|
Authored by: Anonymous on Tuesday, July 02 2013 @ 06:45 PM EDT |
And that's the crux of the argument, actually. And why it's
NOT exceeding access.
To accept the argument that accessing a publicly facing URL
constitutes "unauthorized" access under ANY circumstances
requires the acceptance of a premise that it's reasonable
for the owner of a site to declare certain URL's are only
"allowed" to be accessed by certain individuals. There is
no requirement to PREVENT others from accessing the
information - no requirement to require credentials, or
authenticate the user in any way, or even post a notice that
this URL is only intended for a specific recipient. It's
enough for the author to have the INTENT that the content is
only for a certain audience.
That secret intent of the author ipso facto raises accessing
of that data by other people (regardless of whether they
even KNOW about that intent) to FELONY ABUSE of the CFAA.
Good luck using the web again if this is reasonable
precedent.
[ Reply to This | Parent | # ]
|
|
Authored by: Anonymous on Tuesday, July 02 2013 @ 07:02 PM EDT |
Is if you can't do that you can't access the web at all. There are only three
ways that you can get to the web
You either type in a url somewhere (ie the address bar of your browser) and go
visit that web page.
Or you go visit some web page someone else typed in to your browser (ie a
default homepage).
Or you can go visit a page which is a combination of a url someone else typed in
to your browser and what you typed in (ie a search bar).
In any of these three ways you or someone building software for you are simply
making an assumption that this exists, and are trying to access it. If no one
could do this (as you suggest) then no one can access the web at all.[ Reply to This | Parent | # ]
|
- The issue with this argument - Authored by: Anonymous on Tuesday, July 02 2013 @ 07:25 PM EDT
- The issue with this argument - Authored by: cjk fossman on Tuesday, July 02 2013 @ 07:39 PM EDT
- The issue with your argument... - Authored by: Anonymous on Tuesday, July 02 2013 @ 07:47 PM EDT
- The issue with this argument - Authored by: tknarr on Tuesday, July 02 2013 @ 08:38 PM EDT
- The issue with this argument - Authored by: PolR on Tuesday, July 02 2013 @ 09:13 PM EDT
- You can tell this guy didn't read the brief - Authored by: Anonymous on Tuesday, July 02 2013 @ 09:39 PM EDT
- The issue with this argument - Authored by: Anonymous on Tuesday, July 02 2013 @ 10:12 PM EDT
- Public website = house, terrible analogy - Authored by: Anonymous on Tuesday, July 02 2013 @ 10:46 PM EDT
- exactly - Authored by: Anonymous on Thursday, July 04 2013 @ 08:49 AM EDT
- The Butler Did It - Authored by: Anonymous on Wednesday, July 03 2013 @ 11:58 AM EDT
- A Phonebook is a better analogy for this - Authored by: Anonymous on Wednesday, July 03 2013 @ 11:37 PM EDT
- The issue isn't removing the window - it is stepping on the driveway - Authored by: Anonymous on Thursday, July 04 2013 @ 08:39 AM EDT
|
Authored by: Anonymous on Tuesday, July 02 2013 @ 10:24 PM EDT |
I'm wondering what he actually 'stole'. What Auernheimer had were email
addresses. He knew nothing about them other than the ICCID associated with
them.
I shall write an email address I thought up out of thin air -
pamela.jones@gmail.com. Is that the email address of our beloved PJ? I have no
idea. For all I know, it could be another Pamela Jones or some big hairy middle
aged guy who got the email address as a joke. Had that address come up from
Auernheimer and Spitler's exercise, they would have no idea either.
Sure, I could make up some email addresses that don't exist. Auernheimer and
Spitler no doubt found ICCID values that don't exist too. So what?
If I created a list of email addresses sourced from nothing but my own
imagination and posted them, would I have committed a crime? Unlikely it may be,
I could dream up exactly the same list Auernheimer published.
Finally, AT&T would have had their own internal processes for assessing the
security implications of anything they put up on the internet. No doubt, they
would have assessed the risk as low. After all, usernames (which is what they
were using the email addresses for) are generally not regarded as a highly
sensitive piece of information - that is why we have passwords. It seems to me
that this whole case stems from the fact that AT&T were embarassed by what
was effectively their own actions and decisions and made a big issue out of it
to deflect criticism. Better to claim you were hacked rather than admit you
didn't think it was important in the first place.[ Reply to This | Parent | # ]
|
|
|
|
|