[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-id: <4F172814.15193.EB9EABAF@nick.virus-l.demon.co.uk>
Date: Thu, 19 Jan 2012 09:14:12 +1300
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Full-Disclosure Digest, Vol 83, Issue 21
BMF to Valdis:
> > Yes, people *have* been prosecuted for playing "twiddle the URL" games
> > before. I'd have to go dig up a cite, but it's happened (hacker was basically
> > abusing a site's predictable URL scheme).
>
> Here is one relatively recent incident of "twiddle the URL" which got
> someone prosecuted and will be familiar to some here...
>
> http://simonhunt.wordpress.com/2011/01/19/two-charged-with-data-theft-from-june-10s-att-hack/
That's not really "twiddle-the-URL is hacking" though.
They allegedly (cough, splutter!) knowingly and wilfully twiddled a
specific URL in a specific way that they had already determined led to
the exposure of account details of users other than themselves, et seq.
If that is the case they clearly were in breech of all manner of
"unauthorized access" laws. That has little to do with true "twiddle-
the-URL is hacking".
To get a "purer" example of "twiddle-the-URL is hacking", I seem to
recall that there was a German case back in the late 90s/very earlier
00s where the court ruled that a trivial act of "URL pruning" -- taking
a published URL and removing the tail, and/or traversing back up the
directory tree exposed by the _published_ URL -- was an act of
"hacking" (I don't recall the exact German legal issue/charge, but am
fairly sure it was something other than a trivial/silly (mis-)
application of "unauthorized access").
I can't be bothered trying to find a record of that case -- previous
attempts last time I recall this issue arising in this list failed --
but I will refer you to a UK case from 2005:
http://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted/
http://www.pmsommer.com/CLCMA1205.pdf
Basically, given a URL like http://example.com/?foobar or
http://example.com/foobar.php has been published in some way, and
http://example.com/ has not, this case suggests that trying to access
that second URL is an "unauthorized access" offence. In particular,
note from p. 2 of the PDF in the second URL, above:
But the prosecution said that Cuthbert must have known the directory
traversal was unauthorised. It was this interpretation the court
accepted; in effect, overall intent was irrelevant, there were no
circumstances in which there was consent for directory traversal.
This conviction seems to be pretty widely seen as a trivial/silly mis-
application of the UK's Computer Misuse Act "unauthorized access"
offence:
http://www.legislation.gov.uk/ukpga/1990/18/section/1
There are bound to be other vaguely similar cases in the UK and other
jurisdictions.
Regards,
Nick FitzGerald
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists