I was reading the EVE forums this week and yes, I know how dangerous that can be. You see post after post of good and not so good content.
Something caught my eye and yes, I did respond on the forums. Head over and read this thread: http://www.eveonline.com/ingameboard.asp?a=topic&threadID=884478. Tibalt Avalon wrote:
After Emergency Conditions First War Declaration R.E.P.O. have Been Caught Posting Fake Killmails on Our Killboard. Just a Heads Up for Future Reference to Corporations these Guys are and do Post Fake Mails.
I’ve Reported the On Our End to our Web Hosts but R.E.P.O’s Childish Move should be Made Public, don’t know if anyone else has had the same problem with them. Kinda Sad to be Honest.
Fake Kill Mail Example:
http://img294.imageshack.us/my.php?image=repofakeen7.jpg
Now, there is always smack talk between organizations that are at war with each other and to be honest, I have been a fan of R.E.P.O. from well before their alliance days.
But this is disturbing to me as the first response on this thread was from R.E.P.O. and what is said made me blink. Hans Gates from R.E.P.O. wrote:
I shouldn’t even reply to this, but this guy seems to want to question REPO’s reputation.
Your killboard has/had a blank password. WTF…
Our guys seemed compelled to update the board with actual kills, since you don’t seem to post losses.
I’m sure one of my guys posted the kill on your killboard, who wouldn’t screw around with a web site that had a blank password.
Anyways, last thing I need to do is try to defend our rep from you. I’m sure we have enough peeps to vouch for us without your lack of forward thinking about passwords and such trying to attack our reputation.
Now for the smack talk, I did call this guy a moron repeatedly in public chat. (ha beat ya to the smack accusations!)
Fly Safe and Good Fights.
I can understand the frustration of a mercenary organization not seeing loss mails posted by their target, but, in case you did not see it, Hans admits that they actually posted kills on someone else’s killboard, without the owner’s permission. I read further along and Magus Nebula admits to posting kills on their target’s killboard:
I will admit I Did post most of all the legitimate killmails on your board, funny to note how all those were deleted too! And funny no losses at all in your corp, hmmmmm, trying to frame us maybe? but none of that matters, i will be editing this post to reflect everything you have lost to date from us, so the rest of the peeps here can see.
REPO 41 Kills – Emergency Condition 1 Kills
Ixoz – Reaper (Emergency Condition)
Ixoz – Retriever (Emergency Condition)
Jinmei Sang – Brutix (Emergency Condition)
Ngaro – Hurricane + POD (Emergency Condition)
Jinmei Sang - Thorax (Emergency Condition)
EbonWanderer – Condor + POD (Emergency Condition)
Ardaeik Marconea – Ferox + POD (Emergency Condition)
Aurther Haden – Jaguar (Emergency Condition)
Arktour – Rupture (Emergency Condition)
Fionnlagh - Rupture (Emergency Condition)
Aurther Haden – Hound + POD (Emergency Condition)
Jinmei Sang – Thorax (Emergency Condition)
Callus Rem – Cyclone + POD (Emergency Condition)
BY1 – Hurricane + POD (Emergency Condition)
EbonWanderer – Ibis + POD (Emergency Condition)
Jinmei Sang – Thorax (Emergency Condition)
Callus Rem – Rifter + POD (Emergency Condition)
IngenCor – Dominix + POD (Emergency Condition)
Malekev - Hound + POD (Emergency Condition)
Oaack – Tristan + POD (Emergency Condition)
EbonWanderer – Cormorant + POD (Emergency Condition)
Noob Bait – Scorpion + POD (Emergency Condition)
Aurther Haden – Hound + POD (Emergency Condition)
Ardaeik Marconea – Blackbird + POD (Emergency Condition)
Ardaeik Marconea – Drake + POD (Emergency Condition)
Magus Nebula – Arbitrator (REPO)
Hacking a person’s website, no matter how soft the security may be, is still a crime. Updating their target’s killboard to reflect the actual outcome of a battle does not justify breaking the laws concerning computer security.
There is no justification in the real world for changing the content of another person’s website without their permission. R.E.P.O. should have stuck to simply updating their own killboard and called them out on the forums for not posting their loss mails.
The only formal statement I could find from CCP was by CCPStevieSG:
Moved to crime and punishment from Corp and Alliances summit- StevieSG
Seriously, that’s all? The thread was moved. Does CCP condone the hacking of a website of another player organization? I would hope not, but we have not seen anything positive so far.
Many of us remember the Ginger Magician incident, where real world threats were made in game. R.E.P.O. has done something similar here, they have admitted to hacking a website, on the forums.
