The Absurdity of Cyber Laws

Infinite Loops, Bugs and Responsibility

Recently a story broke about a 13-year-old female student from Japan being charged for publishing a web page that ran a script showing an alert message in an infinite loop, which looked like this.

Frankly, it’s as ridiculous as it gets. At first I figured there was something lost in translation between the original source and Ars Technica’s take on the story, but others have been reporting the same story, so under the assumption that it’s true I just have to say it’s a truly bizarre case.

Basically the “malicious” code in question boils down to a single line of JavaScript code being hosted on their own webpage.

while (true) { alert("beep"); }

Nothing malicious happens when you run it; at best it’s a mild nuisance. Most browsers will actually present a checkbox, as seen in the screenshot above, which will prevent further messages from popping up once checked, and hey, at the end of the day one could always close the browser tab.

The whole case is just bizarre. Heck, if anything this girl could be a lead developer in Silicon Valley; she’s following the principles of modern web development to the letter.

It’s Your Fault For Downloading Files From Our Public Server

Which brings me to this other story that broke back in 2018 where a young Canadian was charged for downloading files publicly available from Nova Scotia’s freedom-of-information portal.

The teen has been charged with “unauthorized use of a computer,” which carries a possible 10-year prison sentence, for downloading approximately 7,000 freedom-of-information releases.

Yes, you read that right, for downloading freely available documents from a freedom-of-information portal.

Basically what happened was that the site had all the files, which they later claimed were not for public consumption, publicly available on their server, where each file was named in a sequence.

Imagine the file was at https://supersecret.com/secret-file-1.pdf and all you had to do was change the digit in the file number to get at the next file. Well, that’s basically what he did. He had a knack for scraping and archiving things on the web, which, if you ask me, there’s nothing wrong with.

Again, another really bizarre case. It’s like being charged for turning the newspaper to a secret page which you aren’t supposed to read but if you read it then you’re in trouble.

Don’t Hit F12

And finally there’s the case of the kid that got arrested for reporting a bug around two years ago. Basically the Budapest Transport Authority wrote their online payment system to be a piece of junk with no server-side validation of their prices. So the “hacker” was fiddling around in the browser’s developer tools and changed the prices on the page, which let him buy tickets for cheap (anyone with even a moderate knowledge of how the web works could do this). He then reported his findings to them which, drumroll, guess what? It got him arrested.

On or about July 14 an unnamed 18-year-old — “The boy is nobody. He’s not even a programmer,” said one Hungarian who wished to remain anonymous — emailed BKK about a hole he found in their system. The hole, if it can be called that, let anyone with passing knowledge of modern browsers to set any price they wanted for any ticket in the system. By simply pressing F12 a “hacker” could change the price of a ticket right in the browser, and because there were no server checks, they could purchase the ticket at that price. The 18-year-old “hacker” discovered this and showed BKK that he was able to buy a monthly ticket. “A monthly pass costs 9500HUF (about 30EUR) and he modified the price to 50HUF,” wrote Laszlo Marai in his post on the attack.

Yay for doing the right thing huh? This one is arguably slightly more malicious but he did disclose it. I guess the moral of the story is that it never pays to do the right thing, never go full white-hat.
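For contrast, here is what the missing server-side check amounts to. This is an added example, not BKK's code and not part of the original post. The function names, product ids, quantity limit and the single-ticket price are hypothetical; the 9500 HUF and 50 HUF figures are the ones quoted above.

```javascript
// Authoritative price list, kept on the server. Constructed sample data;
// only the 9500 HUF monthly pass figure comes from the quoted article.
const CATALOG = new Map([
  ["monthly-pass", { name: "Monthly pass", priceHuf: 9500 }],
  ["single-ticket", { name: "Single ticket", priceHuf: 350 }], // constructed value
]);

// The flawed pattern described above: the amount charged is whatever
// price field arrived in the request.
function checkoutTrustingClient(order) {
  return { ok: true, charged: order.priceHuf * order.quantity };
}

// The corrected pattern: the client may name a product and a quantity,
// nothing more. The price is looked up server-side. A client-supplied
// price that disagrees is rejected and recorded, so nobody is charged
// an amount different from the one the server considers valid.
function checkoutValidated(order, auditLog = []) {
  const item = CATALOG.get(order.productId);
  if (!item) {
    return { ok: false, error: "unknown product" };
  }
  const qty = order.quantity;
  if (!Number.isInteger(qty) || qty < 1 || qty > 10) {
    return { ok: false, error: "invalid quantity" };
  }
  if (order.priceHuf !== undefined && order.priceHuf !== item.priceHuf) {
    auditLog.push({
      event: "price_mismatch",
      productId: order.productId,
      claimed: order.priceHuf,
      expected: item.priceHuf,
    });
    return { ok: false, error: "price mismatch" };
  }
  return { ok: true, charged: item.priceHuf * qty };
}

// Constructed request body carrying the altered price from the quote.
const tampered = { productId: "monthly-pass", quantity: 1, priceHuf: 50 };

const audit = [];
console.log(checkoutTrustingClient(tampered));   // charges the client's figure
console.log(checkoutValidated(tampered, audit)); // rejected, logged in audit
```
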

Responsibility and Blame

One thing all of these cases have in common is that, in my opinion, they should never even have been a thing. I’d think most people will agree with this, especially fellow programmers and technically able people who understand what’s going on.

It almost seems like someone who had very little idea of how the technology works was deciding how to take action. Personally I don’t bother to report bugs anymore; disclosing a bug “responsibly” to a company is quite an annoying and time-consuming process. Cases like these don’t exactly make me eager to pay attention to any bugs either, when the person finding the issue is the one who ends up being blamed for a company’s blatant fuck-ups.