The second person involved in the purported hacking of the Istana website has been convicted. As you recall, this hack involved a Cross-Site Scripting attack (XSS) on the Istana website. Two persons were charged. The other was already convicted early last month.
The ordinary layperson may not understand the issue at hand. I’ll tell you that people in the IT security community, or in fact any person with an appreciable understanding of web security, have been puzzled by the fuss over this hack, and by the preposterousness that it could be carried to court and result in a conviction.
Let me explain this to you. I know many people may have tried looking up definitions on the web. They are not wrong, but they don’t put the purported Istana hack into the right context. Classically, XSS is described as an attack on a vulnerable website such that the attacker causes the website to display unintended content, or to perform unintended actions against other visitors to the site.
This classical definition already makes it pretty clear that the vulnerable website is not actually attacked. However, security experts do consider this a security problem that vulnerable websites ought to fix.
Now, what is the deal with the Istana website hack? The above standard definition doesn’t make plain enough how absurd the situation is. So let me give you an analogy based on real-world principles that are easier to grasp.
I give you a pair of special goggles. When you use my special goggles to look at the Istana, the property appears old, dirty, and vandalised. It’s only an imaginary image that you perceive when you look through these special goggles. The actual Istana is perfectly fine, completely untouched. No one else can see this, except when I give them these goggles to use.
Has a crime been committed? Is there vandalism on any property? Has there been any sort of security breach? Damage? Intrusion?
The two convicted persons were involved in posting a link that, if followed by a visitor, would show them the Istana website in their browser in a manner that appears to be vandalised.
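To make the mechanism concrete, here is an added illustration that is not part of the original post: a page that reflects a URL parameter into its HTML without escaping, beside the escaped version, and a check that tells the two apart. The parameter name `q`, the `<h1>` template and the sample value are all constructed for this example; nothing here is taken from the Istana site.

```python
"""Reflected XSS: the vulnerable echo beside its escaped form (added example)."""
import html
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample query value. If a server pastes this into its HTML
# verbatim, the visitor's browser renders it as markup, so the page *looks*
# altered for that visitor only. The server's own pages are untouched.
SAMPLE_INPUT = '<b style="color:red">VANDALISED</b>'

# Hypothetical template: the only tag the page itself is supposed to contain.
TEMPLATE = "<h1>Results for: {}</h1>"


def render_unescaped(search_term: str) -> str:
    """Vulnerable: the visitor-supplied value is interpolated straight into HTML."""
    return TEMPLATE.format(search_term)


def render_escaped(search_term: str) -> str:
    """Hardened: HTML-escape first, so '<', '>', '&' and quotes become character
    references and the value is displayed as text rather than parsed as markup."""
    return TEMPLATE.format(html.escape(search_term, quote=True))


# An opening tag: '<' optionally followed by whitespace, then a letter.
# Closing tags ('</h1>') do not match because '/' is not a letter.
TAG_RE = re.compile(r"<\s*[a-zA-Z]")


def injected_tag_count(rendered_html: str) -> int:
    """Defender's check: how many opening tags appear beyond the template's own <h1>?
    Zero means the visitor-supplied value introduced no markup."""
    return len(TAG_RE.findall(rendered_html)) - 1


def reflected_value_from_url(url: str, param: str = "q") -> str:
    """Extract the parameter carried by a visitor's link, as the server would."""
    return parse_qs(urlparse(url).query).get(param, [""])[0]


if __name__ == "__main__":
    # Constructed link: the value travels in the visitor's own URL, not on the server.
    value = reflected_value_from_url("https://example.invalid/search?q=" + SAMPLE_INPUT)
    for label, page in (("unescaped", render_unescaped(value)),
                        ("escaped", render_escaped(value))):
        print(f"{label:10s} injected tags = {injected_tag_count(page)}  ->  {page}")
```

The escaped output contains `&lt;b ...&gt;VANDALISED&lt;/b&gt;`, which the browser shows literally as text, so nothing about the page's appearance changes. Escaping is specific to the HTML body context; a value placed inside an attribute, a URL or a script block needs the encoding appropriate to that context, and a Content-Security-Policy header is the usual second layer for the case where an escape is missed.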
I’m no lawyer, and I suppose there must be a good reason why I’m not one. I just cannot understand how those two persons could be convicted for the purported XSS trickery. I don’t even want to call it an XSS attack. It’s nothing more than a magician’s trick. Please, any lawyers, explain the logic to me.
Convicted for unauthorised access to the web server? Defacement of the webpage?
I wonder, should David Copperfield be convicted for the theft of the Statue of Liberty?
If anyone was guilty of any crime, it’s the incompetent people that made the XSS trickery possible in the first place. But no, seriously, I don’t think it’s their fault either.
Sometimes, I seriously worry about our ability to fight cybercrime.
Perhaps there is a sensible explanation in all this. Some pertinent detail has been left out that we’re not privy to. Maybe.
Well, saying that the web site is “hacked” is more sensational than reporting the relatively harmless truth. Or maybe the press and/or journalists involved should be sued for misreporting too.
Per the David Copperfield example, he got permission from the New York authorities before his magic event, which the authorities granted with the expected understanding that they would get good publicity out of it. Doubt it applies in this case lol.
Thanks for giving a clear explanation, ZS. I’m no lawyer, but one way to argue is that it is a crime to deceive the viewer. If I wear your goggles, I am fully aware that the goggles will alter my perception of the Istana; I have not been deceived. Same with the audience watching Copperfield: they were not deceived because they expected magic. But in the XSS attack, the website viewers did not know they were not looking at the “real thing”. This ignorance creates the deception. Thus the crime is the creation of this deception, however it was done, to mislead people.