| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 16 Jun 2010 20:25:12 +0000
From: "Thor (Hammer of God)" <Thor@...merofgod.com>
To: T Biehn <tbiehn@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Congratulations Andrew
On all those points, I agree. But that's the problem - there is no explicit granting of rights unless, well, they are explicit. That's why *I* get to say what is legal or not as the owner.
If you telnet to 80 on my box, and type HEAD / HTTP/1.0 then that's fine. But if you type HEAD / HTTP/SIRHACKALOT then I can say you were trying to hack into my system. And I could probably get some DA somewhere who's looking for press to buy into it.
That's the real problem here. It's like Apple having the cops break down the door of the journalist who wrote about the phone. That's Stormtrooper stuff if you asked me, but yet, he's got to defend himself against the charges. And that costs money.
Anyway, I agree with you in theory on everything you've said, but the unfortunate truth is that there your implicit rights to data do not translate into explicit.
t
From: T Biehn [mailto:tbiehn@...il.com]
Sent: Wednesday, June 16, 2010 1:18 PM
To: Thor (Hammer of God)
Cc: wilder_jeff Wilder; full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] Congratulations Andrew
Lets just call a spade a spade here:
AT&T got butthurt at the media ruin and forced the man to come down hard on someone.
A perfect someone to restore public faith in the order of the world was Weev.
So AT&Ts lawyers drafted some bum legal pretense under which to raid weev looking for some related incriminating content and handed it off to the cops. Of course they were going to find something illegal on his premises, have you seen half the shit he writes online?
This is another instance of Corporate Policy leading to unjustified Policing action; it is the second such occurrence in the past few months. Maybe AT&T schooled Apple in mobile networking and in turn Apple schooled AT&T in corporate control of public police forces.
-Travis
On Wed, Jun 16, 2010 at 4:12 PM, T Biehn <tbiehn@...il.com<mailto:tbiehn@...il.com>> wrote:
Furthermore if I access an online resource and I notice that the information ends and the URL has a &page=1 on the end and no link exists on that page to say... &page=2 is that illegal?
On the same note, if I notice something that looks like a SELECT statement in a URL (due to excellent coding) is it illegal for me to modify that SELECT statement to return other information?
Is the legality of access to the resource something that must be explicitly granted to me or is it some abstract property depending on the content I've accessed? Is it legal to randomly fuzz web service arguments without knowing the data that it will return?
Usually systems of this nature will have an EXPLICIT notice that you cannot access data on it unless you're authorized OR will require (as it does now) authentication.
Did the ICCID count as authentication if it is not explicitly labeled by AT&T as such? A field like:
&password would clearly be illegal to brute force.
An analogy to a case with CLEARLY AND EXPLICITLY defined law regarding private property doesn't really seem to fit.
-Travis
On Wed, Jun 16, 2010 at 3:58 PM, T Biehn <tbiehn@...il.com<mailto:tbiehn@...il.com>> wrote:
So what grants you legal access to aol.com<http://aol.com> (HTTP port 80 get / )?
I'm confused? Does search engine indexing grant legal access to online resources?
-Travis
On Wed, Jun 16, 2010 at 3:34 PM, Thor (Hammer of God) <Thor@...merofgod.com<mailto:Thor@...merofgod.com>> wrote:
By the same logic, then yes you would. Which is why the statement "if a system has no password, then you have a legal right to whatever data is on it" is complete horse hockey.
Don't take technical advice from your lawyer, and don't take legal advice from people on security lists.
t
From: full-disclosure-bounces@...ts.grok.org.uk<mailto:full-disclosure-bounces@...ts.grok.org.uk> [mailto:full-disclosure-bounces@...ts.grok.org.uk<mailto:full-disclosure-bounces@...ts.grok.org.uk>] On Behalf Of wilder_jeff Wilder
Sent: Wednesday, June 16, 2010 11:56 AM
To: full-disclosure@...ts.grok.org.uk<mailto:full-disclosure@...ts.grok.org.uk>
Subject: Re: [Full-disclosure] Congratulations Andrew
By that same standard.. if you leave your house unlocked.... does that give someone the right to enter it?
just my thoughts
________________________________
Date: Wed, 16 Jun 2010 19:58:27 +0200
From: uuf6429@...il.com<mailto:uuf6429@...il.com>
To: tbiehn@...il.com<mailto:tbiehn@...il.com>
CC: full-disclosure@...ts.grok.org.uk<mailto:full-disclosure@...ts.grok.org.uk>; Valdis.Kletnieks@...edu<mailto:Valdis.Kletnieks@...edu>
Subject: Re: [Full-disclosure] Congratulations Andrew
Reminds be of Al Capone and tax evasion ;-)
Good ol' America.
On Wed, Jun 16, 2010 at 7:49 PM, T Biehn <tbiehn@...il.com<mailto:tbiehn@...il.com>> wrote:
Yes.
The FBI was investigating the AT&T incident, presumably the AT&T incident was what the fed were serving against.
What possible valid search warrant could be executed? There was no hack, breach, illegal access of data, or anything else for that matter.
If you leave a system online with no password which allows you to scrape content you have a legal right to scrape that content.
-Travis
On Wed, Jun 16, 2010 at 11:10 AM, <Valdis.Kletnieks@...edu<mailto:Valdis.Kletnieks@...edu>> wrote:
On Wed, 16 Jun 2010 10:09:22 EDT, T Biehn said:
> I doubt the search warrant will hold up in court.
Do you have any actual basis for saying that? Sure, the warrant might be
bullshit, it might be solid - the article doesn't give us enough info either
way to tell.
"Auernheimer was also arrested in March for giving a false name to law
enforcement officers responding to a parking complaint."
Sad. The dude may have the intelligence to pull the hack, but not have the
wisdom to not dig a hole deeper. Just man up and take the frikking parking
ticket. ;)
--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
________________________________
The New Busy is not the old busy. Search, chat and e-mail from your inbox. Get started.<http://www.windowslive.com/campaign/thenewbusy?ocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_3>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da
--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da
--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists