(keitai-l) Re: Tricking a server or Tricking yourself. (Long!) (Even longer!)

From: Marc Printz <MPrintz_at_724.com>
Date: 03/18/01
Message-ID: <3AB4E05C.CE9E67EF@724.com>
Hiho,

I'm just back from a longer trip again and in this strange twilight mood
while curing my jetlag I cannot resist answering this thread (it kind
of asked me to!)

Things are a bit more complicated:

1) Gaining access to a site by faking anything on the Internet is just
fine - be it fake user/pwd, fake HTTP request headers or fake TCP/IP
packets. This is not illegal by itself.

2) It is however illegal for a user to gain unauthorized access to a
site, given that it can be expected of him to know that he is
unauthorized. Using any of the measures in 1) will likely be considered
as an act of illegal hacking. In this context, gaining access without
making an "effort" such as in 1) does not make it more legal though.
Likewise, gaining _authorized_ access by making an effort such as in 1)
doesn't really fall under any regulation I guess (this reminds me more
of Pink Panther's Inspector Clouseau and his friend Mr. Kato :-) ).

3) A user doesn't have to be granted access to a site explicitly. No
court will allow a site to sue a user for accessing their WWW content if
the user found a link to the site say in a search engine and went there,
given that he could not know/guess about this being an unauthorized
access. So the site has to make a "reasonable effort" to a) keep users
out of their system who are not authorized b) inform any users accessing
the site about the non-obvious rules regarding site access. Any hurdle
set up by a site that is _designed_ to keep unauthorized users out, such
as authentication schemes via user/pwd, will easily be recognized as a
reasonable effort. Anyone unauthorized trying to get over that hurdle is
acting illegally no matter whether it is super secure or all passwords are
"123". What is important is that from this point on the unauthorized user
knows he's an unauthorized user.

4) The WWW was designed with openness in mind and by default all web
links point to Web pages that grant access to anyone. Sites that do not
wish particular content to be accessed by the general public have to
make a dedicated effort to prevent unauthorized use. This can be as
simple as saying: "If you're not an adult, don't follow the link below"
on the entry page and not allowing direct access to the pages that
follow. In a site's own interest, and for more valuable content (e.g.
bank account data), the site owners have to make more of an effort, too.
A bank can't claim their site has been hacked if the only protection of
their content is "Please don't press the link below to the account data if
you are not John Smith" on the home page. I very much believe that
people pressing the link will not go to prison for viewing the account
data but the bank's officials will instead. Transferring money is a
different matter. Because of the inherently hyperlinked nature of WWW
sites it cannot be easily claimed that a user 'broke' into a system just
because he entered a URL or followed a link. For a user, the WWW itself
is "the system": the WWW system seen as a collection of websites doesn't
have boundaries as visible as, say, a collection of corporate mail
servers.

4) An unofficial and otherwise freely accessible i-mode site on the
Internet that does not have any terms and conditions forbidding access
to non-i-mode browsers and just uses an HTTP header to identify the
browser type (for whatever reason - e.g. content adaptation) will be
considered as not making a reasonable effort to prevent users entering
from PC browsers. The User-Agent HTTP header was not designed to provide
authorization. In fact, the PC user cannot even assume that it is the
intent of the site to keep him out if he is not explicitly told.

(Compare: Consider a bank having an entrance with two glass door halves.
The left says "Initials A-M", the other says "Initials N-Z". If the
latter is locked it is reasonable for me to try the other one if both
doors lead to the same place, no? Or am I considered to be breaking into
the bank then?)

(Compare: Search engines accessing all WWW sites worldwide)

5) Conversely, a Website that is accessed by an i-mode phone (ref.
recent Japan Inc. article) but didn't plan to be used from an i-mode
phone can't really claim to be hacked - what is so different about
mobile access?

6) If DoCoMo were to replace an i-mode phone's User-Agent setting with
one indicating the client is a Netscape browser, then a content provider
who tried to prevent access from i-mode phones couldn't claim he has
been hacked either. Can he?

7) Ever looked into the User-Agent setting of Microsoft Internet
Explorer? Mine says: "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01;
Windows NT 5.0)". Now, isn't that strange? Mozilla is Netscape's
User-Agent setting. Now guess why.

8) Quite obviously, taking copyrighted content from anywhere and
reproducing it elsewhere is not allowed without permission. But that's
an entirely separate issue.
 
-----------------------

So, in response to the mail:

Juergen Specht wrote:
> 1) Some people write 'fake' headers to request the content
>    outside of mobile phones.

So? If content providers or operators don't want this then they should
invent either a decent authorization scheme or design their own private
networks or protocols or representation languages and not take
opportunistic advantage of the existing Internet infrastructure and
intellectual property. Web pages on the Internet are by default open to
anyone. This is true for Netscape browsers, Opera browsers, Spyglass
browsers, Access Netfront browsers, search engines - even for Internet
Explorer!

> --< point 1 >---------
> It's quite common to use scenario 1, but to give
> the tools away publicly (including source code) in
> a mailing list? Especially one whose target is not
> (only) developers? I don't know if I like it too
> much. What's the big difference between simply
> faking some headers and faking some packets
> (except the skills of diving deeeeeeeeeeep into TCP)?

The difference is: the latter is more difficult for people below the
level of advanced god.

I know I'm putting something into your mouth here, but I don't think
that i-... is a hacking tool even if it uses an i-mode User-Agent
setting (NB: when I tested it, it even had a DoCoMo logo on it as
far as I remember! If at all, this might be a copyright issue).

Of course, I also condemn the posting of tools that for example allow
even novices to develop & spread their own viruses. One just doesn't
offer small simple metallic things to be attached to rail tracks - even
if the misguidedly 'heroic' intent behind it is to point out and
prove that the public train system is not 100% secure. As you say:
"Nothing is secure". Particularly in the real world - but some people
think it either does less harm in the virtual world or it is easier to
get away with it.

> 
> If you check for example this link to the Nokia sponsored
> site TokyoFoodPage (sorry Robb, but your site is way too
> handy NOT to be used as an example):
> http://202.221.249.3/lifestyle/mymenu/e_index_food.html
> 
> and point your browser to the link 'Registration' you see
> a lot of parameters which will be sent to the host w1m.docomo.ne.jp.
> 
> This host is not reachable from outside the I-Mode network, so you
> have no luck. But with some nasty tricks and some criminal energy
> you can do a lot with this information...you even can get access
> to this site (which will be a stupid idea, all this work for a
> free site!).
> 
> But my point is, that I don't like it too much that information to
> avoid access control to sites is too simply available on this list.
> This is the Internet. *Nothing* is secure.

I wouldn't point to specific weaknesses of individual sites on keitai-l
(as above) but rather inform these sites directly if I knew one. However,
with regard to general weaknesses:

The one and only reason why we have reasonable security in the Internet
nowadays is that people talked openly about it. It might have been
painful for individual companies but good for society at large. It would
be way more painful for companies now if there had not been this dialog
in the past. There is no point in hiding facts - even on keitai-l:
People on this list include content providers who might actually not be
too aware of security issues. This discussion hopefully brings these
security issues to their attention. If the press writes about
possibilities to access i-mode from the web, so what? They already write
about how to access the web from an i-mode phone!

If the change of HTTP headers already poses a security threat to content
providers then we better discuss this early! Perhaps this also increases
long-due pressure on carriers to open up for truly end-to-end secure
access.

With reference to the rail track example above, I agree it has to be
well considered what is ok to talk about in public (and on this list)
and what not, so some weirdos don't get funny ideas that in the end cost
lives (physical, financial, ...). Particularly things that cannot be
changed anyway shouldn't be elaborated on (see ...). I still think it's
safe to talk about HTTP headers.

> 2) Some people make screengrabs of content and publish them
>    without a basic knowledge of copyright.
>(...)

I agree with your points on this one. Except that for copyright
infringement it doesn't at all matter how one screengrabs - with or
without using headers - just taking and publishing the content is
enough.

> So please guys, not everything which can be done, should be done.

Ok, if you say so.

> PS: This post contains a sublimal message :)

I might have missed it.

Take it easy & sorry for ranting back    ;-)
Best regards,
Marc

PS: In a follow-up mail there was a mention of people having great
business models that had failed: If companies thought they had a good
business model and failed because of others using obscure or even
illegal practices, then the business model was quite apparently flawed
(What about opening a bank that doesn't have a safe? You'd blame the
bank if it loses all the money in a robbery. And rightly so). The
business model must fit the real world, not Utopia.

[ Did you check the archives?   http://www.appelsiini.net/keitai-l/ ]
Received on Sun Mar 18 18:14:13 2001
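A defender's illustration of the distinction the thread draws, added here and not code from the post or from any site it names: the User-Agent header steers content adaptation only, while access is decided by a credential the client cannot guess. The session store, the session token and the sample User-Agent strings are constructed for the demo.

```python
# Added example, not from the keitai-l post. User-Agent is a self-declared
# hint: fine for picking an i-mode or PC variant, useless as authorization.
import hmac

# Constructed server-side session store (a real deployment uses a session backend).
VALID_SESSIONS = {"session-abc123"}

def variant_for(user_agent: str) -> str:
    """Choose a content variant from the User-Agent string.
    This is adaptation only: any client can send any value here."""
    ua = user_agent.lower()
    if "docomo" in ua:
        return "chtml"      # i-mode handsets identify themselves as DoCoMo
    if "msie" in ua:
        return "html-ie"    # MSIE declares "Mozilla/4.0 (compatible; MSIE ...)"
    if "mozilla" in ua:
        return "html"
    return "text"

def session_token(headers: dict) -> str:
    """Extract the 'session' cookie from the Cookie header, or '' if absent."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return ""

def is_authorized(headers: dict) -> bool:
    """Access depends only on a credential, compared in constant time;
    the User-Agent plays no part in this decision."""
    token = session_token(headers)
    return any(hmac.compare_digest(token, s) for s in VALID_SESSIONS)

def handle_request(headers: dict) -> tuple:
    """Return (HTTP status, content variant). A DoCoMo User-Agent without
    a valid session is refused; a PC browser with one is served."""
    if not is_authorized(headers):
        return (401, None)
    return (200, variant_for(headers.get("User-Agent", "")))

if __name__ == "__main__":
    # Constructed sample requests.
    phone = {"User-Agent": "DoCoMo/1.0/F503i/c10"}
    print(handle_request(phone))                    # (401, None)
    pc = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)",
          "Cookie": "lang=en; session=session-abc123"}
    print(handle_request(pc))                       # (200, 'html-ie')
```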