Geekzone: technology news, blogs, forums

JWR

779 posts

Ultimate Geek


  # 1110189 17-Aug-2014 22:36

mattwnz:
JWR:
freitasm: Of course there are many definitions of "hacking". One is the skills people use to develop programs (as in "hacking code" and "hackathons"). The other applies to people who deeply understand how a system works and are capable of using it to the max (legal or illegal, for example phreaking). And lastly the one that is the mainstream (even though I don't agree) is someone using tricks, social engineering, system exploits to illegally access data.

Under these definitions, yes it was a hack. But I wouldn't classify it as a high end hacking - no deep exploits required, no social engineering applied to steal someone's password, no keylogger installed, etc.

So, it can sway both ways here.



I think the term 'Hacking' is meaningless now.

I would call it exploiting a security vulnerability.

The discovery of the vulnerability isn't the issue. It is what was done with the knowledge.

Also, too many analogies in this thread.

Analogy is used to simplify something for easier understanding and not used to turn it into something else.

Too much something else.


Anyone who is 'exploiting a security vulnerability' though, would still be doing something illegal wouldn't they? Compare this to a house where a door has a faulty lock on it, where it doesn't lock. So even though the owner thinks they locked their front door, it doesn't mean that you can then go up to their house open the door and access their house, just because the door wasn't locked. Analogies are needed due to the medium, and in court they would also use analogies to get a clear understanding.


:)

Awesome
4859 posts

Uber Geek

Trusted
Subscriber

  # 1110208 17-Aug-2014 23:49

Hacking is effectively using any method to bypass a mechanism to secure information.

In this specific case, I don't think the directory that was left open was specifically linked from anywhere on the site, however obviously a quick tinker with the URL would reveal the contents.

It could be argued that the method of securing these files was obscurity. Obviously, security by obscurity is an absurdly poor form of security, but nonetheless, the files weren't (as I understand it) as 'public' as is being made out.

For someone to access the files, they either needed to have stumbled across it, or specifically know that the vulnerability exists. Past that point, continuing to access the files, which you clearly know aren't intended for you is the problem.

Poor security doesn't justify access and replication of content you specially know isn't intended for you.




Twitter: ajobbins


 
 
 
 


3871 posts

Uber Geek

Trusted
Lifetime subscriber

  # 1110232 18-Aug-2014 07:29
One person supports this post

ajobbins:  I don't think the directory that was left open was specifically linked from anywhere on the site, however obviously a quick tinker with the URL would reveal the contents.

It could be argued that the method of securing these files was obscurity. Obviously, security by obscurity is an absurdly poor form of security, but nonetheless, the files weren't (as I understand it) as 'public' as is being made out.

For someone to access the files, they either needed to have stumbled across it, or specifically know that the vulnerability exists. Past that point, continuing to access the files, which you clearly know aren't intended for you is the problem.

Poor security doesn't justify access and replication of content you specially know isn't intended for you.


Did you watch the video?

The front page of one of the domains went directly to a directory listing on the server. If you go to www.website.co.nz and get presented with an "index of /" directory listing, and browse through it, that's about as bloody public as it gets.

https://www.youtube.com/watch?v=AnOAeVaU5xM#t=240





Information wants to be free. The Net interprets censorship as damage and routes around it.


BDFL - Memuneh
64652 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 1110234 18-Aug-2014 07:47

At the end it would come down to this: it is still illegal (as pointed out before) to access information from a computer system without authorisation. This is in the current law.

As mentioned above it wasn't a "hack" in the sense that the web server was giving the contents away by simply visiting the home URL. However it did need a bit of digging to find what other domains were available in the same server IP.

A low level hack? Sure. Poorly configured server? Yes. Accessing information and using it? Yes. Stupidity of whoever designed a service with a SQL database in the same server, unencrypted and storing personal information such as name, credit card and donation? Hell, yeah.







3871 posts

Uber Geek

Trusted
Lifetime subscriber

  # 1110245 18-Aug-2014 08:29
One person supports this post

freitasm: At the end it would come down to this: it is still illegal (as pointed out before) to access information from a computer system without authorisation. This is in the current law.


That is one possible interpretation of that law, but not I suspect one that would withstand significant scrutiny. Firstly the offence is accessing the computer system, not the information on it. Secondly, having a public facing web server on the internet that doesn't require any form of authentication to view content implies that the public are permitted a certain degree of access, and the law very clearly includes an exemption that it "does not apply if a person who is authorised to access a computer system accesses that computer system for a purpose other than the one for which that person was given access." 

IANAL, but I strongly suspect any charges filed under these circumstances would get laughed out of court. It would also explain why no charges were filed at the time the incident occurred.

I don't know if Rick Shera or Judge Harvey frequent these forums but it would be interesting to hear their take.





Information wants to be free. The Net interprets censorship as damage and routes around it.


gzt

10904 posts

Uber Geek


  # 1110366 18-Aug-2014 11:43
One person supports this post

BarTender: IANAL but I think it's pretty clear cut in the crimes act.

http://www.legislation.govt.nz/act/public/2003/0039/latest/whole.html#DLM200269

Or

http://www.legislation.govt.nz/act/public/2003/0039/latest/whole.html#DLM200273

It wasn't hacking, but it wasn't accessing a computer for honest purposes or was authorised either.

As Lias mentioned above the second does not apply. See 252(2) in that link.

6358 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  # 1110373 18-Aug-2014 11:47

If Google had indexed that data, I would've been keen to see what the ramifications of this were.

 
 
 
 


2868 posts

Uber Geek

Trusted
Lifetime subscriber

  # 1111000 19-Aug-2014 07:42

Well, I'm still lost. I've no idea now if it's "hacking" in the legal sense or if in fact what was done was illegal. All we seem to get is people's interpretations, and some I would guess would be based on their political leanings, but could be wrong.




