understanding and not used to turn it into something else.

Too much something else.


Anyone who is 'exploiting a security vulnerability' though, would still be doing something illegal wouldn't they? Compare this to a house where a door has a faulty lock on it, where it doesn't lock. So even though the owner thinks they locked their front door, it doesn't mean that you can then go up to their house open the door and access their house, just because the door wasn't locked. Analogies are needed due to the medium, and in court they would also use analogies to get a clear understanding.


:)

Awesome
4780 posts

Uber Geek
+1 received by user: 1059

Trusted
Subscriber

  Reply # 1110208 17-Aug-2014 23:49

Hacking is effectively using any method to bypass a mechanism to secure information.

In this specific case, I don't think the directory that was left open was specifically linked from anywhere on the site, however obviously a quick tinker with the URL would reveal the contents.

It could be argued, that the method of securing these files was obscurity. Obviously, security by obscurity is an absurdly poor form of security, but none the less, the files weren't (as I understand it) as 'public' as is being made out.

For someone to access the files, they either needed to have stumbled across it, or specifically know that the vulnerability exists. Past that point, continuing to access the files, which you clearly know aren't intended for you is the problem.

Poor security doesn't justify access and replication of content you specially know isn't intended for you.




Twitter: ajobbins


 
 
 
 


2933 posts

Uber Geek
+1 received by user: 1529

Subscriber

  Reply # 1110232 18-Aug-2014 07:29
One person supports this post

ajobbins:  I don't think the directory that was left open was specifically linked from anywhere on the site, however obviously a quick tinker with the URL would reveal the contents.

It could be argued, that the method of securing these files was obscurity. Obviously, security by obscurity is an absurdly poor form of security, but none the less, the files weren't (as I understand it) as 'public' as is being made out.

For someone to access the files, they either needed to have stumbled across it, or specifically know that the vulnerability exists. Past that point, continuing to access the files, which you clearly know aren't intended for you is the problem.

Poor security doesn't justify access and replication of content you specially know isn't intended for you.


Did you watch the video?

The front page of one of the domains went directly to a directory listing on the server. If you go to www.website.co.nz and get presented with a "index of /" directory listing, and browse through it, that's about as bloody public as it gets.

https://www.youtube.com/watch?v=AnOAeVaU5xM#t=240





Information wants to be free. The Net interprets censorship as damage and routes around it.

 



BDFL - Memuneh
59591 posts

Uber Geek
+1 received by user: 10765

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 1110234 18-Aug-2014 07:47

At the end it would come down to this: it is still illegal (as pointed before) to access information from a computer system without authorisation. This is in the current law.

As mentioned above it wasn't a "hack" in the sense that the web server was giving the contents away by simply visiting the home URL. However it did need a bit of digging to find what other domains were available in the same server IP.

A low level hack? Sure. Poorly configured server? Yes. Accessing information and using it? Yes. Stupidity of whoever designed a service with a SQL database in the same server, unencrypted and storing personal information such as name, credit card and donation? Hell, yeah.







2933 posts

Uber Geek
+1 received by user: 1529

Subscriber

  Reply # 1110245 18-Aug-2014 08:29
One person supports this post

freitasm: At the end it would come down to this: it is still illegal (as pointed before) to access information from a computer system without authorisation. This is in the current law.


That is one possible interpretation of that law, but not I suspect one that would withstand significant scrutiny. Firstly the offence is accessing the computer system, not the information on it. Secondly, having a public facing web server on the internet that doesn't require any form of authentication to view content implies that the public are permitted a certain degree of access, and the law very clearly includes an exemption that it "does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access." 

IANAL, but I strongly suspect any charges filed under these circumstances would get laughed out of court. It would also explain why no charges were filed at the time the incident occurred.

I don't know if Rick Shera or Judge Harvey frequent these forums but it would be interesting to hear their take.





Information wants to be free. The Net interprets censorship as damage and routes around it.

 



gzt

9388 posts

Uber Geek
+1 received by user: 1361


  Reply # 1110366 18-Aug-2014 11:43
One person supports this post

BarTender: IANAL but I think it's pretty clear cut in the crimes act.

http://www.legislation.govt.nz/act/public/2003/0039/latest/whole.html#DLM200269

Or

http://www.legislation.govt.nz/act/public/2003/0039/latest/whole.html#DLM200273

It wasn't hacking, but it wasn't accessing a computer for honest purposes or was authorised either.

As Lias mentioned above the second does not apply. See 252(2) in that link.

6303 posts

Uber Geek
+1 received by user: 378

Moderator
Trusted
Lifetime subscriber

  Reply # 1110373 18-Aug-2014 11:47

If Google had indexed that data, I would've been keen to see what the ramifications of this were.

2852 posts

Uber Geek
+1 received by user: 681

Trusted
Subscriber

  Reply # 1111000 19-Aug-2014 07:42

Well, I'm still lost. I've no idea now if it's "hacking" in the legal sense or if in fact what was done was illegal. All we seem to get is people's interpretations, and some I would guess would be based on their political leanings, but could be wrong.




Galaxy S8

 

Garmin  Vivoactive HR




2933 posts

Uber Geek
+1 received by user: 1529

Subscriber

  Reply # 1111064 19-Aug-2014 09:09

jeffnz: Well, I'm still lost. I've no idea now if it's "hacking" in the legal sense or if in fact what was done was illegal. All we seem to get is people's interpretations, and some I would guess would be based on their political leanings, but could be wrong.