I’ll be keeping an eye on this one as it sets a dangerous precedent. I know that CCP can not be the police for the entire world, but they need to make a statement that they do not condone such real world harassment and hacking of another player organization’s website.
Additional commentary added 10-23-2009:
I must extend a healthy thank you to everyone who has commented here on this article so far. I do enjoy a good debate and for everything that has been contributed I am thankful. Given what I have seen in the comments here, the comments on the thread on the EVE forums and the various communications I have received both in and out of game, I am left a bit puzzled.
Many people seem not to make the distinction as to what constitutes an illegal act. It seems that people only think something is illegal if they can be caught and punished and/or if damage was done.
If you are driving your car and you are exceeding the speed limit, does the fact that you are violating the traffic laws become less illegal if the cop behind you does not pull you over and issue a speeding citation?
Does something become less illegal if you are not punished for breaking that law? Does it become less illegal if you are not caught? In reality, no, it does not. It just means that you were not held accountable for your actions.
Is this what we have become? Do we honestly believe something is not a crime when the law has been broken but no one was hurt, no damage was done and/or you are not caught?
We have been dancing around many questions on this debate, but the core of the issue is this. Someone put up a website and admittedly did a poor job. They did not engage in good security practices and effectively left the key in the lock on the door. Someone else exploited that weakness to correct an error in data on that website. Someone opened a door that was supposed to be locked, but was not and in reality did no damage, only updated some missing data. The owner of the website was upset that these individuals were able to exploit his poor security and correct an inaccuracy in his data which did cast the owner in a poor light, but justly so as we all can agree on that one point.
Was this act of updating a crime? Under the laws we have discussed here, yes. Is this crime one for which these people should be punished? That is a question that should be left to a judge if it were to go that far, however unlikely. A slap on the wrist for exploiting weak security on a website is enough in my mind and honestly, the slap they received on the EVE forums should suffice in this observer’s opinion.
Should CCP take any action against these individuals? Only in so far as the EVE Online terms of service allow, which in this case amounts to simply talking about an illegal act they committed, which if I am not mistaken, would be a simple forum ban for a few days. Given that this original thread is over a year old, I would be willing to wager that too much time has gone by for that to be done now if it had not already been done. CCP is usually pretty good about that sort of thing.
I will be leaving the comments on this post open for the time being as I know that there are people who still wish to weigh in. Something to note, I have not approved 2 comments that were submitted, both of which were abusive in nature and for the record, one did support my arguments here.




October 22nd, 2009 at 5:41 pm
This isn't "hacking" or intrusion of any sort. One could alternately view this as a web site that allows posting by the public, and it so happens that the site owners decided (after the fact) that they didn't like all the content posted by the public.
And CCP has absolutely zero jurisdiction here. The devs getting involved in disputes totally outside the game and their web sites would set an even more dangerous precedent.
(I don't know any of the individuals or corps involved in this incident, just a friendly response to the post about the general principles involved)
October 22nd, 2009 at 5:42 pm
Exploiting rubbish security isn't hacking.
October 22nd, 2009 at 5:45 pm
They didn't even have rubbish security. They specifically chose NOT to require even a password, from what I read. If they had done that much, then my opinion would probably reverse.
October 22nd, 2009 at 5:45 pm
So, if you left your door to your home unlocked and open, I go inside and steal all your stuff, that is not a crime?
October 22nd, 2009 at 5:51 pm
I agree with you to a point. Displaying information on a website is a public function. Read this, The Computer Fraud and Abuse Act (http://www.panix.com/~eck/computer-fraud-act.html... (1) having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation, willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
Put simply, accessing a website for the purpose of reading the content is very much a public thing, but accessing the website's restricted section with permission and altering the content is a crime.
Would you feel the same way if someone changed the content on your blog? I don't think you would.
CCP can't be the police for the world, but they have an obligation here to take action against the two people who admitted to acts of computer fraud and abuse on their forums.
October 22nd, 2009 at 5:57 pm
I'm very very very familiar with the CFAA because it forms a large part of the core of my RL job.
My point is that, if they haven't established a password, then they have a hard case to make that authorized access was exceeded or that the section was restricted.
If somebody changes the contents on my blog (or, to make the comparison more apt, adds posts), then they will by necessity have bypassed a number of security measures. To me, this is more like posting new threads on a public forum.
October 22nd, 2009 at 5:57 pm
Not a good comparison. What data was stolen or erased? If you go in my house and leave some extra books in my shelves, it might be kinda weird, but you didn't steal anything.
October 22nd, 2009 at 5:58 pm
Again, it's the old unlocked door on a bank vault argument. If the door is unlocked, is it a crime to go into the vault and take the money?
