Anti-security

Don’t Hate the Player, Hate the Game

Can you change the URL in a web browser? Do you live in Canada? If you answered ‘yes!’ to these questions then you too, can help an organization avoid responsibility for their insecure computer systems by taking the blame when you find their security flaws. As an added bonus, you might even face criminal charges for a vague, overly broad notion of unauthorized computer use!

This is exactly what happened in April 2018, when a teenager in Nova Scotia, Canada made international headlines for uncovering sensitive government documents with a simple script. The teen was initially charged with unauthorized use of a computer after getting access to documents from — irony of ironies — the province’s freedom-of-information website.

The teen’s “crime” was simple: he altered the ending of a URL to access sequentially organized webpages. I’ve done the same thing to find the next episode of my latest streamed TV show, or to bypass page 1 when I look up stain removal instructions or how to make my two cats get along.

The Nova Scotian teen went a step further by allegedly using a script to automate the process of changing the URL endings. Turns out it’s not so difficult to do:

programs like the Chrome browser extension URL Incrementer automatically navigate URL databases. Anyone who wants to download data from sequentially organized webpages can easily do so using the command line or data scraping tools like Scrapy.

Many organizations practice security through obscurity — a belief that merely hiding something can protect it. As one software engineer put it: “Security through obscurity would be burying your money under a tree. The only thing that makes it safe is no one knows it’s there.” Yet website designers and security researchers have pointed out numerous times that the use of predictable, sequential URL endings fails to ensure adequate user privacy and data protection.

The absurdity at the heart of this case is that simply altering a URL can make someone a “hacker” who is responsible for an organization’s flawed information security practices. The teen faced up to 10 years in prison under the charge of unauthorized computer use. His charges were dropped only after security experts from the US and Canada rallied to support him. In the end, Nova Scotia’s privacy commissioner concluded that the website designers were to blame. Many would applaud this decision; more still would wish the teen had never been charged.

Soccer players who score the winning goal are praised for their ingenuity. Whistleblowers receive protection for exposing egregious behavior. In an era where seemingly everything can be hacked, there is no place for security through obscurity — and no one should be prosecuted for something as simple as changing a URL.

Back to Anti-security