Depends on intent. Connecting just to say "cool it works" - while illegal no one will care. Connecting and making malicious modifications to the system and you might have some unfriendly people knocking on your door.
Intent (or recklessness, negligence, etc..) is and ought to be a fundamental principle of deciding if something is a criminal act. However, we should be clear that Strict Liability crimes do exist by force of (portly-written) statute.
"Oh no... allsprk.koding.io is sleeping right now. Check again a little later?"..
I'm taking a wild guess the host (koding.io) shut this one down, I can't imagine is takes too long to get an abuse request from an app like this..
That said - If this does what I think it does, awesome :) Maybe people will stop exposing systems over the internet like this after 5 or 10 more of these sites/apps?
If you knowingly tinker with a system you're not supposed to have access to --- that is, you either VNC into a system that isn't yours and see things that a reasonable person would react to as an indication that they weren't welcome, or that a prosecutor can claim a reasonable person would react that way to --- you're violating the CFAA.
All current indications are that scanning the whole Internet for open VNC systems is, if not lawful, then at least so close to the line that nobody's going to make an issue of it.
But logging into a VNC server and poking around crosses a bright line. Arguments about the implied welcome given by lack of a login screen will probably not persuade a jury, let alone a prosecutor.
The idea of hooking open VNC servers up to a "roulette" game seems beyond stupid. Maybe someone's thought about this more carefully than I have and can explain why I'm wrong?
China has no extradition treaty with the US, and even if they did, there is no equivalent of the CFAA in China. Extradition treaties usually cover only offenses that are crimes in both countries.
Obviously deeply immoral and unethical, but illegal? No... Not unless there is a warning that what you are doing is wrong. Maybe they are test VNC servers? Scanning is definitely not illegal, nor immoral IMHO. Studying the Internet is a valid exercise when done responsibly.
I would be willing to put some money on you being very, very wrong about it being legal to tinker with passwordless VNC server simply because there was no explicit warning.
Because every reasonable Internet user believes they're allowed to do that, whereas when you get access to a passwordless VNC server, it's so newsworthy that it immediately gets voted onto the front page of Hacker News.
The legal system really doesn't like "cute", "technically-correct" arguments, as a general rule. If you fell afoul of the CFAA on this and were dragged in front of a judge, I'd put good money on that argument being laughed out of court for this particular case. An HTTP server is very different to a VNC server. Misconfiguration doesn't typically grant right to access, in a legal sense anyway.
The problem is that it's not obvious that there is a misconfiguration. Public sandbox environments are not uncommon on the Internet.
I do not support malice or vandalism, but there is no indication that a system is misconfigured merely because it does not have password protection. Users should not be expected to know the intricacies and technical details of every program they use. The responsibility for ensuring that servers are not publicly accessible is on the person running the server. Not requiring a password to access a system on a public network, when you require that only certain people are allowed access to that system, is negligence at best. I'd argue gross negligence.
Would they? Or would they assume that a VNC server was left open either through malice or incompetence, and it's presence therefore not an invitation to be accessed?
This is the difference between a storefront being left unlocked, versus a private home being left unlocked. An unlocked storefront is likely to be open for business, so entering is reasonable. An unlocked house is a security mistake, and entering is trespassing.
You might think you're clever. Hell, you probably are clever. Unfortunately, that's not what matters. What matters is how the owner of the server will react, and how important they are. If you're identified and charged, the DA will levy absurdly burdensome charges against you. You'll be forced to spend thousands of dollars on defense. You'll spend months distracted by the proceedings, and will inevitably be asked about it by peers/employers when the news hits the streets.
But you're right. You may never be convicted. Go ahead and try your luck.
IANAL but I'd have to agree. It reminds me of the time I got money deposited in to my bank account that I knew wasn't mine. I asked my girlfriend's dad - a lawyer - if I could keep it. Of course not, he said. It's like someone parking their car in your driveway, he said, and leaving the keys in the ignition. Are they trespassing on your driveway? Sure. Does that mean this car belongs to you now and you can do with it whatever you please? Of course not.
