- From: Dan Connolly <connolly@w3.org>
- Date: Thu, 13 Oct 2005 12:06:44 -0500
- To: "Henry S. Thompson" <ht@inf.ed.ac.uk>
- Cc: Tyler Close <tyler.close@gmail.com>, www-tag@w3.org, Daniel Weitzner <djweitzner@w3.org>, Rigo Wenning <rigo@w3.org>
On Thu, 2005-10-13 at 11:40 +0100, Henry S. Thompson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> So I find this both chilling and incomprehensible.
>
> As I read the record (follow the various pointers back from [1]), the
> defendant in the case was sitting at a browser with something along
> the lines of
>
>   http://donate.bt.com/tsunami/relief/appeal/confirmDonation.html
>
> in the address window of his browser, edited this to read
>
>   http://donate.bt.com/tsunami/relief/../../../
>
> and hit Return.
>
> For this he lost his job and has a criminal conviction.
>
> The apparently relevant section of the Computer Misuse Act [2] reads as
> follows:
>
>   1. (1) A person is guilty of an offence if
>
>     (a) he causes a computer to perform any function with intent to
>         secure access to any program or data held in any computer;
>
>     (b) the access he intends to secure is unauthorised; and
>
>     (c) he knows at the time when he causes the computer to perform
>         the function that that is the case.
>
> How (c) could be said to apply in this case is beyond me. . .

He could have known about common bugs in servers, and he could have been trying to exploit that bug, or at least test for its presence.

There was another case of some students that applied to get into a business school (MIT sloan, I think) and they found a way to get the web server to get the results of their application before they were supposed to. The students were punished rather severely, and there was a long debate about the ethics of the situation. I'm coming up empty trying to find it, though. Ah...

Harvard and MIT Join Carnegie Mellon in Rejecting Applicants Who Broke Into Business-School Networks
http://chronicle.com/errors.dir/noauthorization.php3?page=/daily/2005/03/2005030901n.htm
The Chronicle, March 4, 2005

> The issue for the TAG is surely that exploratory modifications of URIs
> are in a sense _invited_ by their very nature, and thus should never be
> describable as unauthorized -- by publishing
> http://www.example.com/a/b/c, I implicitly publish all
> path-transformed versions of that URL, don't I?

No, I don't think so.

> Put that way, it
> sounds a bit extreme, but surely there's a substantial point at issue
> here which needs to be explored. . .

I heard Tim talking about this, and he pointed out the safety principle...

"Agents do not incur obligations by retrieving a representation."
http://www.w3.org/TR/2004/REC-webarch-20041215/#pr-deref-safe

Perhaps that could be elaborated to say that we regard it as a privilege/right of users to be able to explore the web, and that it's the server's fault if it gives unauthorized access.

But it seems to me that the designers of the Computer Misuse Act would concede that there's a bug in the server; they're saying that it's illegal to exploit bugs in software.

> I have to confess I have occasionally done something close to this,
> namely just repeatedly truncating a URI in the address window looking
> for a directory I can browse. . . At the very least it never occurred
> to me that I was running the risk of setting off alarms, much less of
> breaking the law . . .

Then provision (c) doesn't apply.

But look at your server logs, and you'll find tons of bots trying to exploit well-known server bugs. That's clearly anti-social behaviour, and I'm somewhat sympathetic to efforts to outlaw it.

> Danny, Rigo, is there a point here the W3C or the TAG should try to
> address?
>
> ht
>
> [1] http://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/
> [2] http://www.opsi.gov.uk/acts/acts1990/Ukpga_19900018_en_2.htm#mdiv1
> - --
> Henry S. Thompson, HCRC Language Technology Group, University of Edinburgh
> Half-time member of W3C Team
> 2 Buccleuch Place, Edinburgh EH8 9LW, SCOTLAND -- (44) 131 650-4440
> Fax: (44) 131 650-4587, e-mail: ht@inf.ed.ac.uk
> URL: http://www.ltg.ed.ac.uk/~ht/
> [mail really from me _always_ has this .sig -- mail without it is forged spam]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (GNU/Linux)
>
> iD8DBQFDTjm7kjnJixAXWBoRAtBeAJ4nCVk9I+UQ6l+Qlf6Nxu7vN8tOnQCcD0Wz
> oT8Q/uFyoIw8T1qhp+EwSVc=
> =job5
> -----END PGP SIGNATURE-----

--
Dan Connolly, W3C http://www.w3.org/People/Connolly/
D3C2 887B 0F92 6005 C541 0875 0F91 96DE 6E52 C29E
Received on Thursday, 13 October 2005 17:07:02 UTC