Stories with Tag information access

• I Went to SQL Injection Court

  permalink

  Posted: 2025-02-25 18:39:10

  Verbose tl;dr

  The author recounts their experience in an Illinois court fighting for access to public records pertaining to the state's Freedom of Information Act (FOIA) request portal. They discovered and reported a SQL injection vulnerability in the portal, which the state acknowledged but failed to fix promptly. After repeated denials of their FOIA requests related to the vulnerability's remediation, they sued. The judge ultimately ruled in their favor, compelling the state to fulfill the request and highlighting the absurdity of the situation: having to sue to get information about how the government plans to fix a security flaw in a system designed for accessing information. The author concludes by advocating for stronger Illinois FOIA laws to prevent similar situations in the future.

  This blog post, titled "I Went to SQL Injection Court," details the author's experience assisting a journalist, named David, in pursuing legal action against the Illinois State Police (ISP) for improperly denying a Freedom of Information Act (FOIA) request. David's request, which sought statistical information about arrests related to traffic stops, was rejected by the ISP due to security concerns, citing the potential for SQL injection vulnerabilities. The author, possessing expertise in database security, analyzed the ISP's web form and determined that it was indeed vulnerable to such attacks. This vulnerability could allow malicious actors to manipulate the form's input fields to execute arbitrary SQL commands, potentially exposing sensitive data from the underlying database.

  The author then meticulously documented this vulnerability, providing a comprehensive explanation of how it could be exploited. This documentation included specific examples of malicious queries that could be entered into the form, demonstrating the real-world risk associated with the flaw. Armed with this evidence, the author and David proceeded to file a lawsuit against the ISP, arguing that their rejection of the FOIA request based on security concerns was invalid because the ISP's own system was insecure. The crux of their argument was that the ISP could not legitimately cite security concerns as a reason for denying the FOIA request while simultaneously neglecting to address a significant vulnerability in their own system.

  The blog post narrates the court proceedings, highlighting the author's testimony as an expert witness. The author explained the nature of SQL injection and the specific vulnerability in the ISP's web form to the judge. The judge, after considering the evidence and testimony, ultimately ruled in favor of David and the author. The judge ordered the ISP to fulfill the FOIA request, implicitly acknowledging the validity of the author's security assessment and the spurious nature of the ISP's initial rejection. The post concludes by expressing the author’s satisfaction with the outcome, viewing it as a victory for transparency and accountability in government agencies. The author further underlines the importance of robust security practices and emphasizes that genuine security concerns should be addressed proactively rather than being used as a pretext for withholding public information. The case underscores the importance of technical expertise in legal battles surrounding technology and access to information.

  • SQL Injection
  • FOIA
  • Illinois
  • Open Records
  • Government Transparency
  • Data Access
  • Legal Case
  • Court Case
  • Public Records
  • Freedom of Information
  • information access
  • transparency
  • Civic Tech
  • government data

  Summary of Comments ( 370 )
  https://news.ycombinator.com/item?id=43175628

  Verbose tl;dr

  HN commenters generally praise the author's persistence and ingenuity in using SQL injection to expose flaws in the Illinois FOIA request system. Some express concern about the legality and ethics of his actions, even if unintentional. Several commenters with legal backgrounds offer perspectives on the potential ramifications, pointing out the complexities of the Computer Fraud and Abuse Act (CFAA) and the potential for prosecution despite claimed good intentions. A few question the author's technical competence, suggesting alternative methods he could have used to achieve the same results without resorting to SQL injection. Others discuss the larger implications for government transparency and the need for robust security practices in public-facing systems. The most compelling comments revolve around the balance between responsible disclosure and the legal risks associated with security research, highlighting the gray area the author occupies.

  The Hacker News post "I Went to SQL Injection Court" (regarding the blog post about FOIA issues in Illinois) has several comments discussing various aspects of the situation.

