undefined | Better HN

0 pointsjamestnz12y ago0 comments

Well saddle-up, my friend ;-)

In seriousness, recall the weev/AT&T case[1]. As I understand it, the attack was roughly of the sophistication of making a totally unauthenticated request to:

get_user_email_address.php?id=N

(where N was from a series of sequential integers)... and apparently the feds had a colorable argument that N constituted an "access control system", and therefore the act of iterating the entire series of possible N values (and downloading the resulting data) constituted "unauthorized access to a protected system".

Not quite in the same realm as coughing up plain-text passwords, I'll admit. But clearly some relevant authorities would set the bar for "access control system" fairly low. And apparently rank incompetence on the part of the site developer/owner appears not to come into things.

[1] https://news.ycombinator.com/item?id=4808676

0 comments

feralmoan12y ago

Really wish there were better defense attorneys onboard in these cases because at their core these instances boggle the logical mind.

j / k navigate · click thread line to collapse

0 pointsjamestnz12y ago0 comments

Well saddle-up, my friend ;-)

In seriousness, recall the weev/AT&T case[1]. As I understand it, the attack was roughly of the sophistication of making a totally unauthenticated request to:

get_user_email_address.php?id=N

[1] https://news.ycombinator.com/item?id=4808676