The ordinary layperson may not understand the issue at hand. I’ll tell you that people in the IT security community, or in fact anyone with an appreciable understanding of web security, have been puzzled by the fuss over this hack, and by the preposterousness that it could be carried to court and result in a conviction.
Let me explain this to you. I know many people may have tried looking up definitions on the web. They are not wrong, but they don’t put the purported Istana hack into the right context. Classically, XSS is described as an attack on a vulnerable website whereby the attacker causes the website to display unintended content, or to perform unintended actions on behalf of other visitors to the site.
This classical definition already makes it pretty clear that the vulnerable website is not actually attacked. However, security experts do consider this a security problem that vulnerable websites ought to fix.
Now, what is the deal with the Istana website hack? The standard definition above doesn’t make plain enough how absurd the situation is. So let me give you an analogy based on real-world principles that are easier to grasp.
I give you a pair of special goggles. When you use my special goggles to look at the Istana, the property appears old, dirty, and vandalised. It’s only an imaginary image that you perceive when you look through these special goggles. The actual Istana is perfectly fine, completely untouched. No one else can see this, except when I give them these goggles to use.
Has a crime been committed? Is there vandalism on any property? Has there been any sort of security breach? Damage? Intrusion?
The two convicted persons were involved in posting a link that, if followed by a visitor, would show them the Istana website in their browser in a manner that appears to be vandalised.
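To make the “goggles” concrete for readers who want to see the mechanism rather than the analogy: below is an added example, written for this post and not taken from the Istana website or from any court material. It models a page that echoes a search term from the link’s query string back into its HTML. The first function shows the defect that makes reflected XSS possible (the term is pasted into the markup verbatim, so a crafted link controls what the visitor’s browser renders); the second shows the fix the site owner should have had (HTML-encoding the untrusted value before it goes into the page). The hostname `example.invalid`, the `q` parameter and the `<b>` markup are all constructed for the demonstration.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed page template: the site reflects the "q" parameter into its HTML.
PAGE_TEMPLATE = "<html><body><h1>Search results for: {q}</h1></body></html>"

# Constructed sample link: the query string carries HTML markup, nothing is
# sent to the server except this URL. The server itself is never modified.
SAMPLE_URL = "https://example.invalid/search?q=" + quote("<b>not the real page</b>")


def _query_param(url, name):
    """Return the first value of a query parameter, or an empty string."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url):
    """The defect: the untrusted value is placed into the markup verbatim.

    Any markup in the link is therefore rendered by the visitor's browser as
    if it were part of the site. This is the 'goggles' of the analogy.
    """
    return PAGE_TEMPLATE.format(q=_query_param(url, "q"))


def render_hardened(url):
    """The fix: HTML-encode the untrusted value before it enters the markup.

    html.escape turns <, >, &, " and ' into entities, so the browser shows the
    attacker's text as literal characters instead of interpreting it as tags.
    """
    return PAGE_TEMPLATE.format(q=html.escape(_query_param(url, "q"), quote=True))


def reflects_raw_markup(document):
    """Defender's check: does the rendered page contain the injected tag as a tag?"""
    return "<b>" in document


if __name__ == "__main__":
    print("vulnerable :", render_vulnerable(SAMPLE_URL))
    print("hardened   :", render_hardened(SAMPLE_URL))
```

Running it shows the vulnerable rendering containing `<b>not the real page</b>` as live markup, while the hardened rendering contains `&lt;b&gt;not the real page&lt;/b&gt;`, which the browser displays as plain text. Note that in both cases the server’s stored content is untouched; the only thing that changes is what a visitor who follows the crafted link sees, which is exactly the point of the analogy. Modern templating engines do this encoding automatically; the defect arises when a page concatenates strings by hand, as the vulnerable function does.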
I’m no lawyer, and I suppose there must be a good reason why I’m not one. I just cannot understand how those two persons could be convicted for the purported XSS trickery. I don’t even want to call it an XSS attack. It’s nothing more than a magician’s trick. Please, any lawyers, explain the logic to me.
Convicted for unauthorised access to the web server? Defacement of the webpage?
I wonder, should David Copperfield be convicted for the theft of the Statue of Liberty?
If anyone was guilty of any crime, it’s the incompetent people that made the XSS trickery possible in the first place. But no, seriously, I don’t think it’s their fault either.
Sometimes, I seriously worry about our ability to fight cybercrime.
Perhaps there is a sensible explanation for all this: some pertinent detail was left out that we’re not privy to. Maybe.