  Many commenters focus on the absurdity of the legal arguments and the judge's apparent lack of technical understanding. One commenter highlights the judge's confusion between SQL injection and simply using SQL, pointing out that using SQL isn't inherently malicious. This commenter expresses frustration with the legal system's inability to grasp basic technical concepts, leading to flawed judgments. Another commenter sarcastically suggests that using a web browser constitutes "browser injection" because it involves sending commands to a server, mirroring the faulty logic applied to SQL injection.

  Several comments discuss the implications of this case for security research and vulnerability disclosure. Commenters express concern that this ruling could discourage security researchers from reporting vulnerabilities, fearing legal repercussions for simply demonstrating how an exploit works. They argue that this chilling effect could have detrimental consequences for online security. One commenter draws a parallel to medical research, arguing that prosecuting someone for demonstrating a vulnerability is akin to prosecuting a medical researcher for demonstrating how a virus spreads.

  Another commenter expresses concern over the reliance on "intent" in determining the legality of security testing. They argue that focusing on intent is subjective and difficult to prove, making it a poor basis for legal decisions in technical matters. This commenter suggests that a more objective standard based on the actual actions taken would be preferable.

  Some comments delve into the specifics of Illinois law and the legal arguments presented. One commenter notes the apparent contradiction between the court's ruling and the Illinois Compiled Statutes, suggesting a misinterpretation of the law. Another points out the apparent lack of evidence presented by the prosecution, focusing solely on the method used rather than any demonstrable harm caused.

  A few commenters offer practical advice and alternative perspectives. One commenter suggests that using a proxy server could potentially circumvent the legal issues raised in the case. Another commenter offers a more cynical view, suggesting that the prosecution may be motivated more by politics and personal vendettas than a genuine concern for cybersecurity.

  Finally, some commenters express broader concerns about the increasing criminalization of security research and the potential for chilling effects on legitimate activities. They advocate for clearer legal frameworks and better education within the legal system about technical matters to prevent similar situations in the future.

• Bypass DeepSeek censorship by speaking in hex

  permalink

  Posted: 2025-01-31 19:41:49

  Verbose tl;dr

  The Substack post details how DeepSeek, a video search engine with content filtering, can be circumvented by encoding potentially censored keywords as hexadecimal strings. Because DeepSeek decodes hex before applying its filters, a search for "0x736578" (hex for "sex") will return results that a direct search for "sex" might block. The post argues this reveals a flaw in DeepSeek's censorship implementation, demonstrating that filtering based purely on keyword matching is easily bypassed with simple encoding techniques. This highlights the limitations of automated content moderation and the potential for unintended consequences when relying on simplistic filtering methods.

  The Substack post titled "Bypass DeepSeek censorship by speaking in hex" elaborates on a potential method to circumvent content moderation systems, specifically referencing a hypothetical system named "DeepSeek." The author posits that these advanced censorship mechanisms, which likely employ sophisticated natural language processing and machine learning algorithms, can be tricked by encoding messages in hexadecimal format. The core argument revolves around the idea that while these systems are adept at understanding and flagging problematic phrases or keywords in plain text, they might not be equipped to interpret the same information when presented as a string of hexadecimal characters. Essentially, the hexadecimal representation acts as a camouflage, obscuring the true meaning of the message from the censorship algorithm.

  The author suggests that a user could encode their desired message into hexadecimal, transmit this encoded message, and then rely on the recipient to decode it back into readable text on their end. This process effectively bypasses the content moderation system because the system only "sees" the hexadecimal string, which, in and of itself, is not inherently problematic. The true meaning of the message remains hidden until it is decoded by the intended recipient.

  The post further illustrates this concept with a specific example, encoding the phrase "DeepSeek is watching you" into its hexadecimal equivalent. This example serves to demonstrate the practical application of the proposed method. While the author acknowledges the potential limitations and the possibility that sufficiently advanced systems might eventually adapt to this tactic, they present it as a currently viable workaround for bypassing content moderation. The implication is that this method adds a layer of obfuscation that could be sufficient to evade detection, at least temporarily.

