Does obtaining private data from a "misconfigured" website violate the law?

maxparrish

Does obtaining leaked data from a misconfigured website violate the CFAA?

The U.S. Department of Justice is currently prosecuting Ross Ulbricht for being the apparent mastermind of the illegal narcotics website Silk Road, which was run for years on a hidden website. In defending the prosecution, the U.S. Attorney’s Office recently filed a very interesting brief explaining how investigators found the computer server that was hosting the Silk Road (SR) server. Although the brief is about the Fourth Amendment, it has very interesting implications for the Computer Fraud and Abuse Act, the federal computer hacking statute.

The brief explains how the FBI found the SR server:...

http://www.washingtonpost.com/news/...rom-a-misconfigured-website-violate-the-cfaa/

Interesting article. Especially so because the government has charged private citizen(s) with felonies for similar sleuthing (see the article)...
 
Depends on the situation - and in both cases above I would argue that it does not. In both cases the information obtained was publicly available and did not require authentication to actually access.

If the situation were data behind a faulty authentication scheme being accessed then I feel it could be illegal - since while the mechanism was broken, it should be obvious to the person attempting to gain access that they should not be intruding.

In one case we have a metaphorical street number on a sign which was turned to not face the street, and in the other we have the proverbial unlocked door. SR and AT&T tried to obscure information but did not make an effort to secure it.
 
I think it should be legal.

Whether done by the government or a private individual.

Now, accessing the systems thus revealed is another matter and very well might be illegal.
 
FBI personnel entered the Subject IP Address directly into an ordinary (non-Tor) web browser, and it brought up a screen associated with the Silk Road login interface, confirming that the IP address belonged to the SR Server.
This has got to be the stupidest cyber-criminal ever.
And I agree, it should be perfectly fine and legal for the FBI to do that.
 
Fuck if I believe the FBI is telling the truth. They use Parallel Construction all the time.
 
I wouldn't call them the stupidest.

The basic problem is that he wasn't a computer security guy in the first place. He didn't *KNOW* how to do it right. He sought help with doing it, that doesn't protect him against configuration errors.
 
And that makes him the stupidest. He did not know how to do it yet he decided to do it.
 

Did you read the whole article? Others said that the server revealed its IP long ago.

The fact that he couldn't isn't proof it was impossible at other times. A fixed security hole doesn't mean it didn't exist before.

- - - Updated - - -

I consider a guy who knew better but left it open anyway to be stupider than the guy who didn't know.
 
Yes, that would be stupider, but that has not happened yet, unless of course that's what happened. Either way, the guy is the stupidest cyber-criminal.
 
Yes, did you read the full analysis that was linked in the article?

https://www.nikcub.com/posts/analyzing-fbi-explanation-silk-road/
I don't quite get why the FBI can't just say the truth that they read it on reddit :)
I see no shame in that. And the guy is still stupid.
 
Yeah. Stupid. Running a billion dollar criminal enterprise with PHP and a newb programmer.
 