Tuesday, July 02, 2013

Unwanted access

Weev's lawyers have filed their appeal. It's interesting, readable even for non-lawyers.

Part of the appeal is based on the obvious idea that public websites are, well, public. Just because some computer access isn't "wanted" doesn't necessarily mean that it's "unauthorized". Sure, physical trespass is a good analogy for private computers, but the analogy for public websites is that you've invited the guest into your home, but they ignore your hints they should leave, because you haven't explicitly told them so.

Take search engines as an example. They steal a website's content in order to profit by it. That's the definition of "search engine". Back when they were invented, they made people upset. They'd overload the server with their aggressiveness. They would make available and public things that website owners didn't want to be so public. Somehow, zealous prosecutors avoided making felons out of search engineers, and they have become the social norm today -- even though these problems still persist.

The same is true of cyber-security research. I do unwanted things against websites all the time, such as my frequent testing of the Un.org website to see if it's still vulnerable to SQL injection. Those guys hate me. Yet, my blogposts have improved the situation (they fix whatever I post a few days later, and now they've got a WAF in front. I really need to play with that WAF, but I'm lazy).

The reason I'm writing this blogpost is to solicit other examples of unwanted behavior -- things you do that you know are unwanted, but which you believe are "authorized". Or, things that you would do, but aren't sure if you'd be crossing a line. Please add them to the comments below, or send me a tweet @ErrataRob.


a. said...

Hi. Off the top of my head, I remember two things.

One is a service provider for online transactions called "Sofortüberweisung" (SÜ for short). Some online vendors let you pay via SÜ by providing SÜ your online banking credentials. SÜ will then do the transaction and guarantee the vendor that the money was transferred. Both German banks (which operate a closed rival system) and consumer protection groups were not happy (as the customer gives his credentials to a 3rd party). Not sure if the question of legality has been settled.

If I remember correctly, there were quite a few other cases, over the years, where companies were accessing German online banking systems "on behalf of" customers.

Second there were cases with online travel portals doing screen scraping, especially on the Ryanair web site. The airline said they were not allowed to do this. The travel sites wanted to find the best prices.

Hope you won't mind me just giving these pointers. It should be possible to find more background using your favorite search engine.



Michael Clark said...

Potential examples of "unwanted, yet authorized:"

- looking for a site's RSS feed by adding /feed/ /index.rdf /index.xml or /atom.xml to the base URL of the site

- search engines not even asking for the robots.txt file

Potential examples of unwanted and unauthorized:

- trying to fingerprint a site's CMS (tons of requests for common readme.txt or other files).

- searching for vulnerabilities in a site other than your own

- search engines reading and ignoring robots.txt directives
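The comment above draws a line between a crawler that never asks for robots.txt and one that reads it and then ignores its directives. The following is an added example, not code from the post's author or from any commenter, showing how a site operator can tell those two cases apart from their own access logs: it parses a robots.txt with Python's standard urllib.robotparser, replays combined-format log lines in order, and reports, per user agent, whether it stayed within the directives, hit a disallowed path without ever requesting robots.txt, or requested robots.txt and then fetched a disallowed path anyway. The robots.txt, the log lines, the IP addresses and the bot names are all constructed for the example; the substring matching of User-agent tokens and the first-match rule are urllib.robotparser's own semantics.

```python
import re
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for a hypothetical site (not taken from the page).
ROBOTS_TXT = """\
User-agent: *
Disallow: /private/
Disallow: /admin/

User-agent: BadBot
Disallow: /
"""

# Constructed access-log lines in Apache/nginx "combined" format. Addresses are
# from documentation ranges and the bot names are made up for this example.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jul/2013:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 95 "-" "GoodBot/1.0"
203.0.113.5 - - [02/Jul/2013:10:00:02 +0000] "GET /feed/ HTTP/1.1" 200 1234 "-" "GoodBot/1.0"
198.51.100.7 - - [02/Jul/2013:10:01:00 +0000] "GET /index.xml HTTP/1.1" 404 0 "-" "QuietBot/2.0"
198.51.100.7 - - [02/Jul/2013:10:01:01 +0000] "GET /private/report.pdf HTTP/1.1" 200 4096 "-" "QuietBot/2.0"
192.0.2.9 - - [02/Jul/2013:10:02:00 +0000] "GET /robots.txt HTTP/1.1" 200 95 "-" "BadBot/0.1"
192.0.2.9 - - [02/Jul/2013:10:02:01 +0000] "GET /admin/ HTTP/1.1" 403 0 "-" "BadBot/0.1"
"""

# One combined-format line: client, identd, user, timestamp, request, status,
# size, referer, user agent. Only the fields used below are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

COMPLIANT = "compliant"
NEVER_ASKED = "never asked for robots.txt"
IGNORED = "read and ignored robots.txt"


def parse_log(log_text):
    """Yield (user_agent, path) for every line that matches the combined format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ua"], m["path"]


def audit_crawlers(log_text, robots_txt):
    """Classify each user agent seen in the log against the robots.txt directives.

    Lines are replayed in order, so a violation counts as "read and ignored" only
    if that user agent had already requested /robots.txt before the request.
    """
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())  # parse() also marks the parser as loaded

    asked = set()         # user agents that have requested /robots.txt so far
    violations = {}       # user agent -> list of (path, had_asked_before)
    seen = []             # user agents in order of first appearance

    for ua, path in parse_log(log_text):
        if ua not in seen:
            seen.append(ua)
        if path == "/robots.txt":
            asked.add(ua)   # the "asking" itself is never a violation
            continue
        if not rp.can_fetch(ua, path):
            violations.setdefault(ua, []).append((path, ua in asked))

    verdict = {}
    for ua in seen:
        hits = violations.get(ua, [])
        if not hits:
            verdict[ua] = COMPLIANT
        elif any(had_asked for _, had_asked in hits):
            verdict[ua] = IGNORED
        else:
            verdict[ua] = NEVER_ASKED
    return verdict


if __name__ == "__main__":
    for ua, status in audit_crawlers(SAMPLE_LOG, ROBOTS_TXT).items():
        print(f"{ua:14} {status}")
```

On the constructed log, GoodBot fetches robots.txt and stays inside the allowed paths, QuietBot never requests robots.txt but pulls a file under /private/, and BadBot requests robots.txt and then fetches /admin/ despite being disallowed everywhere. A real deployment would key on client address as well as user agent, since the User-Agent header is whatever the client chooses to send, and would treat a robots.txt fetched after the violation as a separate case.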