  • Censorship
  • circumvention
  • deepseek
  • hexadecimal
  • Encoding
  • decoding
  • online censorship
  • Free Speech
  • internet freedom
  • privacy
  • Security
  • text encoding
  • digital rights
  • information access
  • Data Encoding

  Summary of Comments ( 320 )
  https://news.ycombinator.com/item?id=42891042

  Verbose tl;dr

  Hacker News users discuss potential censorship evasion techniques, prompted by an article detailing how DeepSeek, a coder-focused search engine, appears to suppress results related to specific topics. Several commenters explore the idea of encoding sensitive queries in hexadecimal format as a workaround. However, skepticism arises regarding the long-term effectiveness of such a tactic, predicting that DeepSeek would likely adapt and detect such encoding methods. The discussion also touches upon the broader implications of censorship in code search engines, with some arguing that DeepSeek's approach might hinder access to valuable information while others emphasize the platform's right to curate its content. The efficacy and ethics of censorship are debated, with no clear consensus emerging. A few comments delve into alternative evasion strategies and the general limitations of censorship in a determined community.

  The Hacker News post titled "Bypass DeepSeek censorship by speaking in hex" with the ID 42891042 has several comments discussing the practicality and implications of bypassing censorship using hexadecimal representation of text.

  Several commenters point out that this method is not a robust solution for bypassing censorship. They argue that any sophisticated censorship system would easily detect and block such obvious encoding. One commenter specifically mentions that converting to hex is a trivial transformation and easily reversible, making it a poor choice for evading censorship. This sentiment is echoed by others who suggest that such a simple encoding would be quickly identified and added to the censorship criteria.

  Another line of discussion revolves around the concept of security through obscurity. Commenters debate whether this method could be considered a form of security through obscurity, and generally agree that it is. They highlight the weakness of such an approach, emphasizing that relying on the censor's ignorance of a simple encoding is not a reliable strategy.

  The discussion also touches upon the broader implications of censorship and the cat-and-mouse game between censors and those trying to circumvent them. One commenter suggests that this highlights the futility of trying to censor information in the digital age, as new methods of bypassing restrictions will continually emerge.

  Some commenters explore alternative, more robust methods of bypassing censorship, such as using strong encryption or steganography. They point out that these techniques are significantly more difficult to detect and block than simple hex encoding.

  A few comments delve into the technical aspects of encoding and decoding hexadecimal strings, including mentioning specific programming languages and libraries that can be used for this purpose.

  Finally, some comments express a degree of amusement at the simplicity of the proposed method, with one commenter ironically suggesting speaking in binary as an even more "secure" alternative. This underscores the general consensus that while encoding text in hex might be a clever workaround in a very limited context, it is not a practical or reliable solution for bypassing sophisticated censorship mechanisms.

• Former tech CEO suing to get the record of his arrest removed from the internet

  permalink

  Posted: 2025-01-26 19:32:53

  Verbose tl;dr

  Former tech CEO and founder of online invitation company Evite, Al Lieb, is suing to have records of his 2016 domestic violence arrest expunged from the internet. Despite charges being dropped and the case dismissed, Lieb argues that the persistent online presence of his arrest record unfairly damages his reputation and career prospects. He's targeting websites like Mugshots.com that publish arrest information, claiming they profit from this information and refuse to remove it even after legal proceedings conclude. Lieb believes individuals have a right to privacy and to move on from past mistakes when charges are dropped.

  In a legal battle that intersects the realms of personal reputation, internet permanence, and the right to be forgotten, a former Chief Executive Officer of a technology company has embarked upon a crusade against the ubiquitous nature of online information. He seeks judicial intervention to expunge from the digital ether any and all records pertaining to his prior arrest. The former executive, whose identity the article refrains from explicitly disclosing, argues that the continued presence of this information online represents an undue burden, unfairly impacting his present circumstances and future prospects.

