Hackers aquitted because of welcome message on server

I have been studying information security. A common anecdote I have read many is that hackers broke into the server of a college and did a lot of damage. When they ended up in court, they went free because the first thing they saw was the word “Welcome”. Is this true? If so, when and where did it happen?

Uh, you’re going to have to explain this better.

Supposedly, the hackers saw a message like “welcome to our system” after they broke in. The court ruled this meant that they were free to enter and do what they wanted.

That seems rather insane. If I have a welcome mat on my front step that doesn’t mean you can just come on in and do whatever you like in my house.

I’ve heard this before. Basically, the idea is that the welcome message basically said “welcome to our system” instead of “Unauthorized use prohibited” or something along those lines. The story is featured in several books and training manuals. It’s always just an anecdote, though. I’ve never seen the specific case that this supposedly refers to.

I suspect that the real story was more along the lines of someone hacking into a system, and was then prosecuted for unauthorized access, and got off because the welcome message said “welcome to our system” as if anyone was welcome to use it instead of saying “unauthorized use prohibited”. All of the stuff about the hacker then wreaking havoc on their system could easily just be an embellishment of the truth.

I’ve heard this story as happening back during the day when cyber security was an unlisted number on your modem line, with no user ID or password required. If you knew the phone number (or guessed it), you were in. So, no hacking or subterfuge, just dial in and have fun.

While some aspects of law can seem ridiculous at times, in general it follows a standard of reasonableness. I feel quite confident saying there’s no way this happened. To take Raygun99’s thought a bit further, a sign that says “Welcome to our home” inside your house doesn’t mean that once a burglar is inside reading the sign he has legal freedom to damage and/or steal stuff.

I’m a security guy, and that story seems unlikely to me. A cursory Googling suggests it is probably an urban legend.


(Too much a pain in the ass to copy and paste it on my phone, but the gist is that it calls the story an urban legend.)

I find it hard to believe, if only because I know a whole lot of sites that welcome you to the site. Why would they still be doing this? If there were such a precedent, wouldn’t we see stuff about unauthorized use all the time?

Heck, when I log in here, I get a welcome message. When I log into my computer, I see a Welcome message.

Unless it’s something that used to be true, or a one-off case where there are more details than we have now. (Like the unauthorized user had reason to think they were allowed to use it–that the server had been set up for public use. Kinda like how you can use open Wi-Fi–hence no one using it anymore.)

You get welcome messages here and other front-end sites because you ARE welcome and there is very little, if any, access to the back-end systems. When you log onto back end stuff, you will certainly see “unathorized access not permitted” type of warnings.

Yeah my VPS linux login prints out a rather long legal boiler plate in all caps **** CEASE AND DESIST **** etc etc. What I can believe might have happened is that there may have been a university shared unix system where the user had an account already and used an exploit to gain root access. Police may have declined to prosecute in such a case, especially if it was in the 90s when they really didn’t take computer crime very seriously. There was plenty of shared unix systems used by comp sci students around 1992-1995 where this might have happened

This story goes back a lot further.

The risks digest has it here, with a followup here.

Neither are what you would call a solid citation.

The default VMS login screen did simply say “Welcome to VAX/VMS version x.x” So there were a lot of machines back then that did welcome users.

I’ve heard so many of these stories where people get off on a technicality, or even get to sue the victim, and so far every time it’s turned out to be a myth or massively embellished.

In this case the origin is still a little up for grabs, so I’ll make a guess as to what happened (assuming there is a real case): accidental hacking.
Some user(s) were granted privileges they were not supposed to have, they did damage but were able to plausibly claim no malicious intent, and that they were just trying out some of the functionality available. This seems like something that could happen and could, after chinese whispers, become “The bad guys got off because of a welcome message”.

My impression has always been that these kinds of things aren’t ‘someone went to trial and got off on a technicality,’ which leaves a big easily verifiable record. Instead, it’s more like ‘when we were trying to get the police or FBI to look into or prosecute the guy, they said they couldn’t do anything because we said ‘welcome’’ or ‘our lawyer didn’t think we could really sue this guy because of a variety of things including the welcome message, so we settled, and now we have this message to prevent that from happening’. I would be surprised if there was a trial where something like this was a major point in getting a not guilty verdict, because there are so many other steps along the way before you get to a trial. Also, putting a ‘no authorized access’ message on a login screen has almost zero cost, so it doesn’t really need a really strong justification to make it into a company or IT group’s SOP.

God I hated VAX systems. The old Cyber or the newer Cray were great. As were the Sun SGIs.

But VAX?

God I hated that POS.

In my imagining, the welcome message may have come up during a trial or investigation as an incidental point, and got re-imagined after the fact as the most important part, perhaps by the party unsatisfied with the outcome to make the process seem silly.

Like how the twinkie defense translated from “my client was depressed at the time, as is evidenced by his switching from being a healthy eater to eating twinkies all the time” to the much less reasonable “the twinkies drove my client crazy” in the retelling.

Prior to 1978, there were no computer crime laws in the United States (Florida adopted the first legislation that made it a crime to access a network without authorization that year, and the Feds followed with the Computer Fraud & Abuse Act in 1986).* The Florida law reads:

Unfortunately, the state never defined “authorization” (and no Florida case ever has either). The federal law and almost every state computer crime law were based on the Florida law, but the federal legislative history makes it clear that the federal crime was intented to be analogous to “electronic trespass.” Authorization is a well-defined issue in the trespass context, so at that point a definition was not hard to find.

The point is that somebody may well have hacked a computer system prior to 1986 and gotten away with it because of the murky “authorization” issue. But not because the system said “welcome.” You can’t claim authorization after the fact.

If anyone is interested in the history of the law in this field, I recommend Orin S. Kerr, Cybercrime’s Scope: Interpreting “Access” and “Authorization” in Computer Misuse Statutes, 78 N.Y.U.L. REV. 1596 (2003). Or my own slightly less authoritative magnum opus. :wink:

*There had been some prosecutions prior to 1978 for computer crimes, but they were “traditional” crimes like theft which just happened to have been done with a computer.

On a related note, I have always asserted that the recorded message “This call may be recorded for quality control purposes” gave me permission to record the call. It does say it may be recorded, after all.