Password Sharing Is a Federal Crime, Appeals Court Rules (vice.com)
An anonymous reader writes from a report via Motherboard: An appeals court ruled Wednesday that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all "hacking" law that has been widely used to prosecute behavior that bears no resemblance to hacking. Motherboard reports: "In this particular instance, the conviction of David Nosal, a former employee of Korn/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, who said that Nosal's use of a former coworker's password to access one of the firm's databases was an 'unauthorized' use of a computer system under the CFAA. In the majority opinion, Judge Margaret McKeown wrote that 'Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing.' She then went on to describe a thoroughly run-of-the-mill password sharing scenario -- her argument focuses on the idea that Nosal wasn't authorized by the company to access the database anymore, so he got a password from a friend -- that happens millions of times daily in the United States, leaving little doubt about the thrust of the case. The argument McKeown made is that the employee who shared the password with Nosal 'had no authority from Korn/Ferry to provide her password to former employees.' At issue is language in the CFAA that makes it illegal to access a computer system 'without authorization.' McKeown said that 'without authorization' is 'an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.' The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who?"
fp
Considering he wasn't an employee anymore, it doesn't really matter.
Your hair looks like poop, Bob! - Wanker.
Couldn't one argue that authorization was granted by the database when a valid login/password pair was provided? I suppose that is a) too technical, and/or b) is a broad enough definition of "authorize" that any successful cracking of a password results in an authorized access.
"Si vis pacem para bellum" -Publius Flavius Vegetius Renatus
What a stupid thing to ask - authorization from who? It would always be the data owner. So in this case the company. Duh! I bet they even had a legal warning banner on login or forms they had to sign that says they won't share the password with anyone.
Sharing a password is a federal crime for you or me. But a Secretary of State who willfully and wantonly shares state secrets, repeatedly... for money... that, that right there is just an Oopsie Booboo! No "harm," no foul. No one goes to jail.
When will the American people finally have enough of this complete and utter bullshit from our so-called leaders?
A password doesn't give you authorisation. You get authorisation from your boss, or from your company, to access a computer to do your job. A password is only a means to help keeping unauthorised people out.
If you lose your job, or your position where you need to access the computer, you lost the authorisation. If the company forgets to remove your password, or you find someone else's password, or a password is shared with you, that doesn't give you authorisation. In this case, everything is absolutely clear.
Where this law is abused in some cases is in situations where someone had the authority to access the computer, but abused the authority to commit a crime. Say a bank manager with authorisation to access computers moving money into his own bank account, or a police officer with access to a license plate database abusing his position by finding out the address of his ex's new boyfriend. That's when authorities try to add "computer hacking" to the list of crimes.
The sharer knew he was not allowed to share the password, the "hacker" knew he was not supposed to have the password. This was social engineering and stupidity.
lawyers who only talk to lobbyists, who only talk to money, which is only held by high-up executives who don't know how to log in. that's how the law was crafted. so what did you expect?
if this is supposed to be a new economy, how come they still want my old fashioned money?
Just saying
So, is it now a federal crime to access someone's social media accounts with passwords that you coerced them to share (schools, companies, CBP, etc.)?
... not only can they hold you indefinitely for *NOT* giving your device's password to them if they want to inspect it, they can even arrest you if you do!
File under 'M' for 'Manic ranting'
"Password Sharing Is a Federal Crime, Appeals Court Rules"
No, the appeals court ruled that borrowing a password to get access to a system you knew you weren't authorized to access is illegal. To use a real world analogy, if I lose my job, and the company takes away my key to the office, it's illegal for me to use a key borrowed from a colleague to get in. I don't have to pick the lock for the access to be illegal.
https://www.gnu.org/philosophy...
Dan resolved the dilemma by doing something even more unthinkable -- he lent her the computer, and told her his password. This way, if Lissa read his books, Central Licensing would think he was reading them. It was still a crime, but the SPA would not automatically find out about it. They would only find out if Lissa reported him.
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
The summary is pretty clear: The guy that got the password from an ex-employee was not allowed to view the information that password gave him access to. That's not making password sharing a federal crime. That's making unauthorized access to a database with false credentials a federal crime.
The summary writer seems to have missed that distinction initially, and then decided to run with it to make a click-bait headline.
.
.
.
That I fell for. *face-palm*
Given the volume of comments from that user, I'm convinced more than one person is using the account!
Real headline: Having a coworker's password doesn't mean having the boss's permission.
Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
Couldn't one argue that authorization was granted by the database when a valid login/password pair was provided?
If that were the case then social engineering attacks where hackers get a company employee to divulge their password would be entirely legal. Knowing a username and password is no different than having a key and simply having a key does not automatically make it legal for you to access everything it unlocks.
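The point made further up (a password is only a means of keeping unauthorised people out; authorisation comes from the company) and in this reply (a key does not make opening the door legal) is the authentication/authorisation split every access-control layer should implement. The following is an added example and not code from the thread, from Korn/Ferry or from the case: account names, device identifiers, the "candidates_db" resource and the device-based flagging rule are all constructed for illustration.

```python
"""Authentication is not authorisation: a valid password only identifies which
account was used; the grant decision and offboarding live elsewhere.
Added example. Account names, devices and resources are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 for brevity; any slow password hash would do here.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    entitlements: Set[str] = field(default_factory=set)  # what the system owner granted
    devices: Set[str] = field(default_factory=set)       # where this account normally logs in from
    active: bool = True                                  # cleared at offboarding; password untouched


class Directory:
    """System-owner view: who exists, what they may reach, and an audit trail."""

    def __init__(self) -> None:
        self.accounts = {}
        self.audit: List[Tuple[str, ...]] = []

    def add_user(self, username: str, password: str, entitlements: Set[str], devices: Set[str]) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt),
                                          set(entitlements), set(devices))

    def offboard(self, username: str) -> None:
        # Revoking the principal is the control. Rotating the leaver's password
        # is not enough, because a colleague can still hand over their own.
        acct = self.accounts[username]
        acct.active = False
        acct.entitlements.clear()

    def authenticate(self, username: str, password: str) -> Optional[Account]:
        acct = self.accounts.get(username)
        if acct is None:
            return None
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            return None
        return acct  # proves the caller knows the password, nothing more

    def authorize(self, acct: Account, resource: str) -> bool:
        return acct.active and resource in acct.entitlements

    def access(self, username: str, password: str, resource: str, device: str) -> bool:
        acct = self.authenticate(username, password)
        if acct is None:
            self.audit.append(("authn_fail", username, resource))
            return False
        if not self.authorize(acct, resource):
            self.audit.append(("authz_denied", username, resource))
            return False
        if device not in acct.devices:
            # The server cannot tell who typed the password, but it can notice
            # the credential being used from somewhere its owner never used it.
            # Flag rather than block so the SOC can look; the record still
            # names the account, not the person at the keyboard.
            self.audit.append(("unknown_device", username, device))
        self.audit.append(("granted", username, resource))
        return True


def demo():
    d = Directory()
    d.add_user("colleague", "correct horse", {"candidates_db"}, {"laptop-colleague"})
    d.add_user("leaver", "battery staple", {"candidates_db"}, {"laptop-leaver"})
    d.offboard("leaver")
    # 1. The leaver's own password still authenticates but is no longer authorised.
    own = d.access("leaver", "battery staple", "candidates_db", "laptop-leaver")
    # 2. The colleague's password from the colleague's device: legitimate use.
    normal = d.access("colleague", "correct horse", "candidates_db", "laptop-colleague")
    # 3. The colleague's password from the leaver's device: granted, because the
    #    server only sees the colleague's credential, and the anomaly is logged.
    shared = d.access("colleague", "correct horse", "candidates_db", "laptop-leaver")
    return own, normal, shared, d.audit


if __name__ == "__main__":
    for entry in demo()[3]:
        print(entry)
```

Case 3 is the Nosal situation seen from the server: the credential is valid and the account is entitled, so the grant is correct from the database's point of view, and the audit trail attributes the access to the colleague. Nothing in the login path can establish that a different person was authorised; that decision stays with the owner, which is why offboarding revokes the principal rather than relying on the password.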
What is a "password"? Is an oil change light reset code a password, and one that the car manufacturers can use to shut down 3rd party shops?
The case as given is clear: someone used social engineering to break into a database of a former employer. This is clearly unauthorized access.
What I worry about with laws like this is where they end. It's fairly common to password-share between employees to get some damn work done, and it's not unheard of to share social site passwords, and I don't think we want these cases to be against the CFAA.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Sad but true. Sheeple are too busy bleating for their next welfare handout to care tho.
They have Privacy rights in their Constitution, whereas we, for the most part, are Serfs.
Except in Washington State, which also has Privacy rights in the State Constitution, as SCOTUS has upheld.
Say Baa, sheep.
-- Tigger warning: This post may contain tiggers! --
that happens millions of times daily in the United States
People access databases that they know they've been excluded from accessing, millions of times daily in the US?
X was a former employee and clearly had no authorization to access the db. Y was not authorized either. He got the password from X and used it. How is this legal? If this is legal, then selling stolen passwords would be legal as well. In the case of Netflix, the primary account holder is authorized to access Netflix and he is sharing with someone, and that is not criminalized by this verdict (though the writing is ambiguous). This is different from a thief who got hold of my Netflix password and is selling it, and that is criminalized by this verdict.
Authorization from who?
I'm reminded of Louis CK's daughter's joke : "Who told the gorilla that he couldn't go to the ballet? - Just the people who are in charge of that decision."
But in all seriousness, there *are* people who are in charge of the decision of who gets access to a computer system, and in this case it's pretty clear that Nosal didn't have permission. After all, if he had permission, he would have had a password of his own and/or his old password wouldn't have been revoked. There's certainly gray areas - if you have a system with a shared password (e.g. some point-of-sale setups), then things might be different. But in a system where personal passwords are used, not having a password of your own is a pretty strong indication that you're not authorized to access the system.
Who has responsibility for making corporate decisions (i.e. who *can* make decisions on behalf of the company) is pretty well-trod legal territory. You can't just go up to a minimum-wage receptionist and get her to sign a contract for the company. Even if she does sign, courts are going to tell you that it should have been obvious that she didn't have that ability, and void the contract. (I can't get my friend who works at Best Buy to sign a purchase order for a million units of my Kickstarter gadget, and then expect Best Buy to be bound by the contract. I'd be laughed out of court if I tried.) Likewise here. Korn/Ferry International's argument is probably that it should have been obvious that the coworker didn't have the ability to grant access on behalf of the company.
Obligatory car analogy time. Say you go to a friend and say "Hey man, I want to drive down to Tijuana for the weekend. Can I borrow a car?" and your friend goes "No problem! There's company cars in the parking lot. The keys are stored above the visor." Now, if you take the car to Tijuana and total it, is the company going to say "well, he's an authorized user, c'est la vie" or are they going to report you to the police for stealing the car?
Authorization from WHOM.
The number of employees that share passwords (and usernames) is huge, the jails would be overflowing... Oh wait, they are with drug related crimes already.
From the article:
"Notably, Reinhardt appears to have a commanding knowledge of what constitutes “hacking,” something that comes up over and over again both in the media and in the courts. He said that the decision “loses sight of the anti-hacking purpose of the CFAA.”
“There is no doubt that a typical hacker accesses an account ‘without authorization’: the hacker gains access without permission—either from the system owner or a legitimate account holder,” he wrote. Using someone else’s password with their permission but not the system’s owner isn’t “hacking,” but that’s what the court is treating it as."
Using another person's password with their permission but not with the system owner's permission is definitely a form of hacking. It's called social engineering. Social engineering is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Just because someone easily provided their account information doesn't mean that it was done so legitimately. It is ultimately the system owner who gets to decide who has authorization to their systems and what constitutes authorized access. At the same time, it is the system owner's responsibility to educate its users as to what is allowed.
I would also take issue with the sentence where the writer claims that the judge has a "commanding knowledge" of "hacking".
"A plan fiendishly clever in its intricacies"- Homer Simpson
I rail against password sharing on the regular. It's right up there with the crafty old hidden-under-the-keyboard bullshit. I have taken the time to set up your user, I have granted all the permissions needed for you to do your job. Use the GD tools I have provided, else request more.
When the surveillance guy sees you using somebody's creds, he is not going to smile and ignore it. He is going to come to me with a reprimand, and too many of those mean his businessmen stop coming and I don't get a raise next year. Then, if for some reason your system leaves the GD building (like I know it's going to) and I lose physical control of it, I bet you're going to spill all those (other people's) passwords all over the net cuz your GD eyes gloss over when I explain to you what that scary VPN shortcut on your fucking desktop is for, and I will find myself answering for it.
You are being ripped off every second of every day, so that advertisers can help rip you off even more tomorrow.
Many websites have in their EULA somewhere that using someone else's account is prohibited, or that signing up for a second account, or new account if you've been banned, are prohibited. Doing any of these prohibited things could be legally considered 'unauthorized access', even for a normally public website that anyone is welcome to use (Facebook etc.)
Conflating EULA violations on a public website, with accessing private computer systems containing confidential data, is one of the reasons the CFAA needs to be updated to reflect the realities of the current internet.
Instead of 'unauthorized access', the standard should be 'harm intentionally caused by access'. If you make it strict liability, then people will be legally liable for being part of a botnet, which is absurd considering the millions of machines currently part of botnets, and the penalties of the CFAA; it'd also make Tor exit nodes liable for hacking. A security researcher who finds a security hole in a system, causes no harm, and leaves, would also not be punishable. Harm would have to be significantly above the standard set by normal usage of the computer system; so, say, someone making a new account on a forum where they'd been banned wouldn't be punishable simply because they consumed bandwidth and server CPU time typical of other forum users, or because they took up space in the forum with posts. The CFAA only needs to exist in order to discourage crimes that civil law penalties can't: intentional sabotage of competitors' computer systems, or of infrastructure by domestic terrorists.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
Now when HR asks for your passwords when interviewing for a job, you should give them to them. By everyone's terms of service, you are not allowed to access someone else's account, nor can you give someone access to your account. When HR logs into your account, they've just committed a federal crime, and getting the proof that it was them should be easy. What's the damage? They didn't hire you, or it's a breach of your privacy; let your lawyer decide.
Sharing passwords is not sharing authorization to access an account.
oh please, you know this case was just an excuse to criminalize the sharing of netflix and other streaming services passwords
the whole case was probably bankrolled by hbo, netflix, and hulu
wow, dumb as fuck
no wonder you posted it as AC
If it is a leased car, then it depends on the terms of the lease.
If the car is owned by the driver, then they are the source of authorization. It would only be a crime if the 3rd party shop didn't have the customer's permission.
You've already been told that you're ignorant on this issue, you don't need to repeat yourself. We're already quite aware.
Besides you do need to learn to distinguish between accessing a database owned by a company, and a product owned by a consumer.
You know how I know you didn't RTFA?
This is a mistake. The reporter is deluding himself and misleading everybody else. This is best current industry practice for the computer security industry and lawmakers, but still.
According to the law, "hacking" means whatever the prosecutor wants it to mean. It has been left undefined and quite deliberately so. This again is according to best current computer security industry practice, so no complaining now. The chickens have come home to roost. Thanks, "ethical white hat hackers". You are none of these things and this is what your posing resulted in. Thank you so much.
*RING*RING*RING*
Hello, Mohammed, Mohammed and Mohammed, how may I help you?
Let me speak to Mohammed.
Sorry, he's in a meeting.
What about Mohammed?
Sorry, he's on vacation till next week.
Well then, connect me to Mohammed.
Speaking.
One of the oddities of our current climate is this: How do you know when you're authorized?
Much of the time it's common sense, but if we're talking about DMCA instead of CFAA, it gets very murky, very fast.
You buy a DVD. You pay for a Netflix account every month. Are you authorized to decrypt the content? If you're authorized, then it's ok to watch it. If you're not authorized, then decrypting is circumvention of the DRM.
According to the MPAA-vs-2600 case, you're either not authorized at all, or you're not authorized to do what DeCSS does. You're seemingly violating DMCA every time you watch anything, but of course nobody really believes that. (MPAA hasn't sued all their paying customers yet, and they've had ample time.)
So just what is the mechanism for authorization, and how do you know when it's there, in non-obvious situations? It seems that authorization can be totally implicit, without a single word communicated to tell you whether or not you have it. Indeed, it seems like there might be unspoken and unexpressed conditions. (e.g. We think the conditions are that you're authorized to bypass a DVD's DRM if it's inserted a licensed player, but not if it's an unlicensed player. But is this written anywhere? can you look at a player and even figure out whether its manufacturer got a license or not?)
If authorization is murky for DMCA, then why couldn't it be murky for CFAA too? Let's say you need access to something, to do something that your boss commands. The boss says "clean the dunsel" and you just happen to know that the key to the dunsel bracket's lock is stored in a certain drawer. Authorized? Maybe. Probably. Right?
The truth is, you're going to assume you're authorized and take your chances since it's highly unlikely that the government is coming for you. Or perhaps you're constantly unknowingly committing crimes all day, year after year, where the feds are licking their lips, waiting for the day when you're on some "bad guy" list and they can suddenly throw the book at you. Then 6 years later, you literally don't even remember if the boss said, "Oh, the dunsel bracket key is in that drawer. You may use it." You've just been using it every month for 72 months.
This story is just clickbait. The guy was a FORMER EMPLOYEE. Using a FORMER COWORKER'S password. That sounds like unauthorized access to me. This has little to do with "password sharing" and everything to do with accessing systems he no longer should have had access to. Sure, passwords should have been changed, but that's sort of beside the point.
This would be no different than having kept a copy of a key for a door and once you were no longer an employee, using said key to allow yourself into the building and taking whatever you want.
But what if BMW never gives permission for that 3rd party shop to use the reset code, and says that it is a dealer-only code and the shops / websites don't have permission to have it?
Stop using passwords. It really doesn't protect any of your personal devices, and if you can't trust the people you work with, they should be fired.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Effectively the court has ruled that "authorization" for the purpose of computer hacking is mens rea, not actus reus. If you obviously knew you lacked authority (mens rea = mental state) then the element is satisfied regardless of any technicalities about the access control systems (actus reus = actual activity). Crimes require both mens rea (knew you lacked authority) and actus reus (used the computer anyway).
That's why it's OK for the wife to log in and pay the husband's credit card bill: she has a _reasonable_ belief that it's OK to do so, thus the mens rea element of the crime is not proven.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
You know how I know you didn't RTFA?
Because you're being a humorless pedant?
Just cruising through this digital world at 33 1/3 rpm...
The court ruled no such thing. Is Slashdot a giant idiot that prints anything some anonymous coward submits? Make a headline true and quit propagating a lie.
a former employee of Korn/Ferry International research firm,
This person was not an employee of the company. Any reasonable person would conclude that using another employee's password to access a database to a company that you no longer work for is not authorized. Authorization would be acquiring your own password from the company's IT staff, or a direct statement from management that you could use the employee's credentials to access said database.
Trying to equate this with sharing my Netflix account is wrong. The Netflix account belongs to me, so I can give authorization for another person to use it. I paid for access to Netflix.
In, I would bet, more than one state/country, the law is written so that unless you have highly visible signs every X yards/meters you can't have a person charged with trespassing.
A 20-second Google search says basically all 50 states have requirements.
Like many posters above, I'm a little dismayed this made news. The title of the article is clickbait. We share passwords all the time at work -- heck, we have a password sharing application to make it easy to do so. But we only share passwords with people authorized to use them. If someone who wasn't authorized to use them is given one to access services, and is caught, then both that person and the person who gave the password to an unauthorized user broke the rules.
Dumbest quote: The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who?"
The question is asked as if it's a mystery fit for Sherlock Holmes. To pretty much everyone involved in every scenario...ever...they know who authorizes access. My house? Me. My company's financial records? CFO. My company's file server at work? Probably a bunch of people for different pieces of it (depending on the groups who are accessing: HR, Finance, Accounting, etc) and not the IT guys. Sure, the IT guys HAVE access (usually to the whole thing), and you could even say they hand out the keys. But someone authorizes them to do so.
So this is dumb. Guy is not authorized to access his old company's servers. Some friend who IS authorized gives him his password. Both should be penalized. And both are technically hackers as they are allowing unauthorized access to data.
Quick tip: Next time you want to steal your employer's trade secrets, remember to have the admin print out the records and give them to you on paper. Then you're only violating the EEA and don't have to worry about these pesky, overly broad interpretations of the CFAA causing you to be convicted as a hacker instead of just a thief.
If they force you to tell them your password and they use it to search your computer, they have just committed a crime.
The dystopian world depicted by Richard Stallman in his short tale "The right to read" (https://www.gnu.org/philosophy/right-to-read.html) is slowly coming. We already have DRM - Digital Restriction Management - now, sharing password has been turned into a crime. This has to be stopped. Now.
It's yet another case where the headline says something different than the article, as is unfortunately often the case here. Reading comprehension is in general getting worse everywhere and we see that happen a lot at Slashdot.
Based on this ruling, it sounds like Microsoft has been violating the CFAA with Wi-Fi Sense in Windows 10.
Sharing a password is not a crime, it's simply dumb.
Using an unauthorized password is a crime, definitely.
I'm far more interested in the question "Authorization from whom?".
(If you can't be pointlessly prescriptive about usage from "legal scholars", when can you be?)
See my answer above. If you find an additional way to ask the question, see above, the answer will be the same.
If they sold the car, they gave up prerogatives regarding how it is used. If they didn't sell the car, then it depends on the contract who holds which prerogatives.
In this case there are over 100 soon-to-be felons at my workplace.
It's funny how the first people on make an obvious mistake in taking the headline at face value, then others get on and explain the actual situation, then a bit further on more get on and post the same mistaken words. And it sort of cycles back and forth, down the thread list... 8-P
If the password in question was "password" is it still a crime?
So, according to a court ruling, I'm not allowed to share my password with federal agents or the court because the law says I cannot share my password with anyone?
Sadly, a Libertarian cannot force his views on another, and freedom cannot spread as does the cancer known as religion.