Kennedy 0 #1 February 10, 2014 QuoteFrench journalist "hacks" govt by inputting correct URL, later fined $4,000+ A Google search turned up public files that Olivier Laurelli is accused of publishing. In 2012, French blogger, activist, and businessman Olivier Laurelli sat down at his computer. It automatically connected to his VPN on boot (he owns a small security services company, called Toonux, which was providing a connection via a Panamanian IP address) and began surfing the Web. Laurelli, who goes by the alias “Bluetouff” in most circles (including on Ars Technica), is something of a presence among the French tech-savvy community. Besides managing Toonux, he also co-founded the French-language activist news site Reflets.info, which describes itself as a “community project to connect journalists and computer networking specialists.” As such, Laurelli initiated a Google search on other subjects, but what he stumbled on was perhaps more interesting: a link that led to 7.7 Gb of internal documents from the French National Agency for Food Safety, Environment, and Labor (the acronym is ANSES in French). Although the documents were openly indexed by Google, Laurelli would soon be in the French government’s crosshairs for publishing them. He eventually faced criminal charges, though he was later acquitted of those. However, a separate government agency pursued a civil appeal. And last Tuesday, a French appeals court fined Laurelli 3,000 Euros (or a little over $4,000), meaning he likely made one of the more expensive Google searches to date. (Snip)witty subliminal message Guard your honor, let your reputation fall where it will, and outlast the bastards. 1* Quote Share this post Link to post Share on other sites
labrys 0 #2 February 10, 2014 Quote It automatically connected to his VPN on boot (he owns a small security services company, called Toonux, which was providing a connection via a Panamanian IP address) and began surfing the Web. Sounds completely legit Owned by Remi #? Quote Share this post Link to post Share on other sites
Kennedy 0 #3 February 10, 2014 [complete side note] What, you've never used a VPN? I have. In fact I run one at home that I only use for laptop and mobiles when using other wifi (unlike the ignorant, I prefer not to broadcast my passwords, emails, and other data in the open). I've also used foreign ones to see content that I don't see from home, or to see what happens when a foreign IP looks at a domestic project, and if I go overseas again, just using my home VPN will be "using a foreign IP" in that country's eyes. Do you think krebs or anyone else in security work only use their local IP? Add to that the fact that the guy wants to connect with journalists. Any journalist worth his notebook should know about establishing (relatively) safe and private communications. Back to the point: do you think punishing someone for looking at data published to the internet and cached by Google should be a crime? Seems to me that the crime (I any) was commited by whatever dumbass published private or protected data to the internet.witty subliminal message Guard your honor, let your reputation fall where it will, and outlast the bastards. 1* Quote Share this post Link to post Share on other sites
davjohns 1 #4 February 10, 2014 Most everyone from the US that is stationed in Europe uses one. You can't watch netflix and other video from home unless you have one.I know it just wouldnt be right to kill all the stupid people that we meet.. But do you think it would be appropriate to just remove all of the warning labels and let nature take its course. Quote Share this post Link to post Share on other sites
Skyrad 0 #5 February 10, 2014 Sounds like the Government IT screwed up and now they're trying to save face (But looking even further like idiots).When an author is too meticulous about his style, you may presume that his mind is frivolous and his content flimsy. Lucius Annaeus Seneca Quote Share this post Link to post Share on other sites
NewGuy2005 53 #6 February 10, 2014 I use a VPN for work. Quote Share this post Link to post Share on other sites
Andy9o8 2 #7 February 10, 2014 Quotedo you think punishing someone for looking at data published to the internet and cached by Google should be a crime? Just as a side note (it doesn't really speak to your point), and FWIW, let's not forget that in many jurisdictions merely looking at, and especially downloading, child porn obtained via openly-accessible internet sites is a criminal offense. Quote Share this post Link to post Share on other sites
Kennedy 0 #8 February 10, 2014 Granted. But at least in that case both server and client are involved in and charged with a crime. I really don't see how receiving can be a crime when sharing isn't.witty subliminal message Guard your honor, let your reputation fall where it will, and outlast the bastards. 1* Quote Share this post Link to post Share on other sites
