The White Hat Incident: The Boundary Between the Crime of Illegally Obtaining Computer Information System Data and Non-Criminal Conduct

Lei Feng Network editor's note: this article was written by Liu Huabin, a lawyer at a Beijing law firm (Shenzhen office), and was contributed to Lei Feng Network by Bai Maohui.

(Image via tutzone.org)

This case has already been heatedly discussed in the security community. Many details, however, have not yet been officially disclosed by the judicial authorities. Following the principle of relying on the most direct source available, the analysis below is therefore confined to the facts as described in the open letter written by Yuan Wei's father, "A Letter to the 4th Cyber Security Conference: Is a White Hat's Vulnerability Testing a Crime?" (hereinafter the "open letter").

| What is the crime of "illegally obtaining computer information system data"?

The open letter states that on March 8, 2016, the Chaoyang Branch of the Beijing Public Security Bureau criminally detained Yuan Wei on suspicion of illegally obtaining computer information system data, and that on April 12 the Chaoyang District People's Procuratorate approved his arrest on the same charge.

Article 285 of the Criminal Law of the People's Republic of China, as revised on March 14, 1997, provided: "Whoever, in violation of state regulations, intrudes into a computer information system in the fields of state affairs, national defense construction, or advanced science and technology shall be sentenced to fixed-term imprisonment of not more than three years or criminal detention." This offense is known as the crime of illegally intruding into a computer information system.

In response to the rapid development of the Internet, on February 28, 2009, the Standing Committee of the National People's Congress promulgated Amendment (VII) to the Criminal Law, which added a second and a third paragraph to Article 285. The second paragraph provides:

Whoever, in violation of state regulations, intrudes into a computer information system other than those specified in the preceding paragraph, or uses other technical means to obtain data stored, processed or transmitted in that computer information system, or exercises illegal control over that computer information system, shall, if the circumstances are serious, be sentenced to fixed-term imprisonment of not more than three years or criminal detention, and shall also or only be fined; if the circumstances are especially serious, he shall be sentenced to fixed-term imprisonment of not less than three years but not more than seven years, and shall also be fined.

The crime of illegally obtaining computer information system data is therefore a "circumstances" offense: criminal liability attaches only once the conduct reaches a statutory threshold of seriousness.

| Under what circumstances is the offense made out?

The open letter states that during the proceedings, Shanghai Huaqianshu Information Technology Co., Ltd. commissioned the Beijing Tongda Shoucheng Judicial Examination Institute to examine its server logs. According to the examination report, the server logs show that between 17:00 on December 3 and 10:00 on December 4, 2015, Jiayuan.com received access requests by way of SQL injection from 11 IP addresses in succession (124.160.67.131 among them; one of the addresses was in Beijing and plainly unrelated to Yuan Wei). There were more than 4,400 injection requests. After the SQL injection succeeded, the intruder performed read operations on the website's database, and 932 items of database data were involved in those "read" operations.

The Interpretation of the Supreme People's Court and the Supreme People's Procuratorate on Several Issues Concerning the Application of Law in Handling Criminal Cases Endangering the Security of Computer Information Systems (hereinafter the "Interpretation") lists five situations that count as "serious circumstances" in judicial practice. Where illegally obtaining computer information system data or illegally controlling a computer information system falls under any of the following, it shall be deemed "serious circumstances" under paragraph 2 of Article 285 of the Criminal Law:

(1) obtaining more than ten sets of identity authentication information for network financial services such as payment and settlement, securities trading, or futures trading;

(2) obtaining more than 500 sets of identity authentication information other than that in item (1);

(3) illegally controlling more than 20 computer information systems;

(4) illegal gains exceeding 5,000 yuan, or economic losses exceeding 10,000 yuan;

(5) other serious circumstances.

The Interpretation also defines its terms at the end: "identity authentication information" means data used to confirm a user's operating authority on a computer information system, including account numbers, passwords, passcodes, and digital certificates; "economic loss" includes the economic loss directly caused to the user by the crime against the computer information system, together with the necessary expenses the user incurs in restoring data and functionality.

Obviously, since the information Yuan Wei obtained did not relate to financial services, the first situation can be ruled out; since no computer was controlled, the third is excluded; since there was no profit and no economic loss was caused, the fourth is excluded. The fifth is a catch-all that the legislative technique deliberately leaves to judicial discretion, and it is set aside for now.

The greatest likelihood, then, is the second situation, which has two necessary elements:

first, what was obtained must be identity authentication information, that is, information the website uses to authenticate identity;

second, the quantity must reach more than 500 sets.

Returning to the open letter: it does not say whether the data read was identity authentication information. If it was not, then in this author's view no crime was committed.

More specifically, because the injection traffic in this case came from 11 IP addresses, it is necessary to determine in detail how much information was read via each IP address, and which specific IP addresses were actually used by Yuan Wei.
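The per-address attribution the paragraph above calls for is, on the technical side, a log-aggregation problem. The following Python script is an added example and is not part of the original article or of the judicial examination in the case. It parses a constructed sample of combined-format web server access log lines (the addresses are RFC 5737 documentation addresses, not the addresses from the case), flags requests whose URL-decoded request line carries common SQL injection markers, and totals requests, flagged requests, technique and activity window per source address. The log format, the sample lines and the signature list are all assumptions for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample of combined-format web server access log lines. Source
# addresses are RFC 5737 documentation addresses, not the addresses from the case.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Dec/2015:17:02:11 +0800] "GET /user/profile?id=1027 HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Dec/2015:17:02:14 +0800] "GET /user/profile?id=1027%27%20AND%201%3D1--%20 HTTP/1.1" 200 4821 "-" "sqlmap/1.0"
203.0.113.10 - - [03/Dec/2015:17:02:15 +0800] "GET /user/profile?id=1027%27%20AND%201%3D2--%20 HTTP/1.1" 200 1203 "-" "sqlmap/1.0"
203.0.113.10 - - [03/Dec/2015:17:02:19 +0800] "GET /user/profile?id=1027%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users--%20 HTTP/1.1" 200 9732 "-" "sqlmap/1.0"
198.51.100.7 - - [03/Dec/2015:18:40:02 +0800] "GET /search?q=beijing HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Dec/2015:18:40:09 +0800] "GET /search?q=beijing%27%20OR%20SLEEP%285%29--%20 HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
192.0.2.44 - - [04/Dec/2015:09:55:31 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identity, user, [timestamp], "METHOD path proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Signatures for common SQL injection techniques, applied to the URL-decoded request
# line. First match wins, so the more specific patterns come first. This is a rough
# signature list for illustration, not an exhaustive detector.
SQLI_PATTERNS = [
    ("boolean", re.compile(r"'\s*(?:and|or)\s+\d+\s*=\s*\d+", re.I)),      # ' AND 1=1 / ' AND 1=2
    ("union",   re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),        # UNION SELECT extraction
    ("time",    re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I)),  # time-based blind probes
    ("comment", re.compile(r"(?:--|#|/\*)\s*$")),                            # trailing comment truncating the query
]


def classify_request(path):
    """Return the injection technique name matched by this request path, or None."""
    decoded = unquote_plus(path)
    for name, pattern in SQLI_PATTERNS:
        if pattern.search(decoded):
            return name
    return None


def summarize_by_ip(log_text):
    """Aggregate total and injection-flagged requests per source IP address.

    Lines are assumed to appear in chronological order, as a server writes them,
    so the first and last timestamps seen per IP bound its activity window.
    """
    stats = defaultdict(lambda: {
        "requests": 0, "injection": 0, "techniques": Counter(),
        "first": None, "last": None, "bytes_on_injection": 0,
    })
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        entry = stats[m["ip"]]
        entry["requests"] += 1
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
        technique = classify_request(m["path"])
        if technique:
            entry["injection"] += 1
            entry["techniques"][technique] += 1
            if m["size"] != "-":
                # Response size is only a rough proxy for how much data came back.
                entry["bytes_on_injection"] += int(m["size"])
    return dict(stats)


def rank_sources(stats):
    """Source IPs ordered by number of injection-flagged requests, highest first."""
    return sorted(((ip, s["injection"]) for ip, s in stats.items()),
                  key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    stats = summarize_by_ip(SAMPLE_LOG)
    for ip, count in rank_sources(stats):
        s = stats[ip]
        print(f"{ip:15} requests={s['requests']:3} injection={count:3} "
              f"techniques={dict(s['techniques'])} window={s['first']} .. {s['last']}")
```

Two caveats a practitioner would attach to such a tally. An access log records requests and response sizes, not which database rows were read; a figure like the 932 "read" items in the report has to come from database-side query logs or from replaying the injected queries, and the two sources should be correlated by timestamp. And an IP address identifies a network endpoint, not a person: addresses behind NAT, proxies or shared hosting can serve many users, so linking a given address to a given individual needs evidence beyond the log itself.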

| Where is the boundary between legal and illegal?

In friendly testing, this author's understanding is that the decisive element is "permission", that is, obtaining a legitimate invitation or authorization from the operator of the website being tested.

The element "in violation of state regulations" in the constitution of the offense refers mainly to the Ministry of Public Security's Measures for the Administration of Security Protection of International Networking of Computer Information Networks (2011 edition), Article 6 of which provides: "No unit or individual may engage in the following activities endangering the security of computer information networks: (1) entering a computer information network or using computer information network resources without permission;".

Can the white hat's conduct be regarded as permitted by Century Jiayuan?

According to the open letter from Yuan Wei's family, and as confirmed by the vendor records on Wuyun.com, Jiayuan registered as an enterprise (vendor) user of Wuyun.com on January 21, 2012. Registered white hats on Wuyun.com had submitted 42 vulnerability reports to Century Jiayuan; after verifying them, Jiayuan fixed the vulnerabilities and thanked a number of Wuyun.com white hats.

In this case, then, Century Jiayuan was a registered vendor on Wuyun.com.

On its vendor page, Wuyun.com states: "You can register as a vendor on WooYun to follow and fix the security issues of your company." Century Jiayuan registered as a vendor user, and therefore knew that Wuyun.com is a security feedback platform between vendors and security researchers. In other words, a vendor user wants to know whether the websites it operates have vulnerabilities, and in this case the relationship with the white hats went further, into a pattern of goodwill mutual assistance: the open letter states that "registered white hats on Wuyun.com have submitted 42 vulnerability reports to Century Jiayuan; Century Jiayuan verified the relevant vulnerabilities and thanked a number of white hats on Wuyun.com." This can be confirmed from the corresponding records on Wuyun.com.

Judged by the ordinary understanding of what "permission" looks like, Yuan Wei perhaps did not seek permission from Century Jiayuan. But at least before the Yuan Wei incident, Century Jiayuan had never expressly objected to this mode of communication through Wuyun.com. Yuan Wei was also a registered white hat on Wuyun.com, so the prior course of dealing between Wuyun.com and Century Jiayuan should apply to his relationship with Century Jiayuan as well.

The general public tends to think that only a formal written contract counts as a contract, but in judicial practice oral contracts, and even contracts formed by conduct, are contracts too. For example, when we buy a newspaper at a news-stand we need neither words nor even eye contact: we put down a coin and take away a newspaper.

Indeed, on July 1 of this year, after the incident, when the Wuyun.com white hat "Road Renjia" submitted another high-risk vulnerability in Century Jiayuan ("An interface can traverse arbitrary user information"), Wuyun.com published a very interesting disclaimer:

"If the vendor is unwilling to accept testing from the Internet, then after the vulnerability is fixed (or the server is taken offline), click to ignore the vulnerability and leave a reply in the vendor's name: 'Please do not test our company; the company will use legal means to constrain your testing, and you do so at your own risk.' Following international blacklist practice, no further attention will then be paid to the security risks of your company's information systems."

After receiving the 42 earlier vulnerability reports, Jiayuan could have made a written statement to the contrary and refused to let Wuyun.com white hats continue probing its vulnerabilities. It did not.

In the civil law of civil law countries, the doctrine of objective manifestation means that where the actor's true intent diverges from the conduct he has expressed, the law gives the act the legal effect of the meaning as expressed. Its purpose is to protect the reliance of the counterparty and the security of transactions. Expressions of intent are further divided into those addressed to a specific counterparty and those with no specific counterparty.

Finally, I close with a line from the television series "Detective Di Renjie". Whenever Yuan Fang has a suspicion, he asks Di Renjie: "What is Your Excellency's meaning?" And Di Renjie's standard reply is: "I don't mean anything." The subtlety in that reply, only the knowing will know...

Lei Feng Network (follow the "Lei Feng Network" public account) note: when reprinting, please contact us for authorization, indicate the source and author, and do not delete any of the content.
