Nonsense | 269 comments
"encoded in plain text"
Authored by: Anonymous on Tuesday, July 02 2013 @ 06:41 PM EDT

.... I can't stop laughing....

encoded in plain text
Like this post - I've encoded it in plain text.... you'll need to decode it before you can understand the joke!

RAS

[ Reply to This | Parent | # ]

Nonsense
Authored by: tknarr on Tuesday, July 02 2013 @ 08:27 PM EDT

And? A lot of Web sites use query-string parameters to identify pages. You can see it on Groklaw itself. The URL for this page is "http://groklawstatic.ibiblio.org/article.php%3fstory=20130702033515452". Notice the value of the "story" variable. It's a story identifier. It's pretty obvious by looking at the URL that you should be able to change that value to get other stories. It's even pretty clear from looking at the value that it starts with a date in YYYYMMDD format. If I go and start poking around fetching URLs by picking a date and trying 9-digit numbers after that date as the "story" value, is that unauthorized access? Obviously not, Groklaw hasn't even asked for authorization yet and it's a public site that (for the most part) doesn't require authorization to access stories (and where it does, it's not going to serve up the story until you've logged in no matter how you try to get at it). Yet by your logic my access is unauthorized. It has to be, because I'm doing exactly the same thing in exactly the same way as you say is unauthorized at the AT&T site.

Again, you can't simply decide something's off-limits and make everybody else abide by your (unknown to them) decision. You have to take some sort of measure to demand authorization and prevent access if proper authorization isn't presented. AT&T didn't. They hoped that nobody would look at their URLs and notice the values, they hoped nobody would try substituting other values, but they did not do anything to prevent access if someone tried different values. And it is not our job to secure AT&T's Web site. It's their job. If there's a lobby to a building with the doors unlocked and open, it's not my job to figure out whether the company really intended for anyone to be able to walk into the lobby or whether you're only supposed to enter if you're one of their employees. If they want it to be employees-only it's their job to put locks on the doors that open only to keycards issued to employees or at the least have the doors closed and latched with "Employee Access Only" signs on them. If they can't be bothered to do that much, then it's Not Our Problem.

[ Reply to This | Parent | # ]

Nonsense
Authored by: Anonymous on Wednesday, July 03 2013 @ 08:50 AM EDT
Maybe he was a "punk" and a dishonorable person, but that
doesn't mean he broke the law. Spin it how you will, but AT&T
posted these email addresses in public and this guy just
collected them and shared them. Because a big company wound
up with egg on their faces, this weasel gets punished.

This isn't any different from dialing a series of consecutive
phone numbers and listening to see how the call is answered.
That might be rude, but it isn't "hacking".

[ Reply to This | Parent | # ]

Nonsense
Authored by: Anonymous on Friday, July 05 2013 @ 07:11 PM EDT
I went to the website Wikipedia.org and submitted the fake name "Barack
Obama" as part of the URL: http://en.wikipedia.org/wiki/Barack_Obama

It then returned personal information such as Obama's date of birth (August 4,
1961), and place of birth (Kapiʻolani Maternity & Gynecological
Hospital Honolulu, Hawaii).

He simply went to publicly available webpages and read the email addresses
stupidly posted to the public at those webpages. AT&T specifically did NOT
place any login authorization in front of these webpages.... these pages *were*
the login webpages that AT&T specifically sent to the unauthenticated
general public who had not (yet) logged in.

It's like walking down the street and looking at the number publicly posted on
the door of each house. AT&T had set up a separate login webpage for each
person, with that person's email address PUBLICLY posted on those publicly
accessible webpages. It's like Facebook posting people's personal information on
people's profile pages, displaying that profile page to people who are not yet
logged in, and Facebook complaining that no one is supposed to look at that
profile page is the person themselves who go there to enter their password and
log in.

-

[ Reply to This | Parent | # ]
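
Added example, not part of any comment above and not AT&T's or Groklaw's code: a sketch of the point the thread keeps returning to, that a page keyed only by an identifier in the URL serves whoever asks unless the server itself demands authorization. The account numbers, addresses, session store and function names are all constructed for illustration.

```python
import secrets

# Constructed sample data: account identifier -> e-mail address.
ACCOUNTS = {
    "1000001": "alice@example.com",
    "1000002": "bob@example.com",
}

# Constructed session store: session token -> account it was issued for.
SESSIONS = {}


def issue_session(account_id):
    """Stand-in for a completed login; returns an unguessable token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def login_page_unchecked(account_id):
    """The design the comments describe: the identifier in the URL alone
    decides whose e-mail address is pre-filled on the page."""
    email = ACCOUNTS.get(account_id)
    if email is None:
        return 404, ""
    return 200, email


def login_page_checked(account_id, session_token=None):
    """Hardened form: personal data is returned only when the caller
    presents a session that was issued for this same account."""
    owner = SESSIONS.get(session_token) if session_token else None
    if owner is None or owner != account_id:
        # Same answer for unknown IDs and for other people's IDs, so the
        # response does not reveal which identifiers exist.
        return 200, ""
    return 200, ACCOUNTS.get(account_id, "")


def anonymous_exposure(handler, candidate_ids):
    """Regression check: which addresses does a caller with no session get?"""
    results = (handler(cid) for cid in candidate_ids)
    return [body for status, body in results if status == 200 and body]
```

Run against the two constructed accounts, `anonymous_exposure` returns both addresses for the unchecked handler and an empty list for the checked one.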

Groklaw © Copyright 2003-2013 Pamela Jones.
All trademarks and copyrights on this page are owned by their respective owners.
Comments are owned by the individual posters.

PJ's articles are licensed under a Creative Commons License. ( Details )