15.04.14

Iterating a number sequence for lulz and jail time

Hello, readers! Today I bring you two posts about law: one Mozilla-related, one not. This is the Mozilla-related post. Mozillians may already know this background, but I’ll review for those who don’t.

The “hack”

In 2010 Goatse Security (don’t look them up) discovered a flaw in AT&T’s website. AT&T’s site detected accesses from iPads, extracted a unique account number sent by the iPad, then replied with a private account email address. Account numbers were guessable, so if someone “spoofed” their UA to look like the iPad browser, they could harvest private email addresses using their guesses.

The lulz

Andrew Auernheimer ("weev") wearing an old-school AT&T baseball cap
Andrew Auernheimer, i.e. weev, CC-BY-SA

The people who figured this out were classic Internet trolls interested (to a degree) in minor mayhem (“lulz”) because they could, and they scraped 114000+ email addresses. Eventually Andrew Auernheimer (known online as “weev”) sent the list to Gawker for an exclusive.

The sky is falling!

AT&T, Apple, the people whose addresses had been scraped, and/or the government panicked and freaked out. The government argued that Auernheimer violated the Computer Fraud and Abuse Act, “exceeding authorized access” by UA-spoofing and loading pages using guessed account numbers.

This is a broad interpretation of “authorized access”. Auernheimer evaded no security measures, only accessed public, non-login-protected pages using common techniques. Anyone who could guess the address could view those pages using common browser addons. People guess at the existence of web addresses all the time. This site’s addresses appear of the form “/year/month/day/post-title/”. The monthly archive links to the side on my site have the form “/year/month/”. It’s a good guess that changing these components does what you expect: no dastardly hacking skills required, just logical guesses and experimentation. And automation’s hardly nefarious.

So what’s Mozilla’s brief with this?

Developers UA-spoof all the time for a variety of innocuous reasons. Newspapers have UA-spoofed during online price discrimination investigations. If UA spoofing is a crime, many people not out for lulz are in trouble, subject to a federal attorney’s whims.

The same is true for constructing addresses by modifying embedded numbers. I’ve provided one example. Jesse once wrote a generic implementation of the technique. Wikipedia uses these tactics internally, for example in the Supreme Court infobox template to linkify docket numbers.

Mozilla thus signed onto an amicus brief in the case. The brief laid out the reasons why the actions the government considered criminal, were “commonplace, legitimate techniques”.

The cool part of the brief

I read the brief last summer through one of Auernheimer’s attorneys at the inestimable Volokh Conspiracy. I’ve been lightly meaning to blog about this discussion of number-changing ever since:

Changing the value of X in the AT&T webpage address is trivial to do. For example, to visit this Court’s homepage, one might type the address “http://www.ca3.uscourts.gov/” into the address bar of the browser window. The browser sends an HTTP request to the Court website, which will respond with this Court’s homepage. Changing the “3” to “4” by typing in the browser window address bar returns the Court of Appeals for the Fourth Circuit’s homepage. Changing the “3” to a “12” returns an error message.

Illustrating the number-guessing technique (and implying its limitations in the “12” part) via the circuit courts’ own websites? Brilliant.

Back to Auernheimer

The court recently threw out Auernheimer’s conviction. Not on CFAA grounds — on more esoteric matters of filing the case in the wrong court. But the opinion contains dicta implying that breaching a password gate or code-based barrier may be necessary to achieve a conviction. The government could bring the case in the right court, but with the implied warning here, it seems risky.

Sympathy

Auernheimer isn’t necessarily a sympathetic defendant. It’s arguably impolite and discourteous to publicly disclose a site vulnerability without giving the site notice and time to fix the issue. It may be “hard to feel sorry for them being handed federal criminal charges” as Ars Technica suggested.

But that doesn’t mean he committed a crime or shouldn’t be defended for doing things web developers often do. Justice means defending people who have broken no laws, when they are threatened with prosecution. It doesn’t mean failing to defend someone just because you don’t like his (legal) actions. Prosecution here was wrong.

One final note

I heard about the AT&T issue and the brief outside Mozilla. I’m unsure what Mozilla channel I should have followed, to observe or discuss the decision to sign onto this brief. Mozilla was right to sign on here. But our input processes for that decision could be better.

6 Comments »

  1. I agree that the CFAA is used to broardly and to harshly, but

    > Auernheimer evaded no security measures, only accessed public, non-login-protected pages using common techniques.

