Anonymizing RFI Attacks Through Google

netbuzz writes "Noam Rathaus on his SecuriTeam blog describes a technique by which 'Google can be utilized to hack into websites — actively exploiting them (not information gathering by the use of "Google hacking," although that is how most of the sites vulnerable to RFI attacks are found).' He cites examples in the wild and even mentions that the technique could be used as a 'covert' communications channel."

In reality...

[lpiob]

It's a feature, not a bug.

Re:but is it a crime...

[Not_Wiggins]

but could you prove the case if you left a note in your "private" diary that you thought someone could be killed in a certain fashion...

I'll preface this by saying IANAL...
Prove? No. Provide circumstancial evidence? Yup.

As the grandparent stated, the real judgment behind this crime is one of intent. The nature of these links is so specific, targeted and intentional, that even if one didn't get accused of willful attacking, he'd be guilty of negligence.

Maybe it doesn't seem as clear-cut because we're "just talking about words."

But the web provides action to words, real things that can happen based on materials produced. So, if we put the question within a different context, maybe the "crime" part becomes more apparent:

How you you feel about a nuclear materials researcher leaving weapons grade plutonium in an unlocked box in his back yard while posting a notice in the local paper that such material exists unprotected for anyone to harvest? Would he be making the bomb himself and destroying people with it? No. Would it be tantamount to such an act? Yes.

I don't know how it would be prosecuted, but there's no doubt that it would be.

I think the reason there's even question of legality to these types of attacks isn't because the moral implications are ambiguous, but because the law hasn't been able to keep up with the latest in cybercrime.