Comment by dmurray

2 months ago

And this part seems self-defeating:

> Attackers like me use SQL injection attacks to recover SQL schemas. The schema is the product of an attack, not one of its predicates.

If it's the product of an attack, but not the end goal, surely it's of value to the attacker?

It seems clear to me that the statute does, as worded, in principle allow the city not to disclose the database schema - it would compromise the security of the system, or at the very least, it would for some systems, so each request needs to be litigated individually.

The proposed amendment sounds like a good way to fix this - is it likely that will pass?

Lots of things are "of value". That's not the bar the statute sets. To the extent something isn't per se exempted by the statute (as the outcome of the case established schemas are), the burden is on the public body to demonstrate that disclosure would jeopardize the security of the system.

  • It still seems like a massively gray area: despite the distinction between "would jeopardize" and "could jeopardize" as explained by TFA, the definition of "jeopardize" includes "danger" which means "could lead to harm" not "would lead to harm" at which point it hardly matters whether a thing "could endanger" or "would endanger" the security of the system.

    • "Would" versus "could" has nothing to do with why your analysis doesn't hold. If something doesn't enable people to attack a system, but is merely one of the valuable things you could get from that system, it does not jeopardize that system under Illinois law. The standard of proof for the jeopardy doesn't enter into it, because no claim of jeopardy has been made.

      Again: this part of the case is settled. We didn't lose at the State Supreme Court because the court was worried there was jeopardy, but because they re-read the statute as per se exempting schemas as "file layouts".
> If it's the product of an attack, but not the end goal, surely it's of value to the attacker?

Well sure, but it doesn't help them attack. That's like arguing that since the bank robber wants dollar bills, dollar bills must be a useful tool for breaking into bank vaults.

  • If both sides agreed to the analogy of giving the bank robber the blueprints to the vault, I think any lay judge would agree that endangers the bank's security.

    • I'd say it's more like knowing the layout of the drawers inside the cage. If a robber is inside the cage, they've already won. And if an auditor is checking the bank has what it says it does, they've got legitimate grounds to ask which money is in which drawer, and "no, it's a security risk" is not a good answer.