Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
AnthonyMouse 4 days ago

They're not trying to write a story about the security of the website, they're trying to write a story about the crime the company is committing. They're allegedly poisoning the water and killing people, it's more serious than a website. If they write the first story the company immediately takes the site offline before anybody else can see what's there, or if anyone does then they could get prosecuted.

The analogy to a bank vault doesn't work because it isn't a bank vault and you've never left your office. It's more analogous to finding the mailing address of the company's internal records office and then sending them a letter requesting a copy of their records. You should go to jail for requesting something it's not even illegal for you to have just because they were willing to send them to you without establishing who you are?

tptacek 4 days ago | parent [-]

Yeah, you can't hack into websites to pursue stories about corporate misdeeds, any more than you could break into a company's office and rifle through the files. This is silly.

akerl_ 4 days ago | parent | next [-]

What if I team up with another journalist, and I tell them about curl commands to run but never tell them that they're exploiting vulnerabilities in the company's website? That way they don't have the necessary intent and I never perform any illegal acts?

Do you think the judge would fall for it? Or would we have done a RICO?

tptacek 4 days ago | parent [-]

No, that's exactly how Barrett Brown ended up in federal prison.

AnthonyMouse 4 days ago | parent | prev | next [-]

The question is at what point is it considered "hacking"? There is evidence of corporate misdeeds on the company's computers. Under what circumstances can a journalist view it? At no point would the guilty company want them to for obvious reasons, but if the answer is thereby "never" that seems like a major flaw in the law. Whereas if it isn't never then when is it, and why?

Or to extend your analogy, where's the computer equivalent of an investigative reporter getting let inside under a pretense so they can snoop around wearing a guest badge instead prying open the back door with a crowbar?

tptacek 4 days ago | parent [-]

The question at the trial will be whether a reasonable person would have believed the evil corporation authorized the requests. You seem set on replacing the evil corporation with society, interposing a sort of "it's a public good for this information to come out, and so we'd generally authorize it". But if the company itself clearly wouldn't have intended you to have that access, and you knew that, and you used the access anyways, then yes: you committed a crime.

Again: mere ToS violations are not enough to cross that line.

4 days ago | parent [-]
[deleted]
4 days ago | parent | prev [-]
[deleted]