The "Hackers" Are Back
Well, the Senate 'hacking' scandal is the story that just won't die. The Sergeant-At-Arms has been investigating for far, far longer than the whole thing is worth, but even more depressing is the fact that any reference to what was technically required for 'hacking' has now been lost.
Let's recap. Unless the investigation reveals something new that I've not seen, the 'hacking' involved searching through a shared server for folders that were unrestricted by the systems administrator. Note that at least as of 1999, securing a share drive against this kind of interference was a standard part of Senate systems administration training. I can say this with some authority because that's where I learned to administer an NT box. Unless Senate systems training has gotten worse since I was there, this drive wasn't 'secure' at all.
The Washington Post doesn't think this is a defense:
It isn't much of a defense to suggest that the material was not adequately protected on a shared network and was therefore fair game. If Democratic staffers had left their office doors unlocked, would it be open season on their file cabinets? Senate staffers appear to have done the electronic equivalent of rifling through one another's desks in a systematic and sustained effort to gather intelligence. Mr. Hatch deserves credit for insisting -- in the face of considerable party pressure -- that, even in the midst of a partisan war over judicial nominations, such behavior will not be tolerated.
Better question: if the Democrats and Republicans shared a filing cabinet to which they both had separate keys, and which had a separate unlocked 'shared' door, would the Republicans be wrong in taking copies of files placed in the unlocked 'shared' drawer? A server isn't a set of desks or rooms--if you really wanted to push the network analogy to an office space, that kind of individualized space would be each staffer's desktop machine--but a single filestore to which everyone has the access that they are specifically given by the sysadmin. Let me be absolutely explicit here: absent some kind of real hacking, no user has any access to a file which has not been affirmatively given to him by a systems administrator. The Democrats' sysadmin was, as everyone agrees, given notice of the problem, and the Dems didn't correct it.
I'll admit that ethically, this is probably sketchy, in the realm of 'ungentlemanly conduct.' But to call this hacking or theft is to put an onus on network browsers that I doubt most Democrats really want to enforce.
For example, go browse some of your favorite websites hosted by the technologically inexperienced. (This may very well include your author, who is less inexperienced than careless.) If you look closely at the code, you'll notice that images, stylesheets, and other files are often left in unprotected directories. To take just one case that I just noticed in researching this article:
http://www.threeyearsofhell.com/images/
Now, suppose I had an image in this directory labelled "MYGRADES.gif", and that this file contained the grades on my recent exams. It's reasonable to expect that I mean to keep these private. And of course, while I've given my visitors leave to visit Three Years of Hell, gentlemanly expectations would counsel that I've not given you permission to go through my collection of images. (OK, I just have in this entry, but you know what I mean.)
Now, answer honestly--how many of you without computer experience would know, prior to finding that file, that this was 'restricted'? One wouldn't expect that because, when it comes to computers, your machine (the 'client') makes a request to the server, and it's assumed that the server has been told not to give you anything you shouldn't have. If you download a file with my grades in it, is it your fault for looking in a place that I've told you exists--it's in the source code to the webpage--and that I've not secured?
If I gave you links to a dozen sites with such unsecured directories, and you went there without knowing that such areas 'should have' been guarded, would you want to be liable for digital trespass? If you downloaded the files I had in there (for instance, if I had copyrighted music in that directory), would you want to be liable for illegally downloading them? What if I'd changed the filenames?
This is why securing a file-server on an otherwise open network is the responsibility of the owner. There's a big leap between taking specific steps to get around security--say, hacking the image directory if I'd put an htaccess password on it--and just poking around somewhere to which I've implicitly given you access. Nonetheless, this is the precedent the Democrats are setting now.
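For a site owner who wants to know which directories the server will hand to anyone who asks, here is an added example (not code from the original post) that walks a local document root and reports every directory with no index page, no "Options -Indexes", and no htaccess password. It assumes an Apache-style server with automatic directory listings and .htaccess overrides enabled; the index file names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

INDEX_FILES = {"index.html", "index.htm", "index.php"}  # assumed DirectoryIndex names
NO_LISTING = re.compile(r"^\s*Options\b.*-Indexes", re.I | re.M)
AUTH = re.compile(r"^\s*(AuthType\b|Require\s+(valid-user|user|group)\b)", re.I | re.M)

def audit_docroot(root):
    """Return {relative_dir: [files]} for directories any visitor could browse."""
    root = os.path.abspath(root)
    exposed, state = {}, {}  # state: dir -> (listing_off, auth_on), inherited downward
    for path, _dirs, files in os.walk(root):  # top-down, so parents come first
        listing_off, auth_on = state.get(os.path.dirname(path), (False, False))
        if ".htaccess" in files:
            with open(os.path.join(path, ".htaccess")) as fh:
                text = fh.read()
            listing_off = listing_off or bool(NO_LISTING.search(text))
            auth_on = auth_on or bool(AUTH.search(text))
        state[path] = (listing_off, auth_on)
        has_index = any(f.lower() in INDEX_FILES for f in files)
        if not (listing_off or auth_on or has_index):
            rel = os.path.relpath(path, root)
            exposed[rel] = sorted(f for f in files if not f.startswith("."))
    return exposed

def build_sample_site():
    """Constructed sample: open images/, password-protected private/, unlisted css/."""
    root = tempfile.mkdtemp()
    layout = {
        "index.html": "<img src='images/logo.gif'>",
        "images/logo.gif": "GIF",
        "images/MYGRADES.gif": "GIF",
        "private/.htaccess": "AuthType Basic\nRequire valid-user\n",
        "private/notes.txt": "x",
        "css/.htaccess": "Options -Indexes\n",
        "css/site.css": "body{}",
    }
    for rel, body in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for directory, files in audit_docroot(build_sample_site()).items():
        print(f"open to browsing: {directory}/ -> {files}")
```

Only images/ is reported for the sample tree: the home page's index file, the password on private/, and the listing override on css/ each keep the other directories out of the result.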