"Hacking" Teenager in trouble - for downloading public documents
-
Apparently, downloading Public documents is hacking now in Canada ....
"I decided these are all transparency documents that the government is displaying. I decided to download all of them just to save," he said.
He says it took a single line of code and a few hours of computer time to copy 7,000 freedom-of-information requests.
"I didn't do anything to try to hide myself. I didn't think any of this would be wrong if it's all public information. Since it was public, I thought it was free to just download, to save," he said.
-
Not the first time I've heard of government leaving documents out where the public has easy access and getting all of sahara in their collective cunts over people actually reading the documents they have access to.
This has the cherry on top as it's all accessed on a freedom of information server. Someone in charge needs to be publicly shamed and fired over this, and the teen should walk perfectly free.
I also do not think landing a job will be a big problem for him. Most people in the security sphere have some incident in their history.
-
I wonder if anyone already got Jason Scott and other folks from the Internet Archive on this. Jason will have a field day with this shit.
Also, if your "secret" data is available by just doing a
wget -r
it's your own fucking fault if someone grabs it. Hell, the aforementioned Internet Archive might already have it all without knowing if they left directory listing on, or they had a script that does that.
I'm also half tempted to find an installer for Opera 12 now, which had a "Fast Forward" button that basically did just that - it would analyze the URL and try to guess what the next page might be (they also probably fired off a quick request to see if it 404s as well, but I'm just guessing there). It would be hilarious if I could "hack" a website using a built-in browser feature...
-
I guess if I were a government admin I might enjoy responding like this to server cooties and the people responsible, too.
-
something something Aaron Swartz ✝ something something
-
[Freely admit the following is a WTF --- but....]
a) There are jurisdictions where information may be viewed but not copied. I have no clue if this is applicable in the referenced case.
b) Automation of manual processes can also run afoul of various legalities. Thus an operation directly performed by a human may be legitimate, but any writing of "scripts"/"code" is a violation.
-
@thecpuwizard said in "Hacking" Teenager in trouble - for downloading public documents:
There are jurisdictions where information may be viewed but not copied.
Which is idiotic on the web as it is. Unless someone wants to file a suit against my browser for caching things.
@thecpuwizard said in "Hacking" Teenager in trouble - for downloading public documents:
Automation of manual processes can also run afoul of various legalities. Thus an operation directly performed by a human may be legitimate, but any writing of "scripts"/"code" is a violation.
Yeah, we have captchas of various kinds for those purposes. Real life example: over heret here is a registry of phone numbers which are explicitly listed as "you are not allowed to call this number for any kind of marketing purposes without a signed agreement", or however you write that in legalese.
There's an API for which you can get read and/or write access to by registering with the governing body which will then issue you an API key. You can also check a number on their site, but:
You have to match the colors (not sure if the number in the ball matches as well by accident or not).
Yes, this is actually poor as a captcha. I bet all of you already have several ideas on how to break this. But at the very least it's some kind of indication that you probably shouldn't fuck with it much. It's not like it's just
checkNumber/385xxxxxxxx
in the URL and you can "hack" it by literally making a spreadsheet to generate a list of URLs for you to click out of an existing list of numbers. There, a semi automatic way to "hack" the system any moderately competent office worker can do!
-
As pointed out in the Hacker News thread about this case, unless he can either persuade the government not to prosecute him or get any evidence from the search of his seized computers thrown out (don't know enough about rules of evidence in Canada to know if that's plausible), this poor kid is going to prison for a long, long time. He admits he has terabytes of fucking 4chan backups on his machines. How enormous a cache of child porn must he unwittingly have in there?
-
@cabbage said in "Hacking" Teenager in trouble - for downloading public documents:
He admits he has terabytes of fucking 4chan backups on his machines. How enormous a cache of child porn must he unwittingly have in there?
Zero.
-
@cabbage said in "Hacking" Teenager in trouble - for downloading public documents:
4chan
If he's been engaging in correspondence with such a notorious hacker, then I think it's quite clear that this boy is extremely dangerous
-
@onyx said in "Hacking" Teenager in trouble - for downloading public documents:
over heret here is
Offtopic: this is what happens when you have a fucking Chrome debugger running in a different window and the damned thing steals focus every time it hits a breakpoint.
Fixed it in the window manager. Fucker.
-
@carnage said in "Hacking" Teenager in trouble - for downloading public documents:
Not the first time I've heard of government leaving documents out where the public has easy access and getting all of sahara in their collective cunts over people actually reading the documents they have access to.
The problem is that legally speaking, just because a document is in a publicly accessible server with zero security doesn't mean you are allowed to access it. It's like leaving your car in the street with the doors wide open and the keys in the ignition, it's incredibly stupid but it's still illegal for someone to take it.
However if these were explicitly public documents, well that kinda makes the whole point moot.
-
@bb36e said in "Hacking" Teenager in trouble - for downloading public documents:
@cabbage said in "Hacking" Teenager in trouble - for downloading public documents:
4chan
If he's been engaging in correspondence with such a notorious hacker, then I think it's quite clear that this boy is extremely dangerous and may attack at any moment, so we must deal with it
He's being crushed by the full force of the law
-
@onyx said in "Hacking" Teenager in trouble - for downloading public documents:
Offtopic: this is what happens when you have a fucking Chrome debugger running in a different window and the damned thing steals focus every time it hits a breakpoint.
I %&%$&$&^%$*& focus thieves.
-
@anonymous234 said in "Hacking" Teenager in trouble - for downloading public documents:
The problem is that legally speaking, just because a document is in a publicly accessible server with zero security doesn't mean you are allowed to access it. It's like leaving your car in the street with the doors wide open and the keys in the ignition
IMHO this is more like putting your secret reports on a public billboard and then expecting people to somehow figure out by themselves that they are confidential and not read them.
-
@pleegwat said in "Hacking" Teenager in trouble - for downloading public documents:
I %&%$&$&^%$*& focus thieves.
Why is your Perl editor stealing focus? o.O
-
@pleegwat said in "Hacking" Teenager in trouble - for downloading public documents:
@onyx said in "Hacking" Teenager in trouble - for downloading public documents:
Offtopic: this is what happens when you have a fucking Chrome debugger running in a different window and the damned thing steals focus every time it hits a breakpoint.
I %&%$&$&^%$*& focus thieves.
Especially if it is a Ford Focus [see Blakey's post about cars, locks, and keys]
-
@anonymous234 said in "Hacking" Teenager in trouble - for downloading public documents:
It's like leaving your car in the street with the doors wide open and the keys in the ignition, it's incredibly stupid but it's still illegal for someone to take it.
This analogy really ticks me off. No it bloody well isn't.
For this analogy-world to be even passingly analogous it would be written in law that you may take any car on any street that hasn't been locked. So if someone takes your car you left unlocked and you didn't want that then it's your own bloody fault.
We have lots of access controls, if people don't use them effectively then that's their problem.
-
@cursorkeys said in "Hacking" Teenager in trouble - for downloading public documents:
For this analogy-world to be even passingly analogous it would be written in law that you may take any car on any street that hasn't been locked.
Not at all.
It is illegal to take something which is not yours unless you are explicitly given permission, and said permission is limited to what is authorized. Does not matter if it is a car on the street, or electronic content on the internet.
-
@thecpuwizard said in "Hacking" Teenager in trouble - for downloading public documents:
It is illegal to take something which is not yours unless you are explicitly given permission, and said permission is limited to what is authorized.
But the level of damages you could claim from someone for taking it might be severely curtailed if it was shown that you'd not even taken basic steps to secure things. The law doesn't really protect the reckless from the consequences of their lack of care.
-
@boomzilla said in "Hacking" Teenager in trouble - for downloading public documents:
I guess if I were a government admin I might enjoy responding like this to server cooties and the people responsible, too.
What do you have against @accalia?
-
@onyx said in "Hacking" Teenager in trouble - for downloading public documents:
@thecpuwizard said in "Hacking" Teenager in trouble - for downloading public documents:
There are jurisdictions where information may be viewed but not copied.
Which is idiotic on the web as it is. Unless someone wants to file a suit against my browser for caching things.
No need to cache anything. The data gets copied several times before it reaches your computer, and then your browser copies it to RAM.
-
@anonymous234 said in "Hacking" Teenager in trouble - for downloading public documents:
The problem is that legally speaking, just because a document is in a publicly accessible server with zero security doesn't mean you are allowed to access it. It's like leaving your car in the street with the doors wide open and the keys in the ignition, it's incredibly stupid but it's still illegal for someone to take it.
Is it illegal for someone to go into your car and take photos of it if you leave it in the street with the doors open? Or to scan your unlocked car for later 3D printing? Because the documents weren't removed from the website.
-
@ben_lubar said in "Hacking" Teenager in trouble - for downloading public documents:
@onyx said in "Hacking" Teenager in trouble - for downloading public documents:
@thecpuwizard said in "Hacking" Teenager in trouble - for downloading public documents:
There are jurisdictions where information may be viewed but not copied.
Which is idiotic on the web as it is. Unless someone wants to file a suit against my browser for caching things.
No need to cache anything. The data gets copied several times before it reaches your computer, and then your browser copies it to RAM.
ISPs are all accomplices and should be persecuted to the full extent of the law as well!
-
@anonymous234 said in "Hacking" Teenager in trouble - for downloading public documents:
It's like leaving your car in the street with the doors wide open and the keys in the ignition, it's incredibly stupid but it's still illegal for someone to take it.
But a wholly different kind of illegal than breaking into and hotwiring. Iunno about US or any other country, but in Poland it would be "use of private property without permission", while hotwiring would be theft and carry a prison sentence.
-
@gąska said in "Hacking" Teenager in trouble - for downloading public documents:
private
Again, these were public documents. There shouldn't be any private property on a government website available to an unauthenticated GET request anyway.
-
@ben_lubar I'm pretty sure public institutions can have private property in Poland. Note that I was making car analogy, not talking about legal classification of reading documents.
-
@gąska said in "Hacking" Teenager in trouble - for downloading public documents:
can have private property
Yes, but a document available without logging in or guessing any URLs isn't exactly private.
-
@ben_lubar said in "Hacking" Teenager in trouble - for downloading public documents:
Or to scan your unlocked car for later 3D printing?
That sounds suspiciously like downloading a car, an act so heinous that even DVD pirates wouldn't do it.
-
@ben_lubar said in "Hacking" Teenager in trouble - for downloading public documents:
@gąska said in "Hacking" Teenager in trouble - for downloading public documents:
can have private property
Yes, but a document available without logging in or guessing any URLs isn't exactly private.
What if it includes the text:
this is meant only for the intended recipient. If you are not the intended recipient, please delete this and don't read it even though this is at the bottom so you'll see it after reading everything and forget you ever read it because it has a right to be forgotten
?
-
@ben_lubar said in "Hacking" Teenager in trouble - for downloading public documents:
guessing
I mean, "changing the ID in the URL" or whatever it was (I'm assuming it's this, based on the prior example in TFA, which might not be true) could be construed as "guessing"...
Still, once again, I wouldn't be surprised if bots of various kinds could have crawled those anyway, it reeks of lack of due diligence on every level.
-
@ben_lubar said in "Hacking" Teenager in trouble - for downloading public documents:
@boomzilla said in "Hacking" Teenager in trouble - for downloading public documents:
I guess if I were a government admin I might enjoy responding like this to server cooties and the people responsible, too.
What do you have against @accalia?
I was thinking about Bing, actually. And I did say "might."
-
@anonymous234 said in "Hacking" Teenager in trouble - for downloading public documents:
However if these were explicitly public documents, well that kinda makes the whole point moot.
Well, they were fricking freedom-of-information requests, so... yes?
-
Quite a few years ago, the new government budget leaked a few days before it was to be publicly announced because somebody tried the URL that contained last year's budget and incremented the year. There was much public uproar regarding security, and no hacking allegations.
The year after, it happened again. In the exact same way.
-
@topspin said in "Hacking" Teenager in trouble - for downloading public documents:
@anonymous234 said in "Hacking" Teenager in trouble - for downloading public documents:
However if these were explicitly public documents, well that kinda makes the whole point moot.
Well, they were fricking freedom-of-information requests, so... yes?
According to TFA, something like 250 were, quote:
But about 250 of the reports were prepared for Nova Scotians requesting their own government files. These un-redacted records contained sensitive personal information, and were never intended for public release.
Which they just chucked into the same system willy-nilly. It's not even that they failed to secure it, I highly doubt that there was any indication of those files being any different. This is the equivalent of putting bowls of candy on a table, with a sign saying "FREE CANDY!" above them, but you're not supposed to take any of the lemon flavored ones.
Well fuck you, I love lemon flavored candy!
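
Added example, not part of the post above or of the portal's real code: a minimal sketch of the failure described here (public and requester-only records in one store, served to any GET) next to a deny-by-default check, plus an audit that lists what an anonymous caller can reach. The `Release` classes, document IDs, user names and function names are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional


class Release(Enum):
    PUBLIC = "public"             # redacted and cleared for anonymous download
    REQUESTER_ONLY = "requester"  # prepared for one person about their own file


@dataclass(frozen=True)
class Document:
    doc_id: int
    release: Optional[Release]    # None means nobody ever classified it
    requester: Optional[str] = None


# Constructed sample store: sequential IDs, mixed release classes.
STORE = {
    1001: Document(1001, Release.PUBLIC),
    1002: Document(1002, Release.REQUESTER_ONLY, requester="alice"),
    1003: Document(1003, None),
    1004: Document(1004, Release.PUBLIC),
}


def naive_status(doc_id: int) -> int:
    """The failure mode: anything that exists is served with 200."""
    return 200 if doc_id in STORE else 404


def checked_status(doc_id: int, user: Optional[str] = None) -> int:
    """Deny by default: serve only what is explicitly cleared for this caller."""
    doc = STORE.get(doc_id)
    if doc is None:
        return 404
    if doc.release is Release.PUBLIC:
        return 200
    if (doc.release is Release.REQUESTER_ONLY
            and user is not None and user == doc.requester):
        return 200
    # Unclassified, or someone else's file: answer exactly like "not found"
    # so the response does not reveal which IDs hold restricted records.
    return 404


def audit_anonymous_exposure(handler: Callable[[int], int]) -> List[int]:
    """IDs of non-public documents that `handler` serves to an anonymous caller."""
    return sorted(
        doc_id for doc_id, doc in STORE.items()
        if doc.release is not Release.PUBLIC and handler(doc_id) == 200
    )


if __name__ == "__main__":
    print("naive handler exposes:  ", audit_anonymous_exposure(naive_status))
    print("checked handler exposes:", audit_anonymous_exposure(checked_status))
```

Running the audit against the real handler before publishing is the cheap check: any non-empty result means a record is one URL away from the public.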
-
@thecpuwizard said in "Hacking" Teenager in trouble - for downloading public documents:
@cursorkeys said in "Hacking" Teenager in trouble - for downloading public documents:
For this analogy-world to be even passingly analogous it would be written in law that you may take any car on any street that hasn't been locked.
Not at all.
It is illegal to take something which is not yours unless you are explicitly given permission, and said permission is limited to what is authorized. Does not matter if it is a car on the street, or electronic content on the internet.
In this case you are explicitly given permission. RFC 2616 defines what will happen when you make a request, if you get 200 OK and your information then you have been given permission, there's no ifs and buts about that.
If you use nefarious means to access that data then most countries have laws about misusing computers/information resources.
As reported, this is not one of those cases. Legitimate requests were made and positively responded to. That the owner apparently didn't want it configured like that is irrelevant, at best they might have a professional competence civil claim against the staff member responsible for the misconfiguration.
-
@cursorkeys said in "Hacking" Teenager in trouble - for downloading public documents:
if you get 200 OK and your information then you have been given permission, there's no ifs and buts about that.
Does that constitute legal permission though? I would be very surprised if so.
-
@topspin said in "Hacking" Teenager in trouble - for downloading public documents:
something something Aaron Swartz ✝ something something
Yeah... no. Aaron Swartz was kicked out and blocked from the network multiple times, and actively worked to evade the ban, like a troll on a forum. This kid never had any warning to stop, as far as we know; someone just found out about it after the fact and decided to prosecute him.
-
@erufael said in "Hacking" Teenager in trouble - for downloading public documents:
Does that constitute legal permission though?
That in itself doesn't, but uploading the documents to a publicly-accessible location might do. It'd be something for the defence lawyer to try…
-
@jaloopa said in "Hacking" Teenager in trouble - for downloading public documents:
@ben_lubar said in "Hacking" Teenager in trouble - for downloading public documents:
@gąska said in "Hacking" Teenager in trouble - for downloading public documents:
can have private property
Yes, but a document available without logging in or guessing any URLs isn't exactly private.
What if it includes the text:
this is meant only for the intended recipient. If you are not the intended recipient, please delete this and don't read it even though this is at the bottom so you'll see it after reading everything and forget you ever read it because it has a right to be forgotten
?
You would need to download the document to read said text, so the actual downloading can't really be illegal then.
-
@dkf said in "Hacking" Teenager in trouble - for downloading public documents:
@thecpuwizard said in "Hacking" Teenager in trouble - for downloading public documents:
It is illegal to take something which is not yours unless you are explicitly given permission, and said permission is limited to what is authorized.
But the level of damages you could claim from someone for taking it might be severely curtailed if it was shown that you'd not even taken basic steps to secure things. The law doesn't really protect the reckless from the consequences of their lack of care.
Nope, the amount of damages has nothing to do with how good or bad your security is. If someone steals your car, your loss is the value of the car (maybe more, such as for lost time and/or wages, but never less).
In this case, of course, if all he did was download a bunch of public documents, there are no damages, which obviously raises the question of why it would be illegal.
-
@onyx said in "Hacking" Teenager in trouble - for downloading public documents:
@ben_lubar said in "Hacking" Teenager in trouble - for downloading public documents:
@onyx said in "Hacking" Teenager in trouble - for downloading public documents:
@thecpuwizard said in "Hacking" Teenager in trouble - for downloading public documents:
There are jurisdictions where information may be viewed but not copied.
Which is idiotic on the web as it is. Unless someone wants to file a suit against my browser for caching things.
No need to cache anything. The data gets copied several times before it reaches your computer, and then your browser copies it to RAM.
ISPs are all accomplices and should be persecuted to the full extent of the law as well!
As much as I agree with your suggestion as written, I think you might have meant "prosecuted".
-
@dragnslcr said in "Hacking" Teenager in trouble - for downloading public documents:
If someone steals your car, your loss is the value of the car (maybe more, such as for lost time and/or wages, but never less).
But if someone goes joyriding in your car and crashes it into the front of your house, have you lost it? You would have problems proving intention to permanently deprive, a key component of the definition of theft. The car is just a bit (or a lot!) damaged. If the car was an open-top coupé and you often just left it outside your house with the keys in the ignition, the level of legal sympathy you'd receive would be a lot less than if you had it locked in a secure garage.
Though the analogy of theft is unhelpful; this case definitely wasn't that. It'd be easier to prove espionage than theft.
-
@dragnslcr said in "Hacking" Teenager in trouble - for downloading public documents:
@onyx said in "Hacking" Teenager in trouble - for downloading public documents:
@ben_lubar said in "Hacking" Teenager in trouble - for downloading public documents:
@onyx said in "Hacking" Teenager in trouble - for downloading public documents:
@thecpuwizard said in "Hacking" Teenager in trouble - for downloading public documents:
There are jurisdictions where information may be viewed but not copied.
Which is idiotic on the web as it is. Unless someone wants to file a suit against my browser for caching things.
No need to cache anything. The data gets copied several times before it reaches your computer, and then your browser copies it to RAM.
ISPs are all accomplices and should be persecuted to the full extent of the law as well!
As much as I agree with your suggestion as written, I think you might have meant "prosecuted".
Both. Both is good.
Filed under: See also: signature
-
@thecpuwizard said in "Hacking" Teenager in trouble - for downloading public documents:
viewed but not copied
Where exactly is the line drawn? Given that every time we see this information we actually see a copy of this information.
@onyx said in "Hacking" Teenager in trouble - for downloading public documents:
Which is idiotic on the web as it is. Unless someone wants to file a suit against my browser for caching things.
Oh, I see someone already covered that.
@thecpuwizard said in "Hacking" Teenager in trouble - for downloading public documents:
Automation of manual processes can also run afoul of various legalities. Thus an operation directly performed by a human may be legitimate, but any writing of "scripts"/"code" is a violation.
Where exactly is the line drawn? There is literally no way to interact with the internet without a machine.
@onyx said in "Hacking" Teenager in trouble - for downloading public documents:
Real life example: over here there is a registry of phone numbers which are explicitly listed as "you are not allowed to call this number for any kind of marketing purposes without a signed agreement", or however you write that in legalese.
Oh, I guess someone covered that as well.
Well I fancy a tangent, so...
IM(not-so)HO the problem is being able to make phone calls without people seeing where the call has come from. The phone must be 100 years old and still there exist versions where you can be called with a withheld number.
Also it seems these scambot companies have learned to just use new numbers when you block one. So I keep getting the same requests to a Mrs Monica Kajewski which I ignore. I don't know what the ethical response to that is. Send them junk data? "Hi I'm Monocron Kajamonski. You've spelled my name wrong. What do you want?"
-
@shoreline said in "Hacking" Teenager in trouble - for downloading public documents:
Also it seems these scambot companies have learned to just use new numbers when you block one.
That's why we have this system now. You ask your provider (or do it yourself when they implement that, though given how long it took them to build just this one service that's going to be in ~5 years, if we're lucky) to the, and this is a direct translation, "Do not call registry".
Any company that calls a number that's in the registry is in violation and will be fined. And, luckily, all you have to do is report them, the body governing that service handles the rest, so you don't have to fuck around with lawyers or whatever.
I tell you, it put fear into all of them and they are indeed careful. One of the selling points of our software stack is that you simply can't call such a number at all (unless you manually override the protection, which we log for ass covering porpoises), either by initiating the call from the web interface or typing it directly on the phone.
Also, AFAIK, in Germany they have a whitelist instead of a blacklist, so you can't call anyone unless they give permission, which, AIUI, amounts to companies you do business with putting the consent part in their contract, but then it's only those companies that can call you.
-
@shoreline - There are some interesting ones....
A certain large, well known company offers free (but licensed) software for "download, installation, and use". During a project about 2 years ago, the word "and" from that part of their license came into play. Seems that it was a violation if one installed a copy which that specific person did not download from their site!
This sparked some very serious discussions about what that really meant in terms of various caches, etc. While there was a concession that the license was problematic and had many unenforceable aspects, they were standing by it (though they also stated they would review - but it has not changed as of now).
As a result, the project was canceled. Pretty sure that this scenario exists in many places (and that people violate it on a regular basis).
-
@shoreline said in "Hacking" Teenager in trouble - for downloading public documents:
Also it seems these scambot companies have learned to just use new numbers when you block one. […] I don't know what the ethical response to that is.
Ask them what they're wearing and if they want to know what you're wearing.
(The aim is for them to tag your number in their system as a line that they really shouldn't be calling on work time.)
-
@dkf said in "Hacking" Teenager in trouble - for downloading public documents:
(The aim is for them to tag your number in their system as a line that they really shouldn't be calling on work time.)
Just be careful that they don't start calling you during the late hours...
-
@thecpuwizard said in "Hacking" Teenager in trouble - for downloading public documents:
Seems that it was a violation if one installed a copy which that specific person did not download from their site!
WTF kind of wankery is this? Only lawyers could come up with something that stupid.