Let’s say there’s an event that is exclusive and invitation-only. You sign up via an invitation code sent by email by entering the code on the website. It is free if you are invited and there is no amount of money you can pay to get in if you are not invited.
However, there’s a flaw in the website that allows someone to sign up using any random series of numbers if they select last year’s event instead of this year’s event.
Then they are able to login and switch the date to this year and get on the list.
People would pay at least a few hundred dollars to go if they were not invited by selling the ticket on ebay. Let’s say someone sold several of the tickets to this year’s event on ebay based on the exploit above.
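The flaw described in the opening post is a validation gap: the code is only checked against the current event, and the event bound to an account can be changed afterwards without re-checking. The following is an added example, not code from the site or from anyone in this thread; the event years, the issued codes and the class names are constructed for illustration. It models the weak registrar beside a hardened one that ties every code to the exact event it was issued for and redeems it once.

```python
"""Model of the invitation sign-up flaw discussed above (constructed example).

VulnerableRegistrar reproduces the gap: a code is validated only when the
selected event is the current one, and the account's event can be switched
later without any re-validation.  HardenedRegistrar closes both holes.
"""
from dataclasses import dataclass

# Constructed data: codes issued per event year (assumption; the real site's
# code format and storage are unknown).
ISSUED_CODES = {
    2013: {"A7Q2-9KLM", "ZX31-PP0D"},
    2012: set(),  # assumed: last year's codes were purged after that event
}
CURRENT_YEAR = 2013


@dataclass
class Account:
    email: str
    event_year: int
    code: str


class VulnerableRegistrar:
    """Checks the code only for the current event; past events accept anything,
    and set_event_year() moves the account to the current list unchecked."""

    def __init__(self):
        self.accounts = {}

    def signup(self, email, event_year, code):
        if event_year == CURRENT_YEAR and code not in ISSUED_CODES[CURRENT_YEAR]:
            return False
        self.accounts[email] = Account(email, event_year, code)
        return True

    def set_event_year(self, email, event_year):
        # Flaw: no re-check of the stored code against the new event.
        self.accounts[email].event_year = event_year
        return True

    def guest_list(self):
        return sorted(a.email for a in self.accounts.values()
                      if a.event_year == CURRENT_YEAR)


class HardenedRegistrar:
    """Requires a code issued for the exact event selected, only for events
    that are open for sign-up, and redeems each code once.  Changing the
    event later requires a fresh, valid code for the new event."""

    def __init__(self):
        self.accounts = {}
        self.redeemed = set()  # (event_year, code) pairs already used

    def _valid(self, event_year, code):
        if event_year != CURRENT_YEAR:        # closed events never accept sign-ups
            return False
        if code not in ISSUED_CODES.get(event_year, set()):
            return False
        return (event_year, code) not in self.redeemed

    def signup(self, email, event_year, code):
        if not self._valid(event_year, code):
            return False
        self.redeemed.add((event_year, code))
        self.accounts[email] = Account(email, event_year, code)
        return True

    def set_event_year(self, email, event_year, code):
        # Same check as sign-up: the new event needs its own issued code.
        if email not in self.accounts or not self._valid(event_year, code):
            return False
        self.redeemed.add((event_year, code))
        self.accounts[email] = Account(email, event_year, code)
        return True

    def guest_list(self):
        return sorted(a.email for a in self.accounts.values()
                      if a.event_year == CURRENT_YEAR)


if __name__ == "__main__":
    weak, strong = VulnerableRegistrar(), HardenedRegistrar()
    weak.signup("crasher@example.com", 2012, "0000-0000")
    weak.set_event_year("crasher@example.com", 2013)
    print("vulnerable list:", weak.guest_list())
    strong.signup("crasher@example.com", 2012, "0000-0000")
    strong.signup("guest@example.com", 2013, "A7Q2-9KLM")
    print("hardened list:", strong.guest_list())
```

The point for a site operator is that the check has to be attached to the event the account ends up on, not to the event selected at sign-up time, and that a code should not be reusable; an audit of accounts whose event year changed after creation would also surface the bypass after the fact.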
A buddy of mine was seriously considering offering someone cash to take his ex on a few dates, and spend a few overnights. It was going to be a way to get out of his alimony obligation. He asked his divorce attorney if it would be illegal, and discovered “conspiracy to commit fraud” would likely be among his charges.
A true friend would do that for free…
In fact, some friends are happy to do that before the separation, too.
I suppose if the computer produces what is a valid invite and is accepted as such, then I have trouble imagining how it was produced being illegal. After all, if you open a web page and click on a box that says “please invite me” how is that different? If you show up with a valid invite and they let you in presumably they accept the authenticity of the invite. If the invite was not created by forgery (i.e. by altering a document yourself) then presumably it’s a valid invite.
If the terms of the invite do not say “not transferable” then why would you not be allowed to sell the invite? If it’s for a particular person, and ID is required, then producing false ID might constitute fraud.
Maybe this falls in the same category as “the bank puts $10,000 in my account by accident.” It’s not yours but would there be any charges unless you show you tried to get away with it after you were notified it was not yours?
I presume the purpose of the printed invite was to validate your attendance. If they fail at that, well, then they accepted your presence. Prove that the year change was not accidental; prove that you intentionally committed fraud by changing the year, instead of you assuming you could use last year’s code this year for a valid admission…
At a certain point the doorkeeper system and the bouncer are obliged to actually notify someone they are not welcome. Ignoring those messages could get you charged. Selling as valid, an invitation you know will be invalidated at the door could be considered fraud.
Also, I don’t think that there is any way to turn someone away at the door because the VIPs can give their invites to anyone and they don’t have to give the organization a list of who they will give codes to.
:smack: Damn! I can’t think of its name but I’ll check some statutes. There is a law that might cover this. It was written in response to people who were using fake press pass badges to get into areas they weren’t invited to. But it was also used against some wedding crashers once. It’s not a very old law (10 years?) and I don’t think it’s used very often. I seem to recall it being nicknamed the “fake membership” bill or something like that.
Then how would they know you or your customer was there “uninvited”? The only giveaway would be a surplus of invites, unless they had serial-numbered invites and figured out which invitations were incorrect.
What I meant was that unless there was an extreme overage in the amount of people registered that it would be highly unlikely for them to check prior to the event. The actual codes are not serial numbered. They appear to be random but I am sure there is a pattern in them. The discovery of being “uninvited” would be something determined after the fact if at all.
I still don’t see how this is a crime, unless the “Welcome message” for the site says something like “You are not welcome without a personal code emailed to you” (which of course eliminates transferring the code).
You go to the web site.
You (eventually) enter the correct date for the event.
The web site provides a valid invitation from the event provider.
The invitation is accepted as valid at the door.
Afterwards the inviter finds that some invites were not obtained in the way they wanted people to obtain them.
At a certain point the event provider has to do some sort of due diligence if they really are worried about the attendance issues.
They had plenty of opportunity to fix the problem - fix the web site, read the count of invitations from the web site, scan serial numbers at the door, have security go through the building and find the invalid attendees and ask them to leave - they didn’t.
The invitations were not “counterfeit”, they are printed from the web site in the same way as “real” invitations.
Unless you can show something like “the false invitee got an email saying ‘How to steal your way into the soirée’ etc.” or some such proof of criminal intent - odds are there is no case.
The question is, what would a jury think about the validity of the invitations? If the DA thinks he can’t easily win, he’ll tell the event people “tough bananas”.
Yes, that’s called ‘hacking’. The legal term is ‘unauthorized access’. While the specifics vary from state to state, here’s an excerpt from the National Conference of State Legislatures site (http://www.ncsl.org/issues-research/telecom/computer-hacking-and-unauthorized-access-laws.aspx) (emphasis mine):
““Unauthorized access” entails approaching, trespassing within, communicating with, storing data in, retrieving data from, or otherwise intercepting and changing computer resources without consent. These laws relate to either or both, or any other actions that interfere with computers, systems, programs or networks.”
What you are describing falls under the storing and retrieving data sections. The fact that you achieved this simply by modifying the URL does not mitigate guilt, or even make it anything special; most webservers are hacked by improper URLs (it’s even possible to encode an entire webpage in a URL with no need for a webserver).
In the interests of full disclosure, I don’t know if that NCSL site is actually a group of the state legislatures or a special interest group masquerading as such, but I do know that’s an accurate description of the law here in Washington State.
Anyway, this person brought the “exploit” to the attention of the bank, along with some proof that it worked (“Look, I got into Bill Johnson’s account without being asked for authorization!”) and the bank promptly had them arrested and thrown in jail.
From a technical standpoint, this makes no sense. You issued a valid HTTP GET request and the web server duly responded with the data you asked for. It would be like a bouncer saying “No entry without the password!”. But when you skipped the line and instead just walked up and asked “Hey, can I come in?”, he said “No problem”. Is that breaking and entering? Well according to the law, it is a crime when you do it on a computer.
Basically, it’s against the law to take advantage of sysadmin incompetence.