You are explicitly authorized by the specified policy that uses SSN to look up the data. If you aren't authorized, why is it sending you the data?

If you make no effort to authenticate requests, I find it very unreasonable to act like any requests are unauthorized.



So what about denial of service attacks going against just the public unauthenticated API?

Just because AT&T does a boneheaded security implementation for which they deserve sanction, does not entitle weev or anyone else to go beyond ethical boundaries in discovering (and in weev's case, abusing) that security lapse.


I think DoS is covered by clauses other than just authorized or unauthorized. You can't legally DoS people even if you are an authorized user.

> that security lapse.

I don't think you can call this a lapse. It's not like they had passwords but forgot to change them. They designed it without any security.


> They designed it without any security.

Is that the only criterion now? You'll only do the ethical thing if someone else remembered to bake in technical safeguards?
