• Zagorath
      link
      fedilink
      arrow-up
      27
      ·
      2 months ago

      I have no idea what the law is in India, but if he got a “hacking” charge for this it would be a gross miscarriage of justice, considering he never once did anything resembling social engineering, brute forcing passwords, any sort of injection attack, or anything else that might actually be involved in hacking.

      However, assuming he never tried to reach out to the company themselves first (and I saw no indication in the article that he had), this is really quite a horrible irresponsible disclosure. It’s pretty obviously a significant leak of sensitive data—both customer and business data—and giving them 90 days to fix it before alerting the public to what you found is pretty basic security ethics.

      • dylanmorgan@slrpnk.net
        link
        fedilink
        arrow-up
        12
        arrow-down
        2
        ·
        2 months ago

        I also don’t know the laws in India, but in the US nearly every major “hacking” case for decades has been a miscarriage of justice to some degree or another.

        Like Kevin Mitnick who simply figured out that a major early ISP was keeping customer payment information in plaintext on an internet-connected server.

        • thesmokingman@programming.dev
          link
          fedilink
          arrow-up
          4
          ·
          2 months ago

          That’s a huge misrepresentation of what Mitnick did and how the government mischarged him. He did a bunch of dumb stuff that was illegal. He was overcharged in very bad ways supporting ridiculous lies from the companies he broke into.

      • ITGuyLevi@programming.dev
        link
        fedilink
        arrow-up
        3
        ·
        2 months ago

        Well there was that one part where he turned off his laptop after (not wanting to drop what he did here as the article was pulled), but I could totally see a company freaking out and going nuclear. That being said, I’m just looking through the FreedomGoggles that recently saw a “hacker” using F12 to compromise a bunch of teacher data. You know, their important sensitive data that was definitely not sent to their device where it could be seen by right clicking and hitting view source.

      • pandapoo@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        2 months ago

        Under US law, that would be considered hacking.

        It is antiquated, and frequently abused by prosecutors, but legally speaking hacking is as simple as accessing any system you’re not authorized to.

        And even more so, he documents alterations and changes that he made to that system e.g. ordering a soup for a random table.

        Again, only speaking for America, but this would be a textbook example of grayhat hacking, which could easily be prosecuted.

        I’m not saying it should be illegal, or that I agree, just that it currently is.

        • Zagorath
          link
          fedilink
          English
          arrow-up
          1
          ·
          2 months ago

          A good lawyer in a case with a sensible well-informed judge could run a good case, since he’s only actually making calls to an API that has not just been left open for anyone to access (which you could argue is implicit authorisation no different to how a store having unlocked doors is implicit invitation to enter the store), but has actually been explicitly invited to access by virtue of the site he was sent to in the QR code causing his browser to make requests to that API.

          Admittedly, a competent prosecutor could also make a case that by changing the query parameters, he was then losing that explicit invitation, and could then try to pick apart the implicit argument.

          Though it’s all irrelevant, because there’s a reason I said “miscarriage of justice” and not “incorrect application of the law”. If the law did find someone guilty here, it would be an unjust law. That was my point.

          • pandapoo@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            1
            ·
            edit-2
            2 months ago

            So you’re saying that if all lawyers, and judges involved, are all also programmers, security researchers, or otherwise well-versed in computer security, they might choose to ignore the law how is written, and nullify it with their own experience?

            Also, there is plenty of case law, and people with convictions on their record, for doing far less than what this guy did.

            That doesn’t mean the law is just, or that I agree with it, just that it’s currently illegal.

            • Zagorath
              link
              fedilink
              English
              arrow-up
              1
              ·
              2 months ago

              So you’re saying that if all lawyers, and judges involved, are all also programmers, security researchers, or otherwise well-versed in computer security, they might choose to ignore the law how is written

              No? That’s nothing close to what I said? I said that the law as it’s written could very likely be interpreted in a way that achieves a just outcome, as long as people involved have adequate understanding of technology.

              • pandapoo@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                1
                ·
                edit-2
                2 months ago

                If this guy was living in America, the only thing protecting him would be prosecutorial discretion, which would be bad news for him, because absent that, he’d be looking at real jail time. Because your argument is that lawyers and judges can nullify the law with their outside expertise on topics other than the law, but they can’t. That is not something they are empowered to do.

                I’m outsourcing the rest my response to Llama because i think you need a more in-depth response then I’m willing to type out on my phone screen.

                The prompt was just to summarize the CFAA, something an LLM is actually useful for:

                The Computer Fraud and Abuse Act (CFAA) is a federal law in the United States that was enacted in 1986 to address various forms of computer-related crimes. Here’s a summary of the key aspects of the CFAA:

                Purpose: The CFAA aims to prevent and punish unauthorized access to computers, computer systems, and computer data, as well as to protect against malicious activities that can cause harm to individuals, businesses, and the government.

                Key Provisions:

                • Unauthorized Access: The CFAA prohibits accessing a computer without authorization or exceeding authorized access to obtain information or disrupt the system.
                • Computer Fraud: The law prohibits using a computer to commit fraud, including obtaining something of value by false pretenses or misrepresentations.
                • Computer-Related Espionage: The CFAA prohibits accessing a computer to obtain national defense or trade secrets.
                • Computer Trespass: The law prohibits intentionally accessing a computer without authorization, causing damage or disrupting the system.
                • Computer Sabotage: The CFAA prohibits intentionally causing damage to a computer system or data.

                Penalties:

                • Criminal Penalties: The CFAA provides for fines and imprisonment for up to 10 years for first-time offenders and up to 20 years for repeat offenders.
                • Civil Liability: The law also allows for civil lawsuits to recover damages and obtain injunctive relief.

                Notable Cases:

                • United States v. Morris (1991): The first case to interpret the CFAA, which involved a computer virus that caused widespread damage.
                • United States v. Drew (2008): A case involving a woman who created a fake MySpace profile to harass a teenager, who later committed suicide.
                • United States v. Nosal (2016): A case involving a former employee who accessed his former employer’s computer system without authorization.

                Criticisms and Controversies:

                • Overly Broad Language: Critics argue that the CFAA’s language is too broad, allowing for prosecution of activities that are not necessarily malicious or harmful.
                • Chilling Effect: The law has been criticized for having a chilling effect on security research and whistleblowing.
                • Disproportionate Penalties: Some argue that the penalties under the CFAA are disproportionate to the harm caused by the offense.

                Overall, the CFAA is a complex law that aims to address various forms of computer-related crimes, but its broad language and harsh penalties have raised concerns about its impact on security research, free speech, and individual rights.

                • Zagorath
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  2 months ago

                  Because your argument is that lawyers and judges can nullify the law with their outside expertise on topics other than the law,

                  JFC why do people always do this shit? Repeatedly insist on misrepresenting someone’s argument even when they have explicitly explained why the misrepresentation is wrong…

                  • pandapoo@sh.itjust.works
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    ·
                    edit-2
                    2 months ago

                    “… said that the law as it’s written could very likely be interpreted in a way that achieves a just outcome, as long as people involved have adequate understanding of technology.

                    Okay, then if that’s not what you mean by the above, please explain your real intent.

                    Because that blog post documents at least three separate types of violations of the CFAA:

                    Unauthorized access, computer fraud, and computer trespass.

                    So I’m not sure what special technical knowledge the judges or lawyers involved could have that would resolve the case without a conviction, unless you mean that because they have that knowledge they understand how arcane and unjust the CFAA law is, and would move to nullify it.

                    But you’re adamant that is not what you mean, so help me understand.