Is It Still A Hack If The Content Was Available In The Open?
from the security-by-stupidity dept
As the investigation continues into the supposed hack of California Gov. Arnold Schwarzenegger's computers, apparently the evidence is now pointing to his gubernatorial race challenger, Phil Angelides' offices. Of course, Angelides' team has a pretty good excuse: they claim the content was on an open server, not protected at all. It's not yet clear if this is accurate or not, but if it turns out to be true, it's hard to see how anyone can accurately call that "hacking." Most people, I think, would simply call it incompetent.
Reader Comments
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Every single one of you STOLE this page!
[ link to this | view in chronology ]
incompetent or not ...
[ link to this | view in chronology ]
Re: incompetent or not ...
[ link to this | view in chronology ]
Re: Re: incompetent or not ...
Potentially, yes. All of the government servers that I connect to have a warning about "authorized use only".
Frankly, after what came out when the Governator was elected, I don't see why this is a big deal. Only partisan hacks on both sides will care.
[ link to this | view in chronology ]
Re: Re: Re: incompetent or not ...
[ link to this | view in chronology ]
Re: Re: incompetent or not ...
[ link to this | view in chronology ]
Re: incompetent or not ...
If a network is not protected, it is assumed to be open for everyone. That is why I personally don't see anything wrong with using people's open wireless AP's or what this person did (assuming they are telling the truth).
[ link to this | view in chronology ]
Re: Re: incompetent or not ...
Funny how when the shoe is on the other foot it becomes a problem....
[ link to this | view in chronology ]
Re: incompetent or not ...
If you place an open server on that Internet, you obviously have no issues with sharing the data on it. If it was a mistake made by you, my question would be do you also have to remind yourself to breathe at regular intervals?
[ link to this | view in chronology ]
If I leave my truck unlocked and the keys in it and you drive off with it, if caught, you will be arrested for stealing.
If I leave my house unlocked and you enter it you can be arrested for trespassing (or shot if I wake up with you standing over my wife).
If you take a co-worker's purse from on top of the desk in the open-air cubicle she works in, you are stealing.
If the sexy girl wears a short skirt and walks alone to her apartment, she is *not* asking to be sexually assaulted - and any such assailant would be prosecuted.
But, if I neglect to close every port, or fail to CHMOD every directory, or don't set up a honeypot, then heaven help me, poor fool, because when we're talking about computers, it's ok to trespass, rape, and steal from anyone because, well, you can?
Maybe once ppl graduate from college they should be required to go back to kindergarten for a year: "No, Jimmy. Give Kevin back his juice box. We don't take things that don't belong to us."
[ link to this | view in chronology ]
Re:
Otherwise the internet wouldn't function.
Imagine having to call up each website provider to check if you have permission to view their site.
Now what is interesting about the way a server works is that that is exactly what you do.
When I request a webpage I ask the server "Can I have this page?" and it replies by sending it to me. Therefore it has granted me permission to view it, the owner of the server is in control of it and therefore responsible for its actions.
[ link to this | view in chronology ]
Re:
You see, he didn't do anything illegal. He drove his virtual car (probably Internet Explorer) to a valid destination (a server) and opened a file at the destination that was left open for everyone (like, say, him walking into a library and opening a book.)
You see, it is not trespassing to enter a public building, nor is it trespassing to enter a public server. For private businesses or privately owned servers that allow the public to enter freely, it is assumed that until they (the owners, lease-holders, what-have-you) tell you to leave, you cannot be charged with trespassing. So if there is no notice on the server that the data is for only certain individuals, then there is no way they could know that what they were doing was illegal. And, in fact, it shouldn't be.
You keep trying to form analogies that suggest files on the internet are like physical goods, but really, they're more like books at public or private libraries. And the servers are those public or private libraries. Unless the library says you cannot enter, or denies you the ability to read certain books, it is not illegal.
You picked the inappropriate metaphor, and so your argument loses merit.
[ link to this | view in chronology ]
Re: (Ferd's comments)
Sorry buddy but your slippery slope argument fails to hold water.
1.
And - if I crash the stolen car you will still be held liable for the damages because you were neglectful in protecting it.
In tort law this is actionable negligence (see Jackson v. Ryder Truck Rentals, Inc). So... in this case the person who put it on the public server is negligent and should be held liable
2. Leaving the house unlocked
- Again, while the trespass is not legal you will still be held liable if they trip or fall. Also, don't see the parallel between the two. A networked outside publicly accessible server is by definition closer to a public sidewalk rather than a house.
3. Rape - um... how the heck did this get involved? Slippery slope gets to the bottom of the hard fall...
4.
No - I don't think that stealing money from bank accounts because someone is stupid to fall for phishing is ok nor is a ddos very nice.
But... I would say that if you don't lock up your servers front door and end up leaking information then you are negligent and should be held responsible.
To take your argument and apply it, if I live on Main st and stand naked in front of my first story window - that doesn't make the people passing by criminals for looking.
In the case of this story - if I don't close my shades, even if I didn't think anyone could see through my second story window, I would be responsible.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
hacking
[ link to this | view in chronology ]
Re: No
Let's ignore that though, if you left your bike in a refuse bin how's anyone supposed to know that it's not trash? If documents on a network aren't protected it's just like saying it's free to download.
[ link to this | view in chronology ]
Re: Re: No
[ link to this | view in chronology ]
hacking
[ link to this | view in chronology ]
Re: hacking
[ link to this | view in chronology ]
If you leave your bike in your yard and I take it, it is stealing. If I just make an exact copy and leave your bike alone, what is that? Nothing has been lost, exactly privacy perhaps. This is the same BS that causes all sorts of grief in software licensing, since technically a copy of an app has to go into memory to run, thereby "duplicating it".
But don't you forfeit your right to privacy by allowing something to be seen by the world?
Keep your eyes on this. Far-reaching implications are in the works, especially since this issue has now been poisoned in the political realm.
[ link to this | view in chronology ]
wrong
[ link to this | view in chronology ]
Re: wrong
[ link to this | view in chronology ]
Re: wrong
[ link to this | view in chronology ]
maybe its just bad manners
Just because it's there and available doesn't mean you are entitled to look at it.
Just because someone didn't explicitly permit you to look at it doesn't mean it's trespassing.
It's neither way--data is out there in the open because it's better for everyone that way. Don't access it if it's not your business. Stealing files from an opponent's open machine is like passing around embarrassing photos or bandying about ancient mortifying quotes. Certain bad manners and dirty tricks are OK in our political climate, and so that's what was done. You use what your opponent gives you and go for a crude, decisive victory.
But we can solve this problem in general as an issue of manners.
[ link to this | view in chronology ]
Re: maybe its just bad manners
But this type of lightweight hacking shouldn't be illegal - most of us have probably edited URLs fairly innocently to see if we could get a directory listing, or to check for a "Chapter4.htm" when the search engine returns only "Chapter5.htm" etc. I haven't heard that that was illegal. Disclosure of confidential information is easily avoided by not putting them in the public directory tree of the server, or by configuring password or other protection.
[ link to this | view in chronology ]
right
Read the recent developments: http://news.com.com/Rival+behind+Schwarzenegger+Web+flap/2100-1029_3-6115082.html?tag=nefd.top
Yep, the file was found by cutting dirs off the URL...
i.e. this page is http://techdirt.com/articles/20060912/134156.shtml
if configured properly, I shouldn't get anything illicit by typing: http://techdirt.com/articles/20060912/
Arnold's wasn't configured properly, and gave a nice file listing when going directly to /speeches/
Hacking? Do we really want to lower the bar that far?
From the link:
"The controversy may center on the design of the Web server called speeches.gov.ca.gov. The California government used it to post MP3 files of Schwarzenegger's speeches in a directory structure that looked like "http://speeches.gov.ca.gov/dir/06-21.htm.htm". (That Web page is now offline, but saved in Google's cache.)
A source close to Angelides told CNET News.com on Tuesday that it was possible to "chop" off the Web links and visit the higher-level "http://speeches.gov.ca.gov/dir/" directory, which had the controversial audio recording publicly viewable. No password was needed, the source said."
[ link to this | view in chronology ]
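Added example, not part of the original thread or any commenter's code: a defender-side check of the failure described in the comment above, run against your own document root. It reports each directory with no index page (what a server with automatic listings enabled shows as a file list) and the files in it that no page links to; the index names, file names and sample tree are constructed assumptions.

```python
import os
import posixpath
import tempfile
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Assumed index file names; match them to your own server's configuration.
INDEX_NAMES = ("index.html", "index.htm")


class LinkCollector(HTMLParser):
    """Collects href/src attribute values from one HTML page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        self.links += [v for k, v in attrs if k in ("href", "src") and v]


def url_dir(path, docroot):
    """Filesystem directory -> site-relative URL path with trailing slash."""
    rel = os.path.relpath(path, docroot).replace(os.sep, "/")
    return "/" if rel == "." else "/" + rel + "/"


def linked_paths(docroot):
    """Site-relative paths that at least one HTML page under docroot links to."""
    found = set()
    for current, _dirs, files in os.walk(docroot):
        base = url_dir(current, docroot)
        for name in files:
            if not name.lower().endswith((".htm", ".html")):
                continue
            collector = LinkCollector()
            with open(os.path.join(current, name), encoding="utf-8", errors="replace") as fh:
                collector.feed(fh.read())
            for link in collector.links:
                parts = urlsplit(link)
                if parts.scheme or parts.netloc or not parts.path:
                    continue  # external link or bare fragment
                found.add(posixpath.normpath(posixpath.join(base, unquote(parts.path))))
    return found


def audit(docroot, index_names=INDEX_NAMES):
    """Map each directory lacking an index page to its files that no page links to."""
    linked = linked_paths(docroot)
    report = {}
    for current, _dirs, files in os.walk(docroot):
        if {f.lower() for f in files} & set(index_names):
            continue  # the index page is served instead of a listing
        base = url_dir(current, docroot)
        report[base] = sorted(f for f in files if base + f not in linked)
    return report


def build_sample_tree():
    """Constructed sample site: one linked speech and one file nothing links to."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.mkdir(os.path.join(root, "dir"))
    pages = {
        "index.html": '<a href="dir/speech-a.htm">Speech A</a>',
        "dir/speech-a.htm": '<a href="speech-a.mp3">Listen</a>',
        "dir/speech-a.mp3": "",
        "dir/unpublished.mp3": "",
    }
    for rel, body in pages.items():
        with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for directory, unlinked in audit(build_sample_tree()).items():
        print(directory, "has no index page; files no page links to:", unlinked)
```

A directory that shows up here is only listed if the server has automatic listings turned on, and an unlinked file is still retrievable by anyone who knows or guesses its name, so files not meant for publication belong outside the document root or behind access control.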
It's a hack
[ link to this | view in chronology ]
stealing none the less...
[ link to this | view in chronology ]
The TAX-PAYING public. TAXES pay for the machine to host public information.
What was stolen? Does the "thief" pay taxes? So he was stealing from whom?
My argument doesn't apply to sensitive data of course, but are the public comments of an elected official sensitive? Who's working for who again???
[ link to this | view in chronology ]
Every available story says the recordings were lifted off of work servers in the governor's office, not some public web server. Networked computers and systems are not the same thing as web servers and the information contained upon them does not fall in the same category as HTML pages. I really don't think explaining http requests fully addresses this particular situation.
Besides, information on government computers IS protected by various federal and state laws. At the very least, unauthorized access of a computer is Trespass to Chattel in most states.
Hey, this should be fun for all the 'your IP is my IP' types here... hang around a bar in Arlington, VA after the DARPA guys get off work... listen out until some sloshed IT guy lets slip a network ID or 'backdoor' port he opened for nighttime work. Take this information and make as many innocent "but i didn't really TAKE anything" copies as you like of some cool Defense documents and publish them on the web and see what happens. Of course, you should hire a really good lawyer before this undertaking. ;)
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
:: sheepish grin ::
And here I thought political staffers weren't savvy enough to even know what FTP was, much less use it to upload files to web servers.
[ link to this | view in chronology ]
corrosione: see #13
Claiming that I'm trespassing by typing a URL that opens a list of all your files THAT YOU MADE PUBLICLY AVAILABLE in the first place (by placing your unprotected machine on the public network that IS the internet) is ludicrous.
I'm not stealing anything, I'm copying it. As a public official, he can't copyright his speeches or trademark anything, so **AA's arguments don't even work here....
(publicly accessible, funded originally by all of our tax dollars I might add)
[ link to this | view in chronology ]
Ferd
The files in question were on the public web server, specifically: http://speeches.gov.ca.gov/dir/
[ link to this | view in chronology ]
Isn't the same as the Harvard case?
Anybody remember what I'm talking about?
How was that case finally settled?
Frankly I think this case is a crime, and I base that on the simple common sense that an 'unlocked' is not legal cover for burglary.
I am just a poor simple man in fly-over country, but I do smell jail time...
[ link to this | view in chronology ]
"This is Arnold's computer. Don't take anything or it's astala vista baby"
[ link to this | view in chronology ]
Um, No
Calling what happened at Harvard hacking is absurd. Still, Harvard was in its right to deny admission.
"Frankly I think this case is a crime, and I base that on the simple common sense that an 'unlocked' is not legal cover for burglary."
Hmmm...in this case, the Governor's office created a publicly available directory of MP3 files of the governor's speeches on a publicly available web server owned by the State of California. It accidentally (one presumes) put an MP3 of Schwarzenegger making disparaging remarks on tape in that public directory.
Now I visit the site. Am I supposed to do some mind-reading and assume that I am allowed to listen to every one of those files *except* for this one particular file based entirely on its content (after all, there would be nothing else to differentiate it from the other MP3 files there).
Suppose the website had a bunch of images of Arnold making appearances, and somehow his webmaster forgot and accidentally included some pornographic shots of Arnold and his wife up there right next to him ribbon cutting at schools. Would it be a crime to look at the photos that the governor's office itself has made publicly available?
There's no crime here. Just sheer incompetence. What likely happened is someone FTPed a bunch of MP3 files of speeches from their machine to the web server and accidentally included this embarrassing MP3. But they made it public the second they did so. Whining about hacking and crimes and other such nonsense is pathetic on the campaign's part.
[ link to this | view in chronology ]
If I have a bike in a garage and I leave my garage door open, is it illegal for you to look at it?
What kills me is there was obviously some bad wording on that document yet they still felt the need to transfer it to a server? Someone did an "ooo boo".
[ link to this | view in chronology ]
I can look at whatever I want on an open server and it isn't stealing.
The analogies to taking physical property or entering physical properties all fail. This is virtual and if it is open to the world, the implicit expectation is anyone in the world can and if interested will take a look.
What's the diff between a private computer left open and a web site? What is there to tell me that I am doing something wrong? How would I know?
If I use a P2P client to get a file and the person I get the file from isn't aware they left their P2P software running am I hacking their system and stealing their files?
Of course not.
[ link to this | view in chronology ]
Already admitted that, until the post from Brian, all indications were that these files came from an 'office' computer, not a web server.
Who hasn't backed up a few URL directories in address bar to get to that update file some overworked web schmuck mis-linked in an update notice, or some such scenario? Obviously this situation is much different than bypassing some firewall at the Gov's office and hacking files.
To the points above, "hacking", copying "unsecured" files from a network, etc, unlike seeing some naked exhibitionist in his garage with the door open, requires a *willful* act, some amount of intent to take, some direct conscious action... that was my point from the beginning. Whether or not some loser can find a sleazy lawyer and sue me if he wrecks the car he stole from me, the fact is he still took something not belonging to him and everyone can recognize that fact, yet when it comes to computers and digital information, the world increasingly thinks "what's yours is mine". Period.
It is sad, as a previous poster put it, that in today's society the naked garage guy would draw a curious crowd of neighbors when, not too long ago, folks would have turned their heads in embarrassment and hurried on their way.
[ link to this | view in chronology ]
RE: #38 by Ferd
Or they call the cops and get you arrested for indecent exposure in your own house. Happened to a neighbor.
No one ever took the time to ask him if he knew they could see or tell him what they saw. He had recently installed mirrored tint on his windows never suspecting they could see him at night.
[ link to this | view in chronology ]
IMHO
Let's make this comparison:
The CEO of Bank of America goes completely crazy (possibly not far from the truth but bear with me). He decides to start GIVING people money. All the people have to do is ask for the money and they get it. Now I go up to him and ask for a trillion dollars. He gives it to me without asking my name or anything else about me. Did I steal it?
I don't think so. But he sure is stupid!
[ link to this | view in chronology ]
Sneaky hacking would be somebody installed a bot on one of the office pc's, gain access to sensitive files, and then upload them to a part of a public website. Then cover the trax and make the defensible argument that you were just d/l'ing public files...?
[ link to this | view in chronology ]
hack
the data is free game, using it questionably is between you and your clergy. Ethics and Morals can't be regulated and the internet shouldn't be.
[ link to this | view in chronology ]
stealing analogy doesn't work.
No stealing, no hacking.
[ link to this | view in chronology ]
I've been in IT for about 15 years and I highly disagree with your mentality.... Why was the internet created? To share information. If you do not want your information to be shared, then I suggest you store it on a local drive or a usb stick in your pocket. If you want it to be shared amongst a private group, put the restrictions on.
If I set out an open box of cookies in the break room and come back 3 hours later to find them all gone.. Do I have a right to be angry?
If I post pictures on myspace and someone steals them and uses them for profit. Do I have the right to sue?
If you put something on the net, you should expect other people to view it right? It's like the girl who gets upset because her parents read her myspace blog. Is it now against the law to modify URLs?
[ link to this | view in chronology ]
privacy: two-way street
It's more like being in a position where others' opinions of you have an impact on you and your lifestyle. Don't have an orgy in your back yard, if it's visible to your neighbors. Or like the idiot in my USAF squadron whose dorm room was over the laundry room. He used to go out on the roof of the laundry room and smoke pot. Then he was shocked (shocked!) that the SP squadron (right next door) eventually brought dogs through the dorm.
Look, if you have nothing to hide, do everything in public. Otherwise, take steps to ensure your own privacy.
OTOH, firms which require our personal information in order to do business have a responsibility to safeguard that data. Just like Arnold's people did.
[ link to this | view in chronology ]
The question is....
And the answer is NO. Hacking by definition is finding alternative methods to bypass standard procedures and security.
This is just picking up a folder on someone's desk. It is unethical and immoral, but not hacking. And the question was "is it hacking."
[ link to this | view in chronology ]
Redirection...
Remember the whole Clinton mess and whether Linda Tripp violated wiretap laws? That was buried and the focus returned to what Monica did when and to whom and how many times. None of these same conservatives cared about the potentially illegal recording of phone calls then...funny how that works... ;-)
[ link to this | view in chronology ]
this is why the internet is corrupt
What I am ashamed of is all of the technically savvy folks that read articles like this and truly wonder "what was done wrong?" Then they reply to comments giving all sorts of reasons why it is free to the public and is completely legal. Your "I work in IT" claims only make me more skeptical about your comments to follow. Law? You work in IT and law? great - then you really know the answer.
There is NO debate. It's not yours - you don't take it. Internet IS public domain. Networks are not assumed public. Simple as that. Take your chances. Speed on an open highway with no speed bumps because you can. Once the cops catch you, see how your Wild Wild West attitude holds up then!
[ link to this | view in chronology ]
first, if i have pictures on a myspace or facebook account, anyone can get to them. including potential employers. (i just graduated from PSU and know all about this) is it right for the employer to go to the social site and see what i'm doing? well if i'm a member of "420 = 2 blunts a day", "screw work, i'm going drinking" and "i don't study, i sit next to the smart kid" groups, i doubt i'll get hired. however can i sue the company because they weren't supposed to see that? well i set it in the open, and they got it.
now that was in a very public place. on the main page, no url hacking or anything. now do i have to go to www.google.com and type in google maps to get there, or can i put maps.google.com in. what about my local movie chain. to get to the store, can i type www.moviepalace.com/"state"/"city"/index.htm to get there? i think so.
now how about a library example. I walk into a library, pick out a book, make copies of it on the photo copier and walk out. i don't belong to the library or anything, but because it's public i can go in and read, just not take out. if the "hacker" deleted the file, that's something different.
and yes, the internet is based on permissions. your computer goes to a server and says, i'm so and so, i want this data. the server is either like...you check out, here ya go, or helz no, you ain't got no permisionz n00b and kickbans you.
moreover, the internet is a place for information. i have a credit card, do i post it on a webserver? nope. that way, no one can get it. do i want people to read my documents on my computer? no, so i lock them up. the internet was a way to share information. if it is on the web, it is meant to be shared. it is up to the poster to secure it. if they don't want joe schmoe to read it, they put passwords and computer checks and whatnot up. they don't just not publish the location.
same thing happened at psu, a prof. had old tests on his course website. they weren't on a true link, but if you typed .../tests/index.htm you got to them, or whatev. then the prof used the same questions on the tests for the next semester, and everyone got like 90s. he was upset and said it was cheating because ppl dld the test. he got away with giving low grades because he has the power to assign grades as he sees fit. dumb on his part, ingenious on the students' part, yet no one really came out ahead. the students had lower grades, and the prof didn't have students the next term.
so it's not illegal. possibly immoral, but hey free is free.
[ link to this | view in chronology ]
Re: Best Anonymous Coward ever!
Time for a sandwich!
[ link to this | view in chronology ]
your example may not be illegal...
[ link to this | view in chronology ]
a question?
[ link to this | view in chronology ]