authentictech's Techdirt Profile

authentictech's Comments

  • Jan 13, 2013 @ 08:00am

    If he had actually stolen 20 million physical journal papers he'd be charged with less and get less time inside.

  • Oct 19, 2011 @ 07:04pm

    Well in this case the JavaScript file was on your computer so you had every right to check it, but as for logging in using the username and password, you were skating on thin ice there and were lucky the company recognized your good intention (or perhaps didn't know you had actually logged in). They could have prosecuted you under the current laws in most countries.

    The thing is, you didn't need to log in and access those private files to get the problem fixed, you could have just pointed out to the company their insecure use of JavaScript and explained why anyone could have easily logged in. No illegal, unauthorized access was necessary to prove this point or get the problem corrected.

  • Oct 19, 2011 @ 06:57pm

    I've read that sentiment on quite a few articles and I would like to know precisely why this would make any white-hat hacker become black-hat. I just don't see where you're all making the connection. Surely a white-hat hacker, motivated by some good intentions, would not be so easily swayed unless they had a severe personality disorder to start with (which they probably don't). I mean, out of concern you tell a company about their security flaw and they get all hissy at you... then what? Why would you then decide you should now start hacking to cause damage or even steal money? You even make it sound like you think it's a somewhat justified reaction at being spurned, like the jilted lover who torches all his girlfriend's CDs because she left him and started dating another guy. It doesn't make sense. In fact, it's a little crazy.

    Most likely the white-hat hacker gets on with his real programming job and doesn't bother saying anything in future.

    Think about it a bit before saying something like this again.

  • Oct 19, 2011 @ 06:45pm

    Agreed but with a slight correction: The request was authorized (incorrectly) by the server - the fault of the company.

    The act of accessing another customer's account was an action unauthorized explicitly by the terms and conditions of the bank and the law of the land, so that was the fault of Webster.

    So while it was indeed "less pernicious" it was still not a permissible action. Technically, both were at fault but while the company were criminally negligent, Webster had only misguided good intentions. The company should be made an example of, not Webster.
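The distinction the comment draws, between the server wrongly authorizing a request and the customer issuing it, is the classic object-level authorization failure: the application confirms that someone is logged in but never checks that the account they asked for is theirs. The following is an added illustration, not code from Techdirt, the commenter or any bank; the account records, user names and audit log are constructed for the example, and the hardened handler returns the same error for a foreign account and for a non-existent one so that account ids cannot be enumerated.

```python
"""Vulnerable and hardened account lookups side by side (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


# Constructed sample data: two customers, one account each.
ACCOUNTS: Dict[str, dict] = {
    "acct-1001": {"owner": "alice", "balance": 250.00},
    "acct-1002": {"owner": "bob", "balance": 9100.50},
}


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested object."""


@dataclass
class Session:
    """Identity established at login; assumed to be already authenticated."""
    user: str


@dataclass
class AuditLog:
    """Minimal stand-in for an application audit trail."""
    entries: List[str] = field(default_factory=list)


def get_account_vulnerable(session: Optional[Session], account_id: str) -> dict:
    """Vulnerable pattern: authentication is checked, ownership is not.
    Any logged-in user can read any account simply by changing the id."""
    if session is None:
        raise Forbidden("login required")
    return ACCOUNTS[account_id]  # no check that session.user owns this account


def get_account_hardened(session: Optional[Session], account_id: str,
                         audit: AuditLog) -> dict:
    """Hardened pattern: look the object up, then compare its owner with the
    authenticated identity before returning anything. A foreign account and an
    unknown account produce the same response, and every denial is logged."""
    if session is None:
        raise Forbidden("login required")
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session.user:
        audit.entries.append(f"DENY user={session.user} account={account_id}")
        raise Forbidden("no such account")
    audit.entries.append(f"ALLOW user={session.user} account={account_id}")
    return record


def is_denied(user: str, account_id: str) -> bool:
    """True if the hardened handler refuses this user access to this account."""
    try:
        get_account_hardened(Session(user=user), account_id, AuditLog())
    except Forbidden:
        return True
    return False


def cross_account_read_blocked() -> bool:
    """bob asks for alice's account under both handlers: the vulnerable one
    leaks it, the hardened one refuses and records the attempt."""
    bob = Session(user="bob")
    leaked = get_account_vulnerable(bob, "acct-1001")["owner"] == "alice"
    audit = AuditLog()
    try:
        get_account_hardened(bob, "acct-1001", audit)
        blocked = False
    except Forbidden:
        blocked = True
    return leaked and blocked and audit.entries[-1].startswith("DENY")


if __name__ == "__main__":
    print("cross-account read blocked by hardened handler:",
          cross_account_read_blocked())
```

The DENY entries are what a defender would alert on: a single session requesting many account ids it does not own is exactly the pattern the comment describes, and it is visible only if the ownership check exists and logs its refusals.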

  • Oct 19, 2011 @ 06:32pm

    Re: Depressed Computers...

    "Unsecure" seems more like a verb to me, so "insecure" would indeed be correct in describing something such as a computer or bank. Hence (if I am correct) a person would unsecure a computer by removing the password and thus make it insecure.

    Am I right?

  • Oct 19, 2011 @ 06:24pm

    Re: Bank Security

    The difference is, there is a clause in your hypothetical bank's terms and conditions saying that under no circumstances should any customer touch or attempt to open another customer's box. Any customer discovered interfering with or opening a box that does not belong to them is liable to their account being closed and prosecution. The hypothetical person who went into the vault knew that it was illegal to attempt to open another customer's box but did so anyway; in fact, he opened around a thousand boxes even though he could have just tested one or just told the bank staff themselves to check that they looked a bit suss and should be checked.

    Similarly, the real person could have tested just one access, or none at all, and written an email or letter to the Bank CEO, manager and IT manager asking if this potential security flaw had been tested and whether it was safe. A reply might have told him, "yes we have checked it and it's OK" (although they probably would have said the same if it wasn't and they just fixed it). Either way the problem could have been resolved with no law broken. If they had not replied within a given time frame, perhaps then he could have checked one time to see if the flaw was there and written again. The first letter would probably cover him a bit better legally given that he tried to warn them and got no response.

    Of course, it would be ridiculous to prosecute either hypothetical person or real person - having examined all the facts surrounding the situation and agreed that the actions were with good intention, but I would have no surprise really if the company wrote a letter warning him that what he did was illegal and against their terms; but it does surprise me that any punitive action was taken against him and I would be even more surprised if more action was taken. What should happen is the company hang its head in shame, wring a few necks internally, and count themselves lucky they didn't get caught out with worse.

    But I fear, reading some responses, that what some "white-hat hacker" types are more afraid of is that their fun is being taken away from them. Listen: if no one invites you to test their security you have no business doing it - whatever your motive - so don't do it. If you don't agree that this is right and fair, fair enough, but comply with the written law if only just to protect yourself.