There is much debate about it, within the IT and blog spheres, but the only legally qualified opinion I've seen so far (which admittedly is by someone with the potential for bias) came to the same conclusion I did, that no crime had been committed. 




Information wants to be free. The Net interprets censorship as damage and routes around it.

 



294 posts

Ultimate Geek
+1 received by user: 65


  Reply # 1111080 19-Aug-2014 09:31

Lias:
jeffnz: Well, I'm still lost. I've no idea now if it's "hacking" in the legal sense or if in fact what was done was illegal. All we seem to get is people's interpretations, and some I would guess would be based on their political leanings, but could be wrong.


There is much debate about it, within the IT and blog spheres, but the only legally qualified opinion I've seen so far (which admittedly is by someone with the potential for bias) came to the same conclusion I did, that no crime had been committed. 


The only crime I can see is for the owner of the website - failing to keep personal info secure. Having a website with no security and in the public domain with personal info is a big privacy breach, I would have thought.

2852 posts

Uber Geek
+1 received by user: 681

Trusted
Subscriber

  Reply # 1111113 19-Aug-2014 10:03

Lias:
jeffnz: Well, I'm still lost. I've no idea now if it's "hacking" in the legal sense or if in fact what was done was illegal. All we seem to get is people's interpretations, and some I would guess would be based on their political leanings, but could be wrong.


There is much debate about it, within the IT and blog spheres, but the only legally qualified opinion I've seen so far (which admittedly is by someone with the potential for bias) came to the same conclusion I did, that no crime had been committed. 


I understand the bias and frustration it causes but would like to know the actual legality without the bias, so thank you for your post.




Galaxy S8

 

Garmin  Vivoactive HR




15740 posts

Uber Geek
+1 received by user: 4270

Trusted
Lifetime subscriber

  Reply # 1111117 19-Aug-2014 10:11
2 people support this post

To my way of thinking, if indeed going to www.website.co.nz gave the directory listing and this allowed access to the files in question, it's akin to playing your sex tape on the outside wall of your house with a projector, and then expecting people who walk past to avert their eyes, and if they don't trying to hold them criminally liable. 

Would you want such muppets to ru(i)n the country? I wouldn't think so. 



2268 posts

Uber Geek
+1 received by user: 679

Trusted

  Reply # 1111164 19-Aug-2014 11:05

networkn: To my way of thinking, if indeed going to www.website.co.nz gave the directory listing and this allowed access to the files in question, it's akin to playing your sex tape on the outside wall of your house with a projector, and then expecting people who walk past to avert their eyes, and if they don't trying to hold them criminally liable. 

Would you want such muppets to ru(i)n the country? I wouldn't think so. 


But it's perfectly appropriate for senior staff from National to be involved in it right??? Since Key never gave a straight answer to that rather simple question.

We shouldn't be expecting to hold our elected officials to a higher standard as they write the laws of this country should we?





Awesome
4780 posts

Uber Geek
+1 received by user: 1059

Trusted
Subscriber

  Reply # 1111169 19-Aug-2014 11:12

networkn: To my way of thinking, if indeed going to www.website.co.nz gave the directory listing and this allowed access to the files in question, it's akin to playing your sex tape on the outside wall of your house with a projector, and then expecting people who walk past to avert their eyes, and if they don't trying to hold them criminally liable. 

Would you want such muppets to ru(i)n the country? I wouldn't think so. 




No, it's a bit like finding a DVD on someone's front step labelled "Private Sex Tape" and instead of knocking on the door and handing it over, taking it home, watching it then uploading it to YouTube and sharing the link.

The info they leaked wasn't at the root of the directory structure exposed at the domain level, they went digging in sub folders, and downloaded and rebuilt an SQL database from its backup files.

This is likely where it will get legally interesting. Sure, the directories were unsecured, but does that then mean it's OK for them to go poking around and then make copies of things you know you're not supposed to have access to?

Much better conduct from the Greens: [source]

 

Greens show they can be trusted - with folders

 

The Green Party showed a nice side of politics when it returned a misplaced folder to Nikki Kaye.

 

Spotting the folder on a flight, a party staffer contacted colleagues about what to do and was told to return it to the food safety minister unread.

 

A spokesman for Kaye confirmed the folder was misplaced, but that it contained ‘‘no sensitive information’’, with only a few speaking notes and printed pages from her diary.

 

‘‘She is very grateful to the Green Party staffer for picking it up.’’




Twitter: ajobbins


453 posts

Ultimate Geek
+1 received by user: 410


  Reply # 1111171 19-Aug-2014 11:14
One person supports this post

I'm not sure the "leaving the front door to your house open" analogies are entirely correct to use in this case.

Labour *PUBLISHED* this information in clear text on the public internet.  There was no circumventing of any security.  No backdoor access.  Credit Card and private membership data should never have been stored on an Internet Webserver in the first place.  Let alone in an unencrypted and unsecured form.

The correct analogy is that you took all of your valuable possessions and carried them all out to the street and left them lying beside the kerb.  Nobody has to even enter your property to look through or take your stuff.  (At least they didn't advertise the fact that they were having the equivalent of an un-manned garage sale ;-)

Is it morally wrong to trawl through such material?  Probably.  Is it fair game to lambast someone for being so irresponsible with data that they have a "duty of care" to protect?  ABSOLUTELY.



