Noteworthy [Ir]relevance [See Updates]
Just when I was beginning to worry about the relevance of my note topic, something much like it hits the news. [Please see the UPDATES below: it appears that Kos got some of his story wrong.]
According to various links from Kos, there's a potential scandal brewing over the outing of Alan Keyes daughter through her blog. I can't confirm a bit of this, but it seems that a young lady who may or may not be Maya Keyes kept a 'diary-style' site on Xanga, where she posted some rather personal stories which indicate she is a lesbian. According to Kos:
The evidence comes from Maya's very public blog (first discovered by Modern Vertebrate). Xanga apparently allows parts of the site to be "protected" from those not on a special list, but Xanga has poor technology, as some of that protected content can be easily found. For example, here's the post where she hides parts of her site.
(links removed) Now, please note again that I can't confirm any of this. Indeed, it does appear that sites like chillinois are linking to some of these entries by exploiting a very strange security flaw. (The August 21st entry appears on the link but not the main blog.) But at this time of night, I couldn't tell you one way or the other, or how they're doing it. (Yes, it appears to be passing a userid in the URL, but certainly Xanga's security ain't that bad, is it?) Whatever the case, I feel sorry for the blog owner, whoever she is: she's about to get a lot more attention than she bargained for.
But that's an aside: I'm not that interested in 'outing' anyone, and I'd not even mention this if it hadn't been on Kos. (The guy's huge. If he's 'broken' the story, it's out. My silence would have no effect.) I'm interested in the technological question.
You see, I'm looking into the relationship between 'unauthorized access' (as ther term and terms like it are used in the Computer Fraud and Abuse Act) and its courtroom interpretation. I first grew interested after studying the case of Manuel Miranda and the Senate 'hacking' scandal, but wondered if another topical case would ever arrive. To me, this might be such a case (although Xanga might not be covered by the CFAA).
Assume that what Kos says is true: that the security was 'broken.' The question would become how it was broken. It could be by traditional 'hacking': a user figures out how to outsmart Xanga's security. Or it could be by finding a valid user ID and logon, say stealing one from the young lady's friends. Or one might make a Xanga account, email the young lady kindly, and ask her to become part of her 'friends' list. All of these would fall outside my legal problem.
But suppose that the user who first came across this did so knowing that these were supposed to be protected (there's an entry to that respect), but it just so happened that his account was given access it shouldn't have by Xanga's servers. He downloads the information, publishes it on his blog, and scandal ensues. Has he 'hacked' anything, or rather exceeded his 'authorized access?' Or is the operator of the server the one that should be civilly or criminally responsible?
Anyway, I'll have to watch this story, to see how the technical details pan out. Should be interesting.
Update: In case this ever gets back to the young lady in question--unlikely, but stranger things have happened--shoot me an email and I'll be happy to look into making the blog more secure. As I said, I hate that this kind of thing happens.
Update II: Taking a look at it in the cold light of day, it doesn't look like the entries were protected at all, at least from this side. So whilst it might be an interesting hypothetical situation, it's probably irrelevant to my research.
Update III: I spent a few minutes IMing the young lady whose ID is on the blog, and confirmed that there are some protected entries, and Xanga's protection seems to be working. It appears that what chillinois quoted is indeed set to 'public.' Please note that I did not ask for confirmation as to who the person on the other end of the AIM was: first of all, it's not the element in which I'm interested, and secondly, it wouldn't really go any length to determining if this is a hoax.
Update IV: For what it's worth, I just contacted the author of the blog in question and asked her permission to leave this post up. Which makes me feel a bit better about the whole thing, though not much. Most of her site is now being reset to "private." As this looks less and less like a hoax, the young lady has my sympathy: this is probably more attention than she bargained for.