Is It Still A Hack If The Content Was Available In The Open?

from the security-by-stupidity dept

As the investigation continues into the supposed hack of California Gov. Arnold Schwarzenegger’s computers, apparently the evidence is now pointing to his gubernatorial race challenger, Phil Angelides’ offices. Of course, Angelides’ team has a pretty good excuse: they claim the content was on an open server, not protected at all. It’s not yet clear if this is accurate or not, but if it turns out to be true, it’s hard to see how anyone can accurately call that “hacking.” Most people, I think, would simply call it incompetent.


Comments on “Is It Still A Hack If The Content Was Available In The Open?”

62 Comments
Johnson says:

Re: Re: incompetent or not ...

yeah… if Angelides’ folks did this, it’s still sleazy and… illegal?

Potentially, yes. All of the government servers that I connect to have a warning about “authorized use only”.

Frankly, after what came out when the Governator was elected, I don’t see why this is a big deal. Only partisan hacks on both sides will care.

Seth (user link) says:

Re: incompetent or not ...

One more person that doesn’t understand how networks have worked since ARPANET.

If a network is not protected, it is assumed to be open for everyone. That is why I personally don’t see anything wrong with using people’s open wireless AP’s or what this person did (assuming they are telling the truth).

Centurion says:

Re: incompetent or not ...

If you have no fence around your front yard you can’t prosecute for trespassing someone who is standing in your grass if you have never told them they are otherwise not allowed to.

If you place an open server on that Internet, you obviously have no issues with sharing the data on it. If it was a mistake made by you, my question would be do you also have to remind yourself to breathe at regular intervals?

Ferd says:

I’ve worked in IT for 24 years and I still don’t get the mentality that somehow things are “just different” when talking about computers.

If I leave my truck unlocked and the keys in it and you drive off with it, if caught, you will be arrested for stealing.

If I leave my house unlocked and you enter it you can be arrested for trespassing (or shot if I wake up with you standing over my wife).

If you take a co-worker’s purse from on top of the desk in the open-air cubicle she works in, you are stealing.

If the sexy girl wears a short skirt and walks alone to her apartment, she is *not* asking to be sexually assaulted – and any such assailant would be prosecuted.

But, if I neglect to close every port, or fail to CHMOD every directory, or don’t set up a honeypot, then heaven help me, poor fool, because when we’re talking about computers, its ok to trespass, rape, and steal from anyone because, well, you can?

Maybe once ppl graduate from college they should be required to go back to kindergarten for a year: “No, Jimmy. Give Kevin back his juice box. We don’t take things that don’t belong to us.”

Jesse McNelis (user link) says:

Re: Re:

If a system is open then permission is assumed.
Otherwise the internet wouldn’t function.
Imagine having to call up each website provider to check if you have permission to view their site.

Now what is interesting about the way a server works is that that is exactly what you do.
When I request a webpage I ask the server “Can I have this page?”
and it replies by sending it to me. Therefore it has granted me permission to view it, the owner of the server is in control of it and therefore responsible for its actions.

Aaron Friel says:

Re: Re:

Except the law should treat the internet more like a public information store, as in a library, or a public transportation device, as in a road.

You see, he didn’t do anything illegal. He drove his virtual car (probably Internet Explorer) to a valid destination (a server) and opened a file at the destination that was left open for everyone (like, say, him walking into a library and opening a book.)

You see, it is not trespassing to enter a public building, nor is it trespassing to enter a public server. For private businesses or privately owned servers that allow the public to enter freely, it is assumed that until they (the owners, lease-holders, what-have-you) tell you to leave, you cannot be charged with trespassing. So if there is no notice on the server that the data is for only certain individuals, then there is no way they could know that what they were doing was illegal. And, in fact, it shouldn’t be.

You keep trying to form analogies that suggest files on the internet are like physical goods, but really, they’re more like books at public or private libraries. And the servers are those public or private libraries. Unless the library says you cannot enter, or denies you the ability to read certain books, it is not illegal.

You picked the inappropriate metaphor, and so your argument loses merit.

Dima says:

Re: (Ferd's comments)

up a honeypot, then heaven help me, poor fool, because when we’re talking about computers, its ok to trespass, rape, and steal from anyone because, well, you can?

Sorry buddy but your slippery slope argument fails to hold water.

1.

If I leave my truck unlocked and the keys in it and you drive off with it, if caught, you will be arrested for stealing.

And – if I crash the stolen car you will still be held liable for the damages because you were neglectful in protecting it.
In tort law this is actionable negligence (see Jackson v. Ryder Truck Rentals, Inc). So… in this case the person who put it on the public server is negligent and should be held liable

2. Leaving the house unlocked
– Again, while the trespass is not legal you will still be held liable if they trip or fall. Also, don’t see the parallel between the two. A networked outside publicly accessible server is by definition closer to a public sidewalk rather than a house.

3. Rape – um… how the heck did this get involved? Slippery slope gets to the bottom of the hard fall…

4.

But, if I neglect to close every port, or fail to CHMOD every directory, or don’t set up a honeypot, then heaven help me, poor fool, because when we’re talking about computers, its ok to trespass, rape, and steal from anyone because, well, you can?

No – I don’t think that stealing money from bank accounts because someone is stupid to fall for phishing is ok nor is a ddos very nice.
But… I would say that if you don’t lock up your servers front door and end up leaking information then you are negligent and should be held responsible.

To take your argument and apply it, if I live on Main st and stand naked in front of my first story window – that doesn’t make the people passing by criminals for looking.

In the case of this story – if I don’t close my shades, even if I didn’t think anyone could see through my second story window, I would be responsible.

jack says:

Re: No

… but this isn’t a bike. It’s a digital document. I can take it a million times over and it will still be on the server.

Let’s ignore that though, if you left your bike in a refuse bin how’s anyone supposed to know that it’s not trash? If documents on a network aren’t protected it’s just like saying it’s free to download.

corrosione says:

Re: Re: No

invalid…if a bike is in the dumpster it is considered public property because the public pays for that property, which is why you can rummage through the trash. My yard or server that i pay for is not public property. And if this was a public server not designed for the governor and only his staff then the same applies.

Brian (profile) says:

I think you guys are missing the point. This isn’t stealing, it’s more about privacy. What was stolen exactly?

If you leave your bike in your yard and I take it, it is stealing. If I just make an exact copy and leave your bike alone, what is that? Nothing has been lost, exactly privacy perhaps. This is the same BS that causes all sorts of grief in software licensing, since technically a copy of an app has to go into memory to run, thereby “duplicating it”.

But don’t you forfeit your right to privacy by allowing something to be seen by the world?

Keep your eyes on this. Far-reaching implications are in the works, especially since this issue has now been poisoned in the political realm.

no brian. says:

wrong

in this case he was not leaving the information with the intent that the whole world see it. It was on a computer on the internal network of the building. At work you would not go snooping around other people’s computers on the networks and making their personal files public right? This is the same thing. Don’t compare a bike to computer files..cmon. Get up to date. When hackers steal personal information from the credit card company they are just making “copies” if you will, but it does not make it right.

common cents says:

Re: wrong

No, it’s not right… but it’s also the credit card company’s responsibility to take security measures to ensure that this doesn’t happen (or at the very least make it extremely hard). Let’s be real though, when you have the $$ they do then it’s just easier to buy off the criminal if he “promises” not to use or distribute the information. So I ask you now… who is in the wrong here??? By using this new technology you take the responsibility/burden to safeguard anything that you do not want open to the public. (The easiest way to do this is to have a stand alone PC not connected to any network/internet in a locked room for only you & your guest to use)

Anonymous Coward says:

maybe its just bad manners

Can we just say that it’s really bad manners? It’s impolite to look at files you weren’t intended to look at. It’s bad manners to read IMs that pop up at your coworker’s desk. It’s not good form to read emails that were sent to you on accident.

Just because it’s there and available doesn’t mean you are entitled to look at.

Just because someone didn’t explicitly permit you to look at it doesn’t mean it’s trespassing.

It’s neither way–data is out there in the open because it’s better for everyone that way. Don’t access it if it’s not your business. Stealing files from an opponent’s open machine is like passing around embarrassing photos or bandying about ancient mortifying quotes. Certain bad manners and dirty tricks are OK in our political climate, and so that’s what was done. You use what your opponent gives you and go for a crude, decisive victory.

But we can solve this problem in general as an issue of manners.

nonuser says:

Re: maybe its just bad manners

Reminds me of the incident where applicants to Harvard and other business schools were caught editing URLs so they could see their personal status screens, which were supposed to be private. In that case, I had no problem with Harvard disqualifying the applicants. A candidate for a job or university class is expected to be on his/her best behavior, and a gaffe exposing questionable ethics or lack of social awareness can doom their chances.

But this type of lightweight hacking shouldn’t be illegal – most of us have probably edited URLs fairly innocently to see if we could get a directory listing, or to check for a “Chapter4.htm” when the search engine returns only “Chapter5.htm” etc. I haven’t heard that that was illegal. Disclosure of confidential information is easily avoided by not putting them in the public directory tree of the server, or by configuring password or other protection.

Brian (profile) says:

right

Except it wasn’t on an internal server, it was on his website!

Read the recent developments: http://news.com.com/Rival+behind+Schwarzenegger+Web+flap/2100-1029_3-6115082.html?tag=nefd.top

Yep, the file was found by cutting dirs off the URL…

i.e. this page is http://techdirt.com/articles/20060912/134156.shtml

if configured properly, I shouldn’t get anything illicit by typing: http://techdirt.com/articles/20060912/

Arnold’s wasn’t configured properly, and gave a nice file listing when going directly to /speeches/

Hacking? Do we really want to lower the bar that far?

From the link:
“The controversy may center on the design of the Web server called speeches.gov.ca.gov. The California government used it to post MP3 files of Schwarzenegger’s speeches in a directory structure that looked like “http://speeches.gov.ca.gov/dir/06-21.htm.htm”. (That Web page is now offline, but saved in Google’s cache.)

A source close to Angelides told CNET News.com on Tuesday that it was possible to “chop” off the Web links and visit the higher-level “http://speeches.gov.ca.gov/dir/” directory, which had the controversial audio recording publicly viewable. No password was needed, the source said. “
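
An added example, not part of the comment above or of the original article: a check a site operator can run over their own published URLs to find parent directories that answer with a generated file listing (the condition described for /dir/ above) and the files those listings expose that no published page links to. The host name, file names and responses are constructed, and the "Index of" title test is a heuristic that matches the listings Apache and nginx generate.

```python
from html.parser import HTMLParser
from posixpath import dirname
from urllib.parse import urljoin, urlsplit


class LinkParser(HTMLParser):
    """Collects <a href> targets and the <title> text of one HTML page."""

    def __init__(self):
        super().__init__()
        self.hrefs, self.title, self._in_title = [], "", False

    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self.hrefs.append(dict(attrs)["href"])
        self._in_title = tag == "title"

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def parse(body):
    parser = LinkParser()
    parser.feed(body)
    return parser


def parent_dirs(url):
    """Ancestor directory URLs of `url`, deepest first: what URL 'chopping' reaches."""
    parts = urlsplit(url)
    path = parts.path if parts.path.endswith("/") else dirname(parts.path).rstrip("/") + "/"
    dirs = []
    while True:
        dirs.append(f"{parts.scheme}://{parts.netloc}{path}")
        if path == "/":
            return dirs
        path = dirname(path.rstrip("/")).rstrip("/") + "/"


def is_autoindex(status, body):
    """Heuristic: Apache and nginx title their generated listings 'Index of /path'."""
    return status == 200 and parse(body).title.strip().startswith("Index of")


def audit(published, fetch):
    """Map each browsable directory to the files it lists that no published page links."""
    known = set(published)
    for url in published:
        status, body = fetch(url)
        if status == 200:
            known.update(urljoin(url, h) for h in parse(body).hrefs)
    findings = {}
    for d in sorted({d for url in published for d in parent_dirs(url)}):
        status, body = fetch(d)
        if not is_autoindex(status, body):
            continue
        # Skip column-sort links ("?C=N;O=D") and parent-directory links.
        entries = {urljoin(d, h) for h in parse(body).hrefs
                   if not h.startswith(("?", "../", "/"))}
        findings[d] = sorted(e for e in entries if e not in known)
    return findings


# Constructed sample responses (host and file names are made up for this example).
SITE = {
    "http://speeches.example/dir/06-21.htm":
        (200, '<title>Speech</title><a href="speech-06-21.mp3">Listen</a>'),
    "http://speeches.example/dir/":
        (200, '<title>Index of /dir</title><a href="?C=N;O=D">Name</a>'
              '<a href="/">Parent Directory</a><a href="06-21.htm">06-21.htm</a>'
              '<a href="speech-06-21.mp3">speech-06-21.mp3</a>'
              '<a href="unreleased.mp3">unreleased.mp3</a>'),
    "http://speeches.example/": (403, "<title>403 Forbidden</title>"),
}


def fetch_sample(url):
    """Stand-in for an HTTP GET against the operator's own server."""
    return SITE.get(url, (404, ""))


if __name__ == "__main__":
    for d, files in audit(["http://speeches.example/dir/06-21.htm"], fetch_sample).items():
        print(d, "lists unlinked files:", files)
```

A finding clears once generated listings are turned off for that directory (`Options -Indexes` in Apache, `autoindex off;` in nginx) or the unlinked file is moved out of the served tree.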

Brian (profile) says:

Another thing just struck me… These are public, GOVERNMENT computers tasked as a web-server provided info to the public.

The TAX-PAYING public. TAXES pay for the machine to host public information.

What was stolen? Does the “thief” pay taxes? So he was stealing from whom?

My argument doesn’t apply to sensitive data of course, but are the public comments of an elected official sensitive? Who’s working for who again???

Ferd says:

Why is everyone debating this issue as if the information in question was taken from the http://gov.ca.gov/ web site?

Every available story says the recordings were lifted off of work servers in the governor’s office, not some public web server. Networked computers and systems are not the same thing as web servers and the information contained upon them does not fall in the same category as HTML pages. I really don’t think explaining http requests fully addresses this particular situation.

Besides, information on government computers IS protected by various federal and state laws. At the very least, unauthorized access of a computer is Trespass to Chattel in most states.

Hey, this should be fun for all the ‘your IP is my IP’ types here… hang around a bar in Arlington, VA after the DARPA guys get off work… listen out until some sloshed IT guy lets slip a network ID or ‘backdoor’ port he opened for nighttime work. Take this information and make as many innocent “but i didnt really TAKE anything” copies as you like of some cool Defense documents and publish them on the web and see what happens. Of course, you should hire a really good lawyer before this undertaking. 😉

Brian (profile) says:

corrosione: see #13

You do know what the internet is, right? If you buy a server I can’t legally touch it. If you put it on the internet and take no measures to protect any of the data viewable on the internet, that’s fair game! If you take actions to protect it, OK, I can’t legally touch it.

Claiming that I’m trespassing by typing URL that opens a list of all your files THAT YOU MADE PUBLICLY AVAILABLE in the first place (by placing your unprotected machine on the public network that IS the internet) is ludicrous.

I’m not stealing anything, I’m copying it. As a public official, he can’t copyright his speeches or trademark anything, so **AA’s arguments don’t even work here….

(publicly accessible, funded originally by all of our tax dollars I might add)

Charlie Sierra says:

Isn't the same as the Harvard case?

Isn’t this the same deal as the Harvard admissions student hacking case, where the students were accused of unethical behavior for editing the URL and looking for an unlocked (door) directory to either change some number or gain a peek as to their admission status?

Anybody remember what I’m talking about?

How was that case finally settled?

Frankly I think this case is a crime, and I base that on the simple common sense that an ‘unlocked’ is not legal cover for burglary.

I am just a poor simple man in fly-over country, but I do smell jail time…

Brian Carnell (user link) says:

Um, No

“Isn’t this the same deal as the Harvard admissions student hacking case, where the students were accused of unethical behavior for editing the URL and looking for an unlocked (door) directory to either change some number or gain a peek as to their admission status?”

Calling what happened at Harvard hacking is absurd. Still, Harvard was in its right to deny admission.

“Frankly I think this case is a crime, and I base that on the simple common sense that an ‘unlocked’ is not legal cover for burglary.”

Hmmm…in this case, the Governor’s office created a publicly available directory of MP3 files of the governor’s speeches on a publicly available web server owned by the State of California. It accidentally (one presumes) put an MP3 of Schwarzenegger making disparaging remarks on tape in that public directory.

Now I visit the site. Am I supposed to do some mind-reading and assume that I am allowed to listen to every one of those files *except* for this one particular file based entirely on its content (after all, there would be nothing else to differentiate it from the other MP3 files there).

Suppose the website had a bunch of images of Arnold making appearances, and somehow his webmaster forgot and accidentally included some pornographic shots of Arnold and his wife up there right next to him ribbon cutting at schools. Would it be a crime to look at the photos that the governor’s office itself has made publicly available?

There’s no crime here. Just sheer incompetence. What likely happened is someone FTPed a bunch of MP3 files of speeches from their machine to the web server and accidentally included this embarrassing MP3. But they made it public the second they did so. Whining about hacking and crimes and other such nonsense is pathetic on the campaign’s part.

VPR says:

IF the document was in an area accessible by the public, then your examples are all wrong. Instead, consider…

If I have a bike in a garage and I leave my garage door open, is it illegal for you to look at it?

What kills me is there was obviously some bad wording on that document yet they still felt the need to transfer it to a server? Someone did an “ooo boo”.

Anonymous Coward says:

If I can get to content on a computer without circumventing any protections then it is an open server.

I can look at whatever I want on an open server and it isn’t stealing.

The analogies to taking physical property or entering physical properties all fail. This is virtual and if it is open to the world, the implicit expectation is anyone in the world can and if interested will take a look.

What’s the diff between a private computer left open and a web site? What is there to tell me that I am doing something wrong? How would I know?

If I use a P2P client to get a file and the person I get the file from isn’t aware they left their P2P software running am I hacking their system and stealing their files?

Of course not.

Ferd says:

:: sigh ::

Already admitted that, until the post from Brian, all indications were that these files came from an ‘office’ computer, not a web server.

Who hasn’t backed up a few URL directories in address bar to get to that update file some overworked web schmuck mis-linked in an update notice, or some such scenario? Obviously this situation is much different than bypassing some firewall at the Gov’s office and hacking files.

To the points above, “hacking”, copying “unsecured” files from a network, etc, unlike seeing some naked exhibitionist in his garage with the door open, requires a *willful* act, some amount of intent to take, some direct conscious action… that was my point from the beginning. Whether or not some loser can find a sleazy lawyer and sue me if he wrecks the car he stole from me, the fact is he still took something not belonging to him and everyone can recognize that fact, yet when it comes to computers and digital information, the world increasingly thinks “what’s yours is mine”. Period.

it is sad, as a previous poster put it, that in today’s society the naked garage guy would draw a curious crowd of neighbors when, not too long ago, folks would have turned their heads in embarrassment and hurried on their way.

rijit (profile) says:

RE: #38 by Ferd

“it is sad, as a previous poster put it, that in today’s society the naked garage guy would draw a curious crowd of neighbors when, not too long ago, folks would have turned their heads in embarrassment and hurried on their way.”

Or they call the cops and get you arrested for indecent exposure in your own house. Happened to a neighbor.
No one ever took the time to ask him if he knew they could see or tell him what they saw. He had recently installed mirrored tint on his windows never suspecting they could see him at night.

SynApse says:

IMHO

Actually if you want to get technical the web server in question GAVE the “hacker” the file. The “hacker” simply asked the web server to give them a copy of the file in question and the web server obliged. The server did not ask for authentication, did not check to see if the “hacker” was authorized to view the information it just offered it up.

Let’s make this comparison:
The CEO of Bank of America goes completely crazy (possibly not far from the truth but bear with me). He decides to start GIVING people money. All the people have to do is ask for the money and they get it. Now I go up to him and ask for a trillion dollars. He gives it to me without asking my name or anything else about me. Did I steal it?

I don’t think so. But he sure is stupid!

Hunka Hunka says:

hack

My server goes out and asks your server “Is it ok to access this information?” and your server says “Ok, the content isn’t SECRET or anything so go ahead.” Then my server accesses the data without any special encryption or back doors…..

the data is free game, using it questionably is between you and your clergy. Ethics and Morals can’t be regulated and the internet shouldn’t be.

z0idberg says:

stealing analogy doesnt work.

It’s not like leaving a car or bike unlocked, it’s more like putting a couple of billboards up in your front yard for everyone to see and accidentally putting up a few you didn’t want anyone to see. Maybe you put them down the side of the house so the viewer had to walk down a side alley to see them, but they are still there visible to the public, the viewer didn’t have to go onto private property to see them or anything.

No stealing, no hacking.

Omirta says:

If I leave my truck unlocked and the keys in it and you drive off with it, if caught, you will be arrested for stealing.

I’ve been in IT for about 15 years and I highly disagree with your mentality…. Why was the internet created? To share information. If you do not want your information to be shared, then I suggest you store it on a local drive or a usb stick in your pocket. If you want it to be shared amongst a private group, put the restrictions on.

If I set out an open box of cookies in the break room and come back 3 hours later to find them all gone.. Do I have a right to be angry?

If I post pictures on myspace and someone steals them and uses them for profit. Do I have the right to sue?

If you put something on the net, you should expect other people to view it right? It’s like the girl who gets upset because her parents read her myspace blog. Is it now against the law to modify URL’s?

Brad Eleven (profile) says:

privacy: two-way street

I hope everyone gets that the bike analogy doesn’t work. The billboard analogy is close, but … what happened was that Arnold’s people kept these recordings in an insecure place, easily found (my 7,9,10 year-old kids are smart enough to chop URLs), and potentially embarrassing.

It’s more like being in a position where others’ opinions of you have an impact on you and your lifestyle. Don’t have an orgy in your back yard, if it’s visible to your neighbors. Or like the idiot in my USAF squadron whose dorm room was over the laundry room. He used to go out on the roof of the laundry room and smoke pot. Then he was shocked (shocked!) that the SP squadron (right next door) eventually brought dogs through the dorm.

Look, if you have nothing to hide, do everything in public. Otherwise, take steps to ensure your own privacy.

OTOH, firms which require our personal information in order to do business have a responsibility to safeguard that data. Just like Arnold’s people did.

PorradaVFR says:

Redirection...

Amazing – the issue should be the governor of California making an ignorant and racist comment, instead the focus is now on *how* the content got out and not what was said.

Remember the whole Clinton mess and whether Linda Tripp violated wiretap laws? That was buried and the focus returned to what Monica did when and to whom and how many times. None of these same conservatives cared about the potentially illegal recording of phone calls then…funny how that works… 😉

G-Man says:

this is why the internet is corrupt

The question was “is it hacking” and I find it laughable that we even should address that question.

What I am ashamed of is all of the technically savvy folks that read articles like this and truly wonder “what was done wrong?” Then they reply to comments giving all sorts of reasons why it is free to the public and is completely legal. Your “I work in IT” claims only make me more skeptical about your comments to follow. Law? You work in IT and law? great – then you really know the answer.

There is NO debate. It’s not yours – you don’t take it. Internet IS public domain. Networks are not assumed public. Simple as that. Take your chances. Speed on an open highway with no speed bumps because you can. Once the cops catch you, see how your Wild Wild West attitude holds up then!

Anonymous Coward says:

after reading several good posts, i have come to some conclusions.

first, if i have pictures on a myspace or facebook account, anyone can get to them. including potential employers. (i just graduated from PSU and know all about this) is it right for the employer to go to the social site and see what i’m doing? well if i’m a member of “420 = 2 blunts a day”, “screw work, i’m going drinking” and “i don’t study, i sit next to the smart kid” groups, i doubt i’ll get hired. however can i sue the company because they weren’t supposed to see that? well i set it in the open, and they got it.

now that was in a very public place. on the main page, no url hacking or anything. now do i have to go to http://www.google.com and type in google maps to get there, or can i put maps.google.com in. what about my local movie chain. to get to the store, can i type http://www.moviepalace.com/“state”/”city”/index.htm to get there? i think so.

now how about a library example. I walk into a library, pick out a book, make copies of it on the photo copier and walk out. i don’t belong to the library or anything, but because it’s public i can go in and read, just not take out. if the “hacker” deleted the file, that’s something different.

and yes, the internet is based on permissions. your computer goes to a server and says, i’m so and so, i want this data. the server is either like…you check out, here ya go, or helz no, you ain’t got no permisionz n00b and kickbans you.

moreover, the internet is a place for information. i have a credit card, do i post it on a webserver? nope. that way, no one can get it. do i want people to read my documents on my computer? no, so i lock them up. the internet was a way to share information. if it is on the web, it is meant to be shared. it is up to the poster to secure it. if they don’t want joe schmoe to read it, they put passwords and computer checks and whatnot up. they don’t just not publish the location.

same thing happened at psu, a prof. had old tests on his course website. they weren’t on a true link, but if you typed …/tests/index.htm you got to them, or whatev. then the prof used the same questions on the tests for the next semester, and everyone got like 90s. he was upset and said it was cheating because ppl dld the test. he got away with giving low grades because he has the power to assign grades as he sees fit. dumb on his part, ingenious on the students part, yet no one really came out ahead. the students had lower grades, and the prof didn’t have students the next term.

so it’s not illegal. possibly immoral, but hey free is free.

Lin says:

a question?

I know this is not about IM’s, but I have a question about email I was wondering if anyone can answer. I sent an email to a coworker telling her the comments that another coworker had made to me when they flew off the handle for no reason at all (this is a habitual thing for them). Another coworker got into the email somehow of the person I sent the email to, and printed it out and made copies and is trying to get me in trouble. What can be done about this? I am not ashamed of what I wrote, because I only repeated what was said to me, and I did not write their names.
