W3C home > Mailing lists > Public > www-tag@w3.org > October 2005

Re: Computer Misuse Act breaks WebArch (ws Re: Section 5.4.2 of RFC 3986 not actually 'legal' syntax_)

From: Dan Connolly <connolly@w3.org>
Date: Thu, 13 Oct 2005 12:06:44 -0500
To: "Henry S. Thompson" <ht@inf.ed.ac.uk>
Cc: Tyler Close <tyler.close@gmail.com>, www-tag@w3.org, Daniel Weitzner <djweitzner@w3.org>, Rigo Wenning <rigo@w3.org>
Message-Id: <1129223204.28805.765.camel@dirk>

On Thu, 2005-10-13 at 11:40 +0100, Henry S. Thompson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> So I find this both chilling and incomprehensible.
> 
> As I read the record (follow the various pointers back from [1]), the
> defendant in the case was sitting at a browser with something along
> the lines of 
> 
>   http://donate.bt.com/tsunami/relief/appeal/confirmDonation.html
> 
> in the address window of his browser, edited this to read
> 
>   http://donate.bt.com/tsunami/relief/../../../
> 
> and hit Return.
> 
> For this he lost his job and has a criminal conviction.
> 
> The apparently relevant section of the Computer Misuse Act [2] reads as
> follows:
> 
>    1. (1) A person is guilty of an offence if
> 
>        (a) he causes a computer to perform any function with intent to
>            secure access to any program or data held in any computer;
> 
>        (b) the access he intends to secure is unauthorised; and
> 
>        (c) he knows at the time when he causes the computer to perform
>            the function that that is the case.
> 
> How (c) could be said to apply in this case is beyond me. . .

He could have known about common bugs in servers, and he could
have been trying to exploit that bug, or at least test for
its presence.

There was another case of some students that applied to get
into a business school (MIT sloan, I think) and they found a
way to get the web server to get the results of their application
before they were supposed to. The students were punished
rather severely, and there was a long debate about the ethics
of the situation. I'm coming up empty trying to find it, though.
Ah...

Harvard and MIT Join Carnegie Mellon in Rejecting Applicants Who Broke
Into Business-School Networks
http://chronicle.com/errors.dir/noauthorization.php3?page=/daily/2005/03/2005030901n.htm
The Chronicle, March 4, 2005

> The issue for the TAG is surely that exploratory modifications of URIs
> are in a sense _invited_ by their very nature, and thus should never be
> describable as unauthorized -- by publishing
> http://www.example.com/a/b/c, I implicitly publish all
> path-transformed versions of that URL, don't I?

No, I don't think so.

>   Put that way, it
> sounds a bit extreme, but surely there's a substantial point at issue
> here which needs to be explored. . .

I heard Tim talking about this, and he pointed out the safety
principle...

"Agents do not incur obligations by retrieving a representation."
http://www.w3.org/TR/2004/REC-webarch-20041215/#pr-deref-safe

Perhaps that could be elaborated to say that we regard it
as a privilege/right of users to be able to explore the web,
and that it's the server's fault if it gives unauthorized
access.

But it seems to me that the designers of the Computer Misuse Act
would concede that there's a bug in the server; they're
saying that it's illegal to exploit bugs in software.


> I have to confess I have occasionally done something close to this,
> namely just repeatedly truncating a URI in the address window looking
> for a directory I can browse. . .  At the very least it never occurred
> to me that I was running the risk of setting off alarms, much less of
> breaking the law . . .

Then provision (c) doesn't apply.

But look at your server logs, and you'll find tons of bots trying
to exploit well-known server bugs. That's clearly anti-social
behaviour, and I'm somewhat sympathetic to efforts to outlaw it.



> Danny, Rigo, is there a point here the W3C or the TAG should try to
> address?
> 
> ht
> 
> [1] http://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/
> [2] http://www.opsi.gov.uk/acts/acts1990/Ukpga_19900018_en_2.htm#mdiv1
> - -- 
>  Henry S. Thompson, HCRC Language Technology Group, University of Edinburgh
>                      Half-time member of W3C Team
>     2 Buccleuch Place, Edinburgh EH8 9LW, SCOTLAND -- (44) 131 650-4440
>             Fax: (44) 131 650-4587, e-mail: ht@inf.ed.ac.uk
>                    URL: http://www.ltg.ed.ac.uk/~ht/
> [mail really from me _always_ has this .sig -- mail without it is forged spam]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
> 
> iD8DBQFDTjm7kjnJixAXWBoRAtBeAJ4nCVk9I+UQ6l+Qlf6Nxu7vN8tOnQCcD0Wz
> oT8Q/uFyoIw8T1qhp+EwSVc=
> =job5
> -----END PGP SIGNATURE-----
-- 
Dan Connolly, W3C http://www.w3.org/People/Connolly/
D3C2 887B 0F92 6005 C541  0875 0F91 96DE 6E52 C29E
Received on Thursday, 13 October 2005 17:07:02 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:47:37 GMT