km3r 3 hours ago

"technically he didn't do that. Your sql server followed instructions when they should have just treated them as a string."

Yet, hopefully we can agree that sql injections are illegal.

majormajor 2 hours ago

But in this case the author of the project didn't execute the injection code... it's more analogous in some ways to pulling in a project with an example file containing a bunch of useful SQL stuff and then an example of an injection at the bottom, and just (in this case the agent) copy/pasting the whole thing in without reviewing it.

If we're slicing on technicalities, there's a lot of ways to decide. "PROSECUTE THEM!" seems like an extremely hostile one when the website and readme and release notes said "don't do this" already. The agent ignored those things? Is that the author's fault?

infinite_spin an hour ago

This is like saying I can slip malware into a project and so long as the user is the one who executed the code I'm free and clear... which we both know isn't true.

sumeno 3 hours ago

If I put a project on github that says "don't use this with mysql" and you use it with mysql and it drops your tables is it sql injection? Seems very different to me.

asdfasgasdgasdg 2 hours ago

Everything turns on intent. "This is not tested with mysql" is very different from "I'm going to go out of my way to fuck up your mysql."

mapontosevenths 2 hours ago

It's certainly unauthorized access if you intentionally built it with the goal of harming other people's systems, especially if you hid that action from them the way our self-righteous friend here did.

You are authorized to do what the user agreed to, no more. Further, the agreement must be reasonable. Exploiting the victim's system to intentionally cause harm isn't reasonable.

F-Secure once included a clause to use their wifi that you "assign their first born child to us for the duration of eternity." It was funny, but not legally enforceable and would have offered them no legal shelter if they'd gone out on a kidnapping spree that night.

artisin 2 hours ago

As much as I would like to agree, this is a pretty clear CFAA violation. If the intent is to purposefully destroy/delete data, the 'how' really makes no difference. But IANAL.