Galaxy S8

 

Garmin  Vivoactive 3




3871 posts

Uber Geek

Trusted
Lifetime subscriber

  # 1111064 19-Aug-2014 09:09

jeffnz: Well, I'm still lost. I've no idea now if it's "hacking" in the legal sense or if in fact what was done was illegal. All we seem to get is people's interpretations, and some I would guess would be based on their political leanings, but could be wrong.


There is much debate about it, within the IT and blog spheres, but the only legally qualified opinion I've seen so far (which admittedly is by someone with the potential for bias) came to the same conclusion I did, that no crime had been committed. 




Information wants to be free. The Net interprets censorship as damage and routes around it.


359 posts

Ultimate Geek


  # 1111080 19-Aug-2014 09:31

Lias:
jeffnz: Well, I'm still lost. I've no idea now if it's "hacking" in the legal sense or if in fact what was done was illegal. All we seem to get is people's interpretations, and some I would guess would be based on their political leanings, but could be wrong.


There is much debate about it, within the IT and blog spheres, but the only legally qualified opinion I've seen so far (which admittedly is by someone with the potential for bias) came to the same conclusion I did, that no crime had been committed. 


The only crime I can see is for the owner of the website - failing to keep personal info secure, having a website with no security and in the public domain with personal info is a big privacy breach I would have thought.

2868 posts

Uber Geek

Trusted
Lifetime subscriber

  # 1111113 19-Aug-2014 10:03

Lias:
jeffnz: Well, I'm still lost. I've no idea now if it's "hacking" in the legal sense or if in fact what was done was illegal. All we seem to get is people's interpretations, and some I would guess would be based on their political leanings, but could be wrong.


There is much debate about it, within the IT and blog spheres, but the only legally qualified opinion I've seen so far (which admittedly is by someone with the potential for bias) came to the same conclusion I did, that no crime had been committed. 


I understand the bias and frustration it causes but would like to know the actual legality without the bias, so thank you for your post.




Galaxy S8

 

Garmin  Vivoactive 3




21276 posts

Uber Geek

Trusted
Lifetime subscriber

  # 1111117 19-Aug-2014 10:11
2 people support this post

To my way of thinking, if indeed going to www.website.co.nz gave the directory listing and this allowed access to the files in question, it's akin to playing your sex tape on the outside wall of your house with a projector, and then expecting people who walk past to avert their eyes, and if they don't trying to hold them criminally liable. 

Would you want such muppets to ru(i)n the country? I wouldn't think so. 



2846 posts

Uber Geek

Trusted
Lifetime subscriber

  # 1111164 19-Aug-2014 11:05

networkn: To my way of thinking, if indeed going to www.website.co.nz gave the directory listing and this allowed access to the files in question, it's akin to playing your sex tape on the outside wall of your house with a projector, and then expecting people who walk past to avert their eyes, and if they don't trying to hold them criminally liable. 

Would you want such muppets to ru(i)n the country? I wouldn't think so. 


But it's perfectly appropriate for senior staff from National to be involved in it right??? Since Key never gave a straight answer to that rather simple question.

We shouldn't be expecting to hold our elected officials to a higher standard as they write the laws of this country should we?





Awesome
4859 posts

Uber Geek

Trusted
Subscriber

  # 1111169 19-Aug-2014 11:12

networkn: To my way of thinking, if indeed going to www.website.co.nz gave the directory listing and this allowed access to the files in question, it's akin to playing your sex tape on the outside wall of your house with a projector, and then expecting people who walk past to avert their eyes, and if they don't trying to hold them criminally liable. 

Would you want such muppets to ru(i)n the country? I wouldn't think so. 




No, it's a bit like finding a DVD on someone's front step labelled "Private Sex Tape" and instead of knocking on the door and handing it over, taking it home, watching it then uploading it to YouTube and sharing the link.

The info they leaked wasn't at the root of the directory structure exposed at the domain level, they went digging in sub folders, and downloaded and rebuilt an SQL database from its backup files.

This is likely where it will get legally interesting. Sure, the directories were unsecured, but does that then mean it's OK for them to go poking around and then make copies of things you know you're not supposed to have access to?

Much better conduct from the Greens: [source]

 

Greens show they can be trusted - with folders

 

The Green Party showed a nice side of politics when it returned a misplaced folder to Nikki Kaye.

 

Spotting the folder on a flight, a party staffer contacted colleagues about what to do and was told to return it to the food safety minister unread.

 

A spokesman for Kaye confirmed the folder was misplaced, but that it contained ‘‘no sensitive information’’, with only a few speaking notes and printed pages from her diary.

 

‘‘She is very grateful to the Green Party staffer for picking it up.’’




Twitter: ajobbins


774 posts

Ultimate Geek
Inactive user


  # 1111171 19-Aug-2014 11:14

I'm not sure the "leaving the front door to your house open" analogies are entirely correct to use in this case.

Labour *PUBLISHED* this information in clear text on the public internet.  There was no circumventing of any security.  No backdoors access.  Credit Card and private membership data should never have been stored on an Internet Webserver in the first place.  Let alone in an unencrypted and unsecured form.

The correct analogy is that you took all of your valuable possessions and carried them all out to the street and left them lying beside the kerb.  Nobody has to even enter your property to look through or take your stuff.  (At least they didn't advertise the fact that they were having the equivalent of an un-manned garage sale ;-)

Is it morally wrong to trawl through such material?  Probably.  Is it fair game to lambast someone for being so irresponsible with data that they have a "duty of care" to protect?  ABSOLUTELY.



