Hacker News new | past | comments | ask | show | jobs | submit login

It is absolutely, unquestionably unethical to do that. There's a huge, huge difference between proving a concept and stealing user data -- no matter what your end goal is. What possible positive outcome could he be looking for in taking this data?



Anyone know if this was illegal, then? Or will his status as a security researcher (albeit one with poor judgement) protect him?


>Or will his status as a security researcher (albeit one with poor judgement) protect him?

It usually doesn't protect you even if you don't take anything.

That's why there's a huge backlash against "responsible disclosure".


There is no such thing as "status as a security researcher". If you want to research security, I suggest you do it in your lab or with consenting adults.


The only legal security researcher is the one hired by a company to identify issues during a security audit.


It's a whole lot safer doing attacks on a device you own (or downloaded software you run on your own infrastructure) -- live pentests on someone else's network infrastructure and hosted applications is pretty similar to a "real" attack.


Penetration "testing" networks you have no permission to use looks identical to a real attack. I doubt Apple will look at him any differently than an attacker if they decide to pursue him.

He refers to Facebook's whitehat list too. Facebook does allow people to try to break parts of their application if they're responsible about the disclosure. To my knowledge Apple doesn't have such a policy so can't have given any implied permission to attempt to attack them.


>> "Anyone know if this was illegal, then?"

I don't know the full details of the case but didn't the hacker weev get imprisoned for downloading 100k user records from AT&T?


He did. It'll be interesting to see how sophisticated this attack is compared to the AT&T one. It looks like there's Java code used to dump this, rather than just using wget.

I think part of weev's downfall was the subsequent conversation he had discussing what he could hypothetically do with the data though.


> Anyone know if this was illegal, then?

That likely depends on the laws of the country he was in when the incident occurred.


The US has argued that they have jurisdiction over any cyber crime which affects a US company or institution, regardless of where the person was - e.g. Gary McKinnon [1] was indicted by a grand jury in Virginia for hacks on computers owned by NASA and the Pentagon despite never having visited the US.

What really matters in cases like these is whether the country in question will arrest and extradite the individual to the US - this is far less clear cut - see the Snowden case for an example of someone attempting to evade US extradition law.

Some countries (notably China) have been fairly opaque from a US judicial perspective - see hacks on Google, the New York Times blamed on the Chinese - which have ended up with no visible action.

1: http://en.wikipedia.org/wiki/Gary_McKinnon


It's almost definitely a violation of the CFAA.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: