Guessing URLs isn't hacking. You of all people should know that. Some hacking can involve that, but it's as unrelated as noting that hackers eat.
Visiting a URL is like asking an employee to photocopy a document for you. As long as you don't misrepresent yourself it's absolutely reasonable.
We don't need people in your position adding to this culture of ignorance. The pathnames and parameters in a good web api are human readable, and human guessable, for a reason. The web is supposed to be human navigable.
If you (generically) don't like this, don't implement a plaintext service over a human readable protocol that almost everyone on the planet has a debugger for. If you must use this api, and place it in the midst of URLs you intend to be public, you must implement a password or use another intentional security feature.
Malls must mark private doors because the expectation otherwise (that they create) is that the mall is free to explore. By using http, and readable paths, and sequential record IDs, returning valid markup and unencrypted content, you're running a mall. Mark your doors or realize every area will be visited and plan accordingly.
Quit defending this legal nonsense or it'll soon be 'hacking' to ask for the next book in a series.
This was an unfriendly comment. People here obviously think I'm pretty snarky and a bit of an asshole and I'm fine with that, but I don't generally write comments singling people who disagree with me out by name and demanding that some circumstance of their career or status or upbringing requires them to agree with me at their own moral peril. I wish you could just disagree with me objectively.
Calling arguments I've made "nonsense" and "ignorance" doesn't make your argument stronger. It makes you sound emotional. That can be an effective card to play if you think your emotions are going to cow your opponent into shutting up. Is that what you're trying to do?
Moving on, you haven't addressed my point at all. URLs are human readable. We test a couple hundred web applications in any given year. How many ridiculous URLs do you think I've seen? I provided specific examples: human-readable URLs that human-readably gave up whole filesystems. Human-readable URLs that human-readably gave up SQL queries. Human-readable URLs that human-readably gave up private messages.
To follow your logic to its reasonable conclusion, all those vulnerable URLs were open season for Internet attacker^H^H^H^H^H^H^Husers; shame on those companies for over-exposing resources in URLs and then expecting the legal system to clean up after them! If that's what you believe, fine, but you're arguing for the decriminalization of a whole lot of very damaging attacks. And to what end? I guess my bill rate would go way up when people realized they had even less recourse against exploitation of bugs in their system.
Meanwhile, you've followed my logic to an improper conclusion. As Rayiner has tried to explain on numerous threads, the legal system is not a programming environment that evaluates objectively observable facts and spits out conclusions based solely on them. Crimes are (i) an intent to break the law and (ii) actions in furtherance of that attempt. It is not illegal to "ask for the next book in a series". But if an abortion clinic used a case management application with a bug that disclosed --- via human-readable URL --- the identities of all its patients, it absolutely should be a crime to use those URLs to dump confidential patient information to Pastebin.
None of this means I think Auernheimer deserves prison time for getting email addresses from AT&T. He was charged with identity theft, in part (I think) because the CFAA has a badly written 1-up mushroom clause that says computer fraud is extra bad when charged alongside another felony. The idea that email addresses of iPad subscribers constitute "identities" is ludicrous.
I was addressing your ideas, not you. But everything you say comes with an aura of wizard, and that's why I'm taking issue with you saying things that would merely be opinion from someone else.
The idea that incrementing a URL is hacking goes against the design principles of the web. Intended behavior isn't hacking. By either definition. Telling people that this is special creates a culture of ignorance where they think there's magic under the hood and never try to learn.
The idea that URL manipulation is hacking is factually incorrect and you hurt people by saying it.
This doesn't mean it's not an exploit, depending on circumstances. Many exploits don't require hacking. For instance, item cloning in an MMORPG. That something is exploitable doesn't mean you need to hack it. A "take a penny" dish is exploitable but taking the pennies isn't hacking.
As for emotional arguments, you responded to me with one. I know many sites do things their maintainers wouldn't want them to do, but sympathy doesn't justify bad laws.
I'm not arguing for decriminalization of hacking, but that this isn't hacking.
I feel like I was pretty clear, so I'm puzzled by this response. Let me distill my last comment.
There are applications with human-readable URL schemes that will, with trivial manipulation of URLs, cough up arbitrary files from the server filesystem. Are those URLs OK to play with because of the "design principles of the web"?
But not lock-picking. Why are you trying so hard to label this hacking?
Earlier you argued by fear, that a badly configured server could send private data, and therefore editing URLs is hacking. Hell, I've seen servers with private data in the root dir. This is disconcerting, and bad for the company, but not hacking if you view the documents.
Similarly, incrementing a number, turning a page, clicking next: those are the expected, default uses. They don't magically become a cyber attack simply because your software does exactly what you told it to.
Why are you unwilling to separate questions of legality long enough to make it clear that anyone in the world who can place one number after another could have done exactly the same?
Someone who unintentionally released private documents but thought they were hacked wouldn't have any incentive to change, or idea how. But if we were honest with them, they would.
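The two concrete situations argued over above are (a) a site that serves records by sequential ID with no check on who is asking, the "unmarked door", and (b) a URL scheme that lets "../" walk out of the document root and "cough up arbitrary files". The example below is added here and is not code from either commenter or from any real site; the message store, the file table, the user names and the handler names are all constructed for illustration. It shows each endpoint in its unguarded form beside the form that implements the "intentional security feature" one commenter says you must add, and an `enumerate_ids` helper that does exactly what the thread describes, placing one number after another, against both.

```python
"""
Added example: sequential-ID and file-path endpoints, each with and
without an authorization or path check. All data is constructed.
"""
import posixpath

# Constructed sample store: records addressed by sequential integer IDs.
MESSAGES = {
    1: {"owner": "alice", "body": "alice's private note"},
    2: {"owner": "bob", "body": "bob's private note"},
    3: {"owner": "alice", "body": "another note of alice's"},
}


def vulnerable_get_message(session_user, msg_id):
    """GET /messages/<id> with no door marked: the session is ignored and
    any record whose ID exists is returned to whoever asks for it."""
    record = MESSAGES.get(msg_id)
    if record is None:
        return 404, None
    return 200, record["body"]


def hardened_get_message(session_user, msg_id):
    """Same human-readable URL scheme, but the caller must be logged in and
    must own the record. Missing and unowned records both answer 404 so the
    response does not reveal which IDs exist."""
    if session_user is None:
        return 401, None
    record = MESSAGES.get(msg_id)
    if record is None or record["owner"] != session_user:
        return 404, None
    return 200, record["body"]


def enumerate_ids(handler, session_user, id_range):
    """Walk the ID space the way the thread describes and report which IDs
    the handler hands over to this session."""
    return [i for i in id_range if handler(session_user, i)[0] == 200]


# Constructed virtual filesystem standing in for a real document root.
PUBLIC_ROOT = "/var/www/public"
FILES = {
    "/var/www/public/index.html": "<html>hello</html>",
    "/var/www/public/docs/guide.txt": "public guide",
    "/var/www/secret/customers.csv": "name,email",
}


def vulnerable_get_file(url_path):
    """GET /files/<path> that glues the URL path onto the document root.
    normpath resolves '..' segments, so '../secret/...' leaves the root."""
    full = posixpath.normpath(PUBLIC_ROOT + "/" + url_path)
    return (200, FILES[full]) if full in FILES else (404, None)


def hardened_get_file(url_path):
    """Normalise the requested path, then refuse anything that does not
    sit under PUBLIC_ROOT. posixpath.join drops the root entirely when the
    second argument is absolute, which is why the prefix check is needed
    rather than trusting join to keep the path contained."""
    full = posixpath.normpath(posixpath.join(PUBLIC_ROOT, url_path))
    if full != PUBLIC_ROOT and not full.startswith(PUBLIC_ROOT + "/"):
        return 403, None
    return (200, FILES[full]) if full in FILES else (404, None)


if __name__ == "__main__":
    ids = range(1, 6)
    print("unguarded, as bob:", enumerate_ids(vulnerable_get_message, "bob", ids))
    print("guarded, as bob:  ", enumerate_ids(hardened_get_message, "bob", ids))
    print("unguarded traversal:", vulnerable_get_file("../secret/customers.csv"))
    print("guarded traversal:  ", hardened_get_file("../secret/customers.csv"))
```

Running it shows the unguarded message endpoint giving bob every record (1, 2, 3) while the guarded one gives him only record 2, and the unguarded file endpoint returning the CSV outside the root while the guarded one answers 403. Legitimate normalisation such as `docs/../index.html` still works in the hardened version; only paths that resolve outside the root are refused.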