
IANAL, but the law does not require you to "circumvent" anything[1].

Simply, anyone who "accesses a computer without authorization ... and thereby obtains ... information from any protected computer" is in violation of the CFAA.

If the researchers in question did not download any customer data, nor cause any "damages", I am not sure they are guilty of anything. BUT, if they had, "the victim had insufficient security measures" is not a valid defense. These researchers were not authorized to access this computer, regardless of whether they were technically able to obtain access.

Leaving your door unlocked does not give burglars permission to burgle you.

[1] https://www.law.cornell.edu/uscode/text/18/1030



That's my understanding of the law. Even the "merge this PR without review using your administrator privileges" is potentially a crime if the company policy doesn't allow you to take that action. Basically, what the code does or intends is not a factor at all, only the potentially-implicit authorization policy controls.

If I tell you "the password on the postgres account at postgres.jrock.us is blahblah42" and you read the database, it could be argued that you're exceeding your authorized access. The reason people don't tell you their database password on Hacker News is because of countries that don't have that law, I assume.


> The reason people don't tell you their database password on Hacker News is because of countries that don't have that law, I assume.

That's silly, the reason people protect themselves is so that they are protected. Legal protection is another different kind of protection, but I think it's a deep stretch to argue that one can remove all the technical protections and still keep access to the CFAA and obtain meaningful protection from the law.

> protected computer

If you're suggesting that the CFAA itself protects the computer by definition, then you've excluded the possibility of such a thing as an "unprotected computer", which renders the extra word unnecessary. I don't think that's the intention, that all computers gain the implicit protection; I think there actually needs to be a policy or standard enforced, or ownership made clear.

In the tradition of US property law, I think you need to do the bare minimum of posting "NO TRESPASSING" signs at the border so anyone that walks by them can be said to have observed the difference between your space and the public spaces surrounding it (which they are permitted to be in, just like your private property so long as it's unprotected and they haven't been asked to leave before...)


> That's silly

Yeah, of course ;)

> In the tradition of US property law, I think you need to do the bare minimum of posting "NO TRESPASSING" signs at the border

I guess the law went for an allowlist instead of a denylist this time. Plus one point on their security audit!

> protected computer

As an aside, sometimes I wonder why people make threats like "you must not link to this site without permission". It's like saying "you must not look at my house as you walk by it". You can ask, but it's Not A Thing. I worry that the language could potentially confuse a court someday. (Or that it already did.)


The term "protected computer" is defined in the CFAA act[1].

Basically it's any computer used by a bank, the federal government, or used in interstate commerce.

This is just a quirk of the US system of government. If it doesn't fit those criteria, it's going to be up to the state to prosecute based on the state's own version of the CFAA.

[1] https://www.law.cornell.edu/definitions/uscode.php?width=840...


In practice, "protected computer" means "any computer".


I will not take out cash in public transport because I don't want to be pickpocketed

Now, does that mean that if I did, you'd have the right to pickpocket me?


Everyone that is doing security research without permission, and doesn't catch charges, is just luckier (or less annoying) than weev: https://www.wired.com/2013/03/att-hacker-gets-3-years/


This is such a horrible standard. Imagine I put up a web server and only intend myself to access it. I put no security on the pages. Is Google guilty of a CFAA violation for visiting the site?


The law is not a computer program. It sometimes relies on the ambiguity of human language, and uses human judges & juries to make reasonable decisions within that ambiguity.

I think, in your scenario, you would have a hard time convincing a jury that Google's access to your computer is unauthorized.


The same argument could be made about the security research in the article. I think the majority of potential jurors would never find someone guilty or liable for this, but there is always the risk that you are unlucky and end up with 12 who would.


You have to post something on the pages served indicating "authorized access only" or similar.


> accesses a computer without authorization

They were authorized, as per the permissions that Fizz gave users of the app on Firebase. A group of users noticed that it was overly permissive and reported it to them.

> Leaving your door unlocked does not give burglars permission to burgle you.

This is more like giving your stuff away and then reporting it as theft.


It's nothing like that. Fizz did not want these people making admin accounts on their server. That's the bottom line. They failed to prevent it (forgot to lock their door), but in no way did they actively "give their stuff away". No judge would see it that way.


> That's the bottom line. They failed to prevent it (forgot to lock their door) but in no way did they actively "give their stuff away"

A better analogy is that the bank forgot to lock their front door, failed to install a security system, and failed to secure their vault.

That our laws have zero accountability for these “banks”, even for good faith tap on the shoulder, is the ongoing failure of information security and our legal system.


I wonder if they're conflating CFAA with DMCA 1201[0]. They're similar in subject, even if they are actually about different things.

[0] https://www.law.cornell.edu/uscode/text/17/1201


It is true that leaving your door unlocked does not give burglars permission to burgle you, but how is an open door different than a closed door?

Legally, I think it's also true that an open door looks more like an invitation to enter (and it's different from burglary to simply poke your head in the door, see if anything is wrong, and not break or take anything).

If an API is served on a public network and your client hits that API with a valid request which returns 200 (not 401) and that API is shaped like an open door, such that no "knock" or similar magic or special protection-breaking incantations were required in order to obtain "the access" ...

Then would you concede it's not actually like a burglary, but a bit more like going in through an open door to see if everyone is OK? (It sounds like that's more precisely what happened here, I'll admit I haven't read it all...)


This isn't complicated. You can be convicted of breaking & entering through an open door. At trial, your defense will have to convince a jury that a reasonable person would believe they were entitled to go through the door. If the door was to, say, a Starbucks, that defense will be compelling indeed. If it is to a private home owned by strangers, you'll be convicted.

I think that's roughly how it will play out in a CFAA case too: the case will turn on why it was you thought you were authorized to tinker with the things you tinkered with. If, as is so often encouraged on HN, your defense turns on the meanings of HTTP response codes, you'll likely be convicted. On the other hand, if you can tell a convincing story about how anybody who understands a little about how a browser works would think that they were just taking a shortcut to something the site owner wanted them to do anyways, you're much more likely to be OK.

If you create an admin account in the database, it won't much matter what position the door was in, so to speak.

The concept we're dancing around here is mens rea.

(Again: DOJ has issued a policy statement saying they're not going after cases like this Fizz thing, so this is all moot anyways.)


I don't think it's that simple. The prosecution will have to prove the intent to commit a crime. If it looks like a service that should require authorization, and the door is swinging wide open, I think there's a decent argument to be made that you can't prove a reasonable neighbor's intent wasn't to perform a welfare check, and with no criminal intent there is no crime of burglary.

If my neighbor leaves his door open (in the winter, say), and I have cause to believe that something is wrong based on that, is a jury going to convict me for going in there to check on them? It really sounds like that's what was done here.

I guess creating an admin account while I'm in there is a bit like making a key for myself while I look around. That might be over the line. But without that step, I'm not sure how you can have proved that something was even wrong...

I'll go read the article now.


The crime in this case is accessing software running on someone else's computer without their authorization. The "someone else" in this case vehemently objects to the access at issue. The burden of proof is on the prosecution, but their argument is compelling enough that it's the defendant who'd have to do the explaining.

No: you will not get convicted checking on your neighbor. Everybody involved in that fact pattern will believe that you at the time believed it was OK for you to peek into their house. Now change the fact pattern slightly: you're not a neighbor at all, but rather some random person walking down the street. A lot less clear, right?

Anyways that's what these cases are often about: the defendant's state of mind.

Note here that this is a Firebase app, so while it's super obvious to me that issuing an INSERT or UPDATE on a SQL database would cross a line, jiggling the JSON arguments to a Firebase API call to flip a boolean is less problematic, since that's how you test these things. The problem in the SQL case is that as soon as you're speaking SQL, you know you've game-overed the application; you stop there.
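The failure mode described in this thread, a Firebase app whose rules let any signed-in client rewrite its own privileges, comes down to the server-side rules, not the client. The Firestore security rules below are an added illustration, not Fizz's actual rules or anything from the original post; the collection name `users` and the field `isAdmin` are assumed placeholders. The commented-out rule is the overly permissive pattern; the active rules restrict each user to their own document and refuse any write that sets or changes the privileged field.

```firebase
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Overly permissive (assumed example of the kind of rule described above):
    // any signed-in user may read and write every field of every user
    // document, so a client can flip a privilege flag with an ordinary write.
    //
    // match /users/{userId} {
    //   allow read, write: if request.auth != null;
    // }

    // Hardened version: a user may only touch their own document, may not
    // create it with isAdmin set, and may not change isAdmin afterwards.
    // Privilege changes must therefore come from trusted server-side code,
    // not from the client SDK.
    match /users/{userId} {
      allow read: if request.auth != null
                  && request.auth.uid == userId;

      allow create: if request.auth != null
                    && request.auth.uid == userId
                    && request.resource.data.isAdmin == false;

      allow update: if request.auth != null
                    && request.auth.uid == userId
                    && request.resource.data.isAdmin == resource.data.isAdmin;

      allow delete: if false;
    }
  }
}
```

Rules like these can be exercised against the Firebase emulator before deployment; the check worth writing is a write from an authenticated test user that sets `isAdmin: true` on their own document and is expected to be denied.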


> Now change the fact pattern slightly: you're not a neighbor at all, but rather some random person walking

It's times like these I regret that neighbors don't talk to each other anymore. How can we even have functioning internet if we don't have network neighborhood...


> The prosecution will have to prove the intent to commit a crime.

Friendly amendment: Generally, the prosecution must prove only the intent to take the action that's proscribed by law (and sometimes, the intent to achieve the specific outcome of the action). Proving that the actor intended to commit a crime is usually not part of the prosecution's burden. [0]

[0] https://www.nolo.com/legal-encyclopedia/general-vs-specific-...


> You can be convicted of breaking & entering through an open door.

That does not appear to be the case in Massachusetts. Here are the jury instructions relevant to B&E in the nighttime, with the full link below:

To prove the defendant guilty of this offense, the Commonwealth must prove four things beyond a reasonable doubt:

First: That the defendant broke into someone else’s (building) (ship) (vessel) (vehicle);

Second: That the defendant entered that (building) (ship) (vessel) (vehicle);

...

To prove the first element, the Commonwealth must prove beyond a reasonable doubt that the defendant exerted physical force, however slight, and thereby removed an obstruction to gaining entry into someone else’s (building) (ship) (vessel) (vehicle). Breaking includes moving in a significant manner anything that barred the way into the (building) (ship) (vessel) (vehicle). Examples would include such things as (opening a closed door whether locked or unlocked) (opening a closed window whether locked or unlocked) (going in through an open window that is not intended for use as an entrance). *On the other hand, going through an unobstructed entrance such as an open door does not constitute a breaking.*

(Italicized emphasis is mine.) Entering through an open door appears to be an entering (the second element of the crime), but not a breaking (the first element). IANAL.

https://www.mass.gov/doc/8100-breaking-and-entering-a-buildi...


> You can be convicted of breaking & entering through an open door.

This definitely must vary by state. At least in Michigan that would just be trespassing. I know, because I had some very in-depth conversations with my lawyer about whether I had committed trespassing or B&E while exploring steam tunnels underneath a university. In my case, B&E couldn't apply because the door was unlocked. I also committed no other crimes besides simple trespassing.


You're totally right. The more accurate thing to say is "you could be convicted of residential burglary by walking through an open door if the prosecution could convince a jury you did so with the intent to commit a further crime".


That sounds right. I also appreciate how much you regularly add to discussion about the CFAA. I personally think it's a horrible law, but for the most part my understanding of it matches yours. Too many people mix up what "should be" vs. "what is".

In general, I've learned that if you ever wonder whether you might be breaking the CFAA, you are in violation of the CFAA. The only time this logic has ever failed that I've seen was HiQ vs. LinkedIn.


Yes, I think your description is perfectly reasonable. You could make a convincing argument that the researchers poked their head into an open door. The fact that the law requires you to steal data or otherwise cause damages would support this idea.

I just wanted to argue against the idea that an unprotected computer is fair game for hacking. Morally and legally, it is not.


I do think you adding "if they took data" to this is a bit odd given the original post makes it very clear their defense relied on not taking data or changing anything.


What about just trying the doorknob to see if it's locked. Is that illegal?

