tptacek 4 days ago

You have not here presented a fact pattern that would put the journalist at risk. A journalist can safely write a story about the gross insecurity of a website. You could put 10 million bank account numbers behind a login field that accepts 'OR''=' as a password, and write about that. You could have a bypass for that login whereby incrementing an integer revealed those bank accounts, one after another, on an unauthenticated HTTP GET.

Where you get into trouble is when you use either of those conditions to collect bank account numbers. Whether you're collecting them to sell or collecting them as color (the amount, scale, diversity, whatever) for your story: you'll be expected to understand that you did not have authorized access to that data, and by collecting it, you'll have violated CFAA.

You would similarly be at risk when, having used the 'OR''=' password, you then poked around inside the website to see what else was exposed. That might "feel" like journalism. So too would be wandering around inside a bank you found unlocked at night. But no sane journalist would do what I just described.

In fact: this is straightforward. Further evidence of that: that journalists routinely write about this stuff and don't get prosecuted.

The Barrett Brown case is an especially good illustration of where the lines are drawn.

AnthonyMouse 4 days ago | parent [-]

They're not trying to write a story about the security of the website, they're trying to write a story about the crime the company is committing. They're allegedly poisoning the water and killing people; it's more serious than a website. If they write the first story the company immediately takes the site offline before anybody else can see what's there, or if anyone does then they could get prosecuted.

The analogy to a bank vault doesn't work because it isn't a bank vault and you've never left your office. It's more analogous to finding the mailing address of the company's internal records office and then sending them a letter requesting a copy of their records. You should go to jail for requesting something it's not even illegal for you to have just because they were willing to send them to you without establishing who you are?

tptacek 4 days ago | parent [-]

Yeah, you can't hack into websites to pursue stories about corporate misdeeds, any more than you could break into a company's office and rifle through the files. This is silly.

akerl_ 4 days ago | parent | next [-]

What if I team up with another journalist, and I tell them about curl commands to run but never tell them that they're exploiting vulnerabilities in the company's website? That way they don't have the necessary intent and I never perform any illegal acts?

Do you think the judge would fall for it? Or would we have done a RICO?

tptacek 4 days ago | parent [-]

No, that's exactly how Barrett Brown ended up in federal prison.

AnthonyMouse 4 days ago | parent | prev | next [-]

The question is at what point is it considered "hacking"? There is evidence of corporate misdeeds on the company's computers. Under what circumstances can a journalist view it? At no point would the guilty company want them to for obvious reasons, but if the answer is thereby "never" that seems like a major flaw in the law. Whereas if it isn't never then when is it, and why?

Or to extend your analogy, where's the computer equivalent of an investigative reporter getting let inside under a pretense so they can snoop around wearing a guest badge instead of prying open the back door with a crowbar?

tptacek 4 days ago | parent [-]

The question at the trial will be whether a reasonable person would have believed the evil corporation authorized the requests. You seem set on replacing the evil corporation with society, interposing a sort of "it's a public good for this information to come out, and so we'd generally authorize it". But if the company itself clearly wouldn't have intended you to have that access, and you knew that, and you used the access anyways, then yes: you committed a crime.

Again: mere ToS violations are not enough to cross that line.
