The author recounts their experience in an Illinois court fighting for access to public records pertaining to the state's Freedom of Information Act (FOIA) request portal. They discovered and reported a SQL injection vulnerability in the portal, which the state acknowledged but failed to fix promptly. After repeated denials of their FOIA requests related to the vulnerability's remediation, they sued. The judge ultimately ruled in their favor, compelling the state to fulfill the request and highlighting the absurdity of the situation: having to sue to get information about how the government plans to fix a security flaw in a system designed for accessing information. The author concludes by advocating for stronger Illinois FOIA laws to prevent similar situations in the future.
Chicago is offering an unusual investment opportunity tied to the future revenue of its first casino, the Bally's Chicago casino. Investors can buy a "Chicago Casino Bond" that pays a variable rate based on a percentage of the casino's adjusted gross receipts. While offering potentially high returns, the investment carries significant risk as casino revenue is unpredictable. Factors like competition, economic downturns, and the casino's management could impact payouts, and there's no guarantee of principal return. Essentially, it's a bet on the long-term success of the casino itself.
HN commenters are skeptical of the investment opportunity presented, questioning the projected 16% IRR. Several point out the inherent risks in casino ventures, citing competition, changing regulations, and the reliance on optimistic revenue projections. Some highlight the unusual nature of the offering and the lack of transparency surrounding the investor's identity. The overall sentiment leans towards caution, with commenters advising a thorough due diligence process and expressing doubts about the viability of such a high return in a saturated market like Chicago. Some also suggest exploring publicly traded casino companies as a potentially safer alternative investment in the sector.
Summary of Comments ( 370 )
https://news.ycombinator.com/item?id=43175628
HN commenters generally praise the author's persistence and ingenuity in using SQL injection to expose flaws in the Illinois FOIA request system. Some express concern about the legality and ethics of his actions, even if unintentional. Several commenters with legal backgrounds offer perspectives on the potential ramifications, pointing out the complexities of the Computer Fraud and Abuse Act (CFAA) and the potential for prosecution despite claimed good intentions. A few question the author's technical competence, suggesting alternative methods he could have used to achieve the same results without resorting to SQL injection. Others discuss the larger implications for government transparency and the need for robust security practices in public-facing systems. The most compelling comments revolve around the balance between responsible disclosure and the legal risks associated with security research, highlighting the gray area the author occupies.
The Hacker News post "I Went to SQL Injection Court" (regarding the blog post about FOIA issues in Illinois) has several comments discussing various aspects of the situation.
Many commenters focus on the absurdity of the legal arguments and the judge's apparent lack of technical understanding. One commenter highlights the judge's confusion between SQL injection and simply using SQL, pointing out that using SQL isn't inherently malicious. This commenter expresses frustration with the legal system's inability to grasp basic technical concepts, leading to flawed judgments. Another commenter sarcastically suggests that using a web browser constitutes "browser injection" because it involves sending commands to a server, mirroring the faulty logic applied to SQL injection.
Several comments discuss the implications of this case for security research and vulnerability disclosure. Commenters express concern that this ruling could discourage security researchers from reporting vulnerabilities, fearing legal repercussions for simply demonstrating how an exploit works. They argue that this chilling effect could have detrimental consequences for online security. One commenter draws a parallel to medical research, arguing that prosecuting someone for demonstrating a vulnerability is akin to prosecuting a medical researcher for demonstrating how a virus spreads.
Another commenter expresses concern over the reliance on "intent" in determining the legality of security testing. They argue that focusing on intent is subjective and difficult to prove, making it a poor basis for legal decisions in technical matters. This commenter suggests that a more objective standard based on the actual actions taken would be preferable.
Some comments delve into the specifics of Illinois law and the legal arguments presented. One commenter notes the apparent contradiction between the court's ruling and the Illinois Compiled Statutes, suggesting a misinterpretation of the law. Another points out the apparent lack of evidence presented by the prosecution, focusing solely on the method used rather than any demonstrable harm caused.
A few commenters offer practical advice and alternative perspectives. One commenter suggests that using a proxy server could potentially circumvent the legal issues raised in the case. Another commenter offers a more cynical view, suggesting that the prosecution may be motivated more by politics and personal vendettas than a genuine concern for cybersecurity.
Finally, some commenters express broader concerns about the increasing criminalization of security research and the potential for chilling effects on legitimate activities. They advocate for clearer legal frameworks and better education within the legal system about technical matters to prevent similar situations in the future.