If you use the “If I leave my door unlocked you don;t have the right to walk in…” analogy when discussing web disclosures, you really need to stop. Bad analogies are bad.
You know the cases, folks find things on the Internet that people didn’t mean to make public, and a storm ensues and all kinds of people say all kinds of naïve stuff, including people who should know better.
Your website is not a house, and not just because of the physical vs. virtual difference. If we have to use this analogy, let’s at least get it more accurate.
You live on a road, it may be public, or it may be private, but either way it is open to the public- in fact public use is encouraged. That’s why you put your house there, because of good access in and out to the rest of the world. You put sensitive data on signs in your yard, visible from the road. There might even be a sign that says “only read your own data”, but it is all visible. Someone drives by and reads someone else’s sign from the road. Maybe they take pictures of the signs.
Still imperfect, but much more accurate. And so convoluted it doesn’t help make any point. These issues are not simple and misrepresenting them and oversimplifying things does not help.
Note that I have not made any judgements about who exposed what where, and who drove by and looked at it. If it is your house and you post my data in an irresponsible manner, you are being irresponsible. If someone feels the need to copy everything to prove a point, that causes problems, even when their intentions are good.
Without picking any specific cases, most of the ones that make the news are a combination of errors on both sides. You should act like sensitive data is, I don’t know, sensitive. And when you stumble across things like that (and you will if you use the Internet and pay attention), you should think about how folks will react, and keep the CFAA in mind. Right or wrong, that’s the world we live in. I think the CFAA is horrible and horribly out of date, as is the DMCA- but while they are the law and enforced, ignore them at your peril. It is worth considering that when people find stuff that shouldn’t be posted publicly, it generally doesn’t require downloading the entire dataset to report the problem, in fact that is likely to create problems for everyone.
And yes, that’s a gross oversimplification from me in a post where I decry gross oversimplification. Literary license or something.
And because I actually care about this mess we’re in, I’ll make an offer I hope I don’t regret: if you stumble across things which are exposed and you really don’t know how to handle it please pause and reach out to me. I’ll ask friends in law enforcement for guidance for you if you wish to remain anonymous, or I’ll try to help you find the right folks to work with. If you are outside of the US, I’m unlikely to be if much help, but I’ll still make inquiries.
Note that if you are on any side of one of these situations and act like a dumbass, I reserve the right to call you a dumbass. I’ll still try to help, but I’m calling you a dumbass if you deserve it. That’s as close to idealistic as you’ll get from me.
This is a Security Bloggers Network syndicated blog post authored by Jack Daniel. Read the original post at: Uncommon Sense Security