
[ PRIVACY Forum ] Arnold's audio URL controversy -- hacking or not?


To: privacy-list@vortex.com
Date: Thu, 14 Sep 2006 10:07:40 -0700
From: privacy@vortex.com
Reply-To: PRIVACY Forum Digest mailing list <privacy@vortex.com>


Greetings.  I've seen various news stories biting around the edges
on this one, but perhaps a few more words now will save some time
later.

As you may know, an mp3 audio file containing a recording of a
private meeting with California's "Governator" was apparently "leaked"
to the press by staffers in the office of his Democratic opponent in
the upcoming election.  The tape included Arnold using strong
language and some racially-related discussion that some observers
found disturbing, for which the Governor later apologized (audio of
the meeting: 
http://www.latimes.com/news/printedition/la-govmeeting-mp3,1,1268547.mp3file ).

Arnold's team immediately declared that the file had been stolen from
a "password protected" private area of their servers.  Later they
changed that story to saying that "information manipulation" had
been involved in gaining access.  Now local L.A. radio station KFI says
of the process: "We've been hacking them for years, if this is hacking." 

From everything I've been able to learn about this situation, the
file was reportedly not password protected and the technique
apparently used to gain access -- URL manipulation -- does not
reasonably qualify as hacking under any normal definitions.

What appears to have happened -- again, based on what I know right
now -- is that various people have been exploring the Governor's Web
servers by making slight changes to the URLs on Web pages or from
e-mail.  For example, if a (fictitious) promoted URL is:

http://arnoldssite.ca.gov/audio/file01.mp3

an interested party might also try to access file02.mp3, file03.mp3,
and so on.  

The same sort of procedure applies to any other types of Web
materials -- file21.html, speech-ab.doc, photos-000.jpg, etc.
You can type anything you want into a Web browser address bar, and 
it's the responsibility of the server to determine whether or not you
should have access: browsers request, servers control.

I'll bet that many readers of this message have themselves used
the same technique to explore Web site areas, or have seen the 
entries related to such actions in their own Web server logs.

Whether or not it is appropriate to publicly release information
discovered in this manner is a different and more complex issue.

But I believe that it's very important to emphasize that the security
of files on Web servers is solely the responsibility of those
servers and the people who configure them.  Relying on the false
assumption that files can't be accessed simply because you have not
promoted their URLs -- particularly if those URLs can be easily
inferred from known URLs -- can lead to some significant surprises.

--Lauren--
Lauren Weinstein
lauren@vortex.com or lauren@pfir.org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
   - People For Internet Responsibility - http://www.pfir.org
Co-Founder, IOIC
   - International Open Internet Coalition - http://www.ioic.net
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com

_______________________________________________
privacy mailing list
http://lists.vortex.com/mailman/listinfo/privacy
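The post notes that readers may have "seen the entries related to such actions in their own Web server logs." The following is an added example (not code from the post or from the PRIVACY Forum) of what that looks like from the server operator's side: it parses a handful of constructed combined-format access log lines and flags a client that has walked through numbered variants of a file name (file01, file02, ...), counting how many of those guesses missed. The log lines, addresses and paths are invented for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" style; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Sep/2006:10:01:02 -0700] "GET /audio/file01.mp3 HTTP/1.1" 200 512000
203.0.113.5 - - [14/Sep/2006:10:01:09 -0700] "GET /audio/file02.mp3 HTTP/1.1" 200 498000
203.0.113.5 - - [14/Sep/2006:10:01:15 -0700] "GET /audio/file03.mp3 HTTP/1.1" 404 210
203.0.113.5 - - [14/Sep/2006:10:01:21 -0700] "GET /audio/file04.mp3 HTTP/1.1" 404 210
203.0.113.5 - - [14/Sep/2006:10:01:27 -0700] "GET /audio/file05.mp3 HTTP/1.1" 200 533000
198.51.100.9 - - [14/Sep/2006:10:02:00 -0700] "GET /audio/file01.mp3 HTTP/1.1" 200 512000
198.51.100.9 - - [14/Sep/2006:10:02:30 -0700] "GET /index.html HTTP/1.1" 200 3400
"""

# Client address, request line and status code from a combined-format entry.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A path whose file name ends in a number just before its extension, e.g. /audio/file01.mp3.
NUM_RE = re.compile(r'^(?P<prefix>.*?)(?P<num>\d+)(?P<suffix>\.\w+)$')


def parse(log_text):
    """Yield (client_ip, path, status) for each well-formed log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), int(m.group("status"))


def find_enumeration(log_text, min_distinct=3):
    """Group requests by (client, path with the number replaced by 'N') and report
    clients that fetched at least min_distinct distinct numbers under one pattern.
    Returns {ip: [(pattern, sorted numbers, count of 404 responses), ...]}."""
    groups = defaultdict(lambda: {"nums": set(), "misses": 0})
    for ip, path, status in parse(log_text):
        m = NUM_RE.match(path)
        if not m:
            continue  # no trailing number: not a guessable sequence by this heuristic
        pattern = f"{m.group('prefix')}N{m.group('suffix')}"
        g = groups[(ip, pattern)]
        g["nums"].add(int(m.group("num")))
        if status == 404:
            g["misses"] += 1  # a miss is a guess that did not exist on the server
    findings = {}
    for (ip, pattern), g in groups.items():
        if len(g["nums"]) >= min_distinct:
            findings.setdefault(ip, []).append((pattern, sorted(g["nums"]), g["misses"]))
    return findings
```

A high miss count alongside a long run of distinct numbers is the usual signature of guessing rather than following published links; the real fix remains the one the post states, namely access control on the server rather than obscurity of the URL.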