champu 1 #9 February 10, 2014 Andy9o8Quotedo you think punishing someone for looking at data published to the internet and cached by Google should be a crime? Just as a side note (it doesn't really speak to your point), and FWIW, let's not forget that in many jurisdictions merely looking at, and especially downloading, child porn obtained via openly-accessible internet sites is a criminal offense. Is the criminal offense downloading the material though or possession of the material regardless of where you got it from? Just having leaked documents like in this story is not necessarily a crime, particularly if you've not previously entered into any kind of NDA that covers them. If you break into a building and take documents that's obviously a chargeable offense. If you walk into a building uninvited, and sneak into an office area by following people, grabbing doors before they close, generally abusing crap security practices, and take documents that's still probably still the same chargeable offense. If the entity inside the building just throws unshredded copies of the documents in a recycle bin and puts it out on the curb and you reach into the bin and take them, then I'm not sure you've done anything illegal (my wild guess would be this varies by jurisdiction.) The question, in my opinion, is to which of the above is "directory diving," or going through publicly accessible but unadvertised unlinked content, analogous. Quote Share this post Link to post Share on other sites
Andy9o8 2 #10 February 10, 2014 champu***Quotedo you think punishing someone for looking at data published to the internet and cached by Google should be a crime? Just as a side note (it doesn't really speak to your point), and FWIW, let's not forget that in many jurisdictions merely looking at, and especially downloading, child porn obtained via openly-accessible internet sites is a criminal offense. Is the criminal offense downloading the material though or possession of the material regardless of where you got it from? Just having leaked documents like in this story is not necessarily a crime, particularly if you've not previously entered into any kind of NDA that covers them. In the very narrow example I mentioned, most statutes in the US I'm familiar with make even the mere possession (although it usually must be knowing possession) of child porn unlawful, regardless of the means or source by which you came to possess it. But that might be more of an exception to the broader points that the OP and you are each discussing. I don't want to distract too much from the point of that discussion. Quote Share this post Link to post Share on other sites
Kennedy 0 #11 February 10, 2014 QuoteIf you break into a building and take documents that's obviously a chargeable offense. If you walk into a building uninvited, and sneak into an office area by following people, grabbing doors before they close, generally abusing crap security practices, and take documents that's still probably still the same chargeable offense. If the entity inside the building just throws unshredded copies of the documents in a recycle bin and puts it out on the curb and you reach into the bin and take them, then I'm not sure you've done anything illegal (my wild guess would be this varies by jurisdiction.) The question, in my opinion, is to which of the above is "directory diving," or going through publicly accessible but unadvertised unlinked content, analogous. Abandoned property is fair game in pretty much every jurisdiction. If it weren't, how could law enforcement ever use that exception to fourth amendment protections? Coming back to data (not physical property), if it is published to public facing internet, there cannot be any reasonable argument that reading it is stealing. (courts have not caught up to this fact yet, but courts have been wrong before and will be again)witty subliminal message Guard your honor, let your reputation fall where it will, and outlast the bastards. 1* Quote Share this post Link to post Share on other sites
Stumpy 284 #12 February 10, 2014 SkyradSounds like the Government IT screwed up and now they're trying to save face (But looking even further like idiots). Exactly this.Never try to eat more than you can lift Quote Share this post Link to post Share on other sites
champu 1 #13 February 10, 2014 KennedyQuoteIf you break into a building and take documents that's obviously a chargeable offense. If you walk into a building uninvited, and sneak into an office area by following people, grabbing doors before they close, generally abusing crap security practices, and take documents that's still probably still the same chargeable offense. If the entity inside the building just throws unshredded copies of the documents in a recycle bin and puts it out on the curb and you reach into the bin and take them, then I'm not sure you've done anything illegal (my wild guess would be this varies by jurisdiction.) The question, in my opinion, is to which of the above is "directory diving," or going through publicly accessible but unadvertised unlinked content, analogous. Abandoned property is fair game in pretty much every jurisdiction. If it weren't, how could law enforcement ever use that exception to fourth amendment protections? That's my take on it too, I just stated it very weakly. The parenthetical comment was just to say I'm not sure there aren't some corner cases where this would be a crime. I can't think of any examples though. KennedyComing back to data (not physical property), if it is published to public facing internet, there cannot be any reasonable argument that reading it is stealing. (courts have not caught up to this fact yet, but courts have been wrong before and will be again) I agree with you here, and my three cases were meant to represent, respectively, actively breaking security (stolen credentials, exploiting a zero day vulnerability, etc.), taking advantage of lax security (using known broken software, wi-fi with no VPN, password is '12345', etc.), and simply accessing published files (even if they were published by mistake.) As I said, I think the battle is between how much behavior to include in each of the last two categories. Quote Share this post Link to post Share on other sites