Wanna Be Hackers?

Have you ever wanted to know what it takes to be a hacker? Well you’re in luck. I’m here to tell you. I’m going to give you a step-by-step guide to how I got myself reported to the Feds by a major university.

If you don’t already know, I recently received a threatening letter from the University of Queensland which, amongst other things, threatened a lawsuit if I showed anyone the letter. The letter also claimed (IP stands for intellectual property):

[image: screenshot of the letter’s hacking claim]

I can’t disclose the domain name of the site I supposedly hacked right now because a clever person could possibly use that information to find the data I supposedly stole. I can, however, tell you it was a super-secret site for the Skeptical Science group.

You see, a couple years ago, the secret forum on the Skeptical Science website was hacked. You can read all about it in a lengthy series of posts they wrote about it, starting here. It’s amusing as it spends tons of time painting a picture of hackers by saying things like:

It was February 20, 8:52 PM CET, the local time in Germany, when The German, or so I’ll call him, first hacked his way into the Skeptical Science web site. If it had happened in America in the nineties, beside his keyboard would have been a can of Coca Cola and a few Twinkies. I guess today the drink would be a Red Bull. I’m not sure what a German might choose.

I’m not sure why they focused so much on things like hackers’ dietary choices. Then again, we later find out they call the hacker “The German” even though they have absolutely no indication he has any connection to Germany. I wouldn’t bother trying to understand their reasoning.

Anyway, the important thing is after their secret forum was hacked, they moved their forum to a new, secret location: http://www.sksforum.org. This secret-secret forum stayed secret for a while because nobody cared. Then one day Skeptical Science published a post with a few links which included the secret-secret forum’s URL. I saw the domain name and decided to check it out.

There wasn’t much to see. There was just a login page with an image on it. The image happened to be located in the directory http://www.sksforum.org/images/. Out of curiosity, I went to that directory. I found a number of images. I didn’t think much of them at first. Then I saw an image of John Cook, owner of the site, photoshopped into a Nazi uniform:

That creeped me out. I was even more creeped out when I found there were other images which depicted the Skeptical Science team with similar Nazi imagery. Naturally, I told people about these images. Most people were either disturbed or amused by the images, but Skeptical Science representatives were upset. They claimed I had hacked them, saying things like:

It was flattering to know people think I have mad haxor skillz. To stroke my ego, I bragged all about how I did it. Later, I pointed out my skillz were enough to match even Google’s skillz as Google had found the same directory the same way I did, saving a copy for everyone to see.

With their secret-secret forum discovered and penetrated by a hacker, what could Skeptical Science do? It’s obvious. They had to create a secret-secret-secret forum. This one was used for a variety of things, such as doing “The Consensus Project” which led to their famous paper finding a 97% consensus on global warming.

And it was secret. I mean, secret-secret. No wait, secret-secret-secret.

It was so secret they even registered the domain via a third-party company, Domain Privacy Group, so none of their information would be tied to the site. In other words, you could not possibly know the site was theirs.

Except they linked to it in their secret-secret forum. Repeatedly. That was a problem because anyone could view those links. You see, months back I noticed referral links from the secret-secret forum in my logs. They were in the form of sksforum.org/thread.php?t=14499&p=18772. When I’d click on them, I’d be redirected to one of my own pages.

I quickly realized the links I was seeing were redirection links for the links people were posting in the secret-secret forum. I figured if I could see the ones going to my own site, I could probably see the ones going to other sites. I was right. Changing the number after p= resulted in a different redirection link. Not only that, but each new redirection link was one number higher than the previous.

That meant I could look at every external link anyone posted on the forum by repeatedly adding +1 to that value. I goofed off a bit and found things like:

p=760	http://en.wikipedia.org/wiki/101_Uses_for_a_Dead_Cat

But I lost interest pretty quickly. After a few months passed, I regained interest and decided to make a list of all those redirection links. I thought it’d be amusing to keep track of what the Skeptical Science team was linking to in their secret-secret forum. After all, it’s pretty silly to have a secret-secret forum while making information about what you’re discussing in the forum public.

Once I had my list, I looked through it. Most of it was dull, but I kept seeing one domain pop up over and over and over. Additionally, I noticed a lot of the links to it ended with things like “thread.php?t=1954&r=8#47354.” That was reminiscent of the links from the secret-secret forum. I checked the domain out, thinking it’d be hilarious if there was a secret-secret-secret forum. There was.
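The two things the passages above describe, a redirect counter that can be walked by adding one, and a host that keeps recurring in the harvested list, are easy to show in code. The block below is an added example, not code from the original post or from the forum software, whose real implementation the page never shows. It models the forum’s thread.php?t=...&p=... redirector as an in-memory table (an assumption), walks the sequential p value the way the post describes, tallies the hosts that come back, flags thread.php links carrying a numeric t parameter, and contrasts a redirector that hands out random tokens, which a counter walk cannot enumerate. The hosts hidden-forum.example and blog.example and the link list are constructed placeholders.

```python
"""Sequential redirect IDs versus random tokens (constructed example)."""
import secrets
from collections import Counter
from urllib.parse import parse_qs, urlsplit


class SequentialRedirector:
    """Toy redirector whose 'p' value is a plain counter (assumed design)."""

    def __init__(self):
        self._links = {}
        self._next_id = 1

    def register(self, url):
        link_id = self._next_id
        self._next_id += 1
        self._links[link_id] = url
        return link_id

    def resolve(self, link_id):
        # The Location target, or None (a 404 in the real thing).
        return self._links.get(link_id)


class TokenRedirector:
    """Same service, but 'p' is an unguessable 128-bit token."""

    def __init__(self):
        self._links = {}

    def register(self, url):
        token = secrets.token_urlsafe(16)
        self._links[token] = url
        return token

    def resolve(self, token):
        return self._links.get(token)


def enumerate_sequential(redirector, start=1, max_gap=5):
    """Walk p=start, start+1, ... until max_gap consecutive misses.

    Every hit is a target somebody posted behind the login page; no
    credentials are involved, only the predictability of the counter.
    """
    found, misses, link_id = {}, 0, start
    while misses < max_gap:
        target = redirector.resolve(link_id)
        if target is None:
            misses += 1
        else:
            misses = 0
            found[link_id] = target
        link_id += 1
    return found


def host_counts(targets):
    """Tally hosts in the harvested targets (the 'one domain keeps popping up' step)."""
    return Counter(urlsplit(url).netloc for url in targets)


def looks_like_forum_link(url):
    """Heuristic from the post: a thread.php URL with a numeric 't' parameter."""
    parts = urlsplit(url)
    if not parts.path.endswith("thread.php"):
        return False
    return any(v.isdigit() for v in parse_qs(parts.query).get("t", []))


# Constructed sample of outbound links; the hosts are placeholders, not real sites.
SAMPLE_LINKS = [
    "http://en.wikipedia.org/wiki/101_Uses_for_a_Dead_Cat",
    "http://hidden-forum.example/thread.php?t=1954&r=8#47354",
    "http://blog.example/2013/05/some-post/",
    "http://hidden-forum.example/thread.php?t=2001",
    "http://hidden-forum.example/tcp_results.php",
]


def demo():
    seq = SequentialRedirector()
    for url in SAMPLE_LINKS:
        seq.register(url)
    harvested = enumerate_sequential(seq)
    top_host = host_counts(harvested.values()).most_common(1)[0][0]
    forum_links = [u for u in harvested.values() if looks_like_forum_link(u)]

    tok = TokenRedirector()
    tokens = [tok.register(url) for url in SAMPLE_LINKS]
    # The counter walk recovers nothing here: the keys live in a ~2**128
    # space with no order to step through, though each token still resolves.
    token_walk = enumerate_sequential(tok)
    tokens_resolve = all(tok.resolve(t) == u for t, u in zip(tokens, SAMPLE_LINKS))
    return {
        "harvested": harvested,
        "top_host": top_host,
        "forum_links": forum_links,
        "token_walk": token_walk,
        "tokens_resolve": tokens_resolve,
    }


if __name__ == "__main__":
    r = demo()
    print(len(r["harvested"]), "links harvested by counting; top host:", r["top_host"])
    print("forum-style links:", r["forum_links"])
    print("links recovered by counting against the token redirector:", len(r["token_walk"]))
```

The random token only removes the enumeration path; it does not make an outbound-link redirector private, since anyone who is handed a link still learns the target. If the links themselves are meant to stay inside the forum, the redirector should require the same session the forum pages do.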

I didn’t access it though. I didn’t have any login information. An amateur might try brute-force guessing, but I’m too clever a hacker to resort to such a crude approach. Instead, I grabbed a can of Red Bull, scarfed down a Twinkie and got ready to write some awesome haxor code.

By which I mean, I looked at the list I had, found this entry:

2929	http://.../tcp_results.php

And put it into my browser’s navigation bar. Lo and behold, this page appeared:

[image: screenshot of the tcp_results.php page]

Since the page was publicly accessible, I decided to follow its links. I saved what I saw. And now, the Feds are coming after me. They’re going to shove a black bag over my head, transport me to some deep, dark hole into which I’ll disappear for all eternity, and the Skeptical Science team will create a new, secret-secret-secret-secret forum. This time they might even learn not to make pages publicly accessible if they want to keep those pages hidden.

In the meantime, you can be a l33t haxor like me too. The University of Queensland claimed I hacked “the site where the IP was housed.” The site where the data was stored is the site I found URLs for. All I did to that site was try a few pages to see if it’d let me access any. I’m confident you could do that too.

In fact, I think you already have. I’m sure at some point in your life you rose to the level of a stupid script kiddie and copied the URL of a site. I bet you’ve gone beyond that though. I bet you managed, at some point in your life, to rise to the level of true haxor and pasted the URL of a site into your navigation bar.

But I have an inkling you’ve gone beyond that. The inkling is small, but it tells me at some point you became truly l33t and hit the Enter button.

Be careful. The Feds might come after you next.


If people had theme songs, I’d say this would be the one for the people accusing me of hacking:

120 comments

  1. These people appear so paranoid and unstable that if they overheard you say something like ‘I could murder a burger’ they’d have you arrested for making a death threat! Sheesh!

  2. Can you tell us whether the secret-secret-secret site is registered with UQ or SkS?

    There is a question being raised as to why UQ would have ownership rights to this IP.

  3. Carrick, I raised that very issue in my response to the letter. Unfortunately, I can’t prove the site is registered to John Cook:

    It was so secret they even registered the domain via a third-party company, Domain Privacy Group, so none of their information would be tied to the site. In other words, you could not possibly know the site was theirs.

    Even though I know it is.

  4. What a great article! It always amuses me to read what others call “hacking” or having some sort of “skillz” to breach security. On the other hand.. if there is no security….

    Sheesh, a simple directive in the httpd.conf file or .htaccess would have stopped a directory listing. Hey John Cook, I can help you out!! 🙂

  5. One of my daughters looked at her graduation pics online, by changing the numbers in the url to a number near the one the company sent her. 17 and only curious!

  6. @timo soren: I guess she got access to other people’s images by doing so. Did she go on to publish these photos online while commenting on their looks? – and would it be OK if she had done so?

  7. But according to Dana’s answer to the question I asked about data he said they had built a WHOLE WEBSITE to provide it all. So surely they are super l33t w3b gurus.

    I was neutral on this paper before, they just created a sceptic.

    Well done.

    I hope the taxpayers funding this know where their money is going – calling Mr Bolt – hello colonies…

  8. Be wary…. I know an innocent YouTube video producer who went to jail as a convenient administration scapegoat. Ben Gassy… you might have heard of him ;(

  9. As a moderation note, I edited Anthony Watts’ comment to resize his video. I don’t like editing people’s comments, but WordPress automatically embeds YouTube video at the largest size possible. That bugs me.

  10. Posted at CA but gone into moderation (length perhaps?) so I hope you will excuse my posting here too. The only additional thing I’d note is that the UQ haven’t referred to US law enforcement, just that it requires it. Anyway on to what I commented at CA following an earlier comment dealing with your rights of access to information:

    The other thing I would have a poke around in is the following:

    The information they are so up-tight about seems to be related to personal information (if I understand your earlier correspondence). As such they have obligations for the management of it under the Information Privacy Act 2009 so it doesn’t become publicly available. (In fact these may in part be the contractual responsibilities your QU lawyer friend is referring to since they may not want to be crass enough to say we are carrying legal liabilities in this area because we didn’t look after it well enough).

    A search of the UQ site will produce the background on this, and the bits of legislation are on-line. Schedule 3 of the cited Act sets out Information Privacy Principles, and IPP4 requirements related to storage and security. Note too there are special provisions related to transferring personal information out of the country in respect of security, and other provisions relating to service contractors.

    Now I don’t know this area at all, but am reasonably familiar on how things work on the other side of the Tasman. I suspect you could have some fun letting the Privacy Commissioner know that UQ left personal information lying around and you’d be pleased to help them tighten up their sloppy procedures under the Act 🙂

    But as I said – just a possible line of inquiry if you are worried about their forensic analysis (aka spotty faced youth with cap on backwards).

  11. HAS, I had considered the fact they didn’t actually say they will contact any authorities. I decided not to add a caveat for it as I think it is reasonable to assume the University of Queensland will do what it says it believes it is required to do.

    They are, of course, welcome to tell me my assumption was wrong, and they don’t do what they’re required to do.

  12. Just think it is a sign of weakness in a lawyer’s letter, a tactic to get it all buried quickly.

    I would seriously suggest you consider the possibility that they have problems of their own, and if they do they are much more serious than any you might face IMHO, and will spill over to Cook et al..

  13. HAS, I’m not sure why I’d need to consider that possibility. It may be true, but you could say the same for a hundred other possibilities. Unless there’s something specific to hint that or some effect from it I’d want to watch for, I don’t know why I’d think about it.

    Did you have anything in particular on your mind?

  14. Cooks ‘ability’ for web site design & web site security is woefully inadequate
    – yet not as woefully inadequate as his feeble attempts at ‘science’.

    I’m guessing that he also bombed on his ethics studies – or cheated!

  15. Hi, If personal information was able to be accessed because of the way the server was set up, this is of embarrassment to the UQ, particularly if the information had been transferred out from its direct control (or never been under it). Note the rest of the information might be a bit of a commercial embarrassment, but one has to expect that the only party with a commercial interest were the ones who didn’t look after it properly.

    The thing about care of personal information is that its release touches a raw nerve in the public’s mind (as it were), so there are independent statutory bodies set up to be the guardians, who in turn have the power to name and shame. Even if in the particular case the personal info was about willing parties who don’t make a fuss, it raises questions more generally about the quality of UQ’s protection of personal data under research contracts.

    Mightn’t worry Cook et al, but sure as heck will worry the research office – if they’ve done a proper risk analysis (5 minutes with a cup of coffee) they will see they are vulnerable on this score (if they haven’t or don’t the tropical heat must have got to them).

    However I think someone’s misjudged how this will play out – perhaps people not aware of the networks you are in – or they’re listening to others that are arrogant about it all and not advising well. Had it been me and Cook had come into my office saying hey I think we have a problem here with BS, I’d have been looking for ways to settle it all down and get out under the radar rather than try the “muscle my way through” strategy.

    Could be wrong. Need someone closer to the personalities and the actual dynamics to judge (and also assumes personal info’s been let loose). Just a bit of gratuitous advice, and I’m assuming you are getting it from various quarters and not as publicly as this, but if the UQ reads this it will probably help them not make bigger fools of themselves.

    chrs

  16. Part of the reason I’ve not had any fear of legal issues is I’m confident the University of Queensland would suffer too much blowback if it tried to file any lawsuit. If such a suit ever made it to court, I’m sure a number of reporters/journalists would love getting to talk about how silly a case it was.

    Of course, one could argue these posts making them behave better is a bad thing. I might be stopping them from making even bigger fools of themselves!

  17. Just out of curiosity – ‘

    Are there any self-described “skeptics” here that read the following comment (from the thread downstairs) w/o breaking out in laughter?

    –> “Deleting a libelous comment people have already seen, especially when doing so prevents me from showing a record of that comment, hurts my reputation more than it helps.”

    If there are, then turn in your “skeptics” badge immediately.

  18. Don’t worry about UQ backing off, the issue here isn’t with them, it is about improving the quality of research that is done (particularly in this field). You in fact want UQ standing beside you in this endeavor.

    Why their research office went down this rat hole is anyone’s guess – perhaps the publicity so far on Cook’s work has on balance generated more funded grants than it lost them. It’ll catch up on them, fortunately science is self correcting, and while I haven’t really followed what you’ve done I gather you have had a hand in this as a quasi-gentleman scientist.

  19. “This time they might even learn not to make pages publicly accessible if they want to keep those pages hidden.”

    I’m afraid you are deeply mistaken if you think that something like this is a defence against a charge of ‘hacking’. (Perhaps it should be, but it isn’t.)

    The defining characteristic in most jurisdictions is along the lines of knowingly accessing something without authorisation. Much like it’s still an offence to take someone’s bike or car without permission if it isn’t locked, or to go in to someone’s house and help yourself if the keys are in the door.

    ‘Skillz’ don’t enter into it.

  20. frank o’dwyer: “The defining characteristic in most jurisdictions is along the lines of knowingly accessing something without authorisation.”

    Curious, I googled “legal definition of hacking in australia”. This led me here, which notes that the Queensland definition is “the use of a restricted computer without the consent of the computer’s controller. A restricted computer is defined as one that requires a ‘device, code or sequence of electronic impulses’ to gain access.” Sounds like a required characteristic is a password (or equivalent), and Brandon has stated that the relevant webpages were not password-protected.

  21. Frank O’Dwyer, HaroldW, I’m well aware of laws regarding unauthorized access. Access being “unauthorized” is largely irrelevant for them. Unauthorized merely means you aren’t given permission. What actually matters for those laws is that you are told not to do something. The minimum necessary for a person to be charged with a crime is an implicit prohibition against something.

    Putting a password on your home page does not automatically indicate you intend for your entire server to be private. Putting passwords on some parts of your site but not others does not indicate you want your entire server to be private. If anything, it suggests the opposite.

    Put simply, a user does not need to resort to mind-reading to ascertain how the host of a server intends for it to be used.

  22. Brandon

    If you don’t want to sue for libel, you could just request that the comments be deleted, just make a request and see what happens. If you do want to sue, something it seems you have no intention of doing, then it would be required that you make a request that the material be deleted (if the legal advice you were given downstairs is accurate).

    How would the comment being deleted prevent you from showing that it once existed?

    How would politely requesting that the comment be deleted “hurt, [your] reputation?”

    Were I prone to confusing fact with opinion I might say “that doesn’t make sense.”

    One would think that an honest to God skeptic would see that easily.

  23. Joshua, if you’re going to ask questions while using quotations, I suggest you not misrepresent what was said. I have never claimed politely requesting a comment be deleted would hurt my reputation.

    According to the standards proposed by some, what you just did is manufacture a quote.

  24. Joshua, I’m not sure of the wisdom of saying, “Keep ducking” while avoiding addressing an accusation of having misrepresented the person you’re criticizing. I’m also not sure how responding to one of the two questions you asked by pointing out the question is predicated upon a false statement is “ducking.”

    I suspect most people would share my confusion. Or at least, they would if they could bring themselves to care.

  25. joshua,

    If you do want to sue, something it seems you have no intention of doing, then it would be required that you make a request that the material be deleted (if the legal advice you were given downstairs is accurate).

    Why do you think requesting retraction is required? Not all states require retraction. A person who is defamed can generally get jurisdiction in the state where they reside. Can you cite the Illinois statute that requires the plaintiff first request retraction?

  26. HaroldW,

    ” Sounds like a required characteristic is a password (or equivalent), and Brandon has stated that the relevant webpages were not password-protected.”

    The law refers to a *computer* that has to be restricted, and not some underlying URL that needed to be guessed at. According to the account above the URLs accessed were not even public themselves in the first place.

    The controller only has to *attempt* to restrict access to the computer, too, their attempt doesn’t have to be effective. Some jurisdictions don’t even require the attempt.

    To argue that the means that happened to be used in order to gain access wasn’t restricted, is like arguing that someone gave you permission to burgle a house because although the front door was locked, you scouted around and found that they had left the key under a plant pot, or you got in through an open window. “The house let me access it, your honour”.

    Clearly if you’re doorknob-twisting to get access to data that you know the owner hasn’t consented to give you, then you’re on shaky ground arguing that the information was public and that you had legitimately accessed it. It’s not an argument I would like to try myself.

  27. Frank O’Dwyer,
    Interesting analogies. But the analogy of reading material on a billboard that happens to be placed in a remote county seems more apt to me. Analogies are dandy, aren’t they? But merely making one doesn’t mean any court anywhere considers the one you made is the “right” one, particularly as there are others.

    You’ve waved around “some jurisdictions”. Can you name which jurisdictions or even a jurisdiction have interpreted loading a uri on a computer that is hooked to the internet illegal merely because the owner “thought” but failed to communicate that this particular uri should not be loaded or that uri’s on this computer shouldn’t be loaded? Point to the case and we can read the fact pattern of the behavior you say “some” found illegal and see how it might compare to what Brandon did.

  28. Frank O’Dwyer –
    I find your reading of that definition to be rather strained, including inventing terms like “public URL”. Under your definition, Google hacks every second of every day.

    As for your house-breaking analogy, given that the computer in question is accessible to the public in general — that is, it allows Internet access in the usual way — I think a better analogy would be to a restaurant on a public thoroughfare. The restaurant is happy to allow passersby to look through their window into the dining area. They might be less happy if they left the next door open, allowing passersby to see the rats scurrying around in their kitchen, but they can hardly claim trespass if one looks in.

    However, I am not a lawyer, so I will drop my end of this discussion with: You may be right.

    P.S. Apologies for omitting capitalization on your name on my previous post.

  29. HaroldW

    The restaurant is happy to allow passersby to look through their window into the dining area. They might be less happy if they left the next door open, allowing passersby to see the rats scurrying around in their kitchen, but they can hardly claim trespass if one looks in.

    The beauty of analogies! 🙂
    Note also that it would not be illegal for passers-by to take a photo through the window, nor for patrons to snap a photo of the rats they spied when the kitchen door was open. Nor would it be illegal for these passersby to tell people about what they saw, to publish the photos and so on. All of this would be true even if the owner of the restaurant thought he had not “authorized” such a thing.

    In my above billboard example: in the US at least, it would not be illegal for someone to look at a distant billboard on someone’s vast property even if looking at it required binoculars, nor to snap a photo of the billboard using a telephoto lens and so on. And this would be true even if the property owners “thought” the billboard was far enough away from the road that people could not see it or if he thought “they should know” that something that far away from the road was meant to be “private” or meant for “only a subset of people who he considered his friends (who also could only see the billboard using binoculars because they aren’t allowed ‘on the property’ either. The owner just considers him self to have given them but not others permission to point their binoculars at the billboard and look.”

    We can come up with all sorts of analogies and argue for each. But in court, the issue would be how a statute about accessing material on the internet is written. And it’s a bit silly if a law is written in a way that every single ordinary use is illegal, with people or authorities picking and choosing who to prosecute based on who they don’t like. Whether one “likes” Frank’s analogy or not, the effect of his argument would be “merely using the internet” would be illegal.

  30. HaroldW,

    “I find your reading of that definition to be rather strained, including inventing terms like “public URL”. Under your definition, Google hacks every second of every day.”

    Google follows published URLs (whether published inadvertently or otherwise), but it doesn’t go around guessing at similar URLs to see if it can find something there too. And it is in fact far from obvious that Google is entitled to hoover up anything it can technically access and make copies of it (http://www.wired.com/2013/09/googles-wifi-wiretapping/ springs to mind).

    In fact I happen to know of a successful prosecution of someone who did nothing more than access a URL by typing it into their browser. This person did not even copy any data. I am not sure that the access even succeeded. Of course it depends on the jurisdiction and the other facts as to what exactly is OK or not.

    Bottom line is that going around doorknob-twisting on sites you don’t own is not a good idea. The law and the HTTP protocol are not the same thing (and even if they weren’t, to rely on some judge understanding the latter and that they will see it your way is stupid.)

    And that’s just the site access. Even if somebody handed you unprotected copyrighted information deliberately, never mind by mistake, it wouldn’t mean you were entitled to make further copies of it or post it somewhere. It’s still not yours.

  31. lucia:

    Why do you think requesting retraction is required? Not all states require retraction. A person who is defamed can generally get jurisdiction in the state where they reside. Can you cite the Illinois statute that requires the plaintiff first request retraction?

    Pretty sure there is no retraction notice required for defamation of character in Illinois.

    I was using this as a source since I’m no lawyer.

  32. Frank, comparing sniffing wireless networks to guessing urls is a bit of stretch.

    In fact I happen to know of a successful prosecution of someone who did nothing more than access a URL by typing it into their browser.

    Link please?

  33. As near as I can tell, the law on accessing URLs is, if they are public, it is legal to access them unless you’ve been requested to stop.

    Craigslist vs 3Tap seems to be a defining case in that respect.

    In a defeat for 3Taps, a federal judge has refused to dismiss charges that it violated a computer fraud law by continuing to access Craigslist after the listings site tried to block visits from 3Taps’ IP addresses.

    U.S. District Court Judge Charles Breyer in the Northern District of California ruled on Friday that 3Taps potentially exceeded its “authorized access” to Craigslist by continuing to scrape listings from the service against the site operator’s instructions.

    “Here, under the plain language of the statute, 3Taps was “without authorization” when it continued to pull data off of Craigslist’s Web site after Craigslist revoked its authorization to access the website,” Breyer wrote in an opinion issued on Friday.

    This also has some back info.

    In the ongoing legal battle between craigslist and 3taps, a new court opinion makes clear that people are “authorized” under the Computer Fraud and Abuse Act (CFAA) to access a public website. But what the court gave with one hand it took with the other, as it also ruled that sending a cease-and-desist letter and blocking an IP address is enough to “revoke” this authorization.

  34. Based on what 3Taps was doing, there is no way that under US Federal Statutes that what Brandon did by constructing new URLs was illegal, unless he continued to access the website after being told to stop.

    I wonder if a statement in each document warning that the material is private and confidential would meet that standard? (Think: a comment at the top of each file.)

  35. The issue of “copying” what you see is one I find interesting. Whenever you visit a page, a copy is made. You see that copy. Does saving the copy you’re presented qualify as making a new copy? I can’t see how. It’s possible to save the original file you receive without duplicating it. How could that be copying?

  36. Carrick

    Pretty sure there is no retraction notice required for defamation of character in Illinois.

    We went around on this when Fury was retracted. As far as I could tell, requesting retraction is not required of those filing defamation suits in Illinois. It is required in Michigan. ( Brandon and I live in Illinois, JeffId lives in Michigan.)

    Frank O’Dwyer

    In fact I happen to know of a successful prosecution of someone who did nothing more than access a URL by typing it into their browser. This person did not even copy any data. I am not sure that the access even succeeded. Of course it depends on the jurisdiction and the other facts as to what exactly is OK or not.

    If you know of such a prosecution, the result is presumably public record. Can you cite the case, give a link or provide any information so that the rest of us can learn the details of this case?

  37. Frank

    Even if somebody handed you unprotected copyrighted information deliberately, never mind by mistake, it wouldn’t mean you were entitled to make further copies of it or post it somewhere. It’s still not yours.

    “copyrighted information?” In the US, information cannot be copyrighted. As such no one can hand you “copyrighted information” either intentionally nor by mistake. There are some ways in which collections of data might get some sort of copyright protection, but the protection is very, very thin because copyright only subsists in the copyrightable elements. The “information” is not such an element.

  38. Lucia –

    –> “Why do you think requesting retraction is required? Not all states require retraction. A person who is defamed can generally get jurisdiction in the state where they reside. Can you cite the Illinois statute that requires the plaintiff first request retraction?”

    I don’t know. But this is what was stated downstairs.

    –> “1) If someone asks you how they are libeling you, you need to tell them. Otherwise you are preventing them from making you whole.”

    I have no legal expertise, and can’t judge the veracity of that statement, but I put a clear caveat indicating “(if the legal advice you were given downstairs is accurate).”

    Even if it weren’t true, however, someone who confuses fact with opinion would argue that Brandon’s argument “doesn’t make sense.” S/he would argue that if Brandon doesn’t want to sue, it “doesn’t make sense.” S/he would argue that if he does want to sue, it “doesn’t make sense.” S/he would argue that if Brandon is concerned about his reputation, it “doesn’t make sense.”

    One would think that skeptics would have found that rather obvious, and pointed it out to me. Did any “skeptics” point that out to him, outside of tarran? (Assuming that tarran is a “skeptic”).

    But anyway, do you understand the logic of Brandon’s explanation for why he won’t specify which comments he found libelous? If so, perhaps you could explain to me why Brandon should not simply tell Rachel which comments he finds libelous, as she requested, so she could evaluate them and respond in a manner she thinks appropriate?

    Brandon –

    Keep ducking.

  39. Carrick,

    “Link please?”

    Sorry, I don’t have a link. It’s just a (UK) case where I happen to know the facts and the outcome. Actually in that case I thought the outcome was unreasonable (the person wasn’t trying to access anything, just briefly checking if the site was secure or not before they used it – and no it wasn’t me :-). But courts decide these things, and they don’t do it based on much in the way of technical considerations.

    In this case you have a guy faced with a login screen (so he knows he isn’t meant to have access) who then proceeds to poke around to see what he can access from the forum anyway. Firstly by using URLs leaked via the forum software (which in itself could be argued to be exploiting a security hole in the forum software) and then by guessing others (which could be argued to be exploiting another security hole in the forum software and/or poor access control on the server).

    After some effort he succeeds in accessing some data, which he actually knows is from the restricted forum, and which he could be expected to know that QU refused to release, citing confidentiality.

    That sure sounds like knowing unauthorised access to me. I wouldn’t like to be in a court trying to argue otherwise.

  40. Joshua

    Even if it weren’t true, however, someone who confuses fact with opinion would argue that Brandon’s argument “doesn’t make sense.”

    This begins a paragraph that I can’t make heads or tails of. Who would the “someone” be? And which argument of Brandon’s do you think this confused person would say “doesn’t make sense”?

    You follow that paragraph with “One would think that skeptics would have found that rather obvious,” I don’t know who would have found anything in the previous paragraph obvious. I don’t have a clue what you are even trying to communicate!

    But anyway, do you understand the logic of Brandon’s explanation for why he won’t specify which comments he found libelous?

    He said he doesn’t want to help her or them. He thinks that for some reason it benefits him for them to be there. I’d have to read them to really know whether this makes sense or not. But I can imagine scenarios where letting libelous statements remain posted could benefit the person libeled. If sufficiently egregious and obvious, their being there would permit him to show them to more objective parties who would make judgements about those who wrote them. That might benefit Brandon. The fact that Rachel does nothing to clean them up could affect Rachel’s reputation as a moderator– and if that is harmed through her own inaction, then that could go far in showing people that unjustified claims run rampant on her site. That might benefit Brandon. I don’t know if this scenario fits the current situation, but it’s something that is a hypothetical in some circumstances. When I read what he wrote, I sort of assumed this is what he’s claiming. If so I would say “Yes. I understand the logic.”

    If so, perhaps you could explain to me why Brandon should not simply tell Rachel which comments he finds libelous, as she requested, so she could evaluate them and respond in a manner she thinks appropriate?

    Well…. as I noted above: letting them stand might benefit Brandon in at least two ways. A third way could also be inducing Rachel to be more vigilant about moderating on her own so that Brandon doesn’t have to babysit her comments and waste his time objecting when outrageous claims that are both false and defamatory are posted. That would benefit Brandon.

    That is: we can look at the question you asked me another way: Why shouldn’t Rachel, who runs the site, learn to read comments sufficiently to identify those that are defamatory, especially as Brandon has alerted her to the problem in general? Why should she insist that other people (e.g. Brandon) do the work of finding these issues at her site and wasting their time communicating with her rather than expending the effort required to run her site properly? (Of course, if she’s confident there is no problem, then that should be fine. But it’s not Brandon’s job to inform her of problems at her site.)

    I’m tempted to end this with “Joshua, keep bobbing and weaving” which would complement “Brandon keep ducking”. But I really don’t have any idea why you think he is “ducking”. I especially don’t know that you’re no longer claiming that one must inform someone of defamation before suing them, which seems not to be the case in Illinois (where Brandon and I happen to live.)

  41. Wait, what? How could I “actually know[]” the data was “from the restricted forum” when it wasn’t from the restricted forum?

    The fact a site’s home page directs you to a forum in no way prevents it from having publicly accessible pages not tied to the forum.

  42. lucia, I agree with pretty much everything in your response to Joshua. There’s one thing I’d like to point out though. The site in question is that of AndThenTheresPhysics (who I call Anders). Rachel only helps moderate the site.

    I point that out because she has a separate site of her own. Her site is the one willard was made a moderator for. Given how incredible an action that is, I don’t want people to incorrectly think it was done at Anders’s blog. I may not like Anders, but I don’t think he deserves to be smeared like that!

  43. @Frank O’Dwyer (@fodwyer)

    Sorry, I don’t have a link. It’s just a (UK) case where I happen to know the facts and the outcome.

    Have you told us all the facts you know about this UK case? If not could you think of some of the remaining facts you may have missed? For instance whether the entity hacked was corporate, media, or government; the location of the hacker and/or hackee; period or how long ago this occurred?

    It seems such a salient case should be documented somewhere, I think a few more facts should help someone reading here to locate some more details.

  44. Frank O’Dwyer

    Sorry, I don’t have a link. It’s just a (UK) case where I happen to know the facts and the outcome.

    Do you mean the Cuthbert case? If yes, just say so. Then we can discuss why that is entirely different from what Brandon did.

    In this case you have a guy faced with a login screen (so he knows he isn’t meant to have access) who then proceeds to poke around to see what he can access from the forum anyway.

    By “This case” do you mean the UK case you know the facts and outcome of? If you mean Brandon, what actions do you think constitute “poking around”? Loading links left in people’s referrer logs? Those don’t cause one to access the forum– and clicking them isn’t an attempt to access the forum and it doesn’t cause one to access anything “from” the forum. Those links forward people to third party sites that are generally not the sksforum. For example: one might end up at WUWT, or wikipedia and so on.

    Firstly by using URLs leaked via the forum software (which in itself could be argued to be exploiting a security hole in the forum software)

    The URLs created by a script at sksforum.org were not “leaked”. They were URLs left in referrer logs of destination sites (like my site, Anthony Watts’ site and so on). Leaving URLs in referrer logs is a normal, standard operation on the internet. It’s ridiculous to say a URI that appears as a ‘referer’ in server logs of a destination site has ‘leaked’.

    Given that referrers are passed by default and always appear in apache server logs of a destination site (like my site, WUWT etc), and sksforum went to some trouble to change the default operation to an operation they preferred, it would be more accurate to say these URLs were “advertised”, “promoted” or “disseminated” by SkSforum.org who created and used a script specifically designed to create these referrers rather than ordinary ones that would have pointed to the web page where the link associated with an outlink existed.

    After some effort he succeeds in accessing some data, which he actually knows is from the restricted forum

    The “TCP” project data was not housed at a restricted forum. You are simply mistaken about that. The data was housed on a publicly accessible web page.

  45. tlitb1

    For instance whether the entity hacked was corporate, media, or government;

    I only just asked if Frank means the Cuthbert case– perhaps he does or perhaps not. But looking at the Cuthbert case would be enlightening.

    Cuthbert was an IT guy who for reasons of his own elected to do a “directory traversal” to test a site that did not belong to him. “Directory traversal” is a method of gaining access to files outside the web directory. That is: he was doing something that would– if successful– gain access to material that the person running a server has specifically placed in a location that was not web accessible, and could only be made web accessible by exploiting a security hole on the server.

    It happened that Cuthbert was unsuccessful, and claimed to be attempting the traversal for legitimate (to his mind) reasons. But it was still a directory traversal.

    Here is a bit:

    But the prosecution said that Cuthbert must have known the directory traversal was unauthorised. It was this interpretation the court accepted; in effect, overall intent was irrelevant, there were no circumstances in which there was consent for directory traversal.

    Cuthbert’s case continues to be debated within the community of pen-testers. Some are alarmed that the decision potentially affects some of their techniques. Others point out that pen-testing should only ever be carried out against a highly specific set of consents; they also say that directory traversal is not the best or most obvious technical test for “phishing”. (Better tests consist of netstat to establish the IP address of a suspect site, whois to discover who owns the site, plus a certificate verification of any supposedly “secure” site).

    So: here you see he was doing something that one knows is never authorized by a web administrator (well… unless they hired you to test).

    In contrast, Brandon typed in a URI that was absolutely, totally, completely web accessible. The file that URI pointed to had been placed in a web accessible folder by the person running the web site. That one would enter a URI like “http://google.com” and hit “enter” to visit google is precisely what one expects to be “authorized” on the web– and the same holds true on any site. What Brandon did was not remotely similar to adding well-known illegal hack patterns at the end of a URI to escalate privileges so you can find files google might have placed on their server but outside the web directory path.
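The distinction lucia draws above, between a request that names a file placed in the web-facing directory and one that tries to climb out of it, is exactly the check a web server makes before it opens a file. As an added example that is not code from this thread or from any forum software discussed here, the Python below shows how a server maps a request path onto its document root and rejects anything that resolves outside it. The document root /var/www/html and the request paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root (not a path from the thread); everything the
# server is willing to serve lives under this directory.
WEBROOT = "/var/www/html"


def resolve_request(request_path, webroot=WEBROOT):
    """Map a URL path onto a file path and say whether it may be served.

    Returns (target, allowed). ``target`` is where the path lands once
    "." and ".." segments are collapsed; ``allowed`` is True only if that
    lands inside ``webroot``. Percent-encoding is decoded before
    normalising so "%2e%2e" is treated the same as "..".
    """
    # The query string selects nothing on disk (thread.php?t=1&p=2 is still
    # thread.php), so split it off before decoding the path.
    path = request_path.split("?", 1)[0]
    path = unquote(path)
    # Join onto the root and collapse "." and ".." the way the filesystem would.
    target = posixpath.normpath(posixpath.join(webroot, path.lstrip("/")))
    root = webroot.rstrip("/")
    allowed = target == root or target.startswith(root + "/")
    return target, allowed


def is_traversal(request_path, webroot=WEBROOT):
    """True when the request would escape the document root."""
    return not resolve_request(request_path, webroot)[1]


if __name__ == "__main__":
    for req in ["/index.html", "/images/../index.html",
                "/thread.php?t=1&p=2", "/../../etc/passwd",
                "/%2e%2e/%2e%2e/%2e%2e/etc/passwd"]:
        target, ok = resolve_request(req)
        print(f"{req:40} -> {target:32} {'serve' if ok else 'reject (403)'}")
```

A request like /images/../index.html is allowed because it still resolves to a file under the root; /../../etc/passwd is refused because the collapsed path leaves the root, which is the "not web accessible" material the comment describes. A production server additionally resolves symbolic links (os.path.realpath) before making the same comparison, since a link inside the root can point outside it.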

  46. Brandon,

    “How could I “actually know[]” the data was “from the restricted forum” when it wasn’t from the restricted forum?”

    I got the impression from the description that the domain names were probably the same. If they were actually pointers to somewhere else then true enough, maybe it was not clear that this other site was restricted. Difficult to say without knowing what the site was and what the normal way to access it is.

    I still think it should have been pretty obvious to you given the circuitous route you took that you were accessing things (or likely to access things) the owner didn’t consent for you to access and thought was restricted.

    Really I am only posting this for anyone who may be tempted to try something like that themselves, thinking it’s probably OK. It really isn’t in general and you can really ruin your day by doing it to the wrong site in the wrong country.

  47. @lucia liljegren (@lucialiljegren)

    Thanks. I also just found an article at El Reg on that Daniel James Cuthbert case (which I suspect spam blocking stopped me posting a link to in a previous attempt) but doesn’t go into details like you have.

    That sounds like it required some technical knowledge a noob couldn’t accidentally attempt. Certainly not someone of my no skilz level. I’ve modified URL & page numbers occasionally, sometimes finding stuff, but 403 pages mostly.

  48. tlitb1

    That sounds like it required some technical knowledge a noob couldn’t accidentally attempt

    Absolutely. Also: it’s a sequence of characters that a knowledgeable IT person would know was not intended to be a valid URI. More specifically, Cuthbert himself knew they wouldn’t be a valid URI, and he knew that the sequences were intended to achieve directory escalation. His defense attorneys may have tried to liken it to “knocking on a door”, but it was a lot more like trying safe cracking tools on a safe to see if a particular safe was vulnerable to that set of cracking tools.

  49. Hey guys. I fished a few comments out of the Spam folder in the last two days, but I didn’t realize that left them in the “Pending” (moderation) folder. I mistakenly didn’t approve them. Ian Scott and Morph had comments in there for a day or so because of that. Sorry!

    Also, tlitb1, I suspect the reason your comment landed in spam is you failed to close the HTML tag when posting a link. I edited the comment to remove the HTML part.

  50. Frank

    Really I am only posting this for anyone who may be tempted to try something like that themselves, thinking it’s probably OK. It really isn’t in general and you can really ruin your day by doing it to the wrong site in the wrong country.

    If your goal is to protect people from doing something illegal, it would help if you said something to make your claims sound remotely credible and also helped people know precisely what acts you claim could get one in trouble.

    It would improve your credibility greatly if you could give any examples of someone doing something like this and finding it was illegal anywhere. So far, you are just telling us you know of a case. But even though you evidently “know” you aren’t doing anything like giving the tiniest snippet of details– like for example naming the person convicted, identifying the jurisdiction, describing the fact pattern and so on.

    The one specific link you gave was for intercepting wifi, which is totally different and so tends to undermine your credibility as an objective source of information on what is legal or illegal anywhere.

  51. Frank

    I still think it should have been pretty obvious to you given the circuitous route you took that you were accessing things (or likely to access things) the owner didn’t consent for you to access and thought was restricted

    Following the circuitous route also took him to places like WattsUpWithThat.com and Wikipedia. Should someone conclude sksforum.org creating a circuitous route to those sites means Anthony Watts or Wikipedia don’t consent to people visiting their sites? Anyone who concluded that would be flat out wrong and would be for the vast majority of sites this circuitous route led to. So it seems rather odd that anyone would think it’s “obvious” site owners at the end of the path created by sksforum.org didn’t consent to access.

    In fact: sksforum.org creating links to a 3rd party site tells us nothing about the intentions of the owner of the 3rd party site. So imagining sksforum.org’s creating links tells one anything is beyond silly.

  52. lucia, on the topic of Frank O’Dwyer undermining his credibility, we should remember this from his comment:

    “How could I “actually know[]” the data was “from the restricted forum” when it wasn’t from the restricted forum?”

    I got the impression from the description that the domain names were probably the same. If they were actually pointers to somewhere else then true enough, maybe it was not clear that this other site was restricted. Difficult to say without knowing what the site was and what the normal way to access it is.

    O’Dwyer claimed the material I got was taken from a forum. I pointed out it wasn’t. His response was to say “the domain names were probably the same.” Notice the non-sequitur. Two things can be placed within the same domain without being part of one another.

    I can create a forum and PHP game in the same domain, make the forum private, but the game public. That’s true even if I didn’t include a link to the game on the home page. I don’t have to advertise the resource on my home page in order for it to be public. I could advertise it on other sites, by word of mouth or not at all. It doesn’t matter. The resource would still be public.

    As a practical example, I once belonged to a private forum created to coordinate volunteers for the production of a computer game. The home page was a simple login screen. There were, however, some public directories on the server. They were used for files we wanted to share with the public. Promotional artwork, design logs and many other things were placed in these public directories.

    It’s almost an exact parallel to the recent situation.

  53. lucia, an additional issue with the “circuitous route” claim is I could have simply posted the list of URLs I had found. People could have then visited those URLs. According to Frank O’Dwyer’s standard, that’d make them accomplices to a criminal act.

    Choosing not to disclose a URL in no way makes the resource located at it private.

  54. Brandon
    I agree with you on what seems to be your main point about Frank: he’s jumping to conclusions. Plus, his conclusions are wrong– and it’s a bit mysterious how he would jump to the conclusion he jumped to. I thought it was pretty obvious that the domain name for the site you concealed was not the domain name of the site you revealed (that is “notrevealed.com” was not “sksforum.org”).

    I can create a forum and PHP game in the same domain, make the forum private,

    One can– and moreover it’s done all the time. Moreover, lots of sites have public and private areas. In fact, SkepticalScience.com ran their original “secret” forum on skepticalscience.com– requiring login for that portion of the site. Meanwhile, they wrote blog posts and had all sorts of public stuff at skepticalscience.com. So the existence of the secret forum which was private and access controlled didn’t “imply” that the main site was “private”– in fact the former was private, the latter not only public but massively advertised and promoted by the administrator.

    Later, Cook and the SkS crowd created the “secret-secret” site at sksforum.org. The forum at that site was login only, but the image directory was not, and those images were sometimes used elsewhere– meaning people who otherwise knew nothing about the forum would routinely load images from the image directory. They might not know where they were hosted– but they could easily find out by looking at the image. Once again: the existence of the secret-secret site didn’t imply that the whole domain was private– and in fact it was not private.

    And it’s not just sksforum.org that does this. Ebay will have private log in areas only for customers, so does Amazon.com. So does Cloudflare. So do lots and lots and lots and lots of sites.

    So not only does the existence of a private area on a domain not imply the whole domain is private, it’s not even the way skeptical science has operated. So it’s not remotely clear why anyone would just “guess” that the existence of an access controlled portion of a site anywhere suggests the whole thing is access controlled– and it’s certainly unclear how anyone familiar with the operation of skeptical science owned sites would think that applied to a site one suspected might be a skeptical science operated site!

  55. Carrick says:

    I wonder if a statement in each document warning that the material is private and confidential would meet that standard? (Think: a comment at the top of each file.)

    In Sweden such a statement is a sufficient (and necessary) precondition for getting someone convicted for hacking. If there is no indication that a system or site is actually restricted it is not a crime to enter it.

  56. Lucia,

    “Do you mean the Cuthbert case?”

    Yes, that’s the one I was thinking of. (I actually knew the guy at the time and have worked with him in the past – thoroughly nice and very funny guy who really didn’t deserve that.)

    The point the prosecution made in that case was not that a security hole was used (or rather tested for) but that this fact together with Daniel’s expertise implied that Daniel knew it wasn’t authorised. This (“knowing”) was what they needed to establish. The fact that directory traversals are never authorised was handy and sufficient for them but it wasn’t necessary – *any* way of showing the access was unauthorised and Daniel knew that would have done. If Daniel had instead been guessing or fuzzing internal URLs it probably wouldn’t have gone any better for him, because with his expertise they could still have argued he knew that wasn’t OK. But the real problem was that the UK law is very broad and says nothing about security holes or even any requirement for anyone to attempt to prevent access. You don’t even have to actually gain access.

    “what actions do you think constitute “poking around”?”

    Guessing URLs / exploiting a predictable URL scheme. This is the kind of access Andrew Auernheimer was convicted and imprisoned for in the US, for example.

    That conviction was recently overturned on appeal, but on an issue of venue, not on whether he’d broken the law or not, and not before he’d already spent time in prison. He made exactly the same argument, i.e. that the information wasn’t password protected and therefore available to anyone who typed in the URL(s) he guessed / brute forced. Many people would agree with that but the DOJ and the original court clearly thought otherwise and if the prosecution had chosen a different venue he might be still in jail and/or still going through appeals.

    The case of the Scripps reporters is also very similar (and also involved twiddling URLs) but I don’t know if it has been tried in any court.

    The point (again) is that it’s not at all obvious whether that kind of access is legal or not, and it doesn’t matter what you or I think should be the case, nor if the site admins should have known better, as things currently stand the only way you’ll find out is in court. And the courts are working off laws that many people (e.g. the EFF) think are far too broad and vague and want changed/clarified. Until that happens, it’s all fine and dandy to argue about it on a blog, but if you’ve any sense you don’t want to be the one arguing or appealing it in court.

  57. Frank O’Dwyer
    Pretty coy not to mention the word “Cuthbert” so that others had to take wild guesses.

    Daniel knew it wasn’t authorised

    IT guys know directory traversal isn’t authorized. In contrast, there’s no reason for anyone to “know” that loading “http://sksforum.org/thread.php?t=i&p=j” isn’t authorized. In fact, even now there is no reason to believe doing so was not authorized back when Brandon did it. After all: these are URIs that were left in all our referrers. People often just click URIs in referrers– there is no reason to believe a URI in a referrer is unauthorized. Equally, there is no reason for anyone to think incrementing the value of i or j is unauthorized and nothing at sksforum.org suggested it was. Clicking the link forwarded you to a site. This is not something that suggests anything about clicking the link is unauthorized.
    So: Brandon didn’t “know” those weren’t “authorized” — and in fact, as far as I can tell, clicking those links was authorized access of the resource at “http://sksforum.org/thread.php?t=i&p=j”.

    If there is something else you think Brandon “knew” was unauthorized, perhaps you can suggest what access you think he made that actually (a) was unauthorized, (b) he had some means of knowing was unauthorized and that (c) he actually knew was unauthorized, and then tell us when you think he came to “know” it was unauthorized.

    In contrast when we look at Cuthbert: directory traversal is an attempt to access material that is not on the web. So: yes Cuthbert knew that wasn’t authorized and the reason he knew it was unauthorized is that he was an IT professional and knew it was never authorized. (Moreover, he would “know” things with /../../ in the path aren’t even valid URIs. So, he wasn’t even guessing valid URIs– he was entering something that he knew was a request to access material that was not in the web facing directory.)

    The fact that directory traversals are never authorised was handy and sufficient for them but it wasn’t necessary

    Uhmmm… that’s an interesting opinion. After all: the reason Cuthbert “knew” it wasn’t authorized is that those addresses are never authorized.

    If Daniel had instead been guessing or fuzzing internal URLs

    Well, first: that’s an interesting opinion. But second: I wouldn’t call what Brandon was doing guessing ‘fuzzy internal URLs’. But even if you called it that, there was zero reason to believe doing so was unauthorized. These were the URLs that John Cook’s script had been designed to leave in referrer logs. As far as I can tell, the reason those URLs were left was precisely so that people would click those rather than the links to the actual forum posts. So it was Cook’s intention that admins who saw those referrers would follow those links rather than others which would have been left if Cook had not gone to the trouble to anonymize referrers.

    Guessing URLs / exploiting a predictable URL scheme. This is the kind of access Andrew Auernheimer was convicted and imprisoned for in the US, for example.

    Beyond the fact that the conviction was overturned: even if that conviction had held, there is a big difference. The URLs used by Auernheimer were intended to be representing access by a specific customer and so if looked at cross-eyed might be seen as supplying a “user id”. In contrast, the SkSforum.org URIs were in no way customer specific. So the problem for Weev wasn’t merely “guessing” ips, but “guessing” user credentials.

    Beyond that: the wording of the 3rd circuit court did seem to suggest that they are dubious about the notion that there was any violation even apart from the venue issue. One can’t blame them for wishing to keep the ruling narrow, but I really doubt the DOJ is going to pursue this when they can’t even connect it to anyone supplying something that looks remotely like a “userID” or doing anything that looks like they knew they were telling the computer they were accessing “Hey, I’m Joe. Give me Joe’s email!” when they were not Joe. Though that said: we’ll see.

    if you’ve any sense you don’t want to be the one arguing or appealing it in court.

    Maybe. Or not. If you have done something legal, you might very well want to stand up for yourself.

    I would suggest that your tap dancing around actually citing the actual cases– which you could have done immediately– gives the impression that you kinda sorta know that there are big differences between Cuthbert’s behavior and Brandon’s and also big differences between Weev’s access and Brandon’s. Or, you are just odd and think your case is stronger by keeping all the details ambiguous. But the fact is, we all are aware of these cases and know the differences.

  58. The Nazi theme and the “secrecy” remind me of Animal House, Niedermeier, and “Double Secret Probation”….just about the same level of, erm, sophistication as SKS, Cook, & co….

  59. lucia, it’s worth pointing out what I did at http://www.sksforum.org is largely irrelevant. The University of Queensland claimed it appears the site hosting this data was hacked. The site hosting the data was the one I found via my actions at http://www.sksforum.org. Even if I had hacked the one, that would not make me guilty of hacking the other.

    Jeff, you’re a bit late on that one. Anthony Watts made the same joke earlier, even posting a video for those who didn’t get it.

    Looking at the Cuthbert case, one is reminded of the discussions recently with regard to the “Heartbleed” bug (OpenSSL stale memory state) and the various tools used to look for/test it. Some folks opined that testing for the bug was a problem. I tend to think that dealing with sites with the bug is a bigger problem (e.g. credit institutes, etc. that haven’t patched the code in question, or at least disabled it).

    As noted above, and elsewhere, no room to gripe (much) if you leave something out in the open. Also, Cuthbert is different.

    Still wish that Volokh would comment on it…

  61. Brandon, sorry, my bad…didn’t see that one….oh gosh, TRIPLE secret probation…..(I usually have scripting turned off,so I missed it….)….(so secret I didn’t even see it….).

    Cook promotes himself as an internet consultant of some sort.
    If I was a client, I would absolutely suspend him, bring in a real expert and send Cook the bill for cleaning up his mess.
    Imagine the hazard he could put a client in- Cook is not only a climate kook, he is a nincompoop, to boot.

  63. Jeff

    Still wish that Volokh would comment on it…

    If the DOJ goes after Brandon the way they went after “Weev”, I suspect Orin Kerr of VC will blog about it. See

    http://www.volokh.com/2013/03/21/united-states-v-auernheimer-and-why-i-am-representing-auernheimer-pro-bono-on-appeal-before-the-third-circuit/

    The U Queensland letter hit specialties of several of the conspirators. Orin Kerr would be the main guy who discusses computer fraud and abuse stuff. He also does 4th amendment issues, often focusing on uses of technology in searches. (Orin’s undergraduate degree is engineering– so you can see the technology connection prior to law school.)

    Eugene Volokh tends to discuss copyright and freedom of speech more. He was once a programmer– as a kid.

  64. Lucia –

    ==> ” I especially don’t know that you’re no longer claiming that one must inform someone of defamation before suing them,”

    Seriously? Again?

    Here.

    ==> “If you do want to sue, something it seems you have no intention of doing, then it would be required that you make a request that the material be deleted (if the legal advice you were given downstairs is accurate). ”

    I guess you and I have different definitions of “if,” eh?

  65. Lucia,

    “After all: these are uri’s that were left in all our referrers. People often just click URI’s in referrers– there is no reason to believe a uri in a referrer is unauthorised.”

    But many of the URLs Brandon “clicked”, probably the vast majority, were not in his referrer log. Only the redirects to his own site would have appeared there. The rest he had to infer and construct (not “click”). People don’t typically dig URLs out of referrer logs and start twiddling and scraping them unless they are looking for security flaws, or they’re very sure that variations on those links (page numbers, etc) are intended to be public. It’s very difficult to argue that there was a legitimate reason to do so here.

    I’m sure you’ll try, but unfortunately Brandon has already stated his reasons, so good luck with that. “I figured if I could see the ones going to my own site, I could probably see the ones going to other sites…..that meant I could look at every external link anyone posted on the forum” “I thought it’d be amusing to keep track of what the Skeptical Science team was linking to in their secret-secret forum.”. So there was a flaw in a script and Brandon figured it would be fun to exploit it so he could get information about discussions in a forum he was pretty sure the owners intended to be private, and where he knew the intended authorised access required a login. “After all, it’s pretty silly to have a secret-secret forum while making information about what you’re discussing in the forum public.”. Not exactly the tale of somebody who thought they were engaged in authorised access with the owner’s consent. Not exactly cutting edge security research or a public interest story, either.

    The redirect URL for the data would not have been left in “all our referrers”, either; it would only have appeared in the site’s own referrer log, which is not any of “ours”. Anyone else would have had to guess/brute force it and would likely have needed to repeatedly exploit the flaw in the script to find the target of the redirect. Judging by the numbers provided above, maybe thousands of times; if so, the forum owners will probably be able to show that. That’s no idle innocent click on a link in your referrer log.

    “So the problem for Weev wasn’t merely “guessing” ips, but “guessing” user credentials.”

    The problem for Weev was that he wound up in prison because a real court didn’t buy that URLs being publicly accessible was an automatic defence against a hacking charge, which is the point I made in the first place. If it were as obvious a defence as you and Brandon seem to think it is, he probably would never have seen the inside of a court, never mind a prison.

    The EFF doesn’t seem to agree with you that it’s so clear either. It wants to reform the CFAA, among other reasons because “It should be legal for someone to investigate the URL structure of a website to determine if there are security flaws.”. Why would it say that if it were already obvious that it’s legal to access any valid URL that you can type in and is ‘publicly accessible’? Why don’t you and Brandon go tell Weev and the EFF and all the concerned ‘security researchers’ that they needn’t bother with any of that, that it’s not a problem and all very simple because you say so?

  66. @Frank O’Dwyer (@fodwyer)

    I actually knew the guy at the time…

    Doh! I feel silly now. When I asked you to think of some of the remaining facts you may have missed I forgot to suggest you try to remember if you personally knew the guy involved at the time he was arrested! 😉

  67. Gee, it is all still in Google cache and in the Web archive. It says “383 URLs have been captured for this domain.”
    So much for the secret thing.

  68. Frank O’Dwyer (@fodwyer)

    People don’t typically dig URLs out of referrer logs and start twiddling and scraping them unless they are looking for security flaws, or they’re very sure that variations on those links (page numbers, etc) are intended to be public. It’s very difficult to argue that there was a legitimate reason to do so here.

    Wrong: site admins frequently dig urls out of referrer logs and do things like clicking them, trimming them and guessing some other combinations. These people are often not looking for security flaws, but for things like a pointer to the robots.txt file, or site trees that help one find other files. It’s entirely legitimate to do this. (At some sites, it’s the only efficient way to find things in public.) None of the reasons Brandon gave for visiting Sksforum.org sites is illegal.

    And beyond that: the law doesn’t list a set of ‘legitimate’ uses with all uses not on the list being illegal. Even if the mind of “Frank O’Dwyer” doesn’t consider a particular use ‘legitimate’, searching for public web pages is not illegal; finding them is also not illegal. The uri’s found using Brandon’s method were public web pages– and incrementing is a method of searching. Google uses incrementing things like p=i to p=i+1 when it detects it too.

    Beyond that: you’re overlooking important distinctions. Weev’s difficulty (which I think is what caused the first court to go wrong) was that the specific additions he was making to the uri look like “userid” or “userspecific” information. In contrast, Brandon’s incrementing was not changing anything that could remotely be described as a “userid”. So, the case isn’t merely that he’s guessing, but that he is guessing ‘userids’. Brandon was not doing anything like that.

    Also: As it happens, this guessing of sksforum.org addresses is not at the site UQ describes as exhibiting evidence of “hacking”. So, presumably, they think something else would be “hacking”.

    So there was a flaw in a script

    There was no ‘flaw in the script’. It worked precisely as the developer intended. It was a referrer anonymizer and it did that task 100% correctly. One could not see the ‘true’ referrer. Moreover, this presented zero security threat to sksforum.org. No one could attack the site using the script.

    Not exactly the tale of somebody who thought they were engaged in authorised access with the owner’s consent. Not exactly cutting edge security research or a public interest story, either.

    Huh? I think those are the statements of a person who thought he was engaging in authorized access. He’s accessing entirely public webpages, using a script in exactly the way the owner designed it to find information that is entirely public (i.e. the uri of web pages.)
    As for whether it is cutting edge security research: Brandon never suggested it was cutting edge security research. Nor have I. Because the script operation is not a “security flaw”. It may have had an application in a project John Cook didn’t envision, but that doesn’t mean the use is a “security flaw”.

    Why don’t you and Brandon go tell Weev and the EFF and all the concerned ‘security researchers’

    I’m not sure what your point is. I don’t see any reason we can’t say exactly what Orin Kerr argued in the 3rd circuit. And if your argument is “sometimes the DOJ and juries screw up”: sure. Everyone is aware of that. But no one has said the DOJ and juries can never misapply laws or screw up. Obviously, they did, because Weev’s conviction was overturned due to a screw up. That it was a different, less complicated screw up that permitted the 3rd circuit to side step the issue of guessing URIs (commenting in a footnote but not basing their decision on that comment) may be unfortunate for our argument. But that doesn’t mean we can’t be of the opinion– and express the opinion– that the lower court screwed up on both matters.

    As for the EFF wanting to do things: I have no problem with them wanting laws tweaked “to determine if there are security flaws”. But that would mostly apply to the Cuthbert situation, not Weev. And no matter what the EFF gets, the DOJ will still be able to screw up and misapply laws as written. DOJ screwing up happens, which we know because they lose cases.

  69. Joshua,

    I guess you and I have different definitions of “if,” eh?

    No. Different definition about what the heck “downstairs” means at a blog, and the rhetorical impression about your level of endorsement of an idea which you re-introduce as your main plank when criticizing Brandon’s choices– which you terminate by silly advice with snarky add-ons accusing the person not following your advice of “ducking”.

    As far as I can see, the basis for your “gripe” against Brandon not helping Rachel with Rachel’s job moderating a site is that you think Brandon should help Rachel do the job she has tasked herself to do. Your basis for criticizing his reasons for his decision is pretty much he ends up not doing what you would prefer he do which is grant Rachel a favor.

  70. Oh gawd – Skeptical Science doing a Mosley. And a double take, tryin’ to erase it all. Only he held a private party and it was nobody’s business. But these guys throw their weight around. Neither skeptical (or else they’d spend their time otherwise than donning any kind of uniform) nor science. But we now know why they always have associations with Germany …

  71. btw: For those interested, Orin Kerr’s argument in ‘weev’s’ appeal is here:
    http://www.groklaw.net/articlebasic.php?story=20130702033515452

    There are a few things that could be said with respect to Frank O’Dwyer’s claim that Brandon did something just like or essentially similar to what ‘weev’ did, but with respect to the prosecutor’s argument during the first criminal trial, there is a major difference, and that relates to this bit of Orin’s appeal:

    C. Auernheimer’s Characterization of Spitler’s Act As “Theft” Does Not Make the Access Illegal.

    The government also argued at trial that use of the program was unauthorized because of the words Spitler and Auernheimer chose to describe it. See App2. 132; 606-12. In private e-mails, Auernheimer referred to collection of the e-mail addresses as a “theft.” App2. 166. In his testimony, Spitler agreed with the prosecutor’s view that his program “tricked” and “lied” to the AT&T website. App2. 264. The government argued to the jury that it was these words, “first and foremost,” that proved Auernheimer’s guilt. App2. 132. To the extent the government’s position was clear, it appeared to be that conduct characterized as a theft or a lie is necessarily unauthorized under § 1030. App2. 132, 606-11.

    Setting aside the main point that Orin is making, which is that even “tricking” or “lying” would not be illegal, let’s now compare the case against weev to the characteristics of what Brandon did.

    Contrary to Frank’s claim, the prosecution’s case is not merely that ‘weev’ ‘guessed’ URIs with the intention of doing something AT&T would have preferred he did not do. Rather, their case was that weev actually ‘tricked’ or ‘lied’ to the AT&T website, causing it to do something as a result of having been “tricked” or “lied to”. (The ‘lie’ or ‘trick’ was spoofing a user agent to appear to be an appropriate mobile device when it was not such a device. Doing so while also visiting the ‘special’ user specific page is what resulted in discovering user specific email addresses.)

    We now see a huge dissimilarity between Weev and Brandon: Brandon has not said he “tricked” the computer into doing anything. The reason he has not said he “tricked” or “lied” to the computer is that he did not “trick” it into doing anything. Brandon did not ‘lie’ to the computer in any way: for example, unlike ‘weev’, he didn’t get blocked when using one user agent and so switch to a different ‘special’ one that would work. There was nothing about loading the uris Brandon entered that represented any request other than: “Send me the contents of this web page”.

    Since the prosecution’s case was not that what weev did was illegal because he guessed uris but rather because he “lied” or “tricked” the computer, the lack of “trick” or “lie” would be important if weev’s conviction had remained some sort of precedent. (Weev’s conviction was overturned in any case.)

    The remainder of Orin’s argument about ‘tricking’ addresses the question of whether “tricking” or “lying” to a computer is sufficient to make the use of the computer “unauthorized”, and also argues that spoofing a user agent isn’t a “trick” in any case. It’s interesting, but bear in mind the merits of this argument have nothing to do with what Brandon did because there is nothing about loading urls of the sort Brandon loaded that constitutes any sort of “trick” or “lie”. So, the theory of why what weev did was wrong doesn’t apply to merely “guessing IPs”, but to actually “tricking and lying”.

    Here’s more Orin:

    This argument is meritless. Auernheimer’s guilt turns on whether the program accessed AT&T’s website “without authorization” or “exceed[ed] authorized access.” 18 U.S.C. § 1030(a)(2)(C). That depends upon how AT&T’s website worked and what the program did. It does not depend on what words Auernheimer chose or thoughts he had when later describing his conduct to others. “The government cannot punish what it considers to be an immoral thought simply by linking it to otherwise innocuous acts, such as walking down the street or chewing gum.” United States v. Tykarsky, 446 F.3d 458, 471 (3d Cir. 2006). To be sure, a defendant’s words can establish his state of mind. See Whitney v. Horn, 280 F.3d 240, 259 (3d Cir. 2002). But the missing element of the crime needed to convict Auernheimer is the absence of authorization, not his intent.

    Auernheimer’s language is irrelevant even if read to reveal his subjective belief that his conduct was illegal. A defendant’s belief as to the criminality of his act is irrelevant. See generally Wayne R. LaFave, Substantive Criminal Law § 5.6 (2012). Ignorance of the law is no excuse, but neither is it an offense: A person who wrongly thinks his conduct was illegal is guilty of no offense. See id.

    Further, the government’s claim that the program tricked and deceived the AT&T computer into giving up information —implicitly rendering the access unauthorized— is false. AT&T programmed its computer to respond to anyone who visited the correct address; it did exactly as it was programmed to do. App2. 514-15. Visiting a website does not carry an implicit promise that the visitor is someone the website owner would like them to be. See EF Cultural Travel, 318 F.3d at 63. Posting data on the web posts that data for everyone. See id.

    The government also claimed that the program tricked AT&T into divulging data because Spitler set his computer web browser’s “user agent string” to appear as an iPad. App2. 264; 610. This claim misunderstands the purpose and function of user agent strings. A user agent is a browser setting that tells the website what kind of browser is making a request. App2. 510. The browser setting sends a short string of data along with website requests that allows websites to optimize the presentation of different web pages for different browsers.

    Most importantly, user agents do not regulate access. App2. 514. They are merely browser settings that allow users to optimize how a webpage looks for the user’s own convenience. And changing a user agent string is both very easy and very common, taking just a few clicks to allow users to pick whatever settings they want. App2. 512. In fact, most browsers have tools that allow users to change their user agent directly built into their browsers. Setting the user agent string does not “lie” to a website any more than a Phillies fan lies when wearing a Mets cap.

    Indeed, it has been common for browsers to be configured by their developers to change their user agent strings automatically as part of their design. See Nicholas C. Zakas, History of the User-Agent String, available at http://www.nczonline.net/blog/2010/01/12/history-of-the-user-agent-string/ (“The history of the user-agent string is marked by browsers trying to convince user-agent sniffers that they are what they are not. Internet Explorer wants to be identified as Netscape 4; Konqueror and WebKit want to be identified as Firefox; Chrome wants to be identified as Safari.”); see also App2. 512. If changing a user agent string is a federal crime, millions of Americans may be criminals for the way they routinely surf the Web.
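
The brief quoted above makes a technical point worth seeing in code: the User-Agent header is chosen by the client, so a server that uses it to decide who may see a page has no access control at all, whereas a server-issued session is something the client cannot mint. What follows is an added example, not code from this thread, from AT&T or from the brief; both handlers, the session store and the sample requests are hypothetical and constructed for illustration.

```python
"""Why a User-Agent check is not an access control.

Added example, not code from the thread or from any site it discusses.
'weak_gate' grants a page based on the User-Agent header, a value the
client writes itself; 'strong_gate' grants it only to a session the server
issued. The session store and every request below are constructed.
"""
import secrets
from typing import Dict, Optional

# Constructed: the server-side record of who has logged in. A real
# application would back this with a database or cache.
SESSIONS: Dict[str, str] = {}


def login(username: str) -> str:
    """Issue a fresh random session id after (hypothetical) authentication."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid


def weak_gate(headers: Dict[str, str]) -> bool:
    """Weak design: trust the client's own description of itself.

    The header is a presentation hint that any client sets to whatever it
    likes (the brief above quotes the long history of browsers doing just
    that), so this grants the page to whoever asks for it in the expected
    way. Nothing here identifies or authorises anybody.
    """
    ua = headers.get("User-Agent", "")
    return "iPad" in ua


def strong_gate(headers: Dict[str, str]) -> Optional[str]:
    """Sound design: accept only a session the server itself issued.

    Returns the authenticated username, or None when the request carries
    no valid session. The User-Agent plays no part in this decision.
    """
    cookie = headers.get("Cookie", "")
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return SESSIONS.get(value)
    return None


def layout_for(headers: Dict[str, str]) -> str:
    """The legitimate use of User-Agent: pick a layout, after authorisation."""
    ua = headers.get("User-Agent", "")
    return "mobile" if ("iPad" in ua or "Mobile" in ua) else "desktop"


if __name__ == "__main__":
    sid = login("alice")
    for hdrs in ({"User-Agent": "Mozilla/5.0 (iPad; CPU OS 5_0 like Mac OS X)"},
                 {"User-Agent": "Mozilla/5.0 (Windows NT 6.1)", "Cookie": f"sid={sid}"}):
        print(hdrs, "weak:", weak_gate(hdrs), "strong:", strong_gate(hdrs), layout_for(hdrs))
```

The point of the pairing is that the User-Agent is still useful to the server for what the brief says it is for, choosing how a page is rendered, but only after `strong_gate` has decided whether the page is served at all.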

  72. Lucia,

    “Wrong: site admins frequently dig urls….entirely legitimate to do this.”

    That doesn’t even contradict the quote you responded to.

    “There was no ‘flaw in the script’. It worked precisely as the developer intended. ”

    A program that has an unintended side effect of leaking private or confidential information (whether credit card information, passwords, troop movements, cryptographic keys, plans for a surprise party, session IDs, or links people are discussing in private conversations) clearly does have (or is) a security flaw, regardless of anything else it does that’s useful.

    “As for the EFF wanting to do things: I have no problem with them wanting laws tweaked “to determine if there are security flaws”. But that would mostly apply to the Cuthbert situation, not Weev.”

    Not really. Here is an example the EFF themselves give:

    A user finds that her online account with a dating website has been hijacked. In investigating what happened, she begins testing the URL structure for the dating website. She discovers that anyone can access her account, including her private information, contacts and dating history, all without putting in a new password, but simply by typing in the right URL. She determines that she could do this for many other users as well as herself. She wants to inform the company and demonstrate what she discovered so that the company can fix the big security hole she found.

    It should be legal for someone to investigate the URL structure of a website to determine if there are security flaws.

    Nothing there about invalid URLs, directory traversal, SQL injection or the like. Just ‘typing in the right URL’. And note: should be legal, not is legal. The law is so broad and unclear no-one really knows what it makes illegal.

    “Contrary to Frank’s claim, the prosecution’s case is not merely that ‘weev’ ‘guessed’ URIs with the intention of doing something AT&T would have preferred he did not do”

    I have not made any claim as to what the prosecution’s case was, never mind that one. I’ve pointed out that both cases involved accessing web accessible URLs using predictable URL schemes, which is a technical fact not a legal point. I’ve also noted that the one that’s actually been in court didn’t get immediately thrown out because the URLs were ‘totally web accessible’, which tends to undermine the idea that something like that is a sufficient and obvious *defence* on its own.

    Hence people finding it necessary to argue in court about whether a particular instance of touching an accessible URL was authorised or not instead of just determining the URL was accessible and going home early.

  73. Thanks for clarifying the EFF pseudo example. I agree it looks like ‘weev’. But in that example, someone isn’t just typing in any old uri. Not even a super-secret one. They are typing in something that represents them as someone else– which is rather more than just typing in just a uri.

    It was the element of ‘tricking’, ‘lying’ or providing information that one knew the script would interpret as meaning the person making the request was someone other than the person requesting. The prosecutor goes on about this for 20 pages– so the claim that what weev was doing is representing himself as someone else isn’t just a little accidental unimportant issue to the prosecution’s claim. It doesn’t become unimportant even if you want to represent it as ‘just typing in a url’. Specific features of the url matter: in weev, knowingly representing yourself as a different person by using a “trick” or a “lie” to access the AT&T site was hammered away at very heavily by the prosecutor.

    Trying to collapse this into either the EFF or the prosecutor in ‘weev’ thinking just typing in any old uri would be illegal is inaccurate: neither suggests that. It is the act of misrepresenting oneself as a different person– that is, identity theft– that might make the testing of certain specific uri’s illegal. So there’s no evidence of ambiguity in Brandon’s situation: that element is not here.

    I have not made any claim as to what the prosecution’s case was, never mind that one. I’ve pointed out that both cases involved accessing web accessible URLs using predictable URL schemes, which is a technical fact not a legal point.

    Well, you’ve made a claim that seems to be rather different from what you actually previously wrote. Specifically you wrote

    In fact i happen to know of a successful prosecution of someone who did nothing more than access a URL by typing it into their browser. This person did not even copy any data. I am not sure that the access even succeeded. Of course it depends on the jurisdiction and the other facts as to what exactly is OK or not.

    That seems to suggest that the only thing that is required is to access a URL by typing it into a computer and no other elements matter. That is false. Other things matter. And you’ve certainly seemed to suggest that what Brandon did shares the element that caused the prosecutor to claim what weev did was illegal– and it does not.

    Moreover, you ignore things that matter when you recount the significance of both Cuthbert and weev. In one, the url was an invalid one that represented a directory traversal– which is never authorized. In the second, the url was one that could be characterized as equivalent to a user-id and password. The URIs Brandon loaded were not.

    Very specific features about the URL itself mattered both in the prosecution’s case in weev and in Cuthbert. The features that mattered in those cases aren’t present in Brandon’s situation. There is no particular reason to think there is any disagreement about loading these sorts of uris. Certainly neither the weev nor Cuthbert cases suggest there is any confusion.

  74. Frank

    I’ve also noted that the one that’s actually been in court didn’t get immediately thrown out because the URLs were ‘totally web accessible’, which tends to undermine the idea that something like that is a sufficient and obvious *defence* on its own.

    I should add that the point that is escaping you is that the issue with SkSforum.org is that the only thing that was done was type in ‘totally web accessible’ uri’s. These weren’t concealed uris– they were uri’s specifically created to be left in referrer logs– so publicized. These weren’t protected uris. These weren’t ‘attack’ uris. There is no ‘mis-representing identity’. There is not even a hint of any of these elements.

    No one is suggesting that if someone types in an accessible uri that act automatically immunizes everything else, even if one also does an SQL injection or a directory traversal, or a misrepresentation of identity or something like that. It is merely that you need something more. And you aren’t supplying any of the ‘something more’.

  75. Lucia,

    That seems to suggest that the only thing that is required is to access a URL by typing it into a computer and no other elements matter.

    It explicitly states the opposite, so no: “Of course it depends on the jurisdiction and the other facts as to what exactly is OK or not”.

    Specific features of the url matter: in weev, knowingly representing yourself as a different person by using a “trick” or a “lie” to access the AT&T site was hammered away at very heavily by the prosecutor.

    No, the URL doesn’t need to have any particular features. No, you don’t need to do anything with userids or pass yourself off as a different person. The points the prosecution needs to establish are legal ones, not technical ones. You are confusing the means with the end.

    It’s as if you’ve read a couple of murder cases where one involved a gun and the other a knife, and now you think murder is somehow defined by the use of guns and knives – and then you conclude there’s no such thing as murder by blunt instrument (unless someone was battered to death with a gun), or drowning (unless they were stabbed first).

    The prosecution’s goal is to show things like “knowingly” and “unauthorised”. The court doesn’t care (and likely won’t even understand) exactly what you did to the computer, but they do care if whatever you did was unauthorised and you knew it.

  76. Frank

    No, the URL doesn’t need to have any particular features. No, you don’t need to do anything with userids or pass yourself off as a different person. The points the prosecution needs to establish are legal ones, not technical ones. You are confusing the means with the end.

    And which is it you’re claiming? That as a legal matter they need do nothing more than access a URL? Or as a technical one? Because whichever you are claiming, you are wrong.

    In Cuthbert, the http request contained the ‘feature’ /../../ in the string submitted. Adding /../../ makes the request something that properly programmed servers do not treat as a url, even if ‘.’ and ‘/’ are permitted to be used in urls. I don’t consider submitting this merely accessing a URL from a technical POV because no properly programmed server will treat it as one. (I guess someone might claim it is ‘accessing a URL’, but in that case it’s certainly a URL with the “particular feature” of containing /../../ .) In Cuthbert, the legal point is not ‘accessing a url’ (which would be typing a set of numbers and hitting submit) but requesting a directory traversal.

    In weev, the technical issues were (a) accessing a URL while also (b) spoofing a user agent. The legal issue is misrepresenting his identity to “trick” the server.

    So:
    (a) on the technical nuts and bolts issue: neither weev nor Cuthbert was charged or tried for doing nothing more than accessing a url. As technical matters, weev conspired with Spitler, and the process involved both accessing a url and spoofing a user agent. The technical issue in Cuthbert is submitting a carefully crafted set of characters containing ‘/../../../’ that properly programmed servers will not treat as a url. I don’t consider either ‘accessing a url’ as a technical matter.

    (b) on the legal issue: accessing a url alone has never been suggested to be illegal by itself. Heck, even intentionally accessing a url alone has never been suggested to be illegal. In weev the legal issue is ‘misrepresenting’ and in Cuthbert it’s ‘directory traversal’.

    Resorting to murder/knife/gun analogies can’t make you right on this.

    It’s as if you’ve read a couple of murder cases where one involved a gun and the other a knife, and now you think murder is somehow defined by the use of guns and knives – and then you conclude there’s no such thing as murder by blunt instrument (unless someone was battered to death with a gun), or drowning (unless they were stabbed first).

    Oh. Lord. I await your next analogy in which you first claim you know a case where someone was convicted of murder by doing nothing more than giving them a pillow for Christmas. Then, when I delve further, it turns out the gift giver’s version of “giving” a pillow was to hold a pillow over face and mouth until they stopped breathing, and I point out that the gift giver also pressed the pillow over the person’s face and mouth– and that was a key activity– not the gifting of the pillow. And then you’ll come back and tell me that they did gift them the pillow– and, utterly ignoring all the other things, insist that nothing more was required and accuse me of not believing in “murder by suffocation” because I pointed out that the person you said committed murder by doing nothing more than gifting them a pillow actually did rather more than that, and that– more importantly– the gifting of the pillow was neither the relevant legal issue nor the relevant technical issue involved.
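
Comment 76 rests on what a properly programmed server does with a request containing /../../. Here is that check written out as an added example (not code from this thread, nor from any server involved in the Cuthbert case): the server percent-decodes the request path once, resolves it against its document root and refuses anything that would land outside that root. The document root /var/www, the function names and the sample request paths are all constructed for illustration.

```python
"""Request-path normalisation: what a server does with '/../'.

Added example, not code from the thread or any site it discusses. The
server decodes the path exactly once, resolves '.' and '..' against its
document root, and refuses any result outside it. '/var/www' and every
sample path below are constructed.
"""
import posixpath
from urllib.parse import unquote


class TraversalRejected(ValueError):
    """The request path would resolve to a file outside the document root."""


def resolve_request_path(raw_path: str, doc_root: str = "/var/www") -> str:
    """Map a request path onto the filesystem path the server would serve.

    1. Drop the query string; it never names a file.
    2. Percent-decode once, as servers do, so '%2e%2e' is seen as '..'.
       A doubly encoded '%252e' decodes to the literal segment '%2e' and
       stays that way; it will simply not match a file.
    3. Join onto doc_root, then normalise, which collapses '.' and '..'.
    4. Require the result to be doc_root itself or something beneath it.
    """
    path = raw_path.split("?", 1)[0]
    decoded = unquote(path)
    if "\x00" in decoded:
        raise TraversalRejected(f"NUL byte in request path {raw_path!r}")
    # Join *before* normalising: '/var/www' + '../../etc/passwd' must be
    # allowed to collapse to '/etc/passwd' so the containment check sees it.
    candidate = posixpath.normpath(posixpath.join(doc_root, decoded.lstrip("/")))
    if candidate != doc_root and not candidate.startswith(doc_root + "/"):
        raise TraversalRejected(f"{raw_path!r} escapes {doc_root}")
    return candidate


def is_traversal(raw_path: str, doc_root: str = "/var/www") -> bool:
    """True if the server refuses raw_path rather than treating it as a URL."""
    try:
        resolve_request_path(raw_path, doc_root)
    except TraversalRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests: ordinary pages, a harmless '..' that stays
    # inside the root, and two traversal attempts (plain and percent-encoded).
    for p in ["/index.html", "/forum/thread.php?id=12", "/images/../index.html",
              "/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd"]:
        outcome = "reject" if is_traversal(p) else resolve_request_path(p)
        print(f"{p:32} -> {outcome}")
```

A '..' that stays inside the root (`/images/../index.html`) is an ordinary URL and resolves normally; only a path whose normalised form leaves the root is refused, which is the distinction the comment draws between "a set of numbers" and a traversal request.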

  77. Frank

    but they do care if whatever you did was unauthorised and you knew it.

    and no court has held that anyone committing the technical act of just accessing a garden variety url resulted in someone having done anything unauthorized. The technical acts by Cuthbert required a special sequence “/../..”. The technical act in weev required spoofing a user agent.

  78. Lucia,

    “no court has held that anyone committing the technical act of just accessing a garden variety url resulted in someone having done anything unauthorised.”

    If you mean URLs such as a typical user would visit in the usual course of browsing, i.e. no obvious attack sequences like traversal or SQL injection etc, and no switching the user agent – even though that’s not part of the URL – then yes they have.

    e.g. see district court decisions on Facebook vs ConnectU, and from the same court on Facebook vs Power Ventures.

    Interestingly one ruling disagreed with the other, even though it was the same court! (Which shows what a tightrope you walk if you are in court on anything like this.)

    Still, they both held that the accesses were “without permission”, just for different and opposite reasons. The difference was about what “without permission” means and what is sufficient to conclude that an access was not authorised.

    This is from the first:

    California Penal Code Section 502 is entitled “Unauthorized Access to Computers, Computer Systems and Computer Data” (emphasis added in original).

    Focusing on that title and on other provisions within the section relating to accessing computer systems, ConnectU argues that nothing in the FAC suggests its access to the Facebook website was “unauthorized” or undertaken “without permission.” Apparently ConnectU accessed information on the Facebook website that ordinarily would be accessible only to registered users by using log-in information voluntarily supplied by registered users. Thus, ConnectU contends, it did not engage in “hacking” or other “unauthorized” access of a type prohibited by the statute, and Facebook has not alleged otherwise. ConnectU argues that Facebook may have a claim for breach of contract against the registered users who supplied ConnectU with the login information, but that Facebook’s “terms and conditions of use” have no applicability to ConnectU itself, which never registered as a user or agreed to those terms and conditions.

    ConnectU’s argument does not adequately address subdivision (c) of the statute, which makes it a “public offense” if a person:

    (2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system or computer network.
    (Emphasis added in original.)

    The FAC sufficiently alleges that ConnectU “knowingly” accessed Facebook’s website and that it took, copied, or made use of data it found thereon “without permission.” ConnectU’s argument that a private party cannot define what is or is not a criminal offense by unilateral imposition of terms and conditions of use is not persuasive. The statute defines the criminal offense: taking, copying, or using data “without permission.” The fact that private parties are free to set the conditions on which they will grant such permission does not mean that private parties are defining what is criminal and what is not.

    The ruling in the Power Ventures case is rather bizarre, and makes heroic efforts to define ‘without permission’ while avoiding the plain language meaning. It disagreed with the ConnectU decision, because it said ‘without permission’ required circumventing a technical barrier.

    Then they said it was ‘without permission’ anyway because Power Ventures would have been able to circumvent some technical barriers that weren’t there, and which they didn’t actually resort to circumventing.

    So, good luck!

  79. Frank,
    Excuse me?

    In the case you quote, I’m reading “supplied false log in credential”? So that’s not an example of a case where anyone was prosecuted for doing nothing more than entering garden variety urls– ConnectU’s agents used login credentials they were not authorized to use. And afterwards engaged in activities that were not permitted even to those whose login credentials they used. The full document you quoted snippets from is here: http://law.justia.com/cases/federal/district-courts/california/candce/5:2007cv01389/189975/73. This is not a case of ‘just entering urls’– it’s a case of first using login credentials to gain access one otherwise would be granted.

    I don’t know what you are claiming about the Power Ventures case (http://en.wikipedia.org/wiki/Facebook,_Inc._v._Power_Ventures,_Inc.), but it reads: “After a user provides his or her user names and passwords to Defendants, the Power.com service takes this access information to “scrape” user data from those accounts. Id. ¶¶ 50-52.” So once again, the defendants are using login credentials that do not belong to them and also doing things that violate the TOS after using login credentials. So: even those properly using login credentials would be exceeding authorization if they do things like scrape. This isn’t just entering urls. The steps involve first entering login credentials.

    Whether these rulings “agree” or “disagree” with each other: one thing is clear. In both the defendant did more than enter urls. They also borrowed login credentials that did not belong to them and used those without permission of Facebook.

    If a case that involves nothing more than entering urls exists, you certainly haven’t brought one forward. But try again.

  80. I posted a comment over at lucia’s Blackboard. It’s relevant here:

    lucia, here’s an amusing note. I just uploaded a post responding to an annoying piece of e-mail trying to get support for a petition to fire a guy for what he said about global warming alarmists. As it happens, that e-mail had several links like:

    http://act.forecastthefacts.org/go/732?t=6
    http://act.forecastthefacts.org/go/733?t=8

    To the people suggesting I misbehaved, I have to ask, would it be hacking for me to type in:

    http://act.forecastthefacts.org/go/717

    Because that’s the extent of my heinous, criminal activities.

  81. Lucia,

    “In the case you quote, I’m reading “supplied false log in credential”?”

    Further evidence your reading comprehension is pretty poor then.

    The credentials were not false. The users had volunteered and entered them themselves.

    “The steps involve first entering login credentials.”

    You are making it up as you go along.

  82. Frank O’Dwyer, I believe you will find more success if you explain things and cite text or references you say support your claims.

    The only way I can see that wouldn’t be true is if you’re completely wrong.

  83. Frank
    This is a reference to ConnectU using false credentials which would be defined as “credentials that did not belong to ConnectU.”
    Apparently ConnectU accessed information on the Facebook website that ordinarily would be accessible only to registered users by using log-in information voluntarily supplied by registered users.
    That is: ConnectU used log-in credentials that did not belong to ConnectU. This information is contained in the bit you quoted. If you think it doesn’t mean they used “false credentials” please explain why you think that sentence does not state the case involves allegations ConnectU used supplied false credentials rather than merely suggesting that my reading comprehension is poor.

    The credentials were not false. The users had volunteered and entered them themselves

    (a) If an 18 year old goes to a bar and presents her older similar looking sister’s ID to buy beer, that is “presenting false credentials”. They are false because they do not belong to her.
    (b) Even if your definition of “false” credentials means that (a) is not so, this is still doing something other than merely entering a url. It is “The accused (connectU) presenting credentials that did not belong to them to obtain access which was only authorized to the person to whom the credentials belonged”

    Given (b) at best you could win a ‘semantic’ victory about the meaning of ‘false credentials’ which would mean I need a different word to describe the additional action beyond entering a url required on ConnectU’s part to be accused of unauthorized access. The fact would remain that this additional step was taken and featured prominently in the allegation. Without this extra step the loading of a garden variety url alone was not alleged to be a violation of the CFA. So: you still have no examples of alleged violations of the CFA that do not involve another step.

    Try again.

  84. BTW: on false credentials

    http://www.dailyillini.com/news/state/article_8e098c6e-dfbc-11e3-b8c8-001a4bcf6878.html

    The Senate unanimously passed House Bill 4090 Monday, a measure that will make it a crime to present false credentials to obtain employment.

    The bill, sponsored by State Rep. Naomi Jakobsson, D-Urbana, in the house and Sen. Chapin Rose, R-Mahomet, amends the Criminal Code of 2012. In addition to making it a crime to present false credentials for employment, it will be unlawful to use those credentials to obtain admission to an institution of higher education or for the purpose of obtaining a promotion or higher compensation in employment.

    Rose sponsored the resolution in response to the employment of James Kilgore, research associate for the Center for African Studies and instructor in FAA and LAS, at the University.

    “Dr. Kilgore fraudulently stole the identity of a deceased child to obtain his degree under false pretenses,” Rose said. “The University has said that it is working on comprehensive background checks for employees. I look forward to working with them on this point. Should their initiative have some ‘teeth’ to it, this may not be necessary.”

    Rose said with the session winding down, the bill needed to be advanced back to the House of Representatives for concurrence.

    In this story, ‘false credentials’ is used to describe Dr. Kilgore taking actual existing true credentials that would have been “true” credentials if presented by a particular person (who happened to be deceased) and presented them as his own. His using credentials that would be entirely “true” credentials if used by the deceased is presenting “false credentials”. If you have some other definition of ‘false credentials’, well… dandy. Maybe you can supply us “the Frank O’Dwyer dictionary of language” and explain why your definition must be used in all conversations.

    But my use is common enough in English, especially as used in Illinois where I (and Brandon who runs this blog) both reside. If you have trouble understanding what I might mean by “false credentials” you might wish to get a hold of an American idiom book to do “American to Frank” translations.

  85. More details on the “power” case

    https://www.eff.org/document/order-granting-facebooks-motion-summary-judgment-and-denying-power-ventures-motion-summary
    1) Facebook blocked Power.inc’s IPs. Power was alleged to be taking steps to circumvent IP blocking. This is an ‘action’ or ‘technique’ representing something “they did” and it’s in addition to merely “loading urls”.

    The expert report of Bob Zeidman and Lawrence Melling, who analyzed the code and software used by Power.com to determine if it was designed to circumvent technical barriers. The report concludes that the code used a number of routines to avoid being blocked by websites like Facebook, including the use of proxy servers if one server was blocked by a website. (Id. ¶¶ 55-60.) The code would routinely monitor each server to see if an IP address was blocked and change the IP address if it was. (Id. ¶¶ 59-60.) The report concludes that substantial effort went into designing the proxy system and that one of the objectives of the design was to reconfigure the IP connections if an IP address was blocked. (Id. ¶ 61.)

    The above, by itself, shows that Facebook at least alleged Power did something more than merely load URLs– and it shows that at least with respect to what people were arguing about in this case, the alleged CFA violation did not involve merely loading urls. It involved allegations that Power violated technological barriers. (There were various allegations at different points of the trials. The IP blocking allegations persisted and were considered relevant in the ultimate trial.)

    Of course, if Frank’s argument is that even though an actual violation might require more than merely loading a url, people get charged when all they did was load a url. Well.. what one actually did are generally disputes over facts. And in this case, evidence of the fact of the blocking is above. Evidence that the motive was directed at Facebook was:

    An e-mail from Vachani to members of his staff, sent after Vachani received a cease and desist letter from Plaintiff, stating “we need to be prepared for Facebook to try and block us and then turn this into a national battle that gets us huge attention.”

    Here, this shows that the President of Power.inc explained that Power would need to take steps to get around blocking by Facebook. Vachani doesn’t mention “IP blocking” or a technological barrier, but given that Power’s code was designed to get around Facebook blocking, I think most triers of fact would connect the dots and think this is pretty good evidence Vachani wanted to use whatever means available to use the sort of blocking Facebook was using. In this case, that happened to be IP blocking.

    Vachani’s defense against Facebook’s allegation they were trying to get around IP blocking seems to be that they didn’t need to do anything to get around it because Facebook’s list of IPs was not up to snuff and only blocked one IP address:

    Vachani’s testimony that in December 2008, Facebook attempted to prevent Power’s users from accessing Facebook through Power.com by blocking one IP address utilized by Power. “Facebook’s IP block was ineffective because it blocked only one outdated IP address Power had used, and did not block other IPs that Power was using in the normal course of business.” (Id. ¶ 11.) “Power did not undertake any effort to circumvent that block, and did not provide users with any tools designed to circumvent it.” (Id.) After it became aware of the attempted IP blocking, Power undertook efforts to implement Facebook Connect as Facebook had requested. (Id. ¶ 12.)

    The court then finds

    Upon review, the Court finds that the undisputed facts establish that Defendants circumvented technical barriers to access Facebook site, and thus accessed the site “without permission.”

    Although the evidence shows that Defendants did not take additional steps to circumvent individual IP blocks imposed by Plaintiff after the fact, this does nothing to cast doubt on the overwhelming evidence that Defendants designed their system to render such blocks ineffective. The Court finds no reason to distinguish between methods of circumvention built into a software system to render barriers ineffective and those which respond to barriers after they have been imposed. This is particularly true where, as here, Defendant Vachani’s own statements provide compelling evidence that he anticipated attempts to block access by network owners and intentionally implemented a system that would be immune to such technical barriers. Thus, in light of the undisputed evidence that Defendants anticipated attempts to block their access by Plaintiff, and utilized multiple IP addresses to effectively circumvent these barriers, the Court finds that Defendants violated Section 502 by accessing Plaintiff’s network without permission.

    This is simply not a case where Power did nothing other than load urls.

  86. Brandon,

    Frank O’Dwyer, I believe you will find more success if you explain things and cite text or references you say support your claims.

    The only way I can see that wouldn’t be true is if you’re completely wrong.

    Sadly your post didn’t explain things and didn’t cite anything in support of its claims, so is something of a Cretan Paradox.

    And I’ve already explained things at length and provided plenty of support. Sometimes the problem is at the receiving end.

  87. Frank O’Dwyer, I struggle to imagine how you concluded my “post didn’t explain things” when the entire post was an explanation.

    You can suggest the problem in your exchanges is with other people, but I don’t think you’ll find many who agree.

  88. Brandon,

    “I struggle to imagine how you concluded my “post didn’t explain things” when the entire post was an explanation”

    A clearer explanation from you might help. For example, you could mention what things you would like explained to you that you think I haven’t already explained. (IMO it would also be courteous to acknowledge what I think are rather obvious efforts to explain and clarify, but do what you like.)

    You could also point to these claims of mine where you think I have not provided any text/references that I say supports it.

  89. Frank O’Dwyer, I can’t understand what you just said. In response to me pointing out my entire post was an explanation, you suggest a “clearer explanation from [me] might help,” yet as an example, you suggest I “could mention what things [I] would like explained.” I have no idea why you think things would have been better if I had asked you to explain things in my post I wrote before you had written anything.

    You may think you’ve offered “rather obvious efforts to explain and clarify,” but not only do I struggle to understand most of what you say, you’ve directly responded to multiple requests for information from lucia in unhelpful ways.

    I get the impression whatever you may think is obvious in your comments isn’t obvious to anyone else commenting here.

  90. Brandon,

    I think I see where the confusion lies here. The only way I can understand your 5.06 is if you thought by ‘post’ I meant your original blog post. I didn’t. In my 3.41 I was referring to the text you had just posted and that I was quoting.

    When I reply to something I usually follow the Internet convention of quoting what I’m talking about, or specifically reference it, and in this case I’d quoted it in its entirety.

    If I’d meant the original post I would have said ‘original post’ or ‘blog post’ or similar. However I can see the ambiguity. Hopefully this clarifies.

  91. I never cease to be amazed by how utterly stupid certain people are when putting code online. Just because you can knock up some PHP script tied to a database online does _not_ qualify you to be able to do so securely – it requires real skill & experience to do so, and a certain mental ‘twist’ to defeat hackers consistently.

    I confidently predict this will happen again; as security engineers have to be critically minded, objective and detail orientated to do it well – which is the diametric opposite of the mindset on SkS.

    Given how ‘lax’ the security is/was – I wonder what else has been archived or indexed by various crawlers, just waiting to be discovered.. Guys, we will need a bigger fan!

  92. Frank,

    When I reply to something I usually follow the Internet convention of quoting what I’m talking about, or specifically reference it, and in this case I’d quoted it in its entirety.

    I’d suggest that’s not exactly been your style in this thread. But beyond that, I do see you are no longer trying to defend your contention that

    In fact i happen to know of a successful prosecution of someone who did nothing more than access a URL by typing it into their browser. This person did not even copy any data. I am not sure that the access even succeeded. Of course it depends on the jurisdiction and the other facts as to what exactly is OK or not.

    In fact you do not “know of a successful prosecution of someone who did nothing more than access a URL by typing it into their browser”. You don’t know of such a person in any jurisdiction or with any other “facts”. In all cases, the person did something in addition to accessing a URL– like spoof a user agent, or tack on a pattern creating an escalation (i.e. /../../../) or use a third party’s credentials, or use a program to evade an IP block. These aren’t just issues of “mens rea”, they are actions falling under the verb “to do”.

  93. Frank O’Dwyer, the distinction between a post and comment on a blog is pretty well known, but your comment makes less sense if we interpret it they way you say we should now.

    There is absolutely no reason I would be expected to cite things in order to tell you what I believe would make your comments more effective.

  94. Lucia,

    you do not “know of a successful prosecution of someone who did nothing more than access a URL by typing it into their browser”. […] In all cases, the person did something in addition to accessing a URL– like […] tack on a pattern creating an escalation (i.e. /../../../)

    Sure I do because firing up a browser and typing in a URL (actually, 2) is still all Daniel actually did, in plain english. A URL with .. characters is still a URL.

    Maybe it’s clearer if you consider that *none* of the technical actions in these cases are illegal in themselves. They’d all (including what Daniel did) be perfectly fine if you had permission to do them. I’ve worked on a project with a team that did much more than type in .. and indeed actually broke into computers that didn’t belong to us and whose owners hadn’t hired us to do it. They had however given us written permission and even invited us on their premises to do it, so it wasn’t illegal. The critical detail that the cases we’ve discussed have in common is not technical, it’s the lack of authorisation and the knowing/intent.

    It’s clearly possible to try to access any URL at all, including a ‘garden variety’ one. That doesn’t stop it being ‘access’ and it doesn’t stop it from being illegal if you do it without permission, and the prosecution can prove you did so knowingly. It’s not a defence if other people have permission. This is the case in the UK and many jurisdictions have similar open-ended provisions, with some requiring a particular effect (e.g. damage or harm). Even making a computer ‘perform a function’ to help you get unauthorised access to material is illegal here.

    The prosecution needs to show all that of course, and for them to prove things like intent and unauthorised is difficult. So they try to establish other facts that point to it, such as:

    – Circumvention of a technical barrier, or an attempt to do so (e.g. Daniel, Power Ventures, the 3Taps case, Weev)
    – Use of brute force (e.g Weev)
    – The defendant’s own words (e.g. Weev)
    – A cease and desist letter (e.g. 3Taps, also Power Ventures IIRC though I think the judge ignored it there)
    – A TOS (e.g. ConnectU, Power Ventures)
    – “Reasonable expectations” (held by some courts, e.g. EF Cultural Travel B.V, et al vs Explorica, rejected by others, e.g. EF Cultural Travel B.V, et al v. Zefer)
    – Implicit lack of authorisation, e.g. because of password controls (e.g. EF Cultural Travel B.V, et al v. Zefer)
    – A confidentiality agreement (e.g. EF Cultural Travel B.V, et al v. Zefer)

    That’s not an exhaustive list. Nothing stops a prosecutor from mentioning any fact at all they have which makes the same point and that they think the court might buy. It doesn’t have to be one that has been used in a precedent, either. After all, there is a first time for everything and precedents also get set.

    What you refer to as ‘false credentials’ is what I would call acting as an agent or proxy, and is anyway a red herring no matter what you call it. Whether or not the courts considered it a deciding or contributing factor indicating lack of permission (and if they did, the judges seem to have forgotten to mention that it was in their decisions?), the point would still be what that helped to establish: lack of permission. I don’t see how it would point to lack of permission on its own anyway, since it’s very common and Facebook do it themselves in their ‘find friends’ function. Showing a site acts as a proxy just leaves you trying to establish the same thing, i.e. that in this instance acting as a proxy wasn’t allowed. So you need some other evidence anyway.

    Bottom line is if you did something to someone else’s computer that you hadn’t got permission for, you better hope nobody can convince a court you knew that at the time.

  95. Brandon,

    Frank O’Dwyer, the distinction between a post and comment on a blog is pretty well known

    It’s also no secret that anything posted in an online discussion is often referred to as a post. I’ve been doing it for decades and you’re the first person to be confused by it.

    Not a big deal. I already said I get how it could be misinterpreted. But if you were looking for a sympathetic reading, I’d say the one that implies your interlocutor believes you are capable of time travel isn’t it.

    your comment makes less sense if we interpret it they way you say we should now. There is absolutely no reason I would be expected to cite things in order to tell you what I believe would make your comments more effective.

    Good grief. Next time I’ll put a smiley.

    Look: When you tell me that you believe something, I assume you are not merely blurting out a profession of faith, but actually have some evidence you think supports your belief and the things suggested by it.

    Specifically, if you say you believe I’d “find success” if I did X and Y, it suggests you think I haven’t done X and Y yet. But I think I have.

    So if you were really hoping to advance the discussion by having me “explain things” it would be helpful if you would be more specific as to what those “things” are.

  96. Frank O’Dwyer, your postings here have ranged from incoherent to inane to me. Maybe someone else can get value out of them. I can’t. I don’t intend to try any further.

    Maybe you should focus on trying to resolve things with lucia. She seems to have more patience for your commenting style.

  97. Frank
    Much of your argument is circular. You are assuming (claiming) the government’s motive in showing IP blocking, user agent spoofing and such is intent. In fact, the government’s motive in showing these is to show the computer was protected as required for access to violate 2(c) of the CFAA which is here http://www.law.cornell.edu/uscode/text/18/1030 So, for example: the government’s reason for discussing IP blocking in 3Taps is not to “show intent” but to show the computer was protected. If the computer had not been ‘protected’ the ‘intent’ would not be sufficient to result in a violation. With respect to all previously discussed cases in your long list of cases that supposedly show that knowingly accessing a url which is unauthorized is sufficient: your list fails because in those cases (i.e. 3Taps, Power Ventures, ConnectU, Weev) there is an element of bypassing a code based restriction. Doing so appears to be a requirement to create a violation under 2(c) of the CFAA or any entry involving the word ‘protected computer’.

    That intent is required is true. But it is not sufficient under our laws.

    You’ve added the siamese-twin cases involving the travel agencies to the list. All I can say is: violating a confidentiality agreement is an action and can itself represent an ‘attempt to defraud’. And note that the court you think supports your view about merely accessing urls “knowing” says “we do not reach the more general arguments made about statutory meaning, including whether use of a scraper alone renders access unauthorized”.

    Moreover, in addition to possibly “knowing” access was not authorized, Gormley one of the appellants had signed a confidentiality agreement. Signing and entering into an agreement is ‘an action’, it doesn’t merely show ‘intent’. Moreover, violating a confidentiality agreement often implies ‘fraud’. Moreover the first case states “Finally, the district court noted without elaboration that the scraper bypassed technical restrictions“.

    So this looks a lot like a case where — once again– at least two relevant ‘actions’ were either committed by or alleged to be committed by the defendant. One of them appears to be bypassing a code-based restriction. That’s not discussed to show ‘intent’. It is discussed as an action that is itself an element of the crime.

  98. Lucia,

    In fact, the governments motive in showing these is to show the computer was protected as required for access to violate 2(c) of the CFAA which is here http://www.law.cornell.edu/uscode/text/18/1030 So, for example: the governments reason for discussing IP blocking in 3Taps is not to “show intent” but to show the computer was protected.

    No, in the CFAA, ‘protected computer’ means protected by the law, not protected by technical controls.

    The term is defined in the law itself:

    (2) the term “protected computer” means a computer—
    (A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or
    (B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

  99. Lucia,

    “One of them appears to be bypassing a codebased restriction.”

    I already mentioned that circumventing a technical control is one way the prosecution can argue that “merely accessing a URL” was unauthorised.

    You are also overlooking that the SkS forum was protected by technical controls.

    When the average person visits the SkS forum, they are presented with a login page, not a list of links they are discussing. If you want to know what links they are discussing, you have to circumvent or bypass (“go around”) that.

    Someone with authorised access would simply login.

  100. Frank

    You are also overlooking that the SkS forum was protected by technical controls.

    The sksforum portion has access controls. The other part is not.

    I guess I do concede I misunderstood the ‘protected computer’ bit. I’ll plead “2 am in the morning.” The issue is what does it take for material to actually be unauthorized.

    Nevertheless, those actions were not provided as showing intent, but as indicating that the access was unauthorized, not to show intent. You can tell that if you read the actual arguments of the government– I posted some from the Weev prosecution. And you can read the judge’s ruling in 3Taps where he writes

    The parties agree that 3Taps intentionally accessed Craigslist’s protected computer and obtained information from it. The only dispute is whether 3Taps did so “without authorization.”

    The judge has identified the relevant questions in that bit. The judge isn’t saying the relevant bit was whether 3Taps “knew” or “was aware” the access wasn’t authorized. The judge is discussing that it is important to figure out whether or not it was unauthorized. (3Taps argues not that they didn’t know, but that Craigslist doesn’t have the right to de-authorize.)
    You can find the link to the ruling here http://www.volokh.com/2013/08/18/district-court-holds-that-intentionally-circumventing-ip-address-block-is-unauthorized-access-under-the-cfaa/ .

    You can see over and over in the prosecutor’s argument in Weev, that Spitler’s actions are not said to be showing ‘intent’ but rather those actions are the unauthorized access. “As the jury instructions make clear, “impersonating an authorized user” is “access without authorization.” A706” This is not a statement that impersonating shows ‘intent’ or ‘knowledge’ it is saying that doing so is unauthorized.

    “The jury was entitled to conclude, as Spitler himself concluded, see A264, A318, that AT&T had not made this information publicly available, and the conspirators’ access of this information was unauthorized.”
    The statement “this information was unauthorized” indicates that the jury concluded the access was unauthorized– not that they concluded Weev “knew” it was unauthorized. In this regard, the spoofing of the agent is brought as evidence not that Spitler knew it was unauthorized but that it was. (Spitler’s knowing it’s unauthorized can be evidence Weev also knew. But the fact is: the court needed to make a case that the access was unauthorized. The issue of the user agent control is evidence that it was unauthorized.)

    The language in the various rulings (or both prosecutors’ and defense arguments) is similar. The issue is establishing whether the access was unauthorized and much of the evidence you cite is advanced for that purpose — not to show “intent”.

  101. Lucia,

    “The sksforum portion has access controls.”

    So going around them to find out what people are discussing there can be argued to be unauthorised access.

    The average person without access to a private forum does not go through referrer logs and brute force a buggy anonymizer in order to find out what is being discussed in private, and an authorised user has no need to do that.

    Anyone else who wanted to know would just ask, unless of course they knew they’d be TTFO.

    “The other part is not.”

    Impossible to say without knowing the site setup. In any case knowing the URL certainly did require going through or around a login to discover what was being discussed in a private forum. That is clue #1 the material is not intended to be accessed unless you have a login to the forum.

    Also, If the results URL was genuinely publicly accessible, I would be able to type it in and access it. I can’t because I don’t know what it is. I don’t know what it is because the owners haven’t told me and I don’t have a login for the forum. That is clue #2.

    Clue #3 is that anyone clicking on the results URL with knowledge of the TCP controversy would immediately recognise what they were looking at, and know that the owners were on public record refusing to provide it (at least, not all of it). To go further and click on the deeper links in order to download the material anyway could be argued to be implicitly unauthorised access for that reason. Especially if one has left evidence in discussions all over the Internet that one knew that, as Brandon presumably has.

  102. Frank

    So going around them to find out what people are discussing there can be argued to be unauthorised access.

    No one went around the controls for the sksforum.

    The average person without access to a private forum does not go through referrer logs and brute force a buggy anonymizer in order to find out what is being discussed in private, and an authorised user has no need to do that.

    I have no idea what you think is abnormal about someone looking at referrers in their own server logs. Not only do normal people go through referrer logs, it’s considered advisable to look at one’s server logs to see what sorts of things are accessing one’s site. People who advise this activity include those working in security, those working in SEO and those working in various types of marketing areas.

    I’m not sure who you think wrote a “buggy anonymizer”. It appears John Cook wrote an anonymizer that did just what he intended: that is, hid the urls of the sites where the links were embedded. His anonymizer worked perfectly. Beyond that: no one was able to find out what was discussed in private. But we all guessed that we could find out what sites they linked.

    As for this: “an authorised user has no need to do that”. So what? An authorized user has no need to visit cat videos on YouTube; those visits are authorized nonetheless. Heck, an authorized user has no need to visit skepticalscience.com or nearly any site on the web– but visits are implicitly authorized by virtue of the page being public facing.

    As for sksforum.org/thread.php?p=i&t=j type pages: They were not protected in any way. You can keep verbally stomping feet and writing things like “Impossible to say without knowing the site setup”. But I visited some manually, so I saw the set up. Those pages were not protected. You entered the URI, the page forwarded you to a 3rd party site.

    Also, If the results URL was genuinely publicly accessible, I would be able to type it in and access it. I can’t because I don’t know what it is. I don’t know what it is because the owners haven’t told me and I don’t have a login for the forum. That is clue #2.

    Huh? It was perfectly possible to type in urls of the form “sksforum.org/thread.php?p=i&t=j” and access them. I visited some by typing the url way back in February.

    Clue #3 is that anyone clicking on the results URL with knowledge of the TCP controversy would immediately recognise what they were looking at, and know that the owners were on public record refusing to provide it

    You are confusing the question of whether someone would want a person to know something with whether their visits were authorized. If someone puts something on a billboard, looking at the billboard is “authorized” even if it turns out that the person who put the material on the billboard was hoping only his friends would drive by while hoping others would not find the billboard.

    Those pages were not access controlled. Visits were implicitly authorized. You (or John Cook) may regret that visits were authorized but they were authorized at the time the visits occurred.
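The two concrete techniques argued over in this thread, the routine review of referrers in one’s own server logs that lucia describes, and the `/../../../` pattern she gives as an example of an action beyond merely loading a URL, are both things the owner of a web server can check for from the access log. What follows is an added example written for this page, not code from the post, from any commenter, or from any site discussed here: a small Python script that parses lines in the Apache/nginx “combined” log format, tallies which hosts are sending visitors (a host you did not expect to see is how a link posted somewhere private reveals itself to the site it points at), and flags requests whose path climbs above the web root after percent-encoding is undone. The log lines, client addresses, hostnames and paths in `SAMPLE_LOG` are constructed for the example using the RFC 5737 test networks and RFC 2606 example domains.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# One line of Apache/nginx "combined" log format:
#   ip ident user [time] "method target proto" status size "referrer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: the addresses, hostnames and paths are invented for
# this example (RFC 5737 test networks, RFC 2606 example domains).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2014:14:02:11 -0500] "GET /2014/05/15/wanna-be-hackers/ HTTP/1.1" 200 5123 "http://private-forum.example.org/thread.php?p=12&t=345" "Mozilla/5.0"
203.0.113.5 - - [10/May/2014:14:02:12 -0500] "GET /favicon.ico HTTP/1.1" 200 318 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2014:14:05:40 -0500] "GET /2014/05/15/wanna-be-hackers/ HTTP/1.1" 200 5123 "https://www.example.com/search?q=hackers" "Mozilla/5.0"
192.0.2.9 - - [10/May/2014:14:07:01 -0500] "GET /wp-content/../../../../etc/passwd HTTP/1.1" 404 210 "-" "curl/7.35.0"
192.0.2.9 - - [10/May/2014:14:07:02 -0500] "GET /wp-content/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 210 "-" "curl/7.35.0"
203.0.113.5 - - [10/May/2014:14:09:30 -0500] "GET /about/ HTTP/1.1" 200 2201 "http://private-forum.example.org/thread.php?p=12&t=345" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referrer_hosts(lines):
    """Count the hosts that referred visitors; '-' (no Referer header) is skipped.

    A hostname you have never heard of turning up here is how a link posted
    on a private page becomes visible to the site the link points at.
    """
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec is None or rec["referrer"] == "-":
            continue
        host = urlsplit(rec["referrer"]).hostname
        if host:
            counts[host] += 1
    return counts


def escapes_root(target):
    """True if the request path climbs above the web root.

    Percent-encoding is undone twice so that %2e%2e and %252e%252e are both
    seen as '..'. A '..' that stays inside the root (/a/../b) is not flagged.
    """
    path = unquote(unquote(urlsplit(target).path))
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment and segment != ".":
            depth += 1
    return False


def traversal_attempts(lines):
    """(client ip, request target) for every request whose path escapes the root."""
    return [
        (rec["ip"], rec["target"])
        for rec in map(parse_line, lines)
        if rec is not None and escapes_root(rec["target"])
    ]


def analyse(log_text):
    """Run both checks over a block of log text."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    return referrer_hosts(lines), traversal_attempts(lines)


if __name__ == "__main__":
    hosts, attempts = analyse(SAMPLE_LOG)
    print("referring hosts:")
    for host, n in hosts.most_common():
        print(f"  {n:4d}  {host}")
    print("requests climbing above the web root:")
    for ip, target in attempts:
        print(f"  {ip}  {target}")
```

Run against a real log (`analyse(open("access.log").read())`), the first list is the one a site owner reads for unfamiliar hosts, which is all that finding a referring domain takes. The second list is deliberately narrow: a `..` that stays inside the document root is ordinary relative-path noise, and only a path that walks above `/` is reported, which is the pattern worth alerting on regardless of whether the server itself would have honoured it.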
