lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-id: <4F172814.15193.EB9EABAF@nick.virus-l.demon.co.uk>
Date: Thu, 19 Jan 2012 09:14:12 +1300
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Full-Disclosure Digest, Vol 83, Issue 21

BMF to Valdis:

> > Yes, people *have* been prosecuted for playing "twiddle the URL" games
> > before.  I'd have to go dig up a cite, but it's happened (hacker was basically
> > abusing a site's predictable URL scheme).
> 
> Here is one relatively recent incident of "twiddle the URL" which got
> someone prosecuted and will be familiar to some here...
> 
> http://simonhunt.wordpress.com/2011/01/19/two-charged-with-data-theft-from-june-10s-att-hack/

That's not really "twiddle-the-URL is hacking" though.

They allegedly (cough, splutter!) knowingly and wilfully twiddled a 
specific URL in a specific way that they had already determined led to 
the exposure of account details of users other than themselves, et seq. 
If that is the case they clearly were in breech of all manner of 
"unauthorized access" laws.  That has little to do with true "twiddle-
the-URL is hacking".

To get a "purer" example of "twiddle-the-URL is hacking", I seem to 
recall that there was a German case back in the late 90s/very earlier 
00s where the court ruled that a trivial act of "URL pruning" -- taking 
a published URL and removing the tail, and/or traversing back up the 
directory tree exposed by the _published_ URL -- was an act of 
"hacking" (I don't recall the exact German legal issue/charge, but am 
fairly sure it was something other than a trivial/silly (mis-) 
application of "unauthorized access").

I can't be bothered trying to find a record of that case -- previous 
attempts last time I recall this issue arising in this list failed -- 
but I will refer you to a UK case from 2005:

   http://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted/

   http://www.pmsommer.com/CLCMA1205.pdf

Basically, given a URL like http://example.com/?foobar or 
http://example.com/foobar.php has been published in some way, and 
http://example.com/ has not, this case suggests that trying to access 
that second URL is an "unauthorized access" offence.  In particular, 
note from p. 2 of the PDF in the second URL, above:

   But the prosecution said that Cuthbert must have known the directory
   traversal was unauthorised. It was this interpretation the court
   accepted; in effect, overall intent was irrelevant, there were no
   circumstances in which there was consent for directory traversal.

This conviction seems to be pretty widely seen as a trivial/silly mis-
application of the UK's Computer Misuse Act "unauthorized access" 
offence:

   http://www.legislation.gov.uk/ukpga/1990/18/section/1

There are bound to be other vaguely similar cases in the UK and other 
jurisdictions.



Regards,

Nick FitzGerald


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