Friday, April 20, 2018
When is taking advantage of a Security Failure not a crime? An old and well (or at least frequently) documented problem.
Is Enumerating Resources on a Website "Hacking"?
I saw a story pop up this week which made a bunch of headlines and upon sharing it, also sparked some vigorous debate. It all had to do with a 19-year-old bloke in Canada downloading some publicly accessible documents which, as it later turned out, shouldn't have been publicly accessible. Let's start with this video as it pretty succinctly explains the issue in consumer-friendly terms:
… This was public data. Whether it was intended to be public or not does not change the fact that it was published to a location which exposed it to the world without any requirement for authorisation whatsoever. His "crime" was simply to use the technology as it was designed to work. There was a lot of support for this position
For my Ethical Hacking students. Be sure to wear the electronic equivalent of a bio-hazard suit.
I’m sure my lawyer friends will be able to explain this one. Sure.
Matt Burgess reports:
“Do not pretend that I do not exist, do not ignore me or break the deadlines,” was the message from one unknown hacker to a British company targeted in February 2018. The person stole a “very large quantity of data”.
Both the hacker and the hacked company are the subject of a High Court injunction. The legal ruling from judge Matthew Nicklin has been taken out to stop the company being named and prohibits hacked data from being stolen.
The case gives an insight into one hacker’s demands to a company and how it responded. It is the latest in a number of injunctions being taken out by companies that are looking to protect information that has been stolen from their servers.
Read more on Wired (UK).
OK, I don’t see how this is going to stop the hackers from dumping data if they don’t get paid. Maybe some web hosts will honor/comply with an injunction and remove data, but there are just too many ways/places to dump data for this to really make a serious dent in the problem. And what would stop a U.S. journalist from reporting on the breach, naming the company, and discussing any stolen data???
Good news for the White House? (Where would the President be without “Fake News” to blame?)
Americans Favor Protecting Information Freedoms Over Government Steps to Restrict False News Online
… Nearly six-in-ten Americans (58%) say they prefer to protect the public’s freedom to access and publish information online, including on social media, even if it means false information can also be published. Roughly four-in-ten (39%) fall the other way, preferring that the U.S. government take steps to restrict false information even if it limits those freedoms, according to a survey
I’ll believe it when my students start reading ToS.
The ‘Terms and Conditions’ Reckoning Is Coming
Eleanor Margolis had used PayPal for more than a decade when the online payment provider blocked her account in January. The reason: She was 16 years old when she signed up, and PayPal Holdings Inc. insists she should have known the minimum age is 18, because the rule is clearly stated in terms and conditions she agreed to. Clearly stated, that is, in a document longer than The Great Gatsby—almost 50,000 words spread across 21 separate web pages. “They didn’t have any checks in place to make sure I was over 18,” says Margolis, now 28. “Instead, they contact me 12 years later. It’s completely absurd.”
… GDPR, which comes into force in Europe in May and calls for fines as high as 4 percent of a company’s global revenue for violations, will make it tougher to get away with book-length user agreements, says Eduardo Ustaran, co-director of the cybersecurity practice at law firm Hogan Lovells. He suggests that companies streamline their rules and make sure they’re written in plain English. If a typical user wouldn’t understand the documents, the consent that companies rely on for their business activities would be legally invalid. “Your whole basis for using people’s personal data would disappear,” Ustaran says.
No other comment.
The FBI Restored Its Missing Crime Data
On Tuesday, the FBI restored 70 data tables that were missing from the 2016 Crime in the United States report, providing data that researchers consider crucial to their understanding of crime trends in the U.S. over time. The yearly report is considered the gold standard for tracking crime statistics in the United States, gathered from over 18,000 law-enforcement agencies in cities around the country. But the 2016 report, the first compiled under the Trump administration, was missing dozens of data tables that researchers rely on.