    Do you really want to make a legal difference between, and having to explain and argue it to a judge, these:

    --- 1 ---
    GET /login/admin/secret HTTP/1.1
    Host: www.example.com

    --- 2 ---
    GET /login?u=admin&p=secret HTTP/1.1
    Host: www.example.com

    --- 3 ---
    POST /login HTTP/1.1
    Host: www.example.com

    u=admin&p=secret
    --- 4 ---
    GET /login/ HTTP/1.1
    Host: www.example.com
    Authorization: Basic YWRtaW46c2VjcmV0

    ---------

    username/password authorization, as used in many places, is just security-by-obscurity.

    I don’t assume that you nor Auernheimer for a second believed that the site owner would consider the access to be authorized, regardless that the actual access control implementation was less than optimal.

    (your blog should really have an preview option)

    Comment by Anders — 15.04.14 @ 11:39

  2. “authorized” must have some sort of bar to it, else it’ll sweep in too much. Just because a URL isn’t published anywhere, doesn’t mean that someone visiting it is exceeding authorized access. If someone wants to take advantage of the law and make misuse of their site into a prosecutable crime, they should have to do a little work (relatively easy work) to make that happen, rather than depend on subjective judgments of intent. So yes, I do think we have to make and argue distinctions between different manners of access.

    Example 1 is just obscurity — anyone can visit that. The differences in manner for your examples 2-4 aren’t relevant for most sites — while in theory those could all access different virtual resources, in practice the substance is the user requesting a page and providing login credentials. Providing secret credentials tips the scale if access is over a secure connection, and perhaps (although less clearly) does so over insecure connections, too.

    Comment by Jeff — 15.04.14 @ 12:01

  3. My point is that your line of argumentation is not founded in common sense, but in a irrelevant technicality.

    Your argument seems to be that Auernheimer used a technique that is very similar to what web developers and security researchers do, therefor we should look very closely at tiny syntactical differences to infer the question of authorization.

    But all my examples of course encode the same information and at least 1-3 have not differences as to intend only some assumptions about the context. You might be able to use some technobable to confuse a judge into thinking there is a difference, but it would be contrary to common sense, a perversion of law and may create a dangerous precedent and therefor hurt the web.

    But you do not need to align yourself with Auernheimer and put yourself in the position of making the pseudo-technical argument. The argument could be that the technique used is very what web developers and security researchers do, therefor we should look elsewhere to determine the question of authorization of access.

    If someone is accused of throwing a rock through a window, you don’t see curling athletes stepping up in defense saying, “we also throw rocks, therefor this should be legal”, or firemen saying “we also sometimes, need to break windows, therefor this should be legal”.

    I seems the question in this case ought to be something like: did the server owner have a reasonable reason to consider that the access was restricted (not just “this journalist is not allowed to access our press releases, because we don’t like him”), did the defendant know this and did the defendant lack a valid reason to access the information anyway.

    Comment by Anders — 16.04.14 @ 09:39

  4. I tried making the argument as precisely as possible, but in the process I guess I made it harsh and antagonistic. I am sorry about that. And sorry to spam your blog.

    Comment by Anders — 17.04.14 @ 01:24

  5. You’re not spamming at all! What gave you that impression? (If it’s because I hadn’t immediately responded, that’s partly because my email’s been going through backend server migrations lately, and I mostly haven’t been able to read it this week as a result.)

    I don’t think the difference between no authentication, and authentication, is a tiny syntactical difference. It makes all the difference in the world. And in general, when possible, it seems better to me to have bright-line rules about when access is “authorized”, than to ask whether the server owner could “reasonably” believe access was restricted. For all such distinctions can be “objectively” described as reasonable in the context of Fourth Amendment law, it doesn’t make for simply judiciable standards.

    Comment by Jeff — 17.04.14 @ 10:30

  6. The volume of my posting. (I did not requite/demand a reply, but am grateful that you did)

    > I don’t think the difference between no authentication, and authentication, is a tiny syntactical difference. It makes all the difference in the world.
    I agree.

    > And in general, when possible, it seems better to me to have bright-line rules about when access is “authorized”, than to ask whether the server owner could “reasonably” believe access was restricted.
    I agree, but codifying common sense is the hard part. In this case it seems to me that you are using a mostly unrelated tiny syntactical difference in the technical means as an indicator of the important question of authentication.

    Comment by Anders — 18.04.14 @ 07:51

RSS feed for comments on this post. TrackBack URI

Leave a comment

HTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>