About 20 years ago I had a co-worker that would often fly from the west coast to Washington DC. The best flights were direct non-stops, but they were very expensive (about $2K at the time). He found that since Dulles was a hub, if he booked a flight to a smaller airport on the east coast, he could get a ticket for about $500 where he was supposed to "connect" at Dulles, but instead would just leave the airport and not show for the second leg. Only downside is he could only take carry-on luggage since he couldn't check anything, but they were all shorter trips booked last minute so that worked fine for him. Saved a ton of money. He would do the same for the return with the hub being San Francisco or Los Angeles. Airlines never said anything. He even once found out the second leg was oversold (it was the next gate when he deplaned), volunteered his seat, and got a travel and meal voucher, all for not using the ticket he wasn't going to use anyway.
No, being accessible and being published are not the same thing. That is like saying my bank information is published because anyone who uses my username and password can access it from their web browser. If the system is designed to prevent access, even if it is badly flawed, then knowingly bypassing that access control is a crime under US federal law. If the user chooses to place the file directly in public view, like the defendants in this case (although unknowingly), then it isn't a crime nor a violation of the user's privacy. If I have a stolen painting that I hang on the wall of my private residence, the police would normally need a warrant to come in and look for it, but if I forget to close the blinds and they see it from the street, or to bring automation into it, on Google streetview, then I lost my expectation of privacy.
Anyway, Weev had to manipulate a URL to get the information. He even wrote a script to do this.
Police used "an automated P2P query-response tool".
That is like saying the police used a Google search and found some kiddie porn, so they used "an automated" query tool which makes it inadmissible. Using a tool to facilitate the collection of published information doesn't constitute unauthorized access. Writing a script to brute-force a URL field does. By placing the files in the P2P folder for sharing, they published it (intent not required), so in these cases police OK, Weev in violation.
Keep in mind that misusing publicly available information can still be illegal, so if a website accidentally sent you someone else's information when you type a typical search, you haven't broken a law, but then using it to have orders sent to you using their saved card would be, even though the website's programming allowed it.
I haven't read the articles, just the summaries, but I did stay at a Holiday Inn Express last night, so here goes.
There is a significant fundamental difference between these two, as others have tried to express. In the Weev case, he had to figure out how to get to the data which was not directly accessible through normal links. The authorities charged him with hacking since it was an unauthorized access.
In the P2P case, the defendants had placed the files in a location that was both accessible and searchable, which implies consent.
So, by analogy, the Weev case is like a store with a bad push-button lock on the door that takes only a couple digits to open. Making the claim that "anybody could have walked up and entered that combination and gained entry" shows the problem with the "made available" defense for Weev. By that theory, if I guess your bank account password then I haven't broken any laws since anybody who entered the right credentials "could have accessed it". In the P2P case, it is more akin to a store having a public front section and a private back section, and the store owner accidentally put an illegal item in the front section where the police saw it. It doesn't matter that it was a mistake, it was in plain sight, and therefore no warrant needed.
The summary says "the Russian government is warning its citizens to not travel to countries that have an extradition treaty with the United States", but the article says:
"The Russian Foreign Ministry posted advice of a somewhat different nature on Monday, cautioning people wanted by the United States not to visit nations that have an extradition treaty with it."
Unfortunately, that small omission significantly changes the meaning of the line.
And cue the conspiracy theories that will say the NSA can break elliptic curve cryptography, so they cause fear that the discrete logarithm problem will soon be solved to get people to migrate to that which they can break. Hell, in today's world it might even be true, though I would bet on it.
China has implemented the Great Firewall of China, both to monitor and control their citizens, as well as to limit the ingress points into China (three major ones if my memory is right) so they can more easily monitor and cut the lines if attacked. Compare that to the United States which has so many major lines running into/out of the country that it would be nearly impossible to block an attack from outside (not that inside versus outside is truly a big difference). Since these attacks are coming from behind the firewall, and little or nothing is being done to stop them, it is easy to conclude that the government is choosing to allow them to happen. Compare this to the news stories of Chinese citizens being arrested, tried and executed for hacking internal Chinese companies.
Now consider the philosophy difference between the Chinese and Americans, where the Chinese people are raised to believe they have a duty to perform actions to help their country. The government doesn't have to tell people to hack into systems in other countries to collect useful information (which they also do), they just have to make it known that the information is desirable, then not block the attempts by the "non-government" hackers (see my first paragraph). If a citizen later has come into possession of valuable information which they choose to share with the government, then they are just being a good citizen. We call it hacking, China calls it patriotism.
So why does China now respond? Because they are walking a tightrope. They are seeing how far they can push things before it has an unacceptable consequence. That is also why I think we chose to speak up this time, because to always remain silent just lets China continue doing their antics with no real consequences. So why this time and not others? Because if you keep telling the attacker what you saw, and by implication what you didn't, you give him valuable information that can make him more effective and more stealthy.
It may not be the classic form of war, but it follows a lot of the same rules. And because of the difference of philosophies, it is a somewhat asymmetric war.
This is basically a supply chain attack. People worry about others breaking into their devices, but the user has to trust the device supplier not to tamper with it before they receive it. This situation is analogous to your PC phoning home to Microsoft for updates, then having a special version sent to your machine at the request of the FBI. No matter how careful you are about what software you run or what security software you employ, Microsoft can compromise your machine.
Congressmen demanding the White House give citizens due process, the Obama Administration petitioning the court so that people are free to photograph police, and now the courts saying the 4th Amendment applies to people at the border? What is next, cats and dogs sleeping together?
I mean really, I have complete faith in those automotive engineers to have envisioned every single possible condition the system will have to deal with. And also to have designed the electronics so that even if a component or wire fails, hell, even if a bunch of them fail, the system will automatically do the right thing.
Don't you?
Nuke it from orbit, it's the only way!
Oh, wait...
Doesn't each of those genes have prior art? In what way have these companies created a new and innovative device?