Ethical Hacking

William Bailey

MIS 5211.701 ■ Fall 2021 ■ William Bailey

Week 8 – Encoding vs Encryption

October 18, 2021 by William Bailey 8 Comments

This week’s topics include encoding and encryption.

Encoding / Decoding uses an algorithm, but no special “key”, per se.  Once someone knows the algorithm (mathematical formula), they can decode the message.

Encryption / Decryption also uses an algorithm, but adds a special “key”.  A simple password, such as the one used on your wireless access point with WPA2, can make the encryption unbreakable because an outside party doesn’t know the password that is used as part of the WPA2 encryption.  No password = no decryption (unless you social engineer to get the password).

So, this past week there was a case where a journalist was reviewing data from a publicly available website in Missouri and noticed that there was a lot of extra data. They used the “View Source” capability of the website and, noticing a lot of data, ran that data through a decoder program. They then realized that the teachers’ SSNs were being sent to the website.

Link to Article
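The "no key needed" point above, as an added example that is not part of the original post or the linked article: a check a site owner could run against its own page source before release, decoding any encoded fields and flagging SSN-shaped values. Base64 is an assumption (the post does not name the encoding involved), and the sample HTML and SSN are constructed.

```python
import base64
import binascii
import re

# Constructed sample page: the visible table shows only a name, but a hidden
# field carries a base64-encoded record. All values are made up; the 900-xx-xxxx
# range is not issued as an SSN.
RECORD = b'{"name": "Test Teacher", "ssn": "900-00-0001"}'
SAMPLE_HTML = (
    "<html><body><table><tr><td>Test Teacher</td></tr></table>\n"
    '<input type="hidden" id="state" value="'
    + base64.b64encode(RECORD).decode()
    + '">\n</body></html>'
)

# Runs of base64 alphabet long enough to be data rather than ordinary words.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def decode_candidates(html):
    """Yield (token, text) for each base64-looking run that decodes to UTF-8."""
    for token in B64_TOKEN.findall(html):
        try:
            # No key is involved: knowing the algorithm is enough to reverse it.
            raw = base64.b64decode(token, validate=True)
            yield token, raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or not text once decoded


def find_exposed_ssns(html):
    """Return (where, value) for SSN-shaped strings in the source or decoded data."""
    hits = [("plain", m) for m in SSN_PATTERN.findall(html)]
    for _token, text in decode_candidates(html):
        hits += [("base64", m) for m in SSN_PATTERN.findall(text)]
    return hits


if __name__ == "__main__":
    for where, value in find_exposed_ssns(SAMPLE_HTML):
        print(f"SSN-shaped value exposed via {where}: {value}")
```

Had the hidden field been encrypted with a key held only by the server, the same scan would decode nothing readable; the better fix is not to send the field to the browser at all.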

There are a few questions:

Is this “hacking”?

Who should be liable – the journalist, or the state?

 

Week 8 Handouts

 

Comments

  1. Antonio Cozza says

    October 21, 2021 at 8:56 pm

    I would argue that this is definitely not hacking in any definition of the word. It was simply an accidental finding on the internet that led a curious journalist to do a good job in reporting an important issue to the right people. Even if one wants to loosely label it as hacking because it was not exactly the intended use of the website, it does not require any proper knowledge of penetration testing or hacking skill; the judge is clearly imagining it as a malicious activity performed by a black hat hacker, which is extremely far from the truth. Anyone can hit F12 in a browser and view a page’s source code, without any technical skill. I don’t see any logical reason to hold the journalist liable; in fact the state, like the other security personnel who offered their opinions in the article, should praise the journalist for properly disclosing the vulnerability and enabling the resolution of it, rather than attacking him. The state is completely responsible for this, and they should be thankful that it was this journalist who stumbled upon this major oversight rather than a malicious actor. Had this been the case, the state would eventually be issuing payouts to all of the affected teachers. The state should realize that it is the accountable party for this issue.

    • Dhaval Patel says

      November 22, 2021 at 6:17 pm

      Hi Antonio,

      I agree this is not a form of hacking and was merely an accidental finding as you said. Holding the journalist liable does not seem reasonable, and they should use the journalist’s findings to better protect their systems.

  2. Dhaval Patel says

    October 24, 2021 at 9:26 am

    I would say this is not hacking, as the journalist accidentally came across the additional information and decided to conduct further research and report it. The journalist had no malicious intent and did the right thing by informing the appropriate individuals about the vulnerability and reporting about it after it had been fixed.

    From my perspective, I don’t think the journalist should have any liability against him. He did nothing wrong, whereas the state is wrongfully attempting to prosecute the journalist who found a vulnerability that likely kept many SSNs hidden. To me the state should take responsibility and own up to the fact that the SSNs were essentially visible to the public, rather than shifting blame to the individual who found the issue.

  3. Patrick Jurgelewicz says

    October 25, 2021 at 5:10 pm

    I would consider this instance as hacking under our course definition of exploring the difference between how something is intended to work and how it actually works. However, even though the journalist did not have any written approval to explore vulnerabilities, I would argue that this is a form of ethical hacking because the journalist never went into the state’s network, and only used publicly available tools and information. Most importantly, the journalist notified the state of the vulnerability, and did not disclose the story until it had been fixed. Therefore this does not fall under hacking as the malicious definition that the public, and the governor, tend to view the term.

    Overall, this was just a very weak vulnerability and the state should consider itself lucky that an ethical journalist found this vulnerability before an unethical hacker did. The state is liable, and the journalist should be commended for finding and bringing awareness to this possibly detrimental vulnerability.

  4. Tal Eidenzon says

    November 21, 2021 at 2:20 pm

    I strongly think that it is absurd to blame the journalist. It is up to the organization (government) to AT LEAST abide by its own rules and regulations. It is not surprising that the involved parties were quick to transfer the fault, and far too often public figures do not get to experience the consequences of their actions and decisions.

    As far as classifying the actions of the journalist as hacking, in the strict definition of the term, it is accurate in that the journalist was able to interact with the system not as intended by the creators of the content. However, if we use the media’s definition of hacking, which implies malicious intent and sophisticated knowledge/toolset, there is no evidence to claim the journalist is guilty of having either.

  5. Krish Damany says

    December 5, 2021 at 1:37 pm

    I don’t believe that this journalist is to blame for the terrible security on the state’s website. View Source is available on any browser for anyone to use. Perhaps the method of telling the state about its bad security on the website may have not been the best thing to write in a public medium, as telling them in private could have hopefully allowed the website to be secured. By telling the public, then anyone who read the article could do the same process, including potential nefarious individuals. The state should still be liable for having that sensitive information unsecured like that.

  6. Andrew Nguyen says

    December 5, 2021 at 3:12 pm

    I do think that this can be considered hacking, defined as exploring the ways things should work and the way that it actually works. I don’t think that the journalist should be held liable, and instead the state should be held accountable for not properly checking their data.

    • Tal Eidenzon says

      December 6, 2021 at 12:18 pm

      Hi Andrew,

      Exactly, everything depends on the way that the definition is established. This is the reason that legal documents go to extremes in defining even the most minute terms that would seem to be common sense.

      Thanks,
      Tal

