ftp sites.........

Printable View

March 26th, 2002, 12:22 AM
pcadmin

ftp sites.........

Hi all.

I have a question.

If a corporation has an ftp site that allows anonymous users, and the corp. has files etc. on that site that really shouldn't be there, is it illegal to download them?

Please let me know your thoughts and if anyone really has a legal answer to this, that would be appreciated too!

Thanks!
March 26th, 2002, 12:28 AM
KorpDeath

It'd be unethical but, it's illegal to host them.

I say if it's there get 'em while you can cause someone is going to report them and they'll be removed.
March 26th, 2002, 12:32 AM
ac1dsp3ctrum

Yeah, if the files are there and not in a hidden folder, IMO it is legal, but like KorpDeath said unethical to download...... Just download them all and blackmail the company.... BTW what company is it? ;)
March 26th, 2002, 12:34 AM
pcadmin

LOL.................hmmmmmmmm............which company was it again.................sorry.......I'm in the middle of a brain cramp right now!
March 26th, 2002, 12:41 AM
zigar

it *might* not be illegal..but if it is a big company...do you have the resources to fight them should they get pissed off...some times they win simply because they can fight the longest...

also...while it may not be illegal to dl the info..it is very likely illegal to do anything with the info..ie post it to a website or irc...they could probably get you for copyright infringement...
March 26th, 2002, 12:43 AM
The3ntropy

Hmm,
The law on 'hacking' basically is obtaining information that is not known nor posted to the public. An ftp server can be construed as a private server through court systems if you are tried. But, if the files on the server are available for download, and could be downloaded by the general public, this means that there has been no steps that have exceeded gerneral knowledge to get to those files. In cruder terms, if you can not click through the web site to get to them, it can be made 'illegal' in the criminal justice system. {IE of something illegal is accessing the cgi-bin of a website, this could be on a website, but if there was not a link somewhere on the website to it, it is not "available to the general public".
But, IMO, if the filez are of use to you, I would download them and use them to the best of my abilities.
March 26th, 2002, 05:27 AM
pcadmin

I understand that if I do anything with these files, which I would not, that that could be illegal.

I didn't hack into anything. I simply went to their FTP site. As far as the FTP server being private........I don't agree. It would be if it required a password but it doesn't. You can just type in the FTP site in windows explorer and get to it. It does allow anonymous access which to me means "public access". I won't say how I decided to visit the ftp site until they secure it.

It is a major corporation! I have informed a few employees of the corporation that this problem exists. I believe I sent an email to a person very high on the totem pole but will they even open it? Time will tell.

The comment in the last post about a big corporation going after me just to go after me is making me nervous. Let's hope they don't do that. Instead they should go after their IT person for being an idiot and divulging, more or less, corporate's private files. There is a kind of humorous side to this.........but.......again......I can't say it yet.

Any lawyers (or friends/relatives/acquaintances of a lawyer) well versed in this area out there or even.......gulp......people in the field of law enforcement out there that could answer this????

Thanks for the input so far.

I'll check back tomorrow! Good Night!
March 26th, 2002, 05:45 AM
zigar

funny how the news almost keeps up with AO ...

http://online.securityfocus.com/news/358
March 26th, 2002, 07:34 AM
cwk9

It’s best to avoid pissing off companies with deep wallets.
March 26th, 2002, 09:08 AM
BrainStop

The legality of the visit to their FTP server can be debated. If you got the address of the server for a legitimate purpose such as downloading a driver or something similar, you were there for a valid reason.

Some companies have anonymous ftp servers to allow you to download files and such instead of going through a web browser. Netscape is an example of this.

On the other hand, if you just decided to see if they had an ftp server, the analogy would be to go check for open windows on a house. It's not because the window is not locked that you have a legal right to enter the house.

So anyway ... the best thing is not to go browsing the ftp site again and to delete the files you downloaded.

Cheers,

BrainStop
March 26th, 2002, 04:48 PM
pcadmin

Zigar..................that article was interesting. Thanks.

I guess I'm feeling a little better after reading it since I did notify the company in a very timely manner. I didn't hack. Plain and simple. I wasn't out looking to do damage.

As of this morning the site was still unsecured. I called the biggest bigwig of the company this morning. (I have his direct line and he answered his phone.) Hopefully they will just be grateful and leave me alone.

Time will tell!
March 26th, 2002, 05:35 PM
gold eagle

Maybe the answer to the ethic questions is related to the medical maxim "first, do no harm"
March 26th, 2002, 05:51 PM
souleman

Anyone remember the 911 vs. phrack battle? There is a perfect example for you. Basically pharck posted a listing from phone company dealling with the 911 system. They were taken to court becaue of it being "propiritary information" They ended up winning the case, because you could dl the information from a public location set up by said phone company. I am not going to take the time to find the links, but I am sure google has something on it.
March 26th, 2002, 07:17 PM
Tedob1

anonymous ftp is public, unless they state otherwise. in order for a company to prosecute anonymous ftp access they must have a warning posted on entry. instead of "welcome too...", it should say something like "for corp use only, all others must leave" unautherized acces forbidden, or some such silly ****.
if their foolish enough to post sensitive materiel in a public place, oh well. if they also allow write access, people ARE going to use it to cache their shady **** on.

If you feel compelled to tell someone of security problems, USE AN ANOMYLIZER. you can get busted. unless of course your looking to make the news and have people notice you.
March 27th, 2002, 02:43 PM
pcadmin

Souleman..........thanks for that info. It's nice to know that there is an existing case out there. I'll see what I come up with on Google.
March 29th, 2002, 03:16 PM
pcadmin

The site is now secure. IT Director now trying to cover his behind!

I came upon the site after installing an FTP client and their site was listed in the program.

According to ZDNet.........around 99,000 other people downloaded the program too. 99k from just one site........

Needless to say, they are now looking at their logs.

Hopefully this is the end of the story for me.