
Friday, September 22, 2006


Here's a thought experiment on the illegality of something. Remember, this is about illegality, not about whether it is ethical to do something.

1. Is it illegal to go to a public website, and generate random webpage requests to see if those pages exist on that website? For example, if you are at www.somesite.com, would it be illegal to request www.somesite.com/a.html, www.somesite.com/b.html, www.somesite.com/c.html, www.somesite.com/jones.html, and so forth? Most of the time, you will get "Page Not Found" errors. If you do find something, it is publicly available even if there are no outside links to it, so you aren't "hacking" anything.

I can't see how this is illegal. Lots of bots, search engines, etc. do these kinds of things. Now, if you were going to generate a million random page requests, somebody is probably going to notice, but is generating those page requests illegal?

2. Now imagine that you create a webpage with a JavaScript redirector that takes input and then asks for the appropriate web page. So, you type "a" in a box, and it requests www.somesite.com/a.html. You type "jones" in the box, and it requests www.somesite.com/jones.html. In effect, instead of randomly requesting pages, you are requesting specific pages that you type in. Is this still illegal? If so, what is the change from #1 to #2 that would make this illegal?

3. Finally, imagine that www.somesite.com itself has this box, and you use it to request web pages. Is this now illegal? What are the legal differences between #1, #2, and #3?

I appreciate input. Again, I am not asking if it is ethical to probe public websites in this manner; I am asking about legality.


At 8:40 PM, September 22, 2006, Anonymous Chris said...

Well, I have some political input, if you're interested. If you're not, just skip this. Expressing concern over Noah Kunin on the technical point of whether he's a "hacker" is nice, but completely beside the point. No matter what happens this November, Noah will go on being a DFL activist for years into the future.

At this point, the most important person is Amy Klobuchar, who is actually on the ballot. Any discussion of this matter should go like this.

1. Praise Klobuchar's handling of the matter.

2. Point out Kennedy's support of DeLay, and the fact that he was altering news articles on his website last year into puff pieces on himself. Note the hypocrisy in Kennedy, or any of Kennedy's supporters, lecturing anyone on ethics.

3. After a day or so, move on to other issues. If anyone tries to bring this molehill up again, treat them with amused contempt, and calmly brush them off as obsessed whiners.

Again, politically, writing long, technical, angry, sputtering defenses of Noah Kunin, while I understand where it comes from, is completely beside the point, and probably counter-productive.

At 9:07 PM, September 22, 2006, Blogger Brian Hanna said...

I'd have to agree with Chris on this.

Noah was wrong. Tara was fired. Amy called the FBI. End of story.

To your technical questions: probing a website with a massive number of generated URLs would likely be considered a nuisance waste of bandwidth.

Using a form on your own website to generate URLs is certainly legal.

Using a form on someone else's website with the word "password" on it without permission to do so is likely illegal, no matter what the mechanism is to process the input.

Prosecuting those who do so is often difficult because they rightly hide their identities. I have gotten 1000s of these attempts per day, and I believe they are all illegal. However, they have come from Russian and Korean web hosts which are likely compromised.

Anyone who wants to crack systems should consider the potential downside of getting caught.

I'm really sorry about Noah; I wish him the best. But his actions are indefensible. We should not be trying to make wrong right.

Let's drop this and move on.

At 11:15 AM, September 23, 2006, Blogger Wm said...

Unethical is one thing, illegal is another. I'm no lawyer, but I doubt it's illegal to "probe" a public website...

Is there someone with a law degree with any input, here?

At 10:25 AM, September 24, 2006, Anonymous Anonymous said...

To start answering your question, go here:

