
Is accessing a public website 'hacking'?


  • #16
    Re: Is accessing a public website 'hacking'?

    Originally posted by Deviant Ollam
    interesting... so this was an HTML page that hotlinked some content via that method? thus, making it not clear to the people viewing the page that they were using credentials, etc.

    pretty sneaky, heh. that in itself is a spiffy little hack, i'd have to say.
    to be honest I wasn't even aware that a browser would allow this to be used for linking images, yet then again it makes perfect sense.
    I'm still quite amazed that a person with a severe lack of technical skills came up with this method for fixing the "why doesn't my website work" issue. I'm thinking that it was made using some WYSIWYG webpage-o-tronic software and that he filled this in as the website URL instead of the HTTP link, thus having everything autocreated in this manner.

    Originally posted by Deviant Ollam
    nod. however, that same evidence (if the system logs on the FTP server were being generated in a way that makes sense) would also likely have indicated that the accessing was done with client software that wasn't all that typical... a web browser instead of an FTP client.
    well if you isolate a login entry there's really no difference to be seen, and they kept refusing to show him the full log, only the logs from his IP address. It showed a lot of consecutive logins, so "he must have been hacking really hard" ;)

    connecting to an ftpd with a browser just results in this being logged, so no real visible difference: (just tested it, vsftpd by the way)
    Tue Mar 16 08:54:59 2010 [pid 15609] CONNECT: Client "xxx.xxx.xxx.xxx"
    Tue Mar 16 08:55:03 2010 [pid 15608] [username] OK LOGIN: Client "xxx.xxx.xxx.xxx"

    Originally posted by Deviant Ollam
    it sounds like this is one of those situations where properly fighting it in court could have had the matter thrown out. i don't know Belgian law, but possibly if a lawyer were to demonstrate:

    1. there was this joke page that existed (if someone saved a copy)

    2. viewing that page automatically causes the FTP logins

    3. the FTP logs show it was a web browser logging in

    4. the FTP logs show multiple logins within less than a second (something no human would want to do or even could do manually) and data was only read, not modified

    5. the FTP logs showed scores of other such logins all at the same time, then never happening again

    6. someone, somewhere was irresponsible with keeping their login credentials secret

    ... there's a chance the case would have been dismissed. chances are, however, that it would have cost more than 250 Euro in legal fees. it's all a matter of how much a lack of a criminal record is worth to someone.
    possibly, however by then the page was gone and nobody saved a copy (which probably wouldn't really hold up in court anyway). This also happened in a time where most people didn't even know what the Internet was. The police officers involved in this would be acting like expert witnesses (they were with the FCCU, federal computer crime unit, and therefore were supposed to know everything about this, only they probably still got lost in minesweeper) saying that the logs certainly indicated an evil super hacker "because he logged in so many times"... and people would probably believe this.

    Yet if it was me in that situation I'd have fought it to the bitter end, I'd never take risks resulting in losing my clearance.

    Basically it can all be attributed to the sheer stupidity of the officials involved (I've since met some other people from the FCCU and they knew their stuff, and when I told them about this incident they replied that they have a lot of really dumb people there as well) and of course of the guy who created the website and basically put his credentials online for everyone to use. They should've given him a good taste of the LART.

    Originally posted by Deviant Ollam
    hopefully, this person won't click random links on IRC or will at least have the good sense to enable Tor before doing so.

    i'm glad that they weren't hit with other fines or any incarceration or confiscation of equipment. it's a shame it got that far, but technically someone else's login was "used" even if it could be proven to have been accidental/unintentional.
    I also hope for him that having this on his record won't harm him in the future. However in that time this was only a minor mischief (therefore the low fine and no court involvement) so it could be OK.
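Added example, not part of the original posts: a Python sketch of the log review discussed above, parsing vsftpd lines in the quoted format and reporting, per account, how many distinct clients logged in and how tightly each client's logins were packed. The account name `webmaster`, the documentation-range IP addresses, the sample lines and the result key names are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# vsftpd line format as quoted in the post: timestamp, pid, [user], event, client.
LOGIN_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] OK LOGIN: Client "(?P<ip>[^"]+)"')

def parse_logins(lines):
    """Yield (timestamp, user, client) for each successful login line."""
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
                   m["user"], m["ip"])

def max_burst(times, window=timedelta(seconds=1)):
    """Largest number of logins whose timestamps span at most `window`."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def summarize(lines):
    """Per account: distinct clients, login counts and tightest burst."""
    per_user = defaultdict(lambda: defaultdict(list))
    for ts, user, ip in parse_logins(lines):
        per_user[user][ip].append(ts)
    return {user: {"distinct_clients": len(clients),
                   "clients": {ip: {"logins": len(t), "max_burst": max_burst(t)}
                               for ip, t in clients.items()}}
            for user, clients in per_user.items()}

# Constructed sample: account name and documentation-range IPs are made up.
SAMPLE = """\
Tue Mar 16 08:55:03 2010 [pid 15608] CONNECT: Client "192.0.2.10"
Tue Mar 16 08:55:03 2010 [pid 15607] [webmaster] OK LOGIN: Client "192.0.2.10"
Tue Mar 16 08:55:03 2010 [pid 15610] [webmaster] OK LOGIN: Client "192.0.2.10"
Tue Mar 16 08:55:03 2010 [pid 15612] [webmaster] OK LOGIN: Client "192.0.2.10"
Tue Mar 16 08:55:04 2010 [pid 15615] [webmaster] OK LOGIN: Client "198.51.100.7"
Tue Mar 16 08:55:04 2010 [pid 15617] [webmaster] OK LOGIN: Client "198.51.100.7"
Tue Mar 16 09:40:12 2010 [pid 15701] [webmaster] OK LOGIN: Client "203.0.113.5"
""".splitlines()
if __name__ == "__main__":
    print("full log:     ", summarize(SAMPLE))
    print("one IP's rows:", summarize([l for l in SAMPLE if '"192.0.2.10"' in l]))
```

Run over the rows for a single address, the same summary reports one client for the account; the other clients using those credentials only appear when the full log is reviewed.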



    • #17
      Re: Is accessing a public website 'hacking'?

      If your site is so insecure that you don't need at least one tool, or you can type in admin admin and log in, you're not secure, and that's not hacking, a small child could do that, it's not the fact that routed around security if there was none to begin with.



      • #18
        Re: Is accessing a public website 'hacking'?

        Originally posted by Fallenour
        If your site is so insecure that you don't need at least one tool, or you can type in admin admin and log in, you're not secure, and that's not hacking, a small child could do that, it's not the fact that routed around security if there was none to begin with.
        Technically you're not correct with that theory. While it is incredibly weak security, it is security all the same. Unauthorized trespass is still unauthorized trespass no matter how weak the security is. The current laws in the US do not clarify whether or not 'strong' security was bypassed or 'weak' security was, just that security was bypassed. Actually it defines it as "exceeding authority on a protected system", meaning if you were not granted authority to be there, you shouldn't be there.
        A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
