Date: Thu, 19 Jan 2012 09:14:12 +1300
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Full-Disclosure Digest, Vol 83, Issue 21

BMF to Valdis:

> > Yes, people *have* been prosecuted for playing "twiddle the URL" games
> > before.  I'd have to go dig up a cite, but it's happened (hacker was basically
> > abusing a site's predictable URL scheme).
> 
> Here is one relatively recent incident of "twiddle the URL" which got
> someone prosecuted and will be familiar to some here...
> 
> http://simonhunt.wordpress.com/2011/01/19/two-charged-with-data-theft-from-june-10s-att-hack/

That's not really "twiddle-the-URL is hacking" though.

They allegedly (cough, splutter!) knowingly and wilfully twiddled a 
specific URL in a specific way that they had already determined led to 
the exposure of account details of users other than themselves, et seq. 
If that is the case they clearly were in breach of all manner of 
"unauthorized access" laws.  That has little to do with true "twiddle-
the-URL is hacking".

To get a "purer" example of "twiddle-the-URL is hacking", I seem to 
recall that there was a German case back in the late 90s/very early 
00s where the court ruled that a trivial act of "URL pruning" -- taking 
a published URL and removing the tail, and/or traversing back up the 
directory tree exposed by the _published_ URL -- was an act of 
"hacking" (I don't recall the exact German legal issue/charge, but am 
fairly sure it was something other than a trivial/silly (mis-) 
application of "unauthorized access").

I can't be bothered trying to find a record of that case -- previous 
attempts last time I recall this issue arising in this list failed -- 
but I will refer you to a UK case from 2005:

   http://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted/

   http://www.pmsommer.com/CLCMA1205.pdf

Basically, given a URL like http://example.com/?foobar or 
http://example.com/foobar.php has been published in some way, and 
http://example.com/ has not, this case suggests that trying to access 
that second URL is an "unauthorized access" offence.  In particular, 
note from p. 2 of the PDF in the second URL, above:

   But the prosecution said that Cuthbert must have known the directory
   traversal was unauthorised. It was this interpretation the court
   accepted; in effect, overall intent was irrelevant, there were no
   circumstances in which there was consent for directory traversal.

This conviction seems to be pretty widely seen as a trivial/silly mis-
application of the UK's Computer Misuse Act "unauthorized access" 
offence:

   http://www.legislation.gov.uk/ukpga/1990/18/section/1

There are bound to be other vaguely similar cases in the UK and other 
jurisdictions.



Regards,

Nick FitzGerald


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