The fact that the door is unlocked or the password was blank is not the issue here, the issue is that people who were not in that player organization altered the content of the website. R.E.P.O. had no legal right to change content on a website that did not belong to them.
October 22nd, 2009 at 6:01 pm
Yes and no. The case comes from the people who admitted to making the changes to the data and the statement made by the website owner.
Owner: You don't have permission.
Website content changers: We did it.
October 22nd, 2009 at 6:03 pm
Not stolen and not erased, altered. They changed the killboard data. The fact that they put in valid data is not the issue, they were not authorized by the owner to make those changes.
I'll change my example. You left your door to your home unlocked and I changed the paint on the walls. Perhaps I spray painted obscene remarks on the walls in a color that you do not like.
We are not talking about theft here, we are talking about vandalism.
October 22nd, 2009 at 6:03 pm
Am I hacking your blog by reading the posts and commenting here?
No, because you have made it public and enabled a form to allow people to add content to it. Their KB is the same. If you don't want anyone to comment (or even see the post outside a small group), you can enable functions to close posts or restrict their viewing.
If they'd gone into the KB administration and changed options, or (worse) posted AS a member of the corps in question, that would cast much more doubt on them.
October 22nd, 2009 at 6:12 pm
But that was after the fact. At the time they made the posts, did the site have anything indicating that they didn't want the public posting KMs? Because, in my professional opinion, putting a killboard online with no authentication whatsoever equates to providing a computer service to the public for the purpose of discussion. I cannot imagine any prosecutor choosing to pursue this case in good faith, given the facts as we know them.
(IANAL but I am a licensed investigator working in computer forensics and incident response.)
October 22nd, 2009 at 6:18 pm
No, you are not hacking by reading and commenting, but notice that you have to have an account with IntenseDebate. Access to post comments is restricted and you are using authorized credentials to make authorized alterations to the content of this website.
In essence, you are authorized to alter the content here. That was not the case with these poor souls' killboard.
October 22nd, 2009 at 6:24 pm
Unlike what they can do about in-game events (such as RL threats being made in a chat) where they own the data and can verify it, CCP has no way to prove the truth of what really happened here regardless of what either side claims. They neither can act nor should act, considering they have no jurisdiction outside the digital spaces that they own and because there is always room for doubt where you are unable to verify facts.
Was it wrong to take advantage of the lack of security and modify someone else's killboard? Of course. Should legal action be taken against the guilty parties? No. It was game data; no one was hurt in real life by this situation. Had it been personal RL data, I would feel differently.
October 22nd, 2009 at 6:25 pm
It appears that they had simply left the password blank. Given the nature of killboards in EVE, most people do NOT give full public access to posting data, R.E.P.O. included.
Would a prosecutor have a case? That I must agree is questionable although we do have confessions from two of the individuals who made the alterations to the content. At most, it would be a misdemeanor charge of computer vandalism.
October 22nd, 2009 at 6:30 pm
The confession isn't what would give the prosecutor cause; it's the question of whether a crime was committed at all.
By the way, if I wasn't clear, I enjoyed this discussion with you tremendously. Not often do I get to think about my professional issues in an EVE context!
October 22nd, 2009 at 6:31 pm
If somebody had allowed personally identifiable information (PII) to be accessible by the world with no security controls on it at all, then the site administrators would be in real trouble. Possibly not a criminal violation but they would definitely have substantial civil liability.
October 22nd, 2009 at 6:37 pm
I would normally agree with you and having been down this road myself before I am a bit aware of what CCP can legally do. I think you remember that fun I had with a certain someone calling me at home and threatening to rape my wife. CCP had no legal options available to them as it occurred outside of the game and nothing happened on their servers.
This situation is a mix of both worlds however. Go back to the thread. CCP does own the data that can verify the event. It's on their forums. "Magus Nebula: I will admit I Did post most of all the legitimate killmails on your board…" CCP has the "confessions of the guilty parties" if you will, on CCP's own forums. No need to look at data that they don't own, they have everything already.
October 22nd, 2009 at 6:45 pm
The question about whether or not a crime was committed would ultimately fall to jurisdictional context. Here in Georgia in the USA, the persons who did this would be charged with "website vandalism" and changing content on a website without authorization of the owner is a crime.
If you have noticed, your rep on IntenseDebate should be going up. I've been hitting the thumbs up icons on your comments as I have enjoyed this discussion as well.
October 22nd, 2009 at 7:24 pm
Confessions don't prove the fact
October 22nd, 2009 at 7:34 pm
True, a confession does not prove the facts. If someone confesses a crime to the police, the police investigate as no one person is taken on their word. If that investigation provides credence to the confession in the way of additional evidence, then that person is charged with the crime they confessed to.
