Reporter may be prosecuted for using “view source”

stltoday.com

247 points by tkdc926 4 years ago · 167 comments (166 loaded)

akersten 4 years ago

We desperately need a law that says (or at least need people in power to understand that) if your server sends it (as an agent working on behalf of your interests), you decided it was ok for me to receive it! For HTTP this understanding is literally conveyed in the status code (200-OK). Once data is sent to the client, you can't say they are breaking the law by looking at it[0]. Anyone with a text-based browser would have seen this data right away without even having to use the Powerful Hacking Tool view source.

A law like this would also prevent the grave injustice of being considered a criminal for incrementing a query parameter to iterate through different records (weev/AT&T, I think). That also should never have been considered "hacking". Companies need to fix their damn auth instead of relying on the CFAA being overly generous to financially/politically-endowed interests. That law needs a neuter.

[0]: notwithstanding an actually-compromised server, which is no longer an agent working in its owner's interest. We'd have to be very careful to word this law, but I believe we can do a lot better than what we've got today.

  • smhenderson 4 years ago

    > Powerful Hacking Tool view source

    Even the FBI agent quoted in the article got it wrong, stating “allowed open source tools to be used to query data that should not be public.” - as if proprietary browsers don't provide a View Source feature, only "evil" open source tools. Maybe I'm reading too much into it and it's a minor mistake but given the context even a potentially innocuous statement like that rubs me the wrong way for being incorrect.

    • ta3927590 4 years ago

      As anyone could probably guess, LEOs that do actual technical work are rarely the same ones talking to the public about that technical work. Thus what gets said to or published for the public is rarely reflective of the actual internal understanding.

    • sblom 4 years ago

      Totally possible that an FBI agent would be using the intelligence community sense of "open source" meaning "publicly available", rather than the sense of "open source" that's the mode around here.

    • Buttons840 4 years ago

      I like to point out that the Governor installed that powerful hacking software on his own computers!

    • nsotelo 4 years ago

      I read this as a failure of the state for publishing information that "should not be public".

  • kuroguro 4 years ago

    I agree that both of those shouldn't be punished. I'm not sure how one would properly define the law tho - for ex. an SQL injection could also be "just a query parameter" and the server would happily reply with a 200.

    • milkytron 4 years ago

      That would make a lot of companies responsible for the data they keep and should be responsible for protecting.

      SQL injection can be (and probably is) malicious though, so I suppose it becomes an unclear line for that example. Maybe punishment of both parties would be appropriate but I'm not a lawyer so don't have expertise in law punishments. But I could see this as incentivizing data security. Even if a 0 day is discovered, companies will be less inclined to drag their feet for a patch when one becomes available.

      • MereInterest 4 years ago

        Honestly, I'd want to see strict liability for data breaches, with revealing of personal information included as a type of injury, and not merely something that must be shown to have led to other forms of injury. Right now, the most I can do is reduce the amount of personal information that is collected about me, and I have no ability to ensure that it is stored in a secure manner. Companies that record personal information about me (e.g. Google, Equifax, Facebook, etc) have the ability to improve their security, or to reduce the scope of collected data, but have no incentive to do so. By placing the liability on the same entity as makes the decisions, it creates that incentive.

        • after_care 4 years ago

          I’m not sure I believe in 100% strict liability. Imagine if someone were to perform a B&E or armored robbery at a physical location to steal hard copies of records.

          Clearly if someone uses a zero day to steal personal information from an otherwise secure server then the server’s owners were not negligent.

          In addition, often times the only people that know there was a data breach is the organization that had their data breached and the attackers that stole the data. None of the parties could report the data breach without violating their 5th amendment rights if they both had legal liability.

    • mindslight 4 years ago

      It would make the most sense to define software as a legal agent of those who deploy it.

      If an HTTPS server prints OK and returns a document for a straightforward request, then it's manifestly obvious that the owner's agent intended to give you that information. If the owner did not intend that to happen, the issue is between them and their agent. (Think: a customer service rep who didn't follow policy)

      Supplying a SQL injection to an HTTPS server would be akin to fraud or false pretenses - like if you walked up to a customer service rep, showed them a fake ID, and asked for information about your account.

      (Furthermore, copyright trolls wouldn't be able to wriggle out of their fraudulent DMCA requests by blaming it on software that they themselves deployed)

      • underwater 4 years ago

        If you socially engineer an employee to access data or steal money it's still a crime.

        • mindslight 4 years ago

          Yes, that was my point about SQL injection. By knowingly performing an SQL injection, you're deceiving the software agent webserver. Whether you're guilty of a crime then depends on your intent for why you did that. If you do this to find and report a bug, and don't do much else with the ill-gained information, you're demonstrating good intent. If you use the information to make further compromises or otherwise profit by it, then not so much.

          But in the larger scenario here the software-agent webserver was not tricked at all, making it hard to argue that the person accessing the willfully-published information did something improper regardless of their intent.

    • chrsig 4 years ago

      With a sql injection, you have to willfully provide an input with the hope that it results in injection

      my understanding is that the reporter looked at the source that was being sent as intended -- no manipulation of input by the client

      • dtgriscom 4 years ago

        You send a query string to a server with the hopes that the server will give you what you want. Isn't that the World Wide Web?

        Proving "intent" is much harder than proving action. And, to me it seems bad for the law to enforce based on whether the server's authors "wanted" to provide a specific piece of information.

        • chii 4 years ago

          Intent is something that is considered in murder homicide cases, so why not in these cases too?

          • _y5hn 4 years ago

            Because murder is a crime, intent is not.

            • chii 4 years ago

              To differentiate between murder and manslaughter (say, due to negligence), the idea of intent (or state of mind) is taken into account.

              • _y5hn 4 years ago

                There is nothing illegal about reading what was sent to you though.

                • chii 4 years ago

                  If the data was sent as part of normal operation, then yes, it should be fine. But the post above is talking about incrementing an ID in a query, or injecting SQL.

                  The intent of the person doing the incrementing id, or sql injection, is very much required to be taken into consideration when considering whether it is an illegal act of computer trespass.

                  • _y5hn 4 years ago

                    Anyone can increment an ID or try to inject sql. 30 years of security practices shows white/grey hat hacking to be a good thing, and should be expected. GDPR even makes poor security finable. Cyberdefence also requires more security expertise, which can only be had from real experience.

                    "It's fine when the good guys do it", is poor lawmaking. So intent is hard to prove, and not very practical. It also puts the blame on the accused, having to prove their innocence.

                    I find it interesting that people equate information breaches with murder.

            • egberts1 4 years ago

              Intent to murder is now a misdemeanor… in Maryland.

              • _y5hn 4 years ago

                Plans for crime can be a crime though. Law is complicated! :P

      • Supermancho 4 years ago

        > With a sql injection, you have to willfully provide an input with the hope that it results in injection

        If I send you a link that happens to include arguments that happen to be a SQL injection (or my cat steps on my keyboard in just the right way), there was no intent.

        • wvenable 4 years ago

          Your intent by crafting such a link was clear.

          • Supermancho 4 years ago

            That's a third party. You're mixing responsibility and ascribing it to an innocent party. That was the obvious point, with an incidental mention of another (random input) case where innocence is a reasonable deduction. Therefore, it is not necessary for an sql injection attack to be connected with the intent of the actor. Period.

            From US caselaw, there's a little history about the not chasing after infected botnet hosts as bad actors.

            • wvenable 4 years ago

              If you commit wire fraud through an innocent intermediary, you're still guilty of wire fraud. If you give someone a link that's an attack and they unknowingly run it, then you're the one at fault not the person clicking the link.

              I think it's pretty straightforward.

              • Supermancho 4 years ago

                > an SQL injection could also be "just a query parameter" and the server would happily reply with a 200. (true)

                > With a sql injection, you have to willfully provide an input with the hope that it results in injection (false)

                > If I send you a link that happens to include arguments that happen to be a SQL injection (or my cat steps on my keyboard in just the right way), there was no intent. (true)

                > Your intent by crafting such a link was clear. (irrelevant)

                You can have SQL injection without intent, as I have adequately explained.

                This redirection to an "original actor" is a bad faith argument toward finding if there is someone culpable. The poster I responded to, made a bad general assertion and I stand by it. GL with whatever.

            • chrsig 4 years ago

              You're kind of just describing why it's hard to prosecute based on intent though.

              For the purposes of distinguishing between if something is an exploit or not, it doesn't seem too relevant

    • jdavis703 4 years ago

      SQL injection is probably malformed input in lots of cases and should return a 400 Bad Request. If you are returning a 200 maybe you really did want to take SQL (think of Mode or PHPMyAdmin).

      • underwater 4 years ago

        That's the entire point of hacking, circumventing protections that the server has in place to get a response you were not supposed to get. The status code is irrelevant.

        The same applies in the real world too. If I perform a social engineering hack and get you to pay a fake invoice, it's still theft (or fraud), even though someone willingly and deliberately sent you money.

      • Tagbert 4 years ago

        That assumes that the server recognized it as invalid. If it had, then it should take measures to block the input, but if the attack succeeded then the server would not be recognizing the attack and would respond with a 200.

  • dramatica_una 4 years ago

    As someone who was thoroughly and intimately familiar with both the person weev was/is and the details surrounding the AT&T disclosure case, there is absolutely NO question that weev deserved to be incarcerated and for far longer than he ended up serving. Multiple people are in federal prison on his account, multiple lives have been stained and essentially ruined on account of weev surrendering ("snitching") information, sometimes true and sometimes false, about other criminal events.

    Don't believe what you have heard, I know it seems very hacker-y and noble, and he tried to do the right thing and disclose, so we should just cut him a break, blah blah blah. There's MILES of evidence against him seeing free life. He's been involved in financial fraud, harassment cases against minors, illegal pornography against minors, threats of harms against strangers on the internet, there's even (unfounded, though somewhat plausible) claims that he's developed spyware for profit. I don't want to be doxxed, so I'll leave it at that. I've known weev for a long time, and I'm sure glad he doesn't know me.

    To clarify, I am in favor of laws defending those who receive data from a sender having immunity. It seems common-sense. If you give me a ten dollar bill, and ask for it back, I can just decline, and walk away. It's rude and wrong, but it's legal, and it ought to be. CFAA has put a lot of bright, young minds in jail, and they are subsequently extorted and abused by multiple state agencies in the name of "cyber defense." It's grotesque.

    But don't make weev a hero. He's not.

    • chc4 4 years ago

      I feel dumb for even having to make this argument, but people can be bad and guilty of other crimes and that doesn't mean they should be found guilty for things unrelated to those other crimes. Everything you listed in this comment is unrelated to the weev v. at&t case, which was (imo) a sham of a lawsuit, irrespective of whatever other heinous things he did.

  • anigbrowl 4 years ago

    > We desperately need a law

    Why not just have a law against subverting the intent of existing laws, or against making bad-faith arguments? Laws are only as good as people's willingness to accept impartial assessment thereof. Absent that, they will just be exploited selectively for strategic leverage.

    Aristotle observed that laws tend to multiply under tyrannical regimes, as rulers impose ever more onerous conditions upon their subjects; I think it's also true that an excess of laws creates opportunity for tyranny in the sense of creating a much larger attack surface for a malicious or cynical actor to exploit. To my mind, the growth of the US and state codes* is a bug rather than a feature, and pruning such complexity highly desirable.

    * https://arxiv.org/pdf/1003.4146.pdf

    • fivre 4 years ago

      This approach is inherently unclear. Intent is never completely recorded because doing so is fundamentally impossible--there's far too much minutiae and unwritten context to guarantee that jurists are following intent, and consistency is important in law (ideally, anyway--this ignores the real and present issues in US jurisprudence where consistency is thrown out the window for partisan benefit).

      You can't have laws whose interpretation is "don't do things you shouldn't" because parties in legal disputes clearly disagree about what "shouldn't" means, else they wouldn't fucking be resolving them through expensive and lengthy legal action.

      There's a meaningful distinction between clarification of and expansion of the law. Legislators are responsible for both. OP may not have phrased it precisely, but they're saying the CFAA needs to be _clarified_. This doesn't mean it expands in scope--if anything, its scope would be narrowed.

  • iypx 4 years ago

    I believe what we've got today in most countries is pretty ok, maybe ambiguous but it does the job as far as an ethically concerned person would go.

    In my country they classify it as "unauthorized access". That's perfectly fine with me.

    In other words, if your server sends it, and you intended to send it, then I can have a look at it. If your server sends it, but you never intended (sysadmin, programmer error, bureaucracy, unsecured servers etc), and it's clear for me the information was never meant to be public, then I'm committing unauthorized access.

    You could say a transparent window is literally made for the purpose to be able to see through, but I'm certain I'd be breaking the law if I started taking pictures of people undressing in their homes.

    • trs8080 4 years ago

      > If your server sends it, but you never intended (sysadmin, programmer error, bureaucracy, unsecured servers etc), and it's clear for me the information was never meant to be public, then I'm committing unauthorized access.

      So if your server sends privileged data and I "View Source" to see how you implemented some unrelated part of your site and accidentally see that data, I'm now guilty of unauthorized access and should be prosecuted?

      How about we shift the burden back to the people who have been entrusted to keep this data secure in the first place?

      • iypx 4 years ago

        So if you left open the front door of a police station and I enter to see how an unrelated part of the building is built, and accidentally grab a gun I see on somebody's desk.. then I would most certainly expect to be prosecuted.

        I understand you want to punish whoever forgot to close the door, and obviously the guy who abandoned his gun, I agree... but I have no business of being there whatsoever!

        • Kim_Bruning 4 years ago

          We don't need to get this creative.

          Say I mail a dead tree letter to the Department of Elementary and Secondary Education. And say in that letter I put a request for information on a particular teacher.

          They send me a bit of a heavy envelope back. Which is a bit funny for my simple query but eh, I've gotten heavy envelopes before. The first page actually has the answer to my query, and then there seems to be a large number of pages of small print.

          Normally people don't really read the small print, but today I'll do it anyway (maybe I'm suspicious due to the large packet). What I find is that there's some normal legalese for a page or two I guess, and then on say page 5 through 100 it's actually a table with row after row of teachers' names and social security numbers. Ok, that's not good.

          So the letter is addressed to me, and it landed on my doormat. It's pretty clear I'm the intended recipient.

          In THAT case, I don't think it would fly for the state to go "But you were only supposed to read the first page, you were never supposed to read small print". I think that might be going a bit too far.

          * If we assume the letter was printed by a computer, and

          * we assume the same knuckleheads who wrote the website also wrote the letter printing code.

          Then it's not so much an analogy as it is very nearly the same thing (but now in terms a lawyer can understand, hopefully). All we've done is changed the underlying protocol and representation.

        • trs8080 4 years ago

          Except in your analogy, I didn't "grab" anything -- I asked a question about paying a parking ticket at the front desk and as an answer they handed me a loaded gun. When I tried to give it back, they prosecuted me for theft.

        • zaphod4prez 4 years ago

          There is a very big difference here. In your example, you've clearly entered into someone else's property; in the case of reading the info sent to your computer... I am reading a thing you sent me!

          A more accurate version of your analogy is if I asked to hold a police officer's tazer and he handed me his gun by accident... or even if I asked to see his gun and he handed it to me thinking it was empty, but it was in fact loaded.

          Point being, the website essentially put that information on my computer! I am asking for something from them, but what they give me is 100% their business! They don't have to obey my request but they do have to not-send-private-data-to-random-people-who-ask-for-it

    • c1ccccc1 4 years ago

      Let's say I'm viewing a webpage, and I'm curious about some aspect of how it's implemented. I click "view source", and see something that isn't supposed to be there. Is the conclusion "whoops, guess I'm a criminal now"? Shouldn't there be some way for people to avoid committing a crime besides knowing in advance that a website is going to send them private data?

      You could say, "obviously stumbling across the data is fine, as long as you then responsibly report the issue, or ignore it and go on with your day. It's only illegal if you then go on to do nefarious things with it." But this is exactly what the current system is failing at by prosecuting this reporter.

      Getting the hacking issue right should not be this hard. In practice, it's pretty obvious what's hacking/unauthorized access and what isn't.

      In the hacking category: SQL injection. Breaking DES. Cross site scripting attacks. Tracking cookies and browser fingerprinting, arguably.

      In the not-hacking category: Incrementing integers in the URL. "Breaking" rot13. Using "view source".

    • aidenn0 4 years ago

      > You could say a transparent window is literally made for the purpose to be able to see through, but I'm certain I'd be breaking the law if I started taking pictures of people undressing in their homes.

      Disclaimer: IANAL. Also, don't take creepy photos of your neighbors through their windows regardless of the legality of doing so.

      In many parts of the US at least, the law is less clear-cut than you might think. In many jurisdictions you would have to argue that the photos were of a sexual nature (probably not hard for pictures of people undressing, but it's not an automatic win depending on context). In some states and/or localities there are explicit laws preserving privacy when in one's residence, but in many others, a photograph taken through an unshaded window is legal as long as it doesn't violate other laws.

      [edit]

      I guess all of the above strengthens your point that such simplistic laws as "a 200 response means you are authorized to do what you want with it" are not in any way analogous to the way laws for other systems work.

  • riffic 4 years ago
  • kokanee 4 years ago

    I agree that this would be an improvement, but I see two problems:

    1) This would require law enforcement, attorneys, judges, and juries to learn how the Internet works. For most people, what a server sent is what you can see in a web page. Concepts like server and client aren't ubiquitous.

    2) This doesn't account for vulnerabilities. If I use an open source package that has a security flaw, and that flaw is exploited causing my server to send sensitive data, did I still implicitly authorize this because the server was acting as an agent of my interests? I probably need to be held accountable, but surely the attacker is not innocent. If we agree on this, then how do we craft a law that draws the line between incrementing a query parameter and remote code execution?

  • dionidium 4 years ago

    > We desperately need a law that says (or at least need people in power to understand that) if your server sends it (as an agent working on behalf of your interests), you decided it was ok for me to receive it!

    No, this is a bad idea for a law. It's appealing to nerds (like myself), but it's not how the law does (or should) work. It's very easy to imagine scenarios where you could get a server to send you an HTTP 200 even though you knew you were accessing data you weren't supposed to. That should clearly be illegal. (It's not what happened here, though. This case is much sillier.)

    • tshaddox 4 years ago

      Yes, this should be pretty obvious. If you kidnap someone and force them to log in to a computer system they have access to so that you can steal information or resources using that computer system, obviously that would be illegal (on top of the kidnapping) even though the computer system is working entirely as intended.

  • shrimpx 4 years ago

    Even if we had a law like that, you could still get "prosecuted", i.e. sued by the govt for whatever reason. Depending on the DA, they may even bring prosecutions to "make a point," knowing it won't go anywhere.

    That said, this case seems to be tossing into a gray area any plugin or browser or browser version that alters the "expected rendering" in any way. So if I wrote my website and only tested with IE, and you opened it in Firefox which due to a rendering difference reveals something I didn't intend to be revealed, this government would presumably try to sue you...

  • dfxm12 4 years ago

    I think existing laws are OK, if not enforced properly (laws are different jurisdiction to jurisdiction, so I don't know what exact law this guy is being accused of breaking). Usually, though, in court, you do have to prove intent in a criminal case. That this case is against the state, though, is probably unlucky. The governor doesn't want to appear to have egg on his face, even if it would be better for the good people of Missouri if he would just say "thank you" and delegate the responsibility of fixing the issue to the right person.

  • nixpulvis 4 years ago

    Still need to make illegal tricking the server into thinking it's OK. This area of law seems rather difficult to codify perfectly, but it's clear that "view source" shouldn't be a problem, since no trickery is involved. Generally, this should be called Honest but Curious behavior.

    • tshaddox 4 years ago

      > This area of law seems rather difficult to codify perfectly

      Sure, but law doesn’t function by codifying things perfectly. There is no perfect codification of the physical ways one can move one’s fist, but clearly some such ways constitute an illegal act while others don’t.

  • ezoe 4 years ago

    Or stop using common law system? Follow strict Nulla poena sine lege?

Buttons840 4 years ago

> “If somebody picks your lock on your house — for whatever reason, it’s not a good lock, it’s a cheap lock or whatever problem you might have — they do not have the right to go into your house and take anything that belongs to you,” Parson said.

The reporter did the equivalent of noticing a lock was rusted through and barely hanging on. He poked the lock and it crumbled to pieces. He didn't take anything, he reported the problem to the government and later to the public. He didn't take the personal data just because his eyes saw it in passing.

If the reporter compiled a database of every teacher's personal information, that's another thing. That's not what happened, the reporter looked at 3 teachers to establish the pattern and then reported it.

  • jrockway 4 years ago

    Locks are a terrible analogy for what's going on here. This would be like the government publishing a newsletter, and then writing a bunch of teachers' social security numbers on it in invisible ink. Someone then noticed that you can still read the invisible ink, and then wrote an article about how incompetently the government managed the data.

    This is a simple case of an egotistical politician who wishes he was King tussling with the media that is rightfully making him look incompetent. "Anyone who disagrees with me is a criminal" is a common pattern for wannabe dictators. Vote against him at the next opportunity.

    • SauciestGNU 4 years ago

      I'd say even invisible ink is taking the analogy too far. It's like the government published a newsletter, printed the PII on the back of the paper, and now wants to prosecute the first person to look at the back of the page.

      • lkxijlewlf 4 years ago

        I commented below that I think it is like opening a CSV in notepad++ vs Excel. Same data, Excel just hides the commas. The commas are still there, though!

      • jrockway 4 years ago

        Yeah, that's fair. Comments are a little bit like invisible ink; they look like they're not there because the rendering engine doesn't display them, but they're still sent with every copy of the information.

        It would be better if the SSNs were white text on a white background and we were here because someone highlighted the text, though.

    • hoppla 4 years ago

      The absence of locks is a good analogy. But I think a fruit welcome basket is a better one. Not only because they handed PII over to all visitors, but because the epilogue is fruity

  • nulbyte 4 years ago

    > The reporter did the equivalent of noticing a lock was rusted through and barely hanging on. He poked the lock and it crumbled to pieces.

    No. The reporter did the equivalent of opening a book available to be read by the public and having the audacity to try and figure out what the words on the pages meant.

  • ljm 4 years ago

    I'm not sure the lock analogy works at all.

    The reporter asked for a page of information, it contained information that wasn't supposed to be there, and he's being blamed as if his eyes manifested it into existence.

    Seems more akin to shining a UV light on a piece of paper. (Interesting how the sibling comment came to a similar example with invisible ink.)

    • tschwimmer 4 years ago

      I actually like the paper analogy a lot, let's extend it: Say the journalist was instead freely handed a redacted government document on sheets of paper. The reporter notes that it was redacted poorly and the redacting can be peeled off or a bright light can be shined on it to reveal the text underneath. By doing this, is the reporter committing a crime? I have no idea. My intuition says probably not, but I think interestingly it's not a "definitely not" because 1) it's apparent to the reporter that the redacted information is intended to be private and 2) the reporter took some steps to uncover that information.

      It's still not a perfect metaphor. It's not immediately clear that 1) is true here (the reporter probably was not trolling for private information) and it's highly questionable if 2) is true as it seems that this info was being sent along in HTTP responses. What is obvious to me is that this guy had no malicious intent, took steps to do responsible disclosure (they didn't publish the article until the issue was fixed) and is being targeted by the political establishment as retribution for embarrassing them. Shameful stuff.

      • TT-392 4 years ago

        If it was just in the html the website served to you, and it just basically has it written in a way that tells the browser to not display that part of the html. Wouldn't that be closer to handing a journalist a government document with some text, then a line saying: "don't read the stuff below this line", and then a bunch of sensitive stuff below that in plain text?

        • Buttons840 4 years ago

          All analogies are flawed. My main point was that, in terms of the Governor's own analogy, and also literally, the reporter didn't "take" anything.

          All analogies aside, intent matters, and the reporter's intent was to report a vulnerability and then to report the Government's actions to the public once the vulnerability was fixed. Neither of which are illegal.

        • bart_spoon 4 years ago

          No, because there is a difference between “being displayed by default” and “explicitly forbidden from being viewed”. It’s closer to requesting information, and in response being handed a bunch of material, some of which is in a stack of papers and some of which is enclosed in an unsealed, unmarked envelope. It isn’t displayed by default, but it’s there, and with the most minimal of effort it’s viewable, there is nothing explaining it shouldn’t be viewed, and it’s not absurd to assume that if it was included in the bundle of information you received in response to a question, it’s fine to view.

          The onus is on the person providing the information to not include it in what they provide, not the viewer to not look at information provided.

      • philistine 4 years ago

        With your redacting example, we don't even need to decide if looking at the paper with a light is illegal. The reporters discovered the poor redaction, and immediately informed the State that it was poorly implemented. They did not disclose this was a problem until the problem was fixed, and new papers were handed out without this flaw. How can you argue someone did something illegal in this case!

      • paulhart 4 years ago

        There have been many instances where PDFs have been "redacted" by painting black rectangles over the text, but keeping the text intact. I can't think of anyone who has been prosecuted for unredacting those documents - the people who did their jobs poorly are considered liable.

        • OJFord 4 years ago

          A barebones PDF reader implementation would/could not render that 'layer' anyway, so I can't imagine you'd actually lose such a case. (As distinct from not having the will/funds to fight it long enough...)

    • 908B64B197 4 years ago

      At least the invisible ink is an attempt at hiding the information. A comically bad attempt but still an attempt.

      A better analogy would be that the state sent the journalist a document with everything readable in regular light, and a separate sheet that tells him which words he must redact. There was no attempt to conceal information, and worse, the redaction list would have been promptly ignored by anyone using a screen reader or other accessibility devices.

  • jdavis703 4 years ago

    This lock analogy is terrible. It’s like a business putting the wrong price tag on a product and then claiming people who bought a smartphone for $1 instead of $500 were stealing because they didn’t halt the transaction for what’s obviously a bogus price.

  • andrewflnr 4 years ago

    There was no lock. The door was open with an "open house" sign and the owners were just hoping you wouldn't notice the sensitive documents lying on the table.

    • ozfive 4 years ago

      The sensitive documents were laid bare on the porch. He just walked up to the door and looked down.

  • vineyardmike 4 years ago

    A better example is that you wrote a snail-mail letter to the government asking for some info (HTTP Request) and the written mail response (HTTP Response) included a sticky note stuck to it with secret info. Confused, you write another 2 letters and get another 2 sticky notes (now you confirm it's a problem). Realizing something is wrong, you tell the gov and they move the pile of sticky-noted confidential info away from the letter processing desk.

  • dead_alchemy 4 years ago

    I think a better analogy would be if someone looked through your window and saw something that shouldn’t be out in plain sight, called you to hide it, and then you prosecute them because they looked into your house.

    • hitpointdrew 4 years ago

      Exactly! It's like if someone was not trespassing (they are on a public road/sidewalk) and looked in your windows and saw you standing there naked. Then you get upset and demand they be arrested. It's YOUR responsibility to draw the shades, or only walk around naked in front of windows that do not have a clear view to a public space.

  • tshaddox 4 years ago

    Another reason the lock analogy is ridiculous is that it’s illegal to trespass on or burglarize property even if there wasn’t a lock.

  • CPLX 4 years ago

    A better analogy would be if you sent a letter asking the government for specific public personnel records and they just Xeroxed their entire private file and sent it to you without reading it.

  • brandonmenc 4 years ago

    We need to stop with the analogies.

    What's actually happening is: someone is broadcasting the data. End of story.

    Now I'm going to ignore my own advice: it's like displaying the data on a big screen in the town square and then trying to arrest people for turning their head to look at it.

  • tyingq 4 years ago

    I'd say it's like you left one piece of paper, from a pad, that was just under a handwritten "secret document" out on a table in a public park.

    Then a reporter came along and rubbed a pencil on it, revealing the writing from the sheet above it.

  • anigbrowl 4 years ago

    In general, it's a mistake to operate with the metaphor chosen by someone with whom you have a strenuous disagreement, because the second image rarely has the same cognitive/emotional impact as the first. In this case, a better rejoinder might be 'the door was not locked, and there is no crime in looking through an open door.'

nimbius 4 years ago

So it seems Parson's administration decided this is the hill to die on in 2021.

He had every opportunity to pump the brakes on this investigation but decided doubling down on a journalist had a better payoff, and a more prominent ability to cast him as a white knight protecting the state of Missouri against fiendish hackers.

The 'view source' prosecution strategy is certainly something I'd hope to keep out of the spotlight as long as possible, as it's chum in the water for technologists and privacy groups. The EFF could easily eviscerate it in court, as could the FSF, and god help you if a cyber security firm takes interest. Although most computer privacy laws in the US are written with a fire hose to catch anything remotely pertaining to an integrated circuit, these laws all generally restrict themselves to the domain of interstate commerce, healthcare, and energy.

Parson's fight is against an established journalist using an established and well respected process to report an information security exploit...so it's really tough to see if or how a competent prosecution hopes to land any charges outside the governor's "Lol do it anyway" edict which, fwiw, feels eerily similar to the malarkey Aaron Swartz was put through.

  • evan_ 4 years ago

    > a more prominent ability to cast him as a white knight protecting the state of Missouri against fiendish hackers.

    The goal isn't to appear as a white knight protecting the state from hackers, it's to mount a crusade against big-city journalists.

  • ta3927590 4 years ago

    Malarkey may be the intent. Knowing the case is nonsense and having no expectation of winning, you press on because even if eventually found not-guilty, the process of the defendant getting there if prosecuted can be used to destroy their career, reputation, finances, etc. Enough that it still feels like a win to the state, who rarely has much to lose in a relative sense.

tyingq 4 years ago

What the reporter saw was the base64 encoded contents of the typical .Net "VIEWSTATE" session stuff, that looks like this:

  <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="[SOME_BASE_64_HERE]" />

Meaning he likely just pasted the contents into a web based base64 decoder.

I am totally mystified how a competent DA wouldn't have dropped this immediately.
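For a site owner, the decode step described in the comment above doubles as a pre-release check. The sketch below is an added example, not part of the thread or the article: it parses a response body, base64-decodes every hidden form field (no key is involved) and flags SSN-shaped strings. The sample page, its field contents and all function names are constructed for illustration.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Constructed sample: a page whose hidden field carries a record that the
# visible markup never shows. The name and the SSN-shaped value are made up
# (area number 000 is never issued). The leading bytes stand in for a binary
# serialization header; they are not a real ViewState.
_STATE = base64.b64encode(
    b"\xff\x01\x0fTeacher: Jane Example; SSN: 000-12-3456"
).decode()
SAMPLE_HTML = f"""<html><body>
<form method="post" action="search.aspx">
  <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="{_STATE}" />
  <input type="hidden" name="page" value="2" />
  <input type="text" name="lastname" />
</form>
<table><tr><td>Jane Example</td><td>Certified</td></tr></table>
</body></html>"""

# Nine digits in the usual 3-2-4 grouping, not embedded in a longer number.
SSN_SHAPED = re.compile(rb"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


class HiddenFieldCollector(HTMLParser):
    """Collect name -> value for every <input type="hidden"> in a document."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "input" and (attr.get("type") or "").lower() == "hidden":
            name = attr.get("name") or attr.get("id") or "?"
            self.fields[name] = attr.get("value") or ""


def decode_base64(value):
    """Return the decoded bytes, or None if value is not plausible base64."""
    compact = "".join(value.split())
    if len(compact) < 8 or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def audit_hidden_fields(html):
    """Flag SSN-shaped data in hidden fields, as sent and after decoding."""
    collector = HiddenFieldCollector()
    collector.feed(html)
    findings = []
    for name, value in collector.fields.items():
        layers = [("raw", value.encode("utf-8", "replace"))]
        decoded = decode_base64(value)
        if decoded is not None:
            layers.append(("base64", decoded))
        for layer, data in layers:
            for match in SSN_SHAPED.finditer(data):
                # Mask all but the last four digits so the audit log does not
                # become a second copy of the leaked data.
                masked = "***-**-" + match.group()[-4:].decode()
                findings.append({"field": name, "layer": layer, "match": masked})
    return findings


if __name__ == "__main__":
    for finding in audit_hidden_fields(SAMPLE_HTML):
        print(finding)
```

A hit means the record should not be serialized into the response at all; changing how it is encoded does not change who receives it.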

  • dfxm12 4 years ago

    Missouri Gov. Mike Parson on Dec. 29, 2021, talks about possible charges against the Post-Dispatch from the Cole County prosecuting attorney after the paper in October alerted officials to a data vulnerability on a state website.

    Whistleblowers getting punished is just a feature of an authoritarian regime. It has little to do with competency.

  • ensignavenger 4 years ago

    The county prosecutor just got the case from the MSHP. It remains to be seen what the prosecutor does with it- I imagine there are some political pressures at this point. But if prosecution proceeds, it will be a waste of taxpayer money, as it is highly unlikely it succeeds.

  • ZoomerCretin 4 years ago

    >I am totally mystified how a competent DA wouldn't have dropped this immediately.

    Competence and morality aren't the most important factors here. Some people want to advance their career, even if it means screwing over someone like this. The governor probably wanted to shift blame away from himself and his administration, and is likely willing to make promises or exchange favors to further that goal.

    • tyingq 4 years ago

      Seems risky though. A judge or jury could then publicly hand you your ass making you look incompetent.

  • rolph 4 years ago

    in this case the government is breaking the law allowing confidential data to be distributed by their servers to whomever connects with a browser.

    it is civic duty to report a crime, and within the law to be prosecuted for not reporting a crime.

    it is also a crime to make misleading or false statements or acting in a manner that obstructs a legal investigation.

    the government of missouri has spun this around, 180 degrees attempting to make someone revealing the matter look like a criminal, and validate government obstruction of legal recourse.

    the pot is painting the kettle an offcolour to hide its own.

  • anigbrowl 4 years ago

    Prosecutors are politicians. Competency is often not the first concern of voters.

  • rchaud 4 years ago

    > I am totally mystified how a competent DA wouldn't have dropped this immediately.

    DAs have elections to win, and the risk of not having the governor's endorsement would put them in a tricky position.

  • Bud 4 years ago

    This is Missouri. It might be hard to find a competent DA in the entire state.

    • nobleach 4 years ago

      I know you're probably saying this half-jesting... But the harsh reality is that if a judge cannot understand the minutiae of "browser requested one thing and the PLAINTIFF's server sent personal info, unencrypted", then the precedent that is set is an awful one. I get that the amount of technical stuff that needs to be understood here is beyond what your average NON-hacker-news type might understand... but when it comes to prosecution, wouldn't an expert be consulted??

      • ozfive 4 years ago

        It's really not though. Even my parents know and understand what view source is in the browser. A browser is simply a way to render information sent. Once it was wilfully sent and in your browser you are not accessing a machine in a criminal way. I hope that if they even try to bring charges the reporter and the newspaper counter sue for violation of rights. Mozilla and the Chrome team need to weigh in on the defendant side. Anyone here from those teams willing to stand up for this guy?

        • nobleach 4 years ago

          Yep, the counter-suit would be the angle I'd hope they'd pursue. "YOU exposed PII, you are in breach... no one 'broke into a system'"... but as others are mentioning in this thread, the article doesn't explicitly say the reporter is being charged. So I'm probably getting my blood-pressure up for no reason.

          • ozfive 4 years ago

            Same here... Damn it's supposed to be vacation and project time!

      • vineyardmike 4 years ago

        > wouldn't an expert be consulted??

        All the prosecutors need is an expert that says "Base64 is an encryption. Sending data encrypted means they don't want you to read it.. they tried to break encryption and succeeded when they weren't supposed to"

        And then just fear-monger the risk of broken encryption and government and how you have to try to break it and it's dangerous or something.

        Lots of people claim to be experts, and know enough to pass. Plenty of people want to curry gov favor, or get their 10 seconds of attention.

        • _y5hn 4 years ago

          Base64 is a well-known plain-text encoding format. Using it as an encryption format violates privacy laws.

      • dfxm12 4 years ago

        According to the article, charges haven't been filed yet. Likely the DA is very closely examining the letter of the law with an expert right now to see if they have a reasonable case. A judge wouldn't be involved until there's a trial. Even then, the judge doesn't have to play a role in deciding if the defendant is guilty or not (see bench trial vs trial by jury). If there is a trial, in either case, there would likely be an expert witness testifying.

      • rolph 4 years ago

        i hope someone realizes prosecuting this would mean the government thinks it is illegal to use a webbrowser to request HTML et al. from a webserver.

        by extension missouri is deliberating a court case that questions the legality of public access to WWW.

  • tshaddox 4 years ago

    The concern is not about what a competent DA would do.

wolverine876 4 years ago

Someone - a particular political party - is attacking the free press and freedom generally. The only answer is to be heard, loudly, and vote them out of office. The cavalry isn't coming - nobody will save us but us.

It's not a partisan statement. I'm not saying it to favor one party or another (though unavoidably the other party would benefit - we'd be better off with multiple parties committed to democracy). We agree on freedom and democracy for all, we stand up for it, we give our 'lives, honor, and fortune' for it, or we are not the United States.

EDIT: I reworded it to remove political party names, to try to reduce any appearance of partisanship.

  • tomp 4 years ago

    Unfortunately, it's actually both political parties.

    • wolverine876 4 years ago

      You'll have to back that up somehow. I strongly believe that it is false - for generations, both parties supported the free press and put freedom and democracy first. Even in Watergate, it was a narrow attack on the press and the Republicans eventually turned on Nixon. That is no longer true.

      The world isn't equal, and both-sidism is a great way to try to divert people from taking action - nobody is wrong or evil, everyone is. We need to distinguish right from wrong and to act, now. We need to use our free will, our free moral choice, to choose and act right. We will get the consequences we choose and act upon.

      • tomp 4 years ago

        Obama, Trump, Hillary, Biden - all conspiring against Assange & Snowden. All droning innocent civilians. Both parties seem quite content with cancelling people & banning them from social media (the only thing they cannot agree on, is which people).

        What more proof do you want?

        Also, I don't understand your point. If anything, "they're all bad" should motivate people to take more action.

        • _y5hn 4 years ago

          They're all bad is something said in retarded countries like China and Russia. It becomes truth because action becomes oppressed.

    • Enginerrrd 4 years ago

      That and expansion of surveillance authority is the one thing they seem to agree on.

  • anigbrowl 4 years ago

    I hope you'll give some thought to the scenario where one group in a polity rejects or modifies the electoral franchise as the ultimate mechanism of decision.

  • q1w2 4 years ago

    I have seen prosecutors act like complete slime balls - from both parties.

    Intimidating witnesses - misrepresenting evidence - omitting counter-evidence - over-charging defendants - denying timely access to counsel.

    If you think this is about politics - you are mistaken. You just haven't seen all the other times defendants have been mistreated in court.

    • wolverine876 4 years ago

      I'm not talking about defendant and DAs (which I agree with you about). I'm talking about a political party and elected officials (including a governor in this case, recently a president) actively trying to shut down the free press.

quantified 4 years ago

On the one hand, as someone familiar with software and computer systems, it’s hard to see the prosecution winning. And the acquittal could prove stinging for the guv and the prosecutor. On the other hand, 12 Missouri citizens and a few appellate judges could convict and uphold, making things much less safe on line in Missouri.

Sad this thing is still going on. What’s really up with the governor?

  • Isthatablackgsd 4 years ago

    > Sad this thing is still going on. What’s really up with the governor?

    They are allergic to accountability it seems. That's why once it comes out of their mouth, it is impossible for them to admit they fucked up. So double/triple/quadruple/quintuple-down is part of their playbook.

  • ozfive 4 years ago

    Those people then should all be scrutinized to see if they have ever viewed source in a browser. I'm betting a large portion of society including the prosecutor and the governor have viewed source in the browser themselves.

  • magikaram 4 years ago

    Parson wasn't an elected governor initially. He was the Lt. Governor from an appointed position previous election cycle. Governor and Vice Governor resigned due to a scandal, and Parson took office similar to how Ford did after Nixon. Parson did win 're-election' riding on former President Trump's coattails.

webmobdev 4 years ago

India also has this kind of stupid vague law that makes ethical hacking partly illegal:

> The contention is over Clause 7 of the Responsible Vulnerability Disclosure and Coordination Policy, released by CERT-In on September 3. According to the clause, the reporting party must “comply with all the extant laws” like the IT Act, Section 43, which bars unauthorised access to systems, while Section 66 prescribes the corresponding punishment (jail and/or fine).

> “Independent security experts may gain unauthorised access to a network when probing a system but they do so to study the vulnerabilities. So while their intent is not malicious, it could be seen as wrong under the IT Act, which is what this policy reinstates,” explains Rohin Garg of Internet Freedom Foundation (IFF), a New Delhi NGO that works to defend digital rights.

Source: https://www.deccanherald.com/metrolife/metrolife-on-the-move...

More here - https://internetfreedom.in/dont-penalise-cybersecurity-resea...

lucasyvas 4 years ago

If this isn't immediately thrown out, there are much worse things to start worrying about.

  • indigodaddy 4 years ago

    I would love to also somehow see Parson penalized for egregious waste of government resources and monies on this charade that will go nowhere immediately at trial.

    Also the fact that the prosecutors didn’t laugh in his face immediately is rather disappointing. I can I guess understand the Highway Patrol being forced into investigating, but there’s no excuse for the prosecutor not immediately slapping this down.

    • SauciestGNU 4 years ago

      If there's a prosecution, everyone involved should be put on trial for deprivation of civil rights under color of law. This is absolutely a violation of press and speech freedoms, and retaliatory to boot.

nulbyte 4 years ago

> Gov. Mike Parson on Wednesday expressed his opinion the Cole County prosecuting attorney would bring charges in the case of a Post-Dispatch reporter who alerted the state to a significant data vulnerability.

The actual headline reflects the content of the article better: "Parson says he believes prosecutor will bring charges in Post-Dispatch case." Having read the article, I don't see anyone but Parson opine that the reporter will be prosecuted, and if this whole ordeal has done nothing else, it has at least offered adequate reason for me to dismiss Parson's opinions with prejudice.

  • natechols 4 years ago

    A better headline would be "MO Governor makes a fool of himself repeatedly". I would feel safe betting money on the reporter's continued freedom - the more important question is how much the paper will need to spend on legal defense before it gets thrown out. Which I suspect is actually the point, unless Parson really is that dumb.

plutonorm 4 years ago

"Don't look up" I watched it on Netflix last night and I can't get over how well it captures the insanity we witness on a daily basis. It's not a funny movie, it's painful to watch, but that's because it's a reflection of reality. Sure it's overblown and silly in places, but it resonates so strongly with the idiocy of our time... It's a test with high specificity: If you don't get the resonance then you are part of the problem.

  • noah_buddy 4 years ago

    I have seen this movie referenced multiple times over the last several days and all I can say is, while I understand the points that McKay is trying to make, it's not funny because it's not funny and it's hardly insightful because it totally lacks any nuance and isn't particularly original. How long ago was Stephen Colbert synonymous with "dumb conservative"?

    Trying to claim that if you don't resonate with a film then you're a bad person is a mistake imo.

ozfive 4 years ago

The guy found keys in a lock, knocked on the door and said hey I found your keys in your lock you better figure out a way not to do that again since someone who had intent to do bad things could have come along instead of me.

magikaram 4 years ago

Alas, yet another article that displays the incompetence of my state's governing body.

  • encryptluks2 4 years ago

    Incompetence would mean they have no clue. I genuinely believe that is not the case, and opportunity is really what this looks like here. I've found many politicians and legal professionals to really just use whatever they can to get what they want and throw as much at the wall to see what sticks. Incompetence at least means some good faith that they do not know better, but I believe in most instances they do but they don't care.

    • crispyambulance 4 years ago

      Yes, IMHO, this is very much about governor Mike Parson using the court system as a "weapon" against the reporter (or more likely the newspaper).

      It actually doesn't matter that there's no way the prosecution will "win" nor does this have anything to do with caring about information security.

      Folks are wasting their breath if they explain why "view source" isn't hacking. The prosecution DOESN'T EVEN CARE.

      Hopefully the Post-Dispatch has the resources to aggressively retaliate and take a pound of flesh in return. The charges were likely brought simply because the newspaper is stretched thin and they're either being told to "shut-up" or the governor is trying to pull "a Peter Thiel style" maneuver for some past grievance.

  • Finnucane 4 years ago

    This doesn’t sound like incompetence. Or at least, targeting a journalist for prosecution because he revealed your incompetence sounds like a step down a bad road.

  • jimt1234 4 years ago

    I was born and raised in St. Louis. This whole situation doesn't surprise me one bit.

andrewfromx 4 years ago

I had the same reaction at first, omg everyone knows about view source, this is a non-issue it was PUBLIC! But then the argument about "even if your lock is bad, doesn't mean someone can break into your house and steal your stuff." And I tried to look at that from the point of view of a normal non-tech person who doesn't know about view source or curl, they just know the normal view did not contain the info and someone did something "extra" and found it. I guess it comes down to how obvious and how "extra". Like what if I sent out a paper newsletter to all my neighbors but printed it on recycled paper that happened to have SSN info on the other side. Is it their fault for doing something "extra" like turning the paper over and then seeing the other info?

  • 908B64B197 4 years ago

    > And I tried to look at that from the point of view of a normal non-tech person who doesn't know about view source or curl

    Safari read aloud would have blurted out the SSNs in this case. So even for a layman, the lock analogy falls short.

    > Like what if I sent out a paper newsletter to all my neighbors but printed it on recycled paper that happen to have SSN info on the other side

    Court would place responsibility on the person who failed to inspect the paper used. There's a reason medical offices all have shredders; you can't reuse paper with patient's personal information on it.

  • mikojan 4 years ago

    I don't see no extra in either of these situations.

    I am living in an apartment complex and I wouldn't mind if someone noticed my keys in my front door, opened that door, took a look and called out for me.

    This cannot possibly register as breaking in?

    I am not even talking about motive here. The actual event in my mind is clearly benign.

iambateman 4 years ago

The legal parts of this case seem straightforward. The scary thing is a governor using his platform to bully legitimate news-makers who are clearly acting in good faith.

We should all hope the paper vigorously defends its first amendment rights.

BadThink6655321 4 years ago

The lock analogy fails. First, the viewer was given the data. Second, obfuscation is not a lock.

techgnosis 4 years ago

How do we help this guy? I Google'd "EFF Mike Parsons" and "EFF View Source" and found nothing. Surely there is a way to help this guy.

  • tailspin2019 4 years ago

    Funny. I literally just emailed the EFF to ask if they are looking at this case and/or are in a position to support the journalist if needed.

    I also asked what they suggest individuals like us can do (if anything) to help.

    Similar to you, I Googled first, and found a short comment from someone at the EFF but nothing indicating that they were directly involved in this case so far.

    I'm not even a US citizen (I'm a Brit) but something about this case makes me incredibly angry and frustrated. Not just on behalf of the journalist himself but also because of the hugely negative impact it will have on responsible disclosure of security issues in the future if this action against him proceeds.

trhway 4 years ago

That is another attack on general computing. Until now an "encryption" has been required to limit your legal ability to handle information legally residing on your computer. Now even the "encryption" isn't needed, just a post-factum statement from the information sender that you used unapproved (according to post-factum given definition of approved) viewer for that information. One can see how MS may for example decide that using an old version of Word or accessing MS site by Firefox instead of Bing or from a Linux computer may be qualified as such a hacking.

aurizon 4 years ago

I wonder if that governor will charge prisoners who look out the window for 'felonious escape rumination'

Animats 4 years ago

Section 242 of the U.S. Criminal Code:

Whoever, under color of any law, statute, ordinance, regulation, or custom, willfully subjects, or causes to be subjected, any inhabitant of any State, Territory, or District to the deprivation of any rights, privileges, or immunities secured or protected by the Constitution and laws of the United States . . . shall be fined not more than $1,000, or imprisoned not more than one year, or both.

This law has never been used to protect First Amendment rights. But, on its face, it could be.

  • q1w2 4 years ago

    Laws that are vague are superseded by laws that are more specific.

GuB-42 4 years ago

I think that it is a bit far fetched here but where do you draw the line between what is an intrusion and what is not?

To continue with the prosecutor analogy of the lock, having a shitty lock doesn't allow others to enter your house, but what if there is no lock, and what if the door is wide open? If you write "do not look" on top of your source code, can you prosecute someone who looked at it? If not, can you open a package marked "for Alice" if you are Bob, even if it is unsecured.

For computer security, what is punishable? Obviously, using exploits and installing rootkits is, but what about deciphering weakly encrypted streams, what about accessing "secret" urls that do not have access control, what about probing undocumented APIs.

For me, it is just the prosecutor doing his job of accusation, maybe poorly, I don't know, but if there is a trial, there will be a defense attorney, and a judge, and hopefully a reasonable verdict.

  • Buttons840 4 years ago

    Intent matters most. If the reporter had compiled a list of every teacher and their personal information by doing nothing more than "View Source", that would be a crime.

    If a researcher breaks a few ciphers, and makes no effort to store the plaintext, and reports the flaw, that's not a crime.

  • BeetleB 4 years ago

    As mentioned in another thread, the lock analogy/trespassing analogy makes no sense here.

    This is a case of A requesting something from B, and B giving A stuff they shouldn't have, and prosecuting A for noticing it.

    At no point did the journalist go into anyone's property/territory. The site simply handed out the confidential stuff.

  • smhenderson 4 years ago

    The article stated that the prosecutor hasn't commented on any of this yet. Everything you're attributing to the prosecutor was said by Parson. I'm assuming the prosecutor hasn't commented because he's embarrassed to be dragged into the whole ordeal.

    I get that's not the point of your comment but I refuse to even acknowledge that using HTTP as intended without feeding a server a malicious request can ever be considered a crime.

    The only crime here is the negligence on the part of the Missouri government and the obvious abuse of power being displayed by Parson after the fact.

pxeger1 4 years ago

Here's what I think is a better analogy than the lock picking one:

It's Halloween, so you put a bowl of chocolates outside your house with a sign saying "take one". You accidentally dropped your wedding ring in there, and when a reporter digs through the chocolates and sees it, they ring the doorbell to let you know.

ambrozk 4 years ago

I've written a statement to be issued by the reporter in question: "If the State DA is stupid enough to help Mike Parson prosecute me to avoid blame for his own incompetence, it will be my pleasure to face him in court, make him a national laughing stock, and end his career."

dang 4 years ago

Recent and related:

Reporter who told Missouri officials of website flaw did 'nothing out of line' - https://news.ycombinator.com/item?id=29098289 - Nov 2021 (190 comments)

Gov. Parson releases video attacking newspaper for viewing HTML - https://news.ycombinator.com/item?id=28980855 - Oct 2021 (26 comments)

Gov Parson pushes to prosecute reporter who found security flaw in state site - https://news.ycombinator.com/item?id=28946392 - Oct 2021 (525 comments)

alanh 4 years ago

Parson is clearly a bad actor. View source is not a crime and it is prosecutorial misconduct — ESPECIALLY when informed by a professional that no network intrusion occurred — to charge anyone for it.

lkxijlewlf 4 years ago

The analogies about locks... It's just wrong. There was no lock. A closer analogy is opening a csv file in notepad++ vs Excel. Same data, just a slightly different view of it.

Toutouxc 4 years ago

I have no idea how US courts work. Can whatever it is that's currently happening end in the reporter "winning" and possibly walking away with some compensation?

  • kposehn 4 years ago

    There is malicious prosecution, which allows a defendant to sue the plaintiff for knowingly prosecuting even though they knew (or reasonably suspected) they were wrong or did so with ill intent.

    Typically, this can only be done after prevailing in court as I understand it and the bar for success is quite high.

  • dekhn 4 years ago

    The prosecutor isn't going to initiate this case (no matter how much the governor says so) because they know they will lose and in losing, embarrass the state even worse (since during discovery it will come out that the people who let the error happen in the first place were incompetent).

    STL covered its tracks perfectly on this one; if they did lose, it would be a token loss.

  • jimbob45 4 years ago

    Yes[0]. It's unlikely to ever get that far though - 95% of cases settle pre-trial [1] because this kind of stuff is all fun and games until someone has to put their words on the line. Especially when you're the governor and big public losses like these weigh heavily in voters' minds.

    [0]https://focuslawla.com/rare-happens-plaintiff-ordered-pay-de...

    [1]https://thelawdictionary.org/article/what-percentage-of-laws...

    • HillRat 4 years ago

      We're talking criminal prosecution here, though -- the only pre-trial settlement is a plea bargain or a dropped prosecution, neither of which are likely if the prosecutor really takes this dog to trial. The next steps are going to hinge on whether the Missouri Highway Patrol is a competent and relatively non-political entity, since they just returned their investigation to the prosecutor's office.

      Now, even if a jury convicts this is unlikely to stand on appeal just given the bare facts as we know them, but the state can definitely drag the reporter through jail, trial, and possible imprisonment as an example of what happens to anyone the governor takes a dislike to.

tyingq 4 years ago

I'd love to be an "expert witness" and decode a small snippet of base64 on a whiteboard for the jury. Just to show that the lock analogy is bullshit.
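The by-hand decoding the comment above describes, written out as an added example (not part of the thread and not any commenter's code): each character is looked up in the public RFC 4648 alphabet and the 6-bit groups are regrouped into bytes, with no key or secret involved. The function name and the sample value are constructed for illustration.

```python
import base64

# The standard Base64 alphabet from RFC 4648: public, fixed, and keyless.
ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/"
)


def whiteboard_decode(text):
    """Decode Base64 by table lookup and regrouping bits, as one would by hand.

    Returns (decoded_bytes, steps); steps records each character's table
    index and 6-bit pattern so the work can be shown line by line.
    """
    stripped = text.strip()
    if len(stripped) % 4 != 0:
        raise ValueError("Base64 length must be a multiple of 4")
    body = stripped.rstrip("=")
    pad = len(stripped) - len(body)
    if pad > 2:
        raise ValueError("at most two '=' padding characters are valid")

    steps = []
    bits = ""
    for ch in body:
        index = ALPHABET.find(ch)
        if index < 0:
            raise ValueError(f"{ch!r} is not in the Base64 alphabet")
        six = format(index, "06b")
        steps.append((ch, index, six))
        bits += six

    # Each '=' stands for two filler bits; drop them, then cut into bytes.
    usable = len(bits) - 2 * pad
    decoded = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
    return decoded, steps


# Constructed sample value, not taken from any real page.
SAMPLE = base64.b64encode(b"record-id: 0042").decode("ascii")

if __name__ == "__main__":
    plain, steps = whiteboard_decode(SAMPLE)
    for ch, index, six in steps[:4]:
        print(f"{ch!r} -> index {index:2d} -> {six}")
    print(plain.decode("ascii"))
```

For anyone reviewing their own pages, the practical consequence is that a Base64 field in a response body has to be treated as if it were sent in plaintext.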

matthias509 4 years ago

This is saying that someone is hacking if they read text in a pdf which was “redacted” by changing the style of the text to be black text on a black background.

kevinventullo 4 years ago

“View source” is nothing like picking a lock. It’s more like opening the hood of a rental car and discovering a book full of trade secrets.

victorbstan 4 years ago

Being prosecuted for data that was sent to you by the server… I hope the judge can figure out the problem with this concept.

zenlf 4 years ago

From Cuomo to this, I came to the realization that it's probably not that the governors really believe what they do or what they say; by shifting the public focus to something else more bizarre, more outrageous, they will successfully quell any demands for accountability.

LatteLazy 4 years ago

Doing basically anything with a computer is illegal in the US. It gives government a lot of power to deal with errant journalists or others.
