
I certainly applaud the author’s creativity, but aren’t there potential very significant downsides to abusing an account linked to your identity in order to fraudulently obtain services?

And then to write about it under one’s own name?

Isn’t this the kind of thing that goes against the CFAA?

PRs can wait — not worth criminal charges.




He notes in the blog post that he didn't actually use his airmiles account for more than a couple of proofs of concept (the IM stage) - he also says not to actually do this - it was just a creative bit of hacking.


It's very interesting how afraid we've become, as a culture, of legal repercussions if you "mess with computer stuff in any way".

Changing your first name field on a form too often? Welcome to prison!


> It's very interesting how afraid we've become

You make it sound as if this is some kind of irrational response to nothing.

When in reality it's an entirely reasonable response to the 1986 Computer Fraud and Abuse Act [1].

The interesting observation here wouldn't be about us "as a culture", it would be about the government.

Because obviously it's not about "changing your first name field on a form too often", it's about using that field for an unintended use, in order to bypass controls to give yourself access to communications the company didn't authorize you for.

I don't know why you think a kind of cultural fear is the thing to focus on here, rather than the very real law that sends people to very real prison.

[1] https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act


I think you're probably right, but the thing that always gets me is this: if nothing in their terms or UI prohibits you from encoding data into your name and changing it as often as possible, then is doing so actually unauthorized? I can't imagine that every conceivable activity you might perform with a computer system would need to be explicitly documented as ok before you can perform it. In other words, if the system owner lists things you can do and things you can't do, then are you in trouble for doing things not mentioned? They never authorized me to use the brightness control on the entertainment system, but I did anyway, uh oh!

They're charging money for normal easy communication with the ground, and they're not charging for slow convoluted communication with the ground. I see the problem with getting the former without paying, but it's harder to find a problem with getting the latter without paying. They configured their system to allow it, and then failed to list rapid changes and encoding as either authorized or unauthorized.


The intent to bypass the paywall is extraordinarily clear here. The name field is obviously not being used for its intended purpose.

I don't know how a court would actually decide, and that would depend on the precise jury as well.

But the point is that it's entirely reasonable to be scared that this could land you in jail. Cases are decided by people who have common sense.


I would hope the server literally authorizing the user to modify the field after correctly authenticating the user implies "authorized use" under the CFAA, but I'm not a lawyer and I'm not familiar with the law here.


> how afraid we've become

Widespread proliferation of pseudonyms modeling/nudging self-censorship is not a proxy for fear in humans-who-hack.


Not in hackers, the population.