Nonsense. People put up open systems because they want others to enter them. That's why public wifi is public. That's why public http servers are public. That's why public restrooms are public. Et cetera, ad nauseam.
Just because you can enter someone's home because the door is unlocked does not mean you are invited.
Similarly you will find that trespassing on a system you do not have authorized use of (and no login is not implicit authorized use) is going to get you in trouble pretty much everywhere.
The difference is the degree of knowledge you have of doing something wrong while transgressing the law.
It's like if my grand-mother with alzheimer accidentally entered the wrong apartment room or house where the door was unlocked. It's not like she should go to jail or get shot by the owner pretending she was a threat.
I haven't seen the website, but if they made it really easy to enter remote systems then someone could defend himself saying he didn't know what it was all about.
One could probably argue that some Popcorn Time users would enter this gray zone.
However, the providers of those kind of services are mostly aware of the illegality of their users behaviour, so they are infringing the law clearly.
You don't have a right to mess with things just because they're "in public". If someone's front gate is open, that doesn't mean that you can just walk in and start chopping up their rosebush.
45 comments
[ 3.1 ms ] story [ 94.2 ms ] thread(Or more likely - completely legal unless it affects the government or a big enough US corporation)
This always becomes the main subject by lawyers in courts.
It is trivial to scan the whole ipv4 address space. I think the guys in this video did it in 40mins or so while presenting.
I'm taking a wild guess the host (koding.io) shut this one down, I can't imagine is takes too long to get an abuse request from an app like this..
That said - If this does what I think it does, awesome :) Maybe people will stop exposing systems over the internet like this after 5 or 10 more of these sites/apps?
If you knowingly tinker with a system you're not supposed to have access to --- that is, you either VNC into a system that isn't yours and see things that a reasonable person would react to as an indication that they weren't welcome, or that a prosecutor can claim a reasonable person would react that way to --- you're violating the CFAA.
All current indications are that scanning the whole Internet for open VNC systems is, if not lawful, then at least so close to the line that nobody's going to make an issue of it.
But logging into a VNC server and poking around crosses a bright line. Arguments about the implied welcome given by lack of a login screen will probably not persuade a jury, let alone a prosecutor.
The idea of hooking open VNC servers up to a "roulette" game seems beyond stupid. Maybe someone's thought about this more carefully than I have and can explain why I'm wrong?
Not that that doesn't make it fun, but still.
A reasonable person would assume that a server with no password, intentionally has no password.
I do not support malice or vandalism, but there is no indication that a system is misconfigured merely because it does not have password protection. Users should not be expected to know the intricacies and technical details of every program they use. The responsibility for ensuring that servers are not publicly accessible is on the person running the server. Not requiring a password to access a system on a public network, when you require that only certain people are allowed access to that system, is negligence at best. I'd argue gross negligence.
And there is no indication it's not a misconfiguration. Look, I completely agree with what you're saying, but judges won't (and don't).
This is the difference between a storefront being left unlocked, versus a private home being left unlocked. An unlocked storefront is likely to be open for business, so entering is reasonable. An unlocked house is a security mistake, and entering is trespassing.
But you're right. You may never be convicted. Go ahead and try your luck.
Similarly you will find that trespassing on a system you do not have authorized use of (and no login is not implicit authorized use) is going to get you in trouble pretty much everywhere.
It's like if my grand-mother with alzheimer accidentally entered the wrong apartment room or house where the door was unlocked. It's not like she should go to jail or get shot by the owner pretending she was a threat.
I haven't seen the website, but if they made it really easy to enter remote systems then someone could defend himself saying he didn't know what it was all about.
One could probably argue that some Popcorn Time users would enter this gray zone.
However, the providers of those kind of services are mostly aware of the illegality of their users behaviour, so they are infringing the law clearly.