9/21/2006

Proof



You are looking at the code behind Scott Howell's so-called "password screen." This is the screen that blogger Noah Kunin used to access a Mark Kennedy ad by typing "Allen." (He was looking for Sen. George Allen ads.)

Guess what. This is not a password screen.

The code above confirms my suspicions. An actual password screen gives the user access to a restricted area. The screen above is simply a redirect to a publicly accessible client web page. So, if you enter "Allen" it takes you to "Allen.html" - a publicly viewable page! That's why this page is completely useless and serves no function. Indeed, with a little research at the Internet Archive you can find client web pages and figure out that they're simply named "client.html".

As they say, developing...
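An added example (not the code from Howell's site or from this post) contrasting the redirect described above with a server-side access check. The file names, session token and function names are constructed for illustration; only the `/cybersession/name.html` pattern comes from the discussion on this page.

```javascript
// Constructed sample data: two client pages under /cybersession/.
const FILES = new Set([
  '/cybersession/clienta.html',
  '/cybersession/clientb.html',
]);

// What the "password screen" does: build a URL from the typed word,
// entirely in the visitor's browser. No secret is checked anywhere.
function gateRedirect(typed) {
  return '/cybersession/' + typed.trim() + '.html';
}

// Static hosting as the post describes it: every request for an existing
// file is served. The server never learns whether the gate was used.
function servePublic(req) {
  return FILES.has(req.path) ? 200 : 404;
}

// Server-side access control: the decision is made per request, on the
// server, from a session the server issued after authenticating a client.
const SESSIONS = new Map([
  ['tok-constructed-1', { client: 'clienta' }], // constructed token
]);

function serveProtected(req) {
  const session = SESSIONS.get(req.sessionToken);
  if (!session) return 401; // not authenticated
  const owned = '/cybersession/' + session.client + '.html';
  // Checked before file existence, so other clients' names are not leaked.
  if (req.path !== owned) return 403;
  return FILES.has(req.path) ? 200 : 404;
}

// Same page requested three ways against both servers.
function compare() {
  const viaGate = { path: gateRedirect('clienta') };
  const direct = { path: '/cybersession/clienta.html' };
  const loggedIn = { path: direct.path, sessionToken: 'tok-constructed-1' };
  return {
    publicViaGate: servePublic(viaGate),       // 200
    publicDirect: servePublic(direct),         // 200: gate adds nothing
    protectedDirect: serveProtected(direct),   // 401: URL alone is not enough
    protectedLoggedIn: serveProtected(loggedIn), // 200
  };
}

console.log(compare());
```

For a site owner, the practical check is the second and third results: if a page returns 200 to a bare request for its URL, it is public regardless of what any entry screen looks like.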

29 Comments:

At 9:47 AM, Anonymous Anonymous said...

I'm not a lawyer (and proud of that fact), but I would like to pose this question: If I lock my front door, but leave all the windows wide open, will I still be able to get a conviction for burglary if the police catch someone in my house?

 
At 9:50 AM, Blogger Chuck Olsen said...

I don't know, can I get a conviction for you being on this public web page? Wrong analogy.

 
At 9:52 AM, Blogger Chuck Olsen said...

Reminder -- Anonymous comments that aren't signed (you can make up a name) are subject to deletion. Everyone is being perfectly well behaved, but we've had problems in the past. Also, it makes it easier to tell anon commenters apart should we accidentally end up in a conversational thread. :-)

 
At 9:54 AM, Anonymous Anonymous said...

Awwww SNAP!

This is some FINE work Chuck *hatTip*...

http://www.mnpublius.com/2006/09/developing_new_patriot_scott_h.php

 
At 1:44 PM, Anonymous Anonymous said...

Does the /cybersession/ directory allow its contents to be listed? If not, the blogger is probably still on the hook legally. Poor security doesn't absolve the defendant in this case.

Using an unlinked file in a directory that doesn't allow listing is a common method of security for those who don't have the ability to configure server-side password protection. Doing such is amateurish, and more the domain of 15 year olds on GeoCities, but is still a known method.

Just because a server doesn't issue a password challenge on access doesn't mean anything on the server is fair game.

He needs to show that all he had was a direct link, and wasn't aware of the password screen at all. If he followed someone else's direct link, they would be the bypasser, not him. However, it seems he figured out the filename of his own accord here.

 
At 2:59 PM, Blogger Chuck Olsen said...

Sorry. Guessing part of a URL is not a crime.

I do it regularly - most recently some university site where a link to a faculty member's site didn't work. I looked at some other faculty member URLs and figured it out. Not a crime. Just part of daily life on the internets.

Of course the intent is entirely different in this situation (hmm, although who's to say I wasn't maliciously trying to find this faculty web page? hmmm....)

The Strib has an article on the ethics and legality of this tomorrow.

 
At 9:05 PM, Anonymous Anonymous said...

I think it is telling that you resorted to decompiling the flash (swf) file from their site as your "proof" of their lack of security.

When I try opening that SWF file in my version of Flash, it says it is a secured file that cannot be opened.

These guys may have been clueless about security, but that doesn't mean you can walk in through the screen door without consequence, especially if you're less than forthcoming about it.

 
At 10:50 PM, Anonymous Anonymous said...

this is beyond the pale...

From an ethics standpoint it might not be a good thing to decode a flash file and/or the html.

But... this is 2006. Security via obscurity has been debated on Slashdot since 1998.

In other words... the Kennedy web site is being run by clueless dweebs. Right or wrong doesn't matter as the access issues are common and well known problems today.

If you want a bad analogy... you decided to not lock your front door because it's a waste of time. The thieves came in and stole everything. Fine they committed a crime, but you're still an idiot.

 
At 10:55 PM, Anonymous Anonymous said...

So, I'm a 'hacker' now? If you don't want something published, don't put it on the internet. Period. This link shows Scott Baio has had piss-poor 'security' for years. There's plenty other stuff cached, by several different sites. I'll let you kids go play.

If what this guy did is illegal, then typing anything in the url area is too. I'll see all of you in prison. Literally, the FBI should be telling the OMG drama-queen Republicans to get a clue. Of course, national security is run by people just like Scott's webmaster. Sleep well.

 
At 11:38 PM, Anonymous Anonymous said...

This was a ploy and Noah walked right into it. No IT professional would find that an acceptable way to secure information. NONE!
It reminds me of an episode of The West Wing.
Here is a description: (sorry for the length)

The Ritchie campaign retaliated with its own behind-the-scenes political maneuver. Republican campaign staffer Kevin Kahn sends Sam Seaborn a video anonymously which contained an attack ad with no source or sponsor against Bartlet. Sam decides to sit down with Kahn, against the express wishes of Josh Lyman, Toby Ziegler, and Bruno Gianelli, and during the meeting hands the video over to Kahn (trying to show Bartlet wasn't attacking Ritchie, but also saying the Bartlet campaign had an ad like it "in a drawer" if the Ritchie campaign struck first). Unfortunately, Kahn had played Sam the entire time, leaking the video to the press and telling them it was given to the Ritchie campaign by Sam. As such, the news reported on the story of the leaked video, the video got played constantly in primetime on news networks, and the Ritchie campaign remained clean as they had not actually done anything but mail a videotape (which was only privately proven).

 
At 12:42 AM, Blogger Chuck Olsen said...

People really don't understand how the web works. I don't want to be on any kind of high horse though - in fact I'm really trying to educate people that have better things to do.

That Flash file, and every web page you visit, is downloaded on your computer. You bet your ass I can rip apart any file sitting on my hard drive. By the way, designers do this all the time with Flash files to learn how they work. Just like in the old days, you learned how to make web pages by viewing the source of other web pages.

Yep, this really is a tragicomedy for geeks!

 
At 10:03 AM, Anonymous Anonymous said...

Chuck I think you are missing something important here. Just because something is easy does not make it legal. Jaywalking is easy, speeding is easy, but our society has deemed both illegal. And I don't buy your argument that if it is on my computer "I can rip apart any file sitting on my hard drive" and neither does the law. If this was the case the music companies wouldn't have any recourse from people copying/sharing music CDs on the net.

You also might try reading the Flash End-User License Agreement. It states in there that the "End User Product" "shall not be reverse compiled or disassembled". You should consult with your lawyer regarding your "proof" at the top of this page and whether you are breaking the law.

 
At 10:44 AM, Blogger edgaralgernon said...

Just to nit pick... but the Flash End User License applies to the Flash software, not the content created by and displayed with it.

 
At 10:55 AM, Anonymous Anonymous said...

I think it's hard to say what is exactly legal and illegal with the internet. Using metaphors of illegal actions outside of the internet don't necessarily fit because they don't necessarily follow logically. The internet isn't like jaywalking, finding lost keys, or breaking a window - it's not like anything we've experienced before. So claiming something is illegal because it sounds like something in the real world that is illegal is a poor argument.

Besides, the counterargument to you, Mr Anonymous, is that while true that something easy doesn't make it legal, it is also true that something hard to find doesn't make it illegal.

- Joseph X

 
At 11:02 AM, Blogger Chuck Olsen said...

I never said "Because it's easy, it's legal."

In fact these web pages were easy to find - but more importantly they were public web pages accessible by anyone.

Why make this point at all? Because there are a lot of people claiming the site was "hacked." Which leads to saying it was illegal. I'm trying to provide information that suggests the opposite may be true. I'll let Noah's lawyer defend Noah - I'm out to correct disinformation and lack of understanding.

For example, without even seeing that client redirect page I was able to find another campaign video on Howell's web site. All I had to do was bring up his site in the Internet Archive - there are client page URLs there, clear as day for anyone to see. Furthermore, it's pretty clear from the URLs of those client pages that they're simply named "/cybersession/clientname.html". With that hunch, if I'm looking for a George Allen ad all I have to do is type "/cybersession/allen.html" and - whaddya know! There's the page, and there are the links to Kennedy Ads.

Yes, there are so many bad analogies. Pies, locked houses with signs... none of these analogies work. Can't we just talk about the reality of web pages, which obviously function differently than objects in the physical world?

That said, I have another analogy to throw on the pile. :-) Think of a library that's open 24/7. You can go ask the bored librarian to direct you to a particular book, or you can just go look for it yourself. The books are there, available to anyone. Regardless of whether the librarian directs you to a book, or you just go find it yourself, the book is sitting there on the shelf, available for anyone to look at.

Of course there are some differences, but generally the library analogy works. The main difference is the "librarian" is wearing a badge that says "security guard." He's not actually a security guard, and he's not really protecting anything, but he has a badge on to make people think that.

I have more to say but, gotta get back to work.

 
At 3:18 PM, Anonymous Anonymous said...

Beyond the whole legal/illegal debate, the larger question is was what was done ethical or not? Since the campaign person was fired and the FBI is being asked to look into it would be hard to argue that it is the right action.

This was so wrong, to try to spin otherwise says much about your morals and ethics.

Dave

 
At 3:27 PM, Blogger Chuck Olsen said...

Well Dave, I'm very comfortable with my morals and ethics.

And I think it's sad that someone got fired and that tax money is going toward any FBI energy.

Do I think it's unethical to try to find previous negative ads that are publicly available? Of course not. Kennedy's ad man, if I'm not mistaken, drew comparisons between Max Cleland and Osama bin Laden + Saddam Hussein. I think the public has a right to know what kind of mudslinger Kennedy has hired. So yes, I think any legal means of finding that information is entirely ethical and in the public interest.

 
At 3:32 PM, Anonymous Anonymous said...

Clearly it was unethical. That's why they fired the staff person.

None of this, however, proves that Klobuchar herself is unethical or unfit to be a Senator. To try and spin otherwise says much about your partisanship.

- Joseph X

 
At 3:45 PM, Blogger Chuck Olsen said...

The biggest mistake Noah made, especially for the Klobuchar campaign, was sending it to them. Even there, I don't think it was unethical so much as bad judgement. There's nothing wrong with sending a link to an ad that's publicly accessible. Nor, in my opinion, is there anything wrong with clicking on such a link.

The person was fired out of a need to save face and disassociate from the whole event, an event which I don't think they really understood fully but they understood that it looks bad. In any case, there's nothing but praise for the way Klobuchar handled this for the most part, and her campaign has hopefully moved on.

 
At 4:38 PM, Blogger J.Roth said...

If I constructed a huge, massive dual-encrypted, reverse-quadratic, ultimo security page (read-way hard to crack), but then someone figured out how, broke all the codes, and found--behind all the security--my link to www.Google.com, is what they did illegal?

 
At 11:04 PM, Anonymous Anonymous said...

In response to J.Roth: YES!

 
At 11:17 PM, Anonymous Anonymous said...

Chuck I think your library analogy is a good one. However, in this case, the book in question was behind the desk, where you are not supposed to be. You can ask the librarian if you can have the book or you can go around the counter and grab the book yourself.

I think Noah went around the counter and grabbed the book himself.

 
At 11:21 PM, Anonymous Anonymous said...

Chuck I think your library analogy is a good one. However in this case the book in question was behind the counter where you clearly are not supposed to be. You can ask the librarian for the book OR you can go around the counter and grab the book yourself.

I think Noah would grab the book himself.

 
At 11:47 PM, Blogger Chuck Olsen said...

J. Roth: Good question! Usual disclaimer ("I'm not a lawyer") but from what I've read, regardless of content, if you are accessing a private password protected area (as opposed to publicly accessible) then it would be a crime to bypass the security measure.

Two differences I'm arguing here. (1) While there was an attempt to look like a security measure, there was really only a redirect page. (2) There was no private area, only publicly accessible web pages.

Unsigned library anon: Yes, that's probably a better way to characterize it.

 
At 7:53 AM, Anonymous Anonymous said...

First off, I am a lawyer. The aide was fired to save face and the FBI called so it looks like someone is doing something about it. The guy is totally innocent, but the prosecutor can easily make him look guilty by throwing jargon and bad analogies at the jury. So, to all those posting that it is wrong and such, it's not. It was public domain and that's the fact. Don't be like the prosecutor and lie and manipulate it to your own means just to get a conviction, thus, more money. As you can tell, I'm a defense attorney.

 
At 9:07 AM, Blogger Chuck Olsen said...

I'm aghast at the lack of critical thinking around this.

I could wear a sign that says "I'm Chinese" but I'm not Chinese. For that matter, you could replace the word "name" with "password" on this blog comment form -- that obviously doesn't make it a password field.

I've used this kind of client redirect script myself, and know full well the reason to use such a script is because (a) It's easy, (b) It might make clients feel there's some kind of security at work, even though there is none.

Leave the legal analysis to the lawyers - probably good advice for everyone. But I won't leave the technology to the lawyers.

Right-wing bloggers think this post is funny. I'm sure the DFL would rather everyone just drop it and move on, since Klobuchar already took action and comes out looking peachy.

That won't stop me from showing the facts of how this stuff actually works. There's a huge amount of disinformation and mischaracterization around most aspects of these web pages. Whether it's a simple lack of understanding or partisan maliciousness, I'm out to educate and set the record straight.

For the 15 people who care.

 
At 7:28 PM, Anonymous Anonymous said...

Bowser, I can tell from your comment that if you are a lawyer, you are a piss poor one. The simple way to check it out is almost every public web site has terms of use. I have yet to ever read that these terms reserve ownership. Why? Simply because the content already belongs to the web page holder.

The fancy terminology about calling it a re-direct page is a useless excuse. The page asked for a password and reportedly Noah tried 18 times before succeeding. The page was not an open public page when the door is closed.

Second, he downloaded and shared a copy of the ad. That my friend is a Federal Offense. Just recently a Federal Prosecutor in Virginia charged a man for hacking into the American College of Physicians database and d/l email addresses. Relatively similar cases.

http://www.justice.gov/criminal/cybercrime/baileyCharge.htm

 
At 1:23 AM, Blogger Chuck Olsen said...

I easily found video ads on Howell's web site, for a different client, without ever seeing the redirect page. And indeed, without even guessing any URLs - I just looked up his site in the Internet Archive. This, my friend, is NOT a Federal Offense. It's called looking at a public web page. I could also easily find the same page Noah found, as could anyone, by guessing the URL. In this case, guessing the URL and guessing what word to type in the redirect page are exactly the same thing.

Obviously you can rightly question the ethics of what Noah did, but everyone needs to understand what he did before you can pass judgement on ethics or legality.

Jason Heiser has a great comment on Shot in the Dark about all this.

 
At 1:27 PM, Anonymous Anonymous said...

In response to Anon, and J. Roth....

No.

And I would make fun of you for getting pwned by google.

 
