The fun thing about the computer fraud and abuse act is that just about anything can be made into a federal crime with it!

▲ pcaharrier 4 days ago | parent | next [-]

Just about, indeed!

"Nonprofit hires woman, but she quits after a few days, asks for pay for that time; they refuse, and things get worse from there. But! They don’t turn off her email access to a board member’s email. She and a friend comb through the account, download internal documents, and then ask for a lot of money. Federal crime? Third Circuit: Not until they actually revoked her access."

https://www2.ca3.uscourts.gov/opinarch/233017p.pdf

▲ Someone1234 4 days ago | parent | prev [-]

Considering it was created during a major moral panic after the movie "War Games" came out, by a bunch of politicians who knew nothing about computers (aside from, again, watching the movie War Games).

As a direct result, anything and everything can be a crime (e.g. violating a private company's Terms & Conditions), and the punishments are completely disproportionate to the actual criminality.

See the AT&T/iPad data leak, where AT&T were leaking private information on the internet with no security checks at all. Someone found it, told the press, who in turn told AT&T, but the FBI still investigated it as a "crime", raided their home, charged them with "conspiracy to access a computer without authorization." AT&T go no punishment at all.

▲ pizzalife 4 days ago | parent [-]

  See the AT&T/iPad data leak, where AT&T were leaking private information on the internet with no security checks at all. Someone found it, told the press, who in turn told AT&T, but the FBI still investigated it as a "crime", raided their home, charged them with "conspiracy to access a computer without authorization." AT&T go no punishment at all.

I think you are missing some nuance here. They found a vulnerability where they could just increment an "id" and get access to another user's information. They then went ahead and scraped as much as they could. Also this person (iProphet / weev / Andrew Auernheimer) is awful and certainly not a victim. AT&T did not leak the information, Andrew did!

Should they have had better security? Yes. Was the vulnerability extremely basic? Yes. Doesn't change much, a vulnerability was used to dump a bunch of private data.

	▲	bombcar 4 days ago \| parent \| next [-]
		Exactly. If you find an unlocked warehouse, even if you are supposed to pick up something of yours, and instead of directly complaining you also ransack everything, you’re going to catch some heat.
	▲	Someone1234 3 days ago \| parent \| prev \| next [-]
		> I think you are missing some nuance here. They found a vulnerability where they could just increment an "id" and get access to another user's information. That's not nuance; the information was publically available on the internet without any security. Even search engines had indexed it before it was patched. > They then went ahead and scraped as much as they could. They told the press instead of releasing it. > AT&T did not leak the information, Andrew did! So AT&T dumping it all onto the open internet without any security isn't culpable, but the person who let the press know that their information was available to everyone is. That's quite an interesting take. I'm struggling to see the nuance... You just repeated back what I already said, but added that you dislike the person personally, which is absolutely fine, but we're talking about miscarriages of justice not running a popularity contest. If you feel like they committed other crimes (which they likely did per Wikipedia), that is unrelated to THIS supposed crime. > Was the vulnerability extremely basic? Yes. There was no vulnerability. You just needed to request a record from a public web-server, which the server happily provided with no extra steps. Let me ask this: When you request e.g. google.com, and they return a HTTP response, why is that not a "vulnerability?" Because we'd both agree it objectively is not. So then, why, when AT&T provides a URL with information they're meant to keep private but available to the public, and you then request it, that is suddenly a "vulnerability?" Here is the actual URL you needed to call: https://dcp2.att.com/OEPNDClient/openPage?IMEI=0&ICCID=<consecutive id> You just needed to take any iPad's ICC ID and +1 for the next customer's record. So what is the "vulnerability?" Being able to count consecutively?
	▲	bsimpson 3 days ago \| parent \| prev [-]
		"The guy who did it sucked" is generally not a good justification. It's an easy trap to fall into (we all want consequences for shitty people), but it's also a blurry line to hold. "First they came…"