Message-id: <4C195A77.13429.F49F3A1@nick.virus-l.demon.co.uk>
Date: Thu, 17 Jun 2010 11:12:55 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Congratulations Andrew

T Biehn wrote:

> Furthermore if I access an online resource and I notice that the information
> ends and the URL has a &page=1 on the end and no link exists on that page to
> say... &page=2 is that illegal?

IANAL, but I recall a few years back a huge uproar over a case in 
Germany where the ruling effectively was that what you just described 
would be considered "illegal access" (or "unauthorized access" or 
whatever the actual wording of the relevant German law is, translated 
into English).  IIRC, the precise details in that case revolved around 
the technically simpler act of crawling back up the directory tree 
exposed by a publicly disclosed URI.  That is, the judge (??) ruled 
that accessing a URI like:

   http://www.example.com/1/2/

was in breach of whatever law when, in fact, only a URI like:

   http://www.example.com/1/2/3/

or:

   http://www.example.com/1/2/foo.htm

had ever been explicitly published or provided in an authorized page as 
a link.

Again, as I understand that ruling, it effectively said that accessing 
any URI that had not been explicitly published as a link was deemed to 
be unauthorized access.

In and/or from Germany, of course...

> On the same note, if I notice something that looks like a SELECT statement
> in a URL (due to excellent coding) is it illegal for me to modify that
> SELECT statement to return other information?

To _return_ (that is "only read") other data?  That's getting greyer...

However, under most jurisdictions with some legal notion of "authorized 
access" the answer is probably "fairly clearly yes" if you alter such 
URIs in ways that are likely to alter the contents of the database.  
The reasoning here goes something like if you have the ability to 
recognize that that is what those parts of the URI are for, then it is 
likely to be deemed reasonable that you should also understand the 
implications of altering those parts of such a URI.  If you then issue 
a request for such a modified URI that you reasonably should have been 
aware would alter data in whatever database, then you are knowingly 
altering data that you do not know you have authorization to alter (or, 
worse, that you know you do not have authorization to alter).

> Is the legality of access to the resource something that must be explicitly
> granted to me or is it some abstract property depending on the content I've
> accessed? Is it legal to randomly fuzz web service arguments without knowing
> the data that it will return?

Good questions, but in general, in jurisdictions with notions of 
authorized access, you should be very careful with _other people's_ 
data, as it is unlikely the courts will have much sympathy for you 
tweaking anything that is not explicitly "yours", particularly if you 
appear to be aware that accessing or changing someone else's data that 
you reasonably should know you were not entitled to access/change in 
that way was a likely outcome.

That is, just because you can doesn't mean you should...

> Usually systems of this nature will have an EXPLICIT notice that you cannot
> access data on it unless you're authorized OR will require (as it does now)
> authentication.

AFAIK, most "authorized access" type legislation puts the onus _on the 
accessor_ to be _sure_ that they have the proper authority for whatever 
they are doing, and _not_ on the access provider to _prevent_ anything 
but authorized access.

> Did the ICCID count as authentication if it is not explicitly labeled by
> AT&T as such? A field like:
> &password would clearly be illegal to brute force.
> 
> An analogy to a case with CLEARLY AND EXPLICITLY defined law regarding
> private property doesn't really seem to fit.

Sorry -- don't know what US (and even possibly which state) legislation 
would cover this case.  Presumably some ugly intersection of federal 
laws and those of the states where the perpetrator(s) resided 
(and/or obtained access from), the state(s) where the accessed AT&T 
server(s) were, perhaps even the state where AT&T is incorporated 
and/or has its head office, and perhaps even the state(s) where the 
network access services, proxy devices, etc used by the perpetrators 
were?



Regards,

Nick FitzGerald


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
