Comments on IT Law in Ireland: Morris Tribunal learns pitfalls of security through obscurity

TJ McIntyre (2005-06-13 15:33):

Planetpotato - you might well make that argument in a civil context. I don't think it would be successful in a criminal matter. It's unlikely that a court will be prepared to convict a person based on the uncertain parameters of the implied permissions of public sites, particularly when URL guessing (http://www.google.com/search?num=100&hl=en&lr=&q=url+guessing&btnG=Search) is a well-established web convention. Granted, an AUP could displace that implied permission, but in that case you'd have to demonstrate that the user read the AUP and realised that access was forbidden.

Anonymous (2005-06-10 14:54):

TJ - thanks for the link. I hadn't seen the Sunset Times piece; this was just a story I knew from the grapevine, but there's some additional info in that Sunset Times piece that amuses me, particularly McDowell's allegation that "there were more than 350 separate attempts [...] to overcome internet security measures guarding a web version of the report." What he means is that the report was accessed 350 times. There was no security.

For those who are curious as to how to "hack" like the Morris Tribunal "hacker", you might like to visit the report's site (www.morristribunal.ie) and go to the download area (left nav, second from bottom). If you have a look in your browser's URL bar, you'll see that the URL contains certain info. The piece of info that interests you is the RecordID. Start changing that RecordID yourself, and you'll pull back the info behind that RecordID. Given the actual URL of the unpublished Morris tribunal report, I imagine that this is how it was found. So be careful: if you find something that isn't yet published, Minister McDowell will send you to Sing Sing as a hacker.

But is this hacking? I firmly believe it is not and think McDowell will have a hard time proving it is. If you asked me for the URL of the Morris tribunal download area, and I typed it rather than cutting and pasting it, but inadvertently made an error when it came to the RecordID part of the URL, would that error qualify me as a hacker? That would mean that every time any of us mistype any URL we are hacking.

The people who supplied the Morris tribunal software could have avoided this issue by designing their content management system a little bit better. As a web developer, I am conscious of the fact that users will routinely deliberately or accidentally change elements of URLs. It happens. You design against it happening in a way that would cause damage or embarrassment.

Alternatively, the Morris tribunal staff could have avoided this issue by not being so stupid as to leave their report sitting on a publicly accessible web server so far in advance of its publication date.
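The two fixes the comment above points at, as an added example that is neither the commenters' code nor the tribunal site's: a download handler that refuses to serve a RecordID before its publication date (answering exactly as it would for a non-existent ID), and a log check that flags a client walking through RecordIDs, the pattern behind the "350 attempts" figure. The URL shape `/download?RecordID=<n>`, the log format and the sample catalogue are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class Record:
    publish_at: datetime   # embargo lifts at this instant (UTC)
    body: bytes

UTC = timezone.utc
# Constructed sample catalogue standing in for the CMS database (assumption).
CATALOGUE = {
    41: Record(datetime(2005, 6, 1, tzinfo=UTC), b"published report"),
    42: Record(datetime(2005, 6, 20, tzinfo=UTC), b"embargoed report"),
}
BEFORE_RELEASE = datetime(2005, 6, 10, tzinfo=UTC)
AFTER_RELEASE = datetime(2005, 6, 21, tzinfo=UTC)

def download(record_id: int, now: datetime, catalogue=CATALOGUE) -> tuple[int, Optional[bytes]]:
    """Return (HTTP status, body). An unpublished record answers exactly like a
    missing one, so a guessed ID learns nothing from the response."""
    rec = catalogue.get(record_id)
    if rec is None or now < rec.publish_at:
        return 404, None
    return 200, rec.body

# Assumed URL shape /download?RecordID=<n> in combined-log-format lines.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET \S*[?&]RecordID=(?P<rid>\d+)')

def enumerating_clients(log_lines, threshold: int = 5) -> dict[str, int]:
    """Client IP -> count of distinct RecordIDs requested, for clients above
    `threshold`; one ID per visit is normal, dozens in a row is enumeration."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m["ip"]].add(int(m["rid"]))
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) > threshold}

# Constructed log lines: one client walks IDs 40..46, another fetches one file.
SAMPLE_LOG = [f'198.51.100.7 - - [10/Jun/2005:14:00:{i:02d} +0100] "GET /download?RecordID={40 + i} HTTP/1.1" 404 0'
              for i in range(7)]
SAMPLE_LOG.append('203.0.113.9 - - [10/Jun/2005:14:01:00 +0100] "GET /download?RecordID=41 HTTP/1.1" 200 2048')
```

Calling `download(42, BEFORE_RELEASE)` returns `(404, None)` while `download(42, AFTER_RELEASE)` serves the file, and `enumerating_clients(SAMPLE_LOG)` returns only the client that walked the IDs.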