  The core of his argument hinges on the assertion that the arrest, which did not result in a conviction, constitutes an outdated and irrelevant piece of information that should no longer be readily accessible via online searches. He posits that the persistence of this data online constitutes an ongoing and unwarranted invasion of his privacy, effectively hindering his ability to move forward with his life and career. He contends that the ease with which individuals can access arrest records, regardless of the outcome of the legal proceedings, perpetuates a digital scarlet letter that can stigmatize and unfairly prejudice an individual indefinitely.

  This case raises complex questions about the balance between public access to information and an individual's right to privacy in the digital age. It highlights the challenges posed by the enduring nature of online data and the difficulty of effectively erasing information once it has been disseminated across the internet. The former executive's legal pursuit brings to the forefront the ongoing debate regarding the "right to be forgotten," a concept that seeks to empower individuals with greater control over their online presence and the ability to request the removal of outdated or irrelevant information from search engine results. The outcome of this case could have significant implications for future legal interpretations of this evolving digital right and the broader landscape of online reputation management. Furthermore, the legal action underscores the growing tension between the principles of transparency and the potential for lasting harm caused by the readily available and often-permanent record of past events, particularly in the context of arrests that did not lead to convictions.

  • tech CEO
  • arrest record
  • internet removal
  • Lawsuit
  • right to be forgotten
  • online reputation management
  • privacy
  • public record
  • legal battle
  • digital footprint
  • Censorship
  • Free Speech
  • information access

  Summary of Comments ( 88 )
  https://news.ycombinator.com/item?id=42833193

  Verbose tl;dr

  Hacker News commenters largely discuss the legal and ethical implications of attempting to remove public arrest records from the internet. Several express skepticism about the plaintiff's chances of success, citing the importance of public access to such information and the established difficulty of removing content once it's online (the Streisand effect is mentioned). Some debate the merits of his arguments regarding potential harm to his reputation and career, while others suggest alternative strategies like focusing on SEO to bury the negative information. A few comments highlight the tension between individual privacy rights and the public's right to know, with some arguing that the nature of the alleged crime should influence the decision of whether to unseal or remove the record. There's also discussion about the potential for abuse if such removals become commonplace, with concerns about powerful individuals manipulating public perception. A common thread is the acknowledgment that the internet has fundamentally changed the landscape of information accessibility and permanence.

  The Hacker News post discussing the article about a former tech CEO attempting to remove his arrest record from the internet generated a substantial discussion with a variety of viewpoints. Many commenters focus on the implications of such a legal action and the potential ramifications for freedom of information and the right to be forgotten.

  Several commenters express skepticism about the CEO's chances of success, citing the established difficulty of removing information from the internet and the public's right to access public records. They argue that the legal system is designed to ensure transparency and accountability, and that attempting to erase one's past actions sets a dangerous precedent. Some point out the irony of a tech CEO, who likely profited from the vastness and permanence of the internet, now seeking to control its narrative.

  Others discuss the ethical considerations of permanently storing and disseminating arrest records, particularly for individuals who were never charged or convicted. They raise concerns about the potential for such records to unfairly impact individuals' lives, affecting their employment prospects, social standing, and overall well-being. Some suggest that a system for expunging or sealing certain records after a period of time might be more appropriate.

  The potential for abuse of such a legal precedent is also a recurring theme. Commenters worry that wealthy and influential individuals could use similar tactics to suppress negative information about themselves, creating a tiered system of justice where the powerful can manipulate the public record while ordinary citizens cannot.

  There's a debate about the scope of the "right to be forgotten." Some argue it should apply only to private information, while others believe it should extend to publicly available information like arrest records, particularly in cases where the charges were dropped or the individual was acquitted.

  A few commenters express sympathy for the CEO, suggesting that everyone makes mistakes and deserves a second chance. They argue that the internet's tendency to permanently record and amplify past errors can be unduly harsh and disproportionate to the offense.

  Finally, some commenters discuss the technical challenges of removing information from the internet, highlighting the decentralized nature of the web and the existence of numerous archives and backups. They point out that even if the original source of the information is removed, copies are likely to persist, making complete erasure practically impossible. This raises questions about the efficacy and enforceability of any legal ruling in the CEO's favor.