Hacker News

Under current U.S. law, I would be extremely hesitant to publish anything like this. How different is U.K. law on the subject?



I don't know what the situation in the UK is, but it is probably safe to say that, while possibly legally in the right, such a publication is risky in most jurisdictions.

Personally, what I'd do in such a situation is to contact a well-renowned hacker organization with experience in these matters (as for instance the CCC here in Germany) and ask for their assistance.

Alternatively, a tech publishing company could also be the right choice, preferably one with a legal department and experience in these things. He mentions that you should buy the issue of "Computer Active" that contains this article, so he probably took this route.


Indeed, I worked with James Temperton - https://twitter.com/jtemperton - an InfoSec journalist, before publishing.

I also gave the DoH ample opportunity to fix the sites or shut them down.

I agree that there is a (minor) risk - but offset against hundreds of high profile sites being exploited, I think it's worthwhile.


The Computer Misuse Act is fairly strict - but in this case we haven't accessed anything without permission, nor altered any data.

We spoke to the overall owner of the sites and they did not object to myself or the magazine publishing this information.


An interesting point, but if interpreted by the wrong person, using wpscan (which makes a load of requests to the site) could be considered dubious under the CMA (I definitely wouldn't run it against a site which I wasn't authorised to test).

From what I know, vulnerability scanning (which is essentially what wpscan does) is a bit of a grey area under UK law.

It's been likened to someone "rattling the windows" of a house. They may be doing it with the intention of notifying the owner that he's left his house unlocked, or they may be doing it to attempt to gain unauthorised access.

The analogy isn't perfect but it's one I'd step carefully on.


I saw a screenshot of an XSS injection. You don't know that you haven't altered data. You think you haven't, but you don't know it.

I congratulate you for talking to the owners before publication, however.


> We spoke to the overall owner of the sites and they did not object to myself or the magazine publishing this information.

That's...astonishing.


We're slightly less litigious this side of the pond... :-)


I'm UKian and I'm astonished. Having worked in the UK Civil Service, it sounds to me that the person making this decision didn't know what it meant and that it was an actual security issue. Probably they thought it was sort of idly interesting, like speculating how many office computers are still beige. Not that you were listing sites with trusted nhs.uk domains that appear to be easy to hack.


I can assure you that we made it abundantly clear how bad the problem was - including sending links, screenshots, etc. We had phone calls with them where they did sound genuinely concerned.

Sadly, it didn't transform into action.


> We spoke to the overall owner of the sites

What do you mean by this?

In the article you state:

> in many cases there is simply no way to contact the website owners

Do you simply refer to the owner of the parent domain name?


We spoke to HSCIC who manage .nhs.uk. We also spoke to senior civil servants in the Department of Health. We also contacted people who were listed as the owners - but in many cases were no longer responsible for the sites.

With some, we were able to contact the developers behind the sites. Others just didn't respond.

Basically - no one in the NHS or DoH knows who manages the thousands of .nhs.uk websites. We did our best to contact individual site owners and, where that was impossible, alerted the government directly.

Hope that clears it up.


Did you ever manage to get in touch with the breastmilk site? The campaign still seems to be active and has a Facebook group https://www.facebook.com/209991399039700/posts/6874106079644...


I was in contact with the people who claimed to be responsible. They were unable to find out who actually runs the site.