CCP needs to speak with all parties involved and confirm if what is on the EVE forums is in fact the truth. I would find it hard to believe that these two people from R.E.P.O. are lying about what they did. I've flown with R.E.P.O. in my time in EVE and I have found them to be some of the more honorable people in game.
This whole turn of events frankly surprises me. Normally when an opponent is failing to post their loss mails, you name and shame them with links to your own killboard showing the stats and you let the community call them out for failing in the ways of e-honor.
October 22nd, 2009 at 7:56 pm
Personal opinion, per what Galen quoted above, what they did was wrong, it does not matter how we interpret it. Letter of the law was violated, no matter what the particulars.
Should CCP do something…..Well, when the banker ran away with the ISK, they were not banned for running away with money in game, they were banned for breaking real life laws, which this does. So, precedent may be considered to be set for this kind of thing. However, does CCP intervening in this contravene the "sandbox" approach they have taken to EVEOnline,…..maybe.
Can CCP do something…. I doubt there is enough hard evidence to even make this worth prosecuting.
I do hope the EVE community makes their evaluation of the rightness or wrongness of these actions felt to the parties involved.
October 22nd, 2009 at 8:23 pm
I understand that mercenaries need to prove their efficiency to their employer. But don't they have their own killboard for that?
I do think it's perfectly cool to complete the data on other non-PW protected killboards… some people just do not think about posting (forgetting or not caring about internet trophies in the first place).
I do also think it's a legitimate choice for a corporation to erase lossmails in order to preserve morale (whatever) or to prevent the casual passersby from knowing everybody's loadout. My personal choice would be full disclosure.
October 22nd, 2009 at 8:52 pm
It's not a crime to add information to a website that invites submissions. If the owner of the website wanted it to be 'secure', then it's their responsibility to put up a password. The fact they didn't could be construed as an invitation to anyone to add information.
The website itself was not 'hacked'. All that happened was that data was added to the website through the established submission process, a valid and public function of the website itself.
A website is not a computer. Crimes against hacking computers do not apply to submitting data onto a website through its public submission process.
There's nothing about what REPO did that's 'illegal'.
October 22nd, 2009 at 9:11 pm
I have to disagree with you there. Altering content without permission of the website owner is vandalism under the law, public access or otherwise.
As for data added to the website, the process was open to the corporation members only as it was a corporate killboard, not a public resource.
So let me understand this point, not securing a website is an invitation to be hacked? I agree that it's stupid to not ensure you are using the correct security for a website, but that "invitation" does not make hacking that website any less illegal.
October 22nd, 2009 at 9:12 pm
Yes, they do have their own killboards. As to why they needed to go further than that, I am not sure.
October 22nd, 2009 at 9:13 pm
Thank you. I am sure that CCP will do what is appropriate concerning this issue.
October 22nd, 2009 at 10:37 pm
But the content of the website is not 'altered'. All that's being done is extra data is being added to the site through the public submission point (which anyone can do if they know the password, or if there's no password enabled). The site is designed to have data added and…. data is thus added. The actual base coding and display of the site was not hacked or changed in any way.
Just because a process was supposed to be for corp members only does not make it illegal in the real world for anyone else to add data as well.
The only real issue here is one of ethics. Was it right for REPO to do what they did? No, it wasn't. Was it a criminal offence? Absolutely not.
October 22nd, 2009 at 11:04 pm
People seem to not be able to grasp the concept that changing content is altering a website just so much as changing the coding on the webpage on a server. Changing the content from what was there to something else is alteration.
I do agree with you that what was done is ethically wrong. The issue of legality however, is mired in the semantics and jurisdictional context.
In the USA, there are laws that allow for the authorities to shutdown owners of mail servers that are used for the proliferation of spam email. In Australia, as you are aware, there are similar laws.
I think one of the issues that is blocking people from seeing the legal issue here is the extent of the 'damage' that was done. Updating a killboard with data (and I will submit that the data added in this case was in fact valid data, but that's not the point) and say entering an unlocked, open door of a person's residence and adding spray paint to the walls do not compare in degrees of severity, however, the law does not provide for that.
It's all about permission to access, whether it be a physical home, a hard drive in your desktop computer or a website running on a server.
Entering a website or a home uninvited, regardless of the door being wide open, is still trespassing.
Here in the USA, a person who enters a password restricted section of a website or a server, without permission of the owner (meaning they are using credentials that were not issued to them) can be charged with the digital version of 'breaking and entering'.
Look, just because all these things are digital in nature, not actual physical things in the real world, does not make the legalities of this any less true. People have a hard time equating the concept of digital property to real property. The principles are the same and in many countries, there are laws that treat such things in the same fashion.
October 23rd, 2009 at 2:09 am
Confirming that OP is an idiot.