Simply, anyone who "accesses a computer without authorization ... and thereby obtains ... information from any protected computer" is in violation of the CFAA.
If the researchers in question did not download any customer data, nor cause any "damages", I am not sure they are guilty of anything. BUT, if they had, "the victim had insufficient security measures" is not a valid defense. These researchers were not authorized to access this computer, regardless of whether they were technically able to obtain access.
Leaving your door unlocked does not give burglars permission to burgle you.
If I tell you "the password on the postgres account at postgres.jrock.us is blahblah42" and you read the database, it could be argued that you're exceeding your authorized access. The reason people don't tell you their database password on Hacker News is because of countries that don't have that law, I assume.
That's silly, the reason people protect themselves is so that they are protected. Legal protection is another different kind of protection, but I think it's a deep stretch to argue that one can remove all the technical protections and still keep access to the CFAA and obtain meaningful protection from the law.
> protected computer
If you're suggesting that the CFAA itself protects the computer by definition, then you've excluded the possibility of a such thing as an "unprotected computer" which renders the extra word unnecessary. I don't think that's the intention, that all computers gain the implicit protection, I think there actually needs to be a policy or standard enforced, or ownership made clear.
In the tradition of US property law, I think you need to do the bare minimum of posting "NO TRESPASSING" signs at the border so anyone that walks by them can be said to have observed the difference between your space and the public spaces surrounding it (which they are permitted to be in, just like your private property so long as it's unprotected and they haven't been asked to leave before...)
Yeah, of course ;)
> In the tradition of US property law, I think you need to do the bare minimum of posting "NO TRESPASSING" signs at the border
I guess the law went for an allowlist instead of a denylist this time. Plus one point on their security audit!
> protected computer
As an aside, sometimes I wonder why people make threats like "you must not link to this site without permission". It's like saying "you must not look at my house as you walk by it". You can ask, but it's Not A Thing. I worry that the language could potentially confuse a court someday. (Or that it already did.)
Basically it's any computer used by a bank, the federal government, or used in interstate commerce.
This is just a quirk of the US system of government. If it doesn't fit those criteria, it's going to be up to the state to prosecute based on the state's own version of the CFAA.
[1] https://www.law.cornell.edu/definitions/uscode.php?width=840...
Now, does that mean that if I did, you'd have the right to pickpocket me?
I think, in your scenario, you would have a hard time convincing a jury that Google's access to your computer is unauthorized.
They were authorized, as per the permissions that fizz gave users of the app on firebase. A group of users noticed that it was overly permissive and reported it to them.
> Leaving your door unlocked does not give burglars permission to burgle you.
This is more like giving your stuff away and then reporting it as theft.
A better analogy is that the bank forgot to lock their front door, failed to install a security system, and failed to secure their vault.
That our laws have zero accountability for these “banks”, even for good faith tap on the shoulder, is the ongoing failure of information security and our legal system.
Legally, I think it's also true that an open door looks more like an invitation to enter (and it's different from burglary to simply poke your head in the door, see if anything is wrong, and not break or take anything).
If an API is served on a public network and your client hits that API with a valid request which returns 200 (not 401) and that API is shaped like an open door, such that no "knock" or similar magic or special protection-breaking incantations were required in order to obtain "the access" ...
Then would you concede it's not actually like a burglary, but a bit more like going in through an open door to see if everyone is OK? (It sounds like that's more precisely what happened here, I'll admit I haven't read it all...)
I think that's roughly how it will play out in a CFAA case too: the case will turn on why it was you thought you were authorized to tinker with the things you tinkered with. If, as is so often encouraged on HN, your defense turns on the meanings of HTTP response codes, you'll likely be convicted. On the other hand, if you can tell a convincing story about how anybody who understands a little about how a browser works would think that they were just taking a shortcut to something the site owner wanted them to do anyways, you're much more likely to be OK.
If you create an admin account in the database, it won't much matter what position the door was in, so to speak.
The concept we're dancing around here is mens rea.
(Again: DOJ has issued a policy statement saying they're not going after cases like this Fizz thing, so this is all moot anyways.)
If my neighbor leaves his door open (in the winter, say), and I have cause to believe that something is wrong based on that, is a jury going to convict me for going in there to check on them? It really sounds like that's what was done here.
I guess creating an admin account while I'm in there is a bit like making a key for myself while I look around. That might be over the line. But without that step, I'm not sure how you can have proved that something was even wrong...
I'll go read the article now.
That does not appear to be the case in Massachusetts. Here are the jury instructions relevant to B&E in the nighttime, with the full link below:
To prove the defendant guilty of this offense, the Commonwealth must prove four things beyond a reasonable doubt:
First: That the defendant broke into someone else’s (building) (ship) (vessel) (vehicle);
Second: That the defendant entered that (building) (ship) (vessel) (vehicle);
...
To prove the first element, the Commonwealth must prove beyond a reasonable doubt that the defendant exerted physical force, however slight, and thereby removed an obstruction to gaining entry into someone else’s (building) (ship) (vessel) (vehicle). Breaking includes moving in a significant manner anything that barred the way into the (building) (ship) (vessel) (vehicle). Examples would include such things as (opening a closed door whether locked or unlocked) (opening a closed window whether locked or unlocked) (going in through an open window that is not intended for use as an entrance). On the other hand, going through an unobstructed entrance such as an open door does not constitute a breaking.
(Italicized emphasis is mine.) Entering through an open door appears to be an entering (the second element of the crime), but not a breaking (the first element). IANAL.
https://www.mass.gov/doc/8100-breaking-and-entering-a-buildi...
This definitely must vary by state. At least in Michigan that would just be trespassing. I know, because I had some very in-depth conversations with my lawyer about whether I had committed trespassing or B&E while exploring steam tunnels underneath a university. In my case, B&E couldn't apply because the door was unlocked. I also committed no other crimes besides simple trespassing.
I just wanted to argue against the idea that an unprotected computer is fair game for hacking. Morally and legally, it is not.