Slashdot Mirror


Password Sharing Is a Federal Crime, Appeals Court Rules (vice.com)

An anonymous reader writes from a report via Motherboard: An appeals court ruled Wednesday that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all "hacking" law that has been widely used to prosecute behavior that bears no resemblance to hacking. Motherboard reports: "In this particular instance, the conviction of David Nosal, a former employee of Korn/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, who said that Nosal's use of a former coworker's password to access one of the firm's databases was an 'unauthorized' use of a computer system under the CFAA. In the majority opinion, Judge Margaret McKeown wrote that 'Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing.' She then went on to describe a thoroughly run-of-the-mill password sharing scenario -- her argument focuses on the idea that Nosal wasn't authorized by the company to access the database anymore, so he got a password from a friend -- that happens millions of times daily in the United States, leaving little doubt about the thrust of the case. The argument McKeown made is that the employee who shared the password with Nosal 'had no authority from Korn/Ferry to provide her password to former employees.' At issue is language in the CFAA that makes it illegal to access a computer system 'without authorization.' McKeown said that 'without authorization' is 'an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.' The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who?"

17 of 165 comments

  1. Obvious to most people by gnasher719 · · Score: 4, Insightful

    A password doesn't give you authorisation. You get authorisation from your boss, or from your company, to access a computer to do your job. A password is only a means to help keep unauthorised people out.

    If you lose your job, or your position where you need to access the computer, you lost the authorisation. If the company forgets to remove your password, or you find someone else's password, or a password is shared with you, that doesn't give you authorisation. In this case, everything is absolutely clear.

    Where this law is abused in some cases is in situations where someone had the authority to access the computer, but abused the authority to commit a crime. Say a bank manager with authorisation to access computers moving money into his own bank account, or a police officer with access to a license plate database abusing his position by finding out the address of his ex's new boyfriend. That's when authorities try to add "computer hacking" to the list of crimes.

  2. Re:A question of definitions? by OverlordQ · · Score: 5, Insightful

    Authorization != Authentication

    --
    Your hair look like poop, Bob! - Wanker.
  3. Re:A question of definitions? by JaredOfEuropa · · Score: 5, Insightful

    No. If 1) your company IT policy strictly prohibits sharing your password with anyone, including IT support staff (like many policies do), and 2) you access a database using a co-worker's credentials, then it should be crystal clear to you that this access is unauthorized. And that goes double if you are no longer an employee at that company.

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
  4. Sharing with your boss/company by Art+Challenor · · Score: 4, Insightful

    So, is it now a federal crime to access someone's social media accounts with passwords that you coerced them to share (schools, companies, CBP, etc.)?

  5. So now..... by mark-t · · Score: 5, Insightful

    ... not only can they hold you indefinitely for *NOT* giving your device's password to them if they want to inspect it, they can even arrest you if you do!

  6. Terrible headline by jratcliffe · · Score: 5, Insightful

    "Password Sharing Is a Federal Crime, Appeals Court Rules"

    No, the appeals court ruled that borrowing a password to get access to a system you knew you weren't authorized to access is illegal. To use a real world analogy, if I lose my job, and the company takes away my key to the office, it's illegal for me to use a key borrowed from a colleague to get in. I don't have to pick the lock for the access to be illegal.

  7. Re:A question of definitions? by bored_lurker · · Score: 5, Insightful

    Couldn't one argue that authorization was granted by the database when a valid login/password pair was provided?

    No, if I come to your house and I find a key under your flowerpot, open the door and enter, am I authorized because the key gave me access? Clearly not. If simply having a password was authorization then not only every hacker (e.g. brute force) but every stolen ID would be "authorized". Just no.

    --
    --- Tolerance is the axiomatic "virtue" of those without convictions ---
  8. Re:So... by JustAnotherOldGuy · · Score: 1, Insightful

    Sharing a password is a federal crime for you or me. But a Secretary of State who willfully and wantonly shares state secrets, repeatedly... for money... that, that right there is just an Oopsie Booboo! No "harm," no foul. No one goes to jail.

    I know...the whole thing is a shameful fucking farce. No jail time, no fines, no censuring, no reprimand. What a sweet deal.

    David Comey said she had no "bad intent" when she did it. I'll see how far that excuse gets me the next time I get caught speeding or shoplifting or robbing a mini-market. "But officer, I had no bad intent, so just tell me not to do it again."

    --
    Just cruising through this digital world at 33 1/3 rpm...
  9. Re:A question of definitions? by Anonymous Coward · · Score: 2, Insightful

    Your analogy is flawed. Let's amend it to more closely model the specific situation at hand. If you go to an office building, phone a friend who is a current employee at the business housed within said building, ask for and receive an electronic door lock PIN to gain facilities access, and stroll around inside taking pictures of the interior, can your activities be held as criminal trespass? -PCP

  10. Dissenting judge is wrong by acoustix · · Score: 4, Insightful

    From the article:

    "Notably, Reinhardt appears to have a commanding knowledge of what constitutes “hacking,” something that comes up over and over again both in the media and in the courts. He said that the decision “loses sight of the anti-hacking purpose of the CFAA.”

    “There is no doubt that a typical hacker accesses an account ‘without authorization’: the hacker gains access without permission—either from the system owner or a legitimate account holder,” he wrote. Using someone else’s password with their permission but not the system’s owner isn’t “hacking,” but that’s what the court is treating it as."

    Using another person's password with their permission but not with the system owner's permission is definitely a form of hacking. It's called social engineering. Social engineering is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Just because someone easily provided their account information doesn't mean that it was done so legitimately. It is ultimately the system owner who gets to decide who has authorization to their systems and what constitutes authorized access. At the same time, it is the system owner's responsibility to educate its users as to what is allowed.

    I would also take issue with the sentence where the writer claims that the judge has a "commanding knowledge" of "hacking".

    --
    "A plan fiendishly clever in its intricacies"- Homer Simpson
  11. Re:A question of definitions? by Aighearach · · Score: 5, Insightful

    I dated a sysadmin and we didn't even share passwords to our home computers, or ask to/let each other use work laptops. Not even "just for a minute."

    Password security shows respect, trust.

    Which is deeper trust: "I trust you not to hurt me" or "I trust you not to put me in a position where I have to trust you not to hurt me?"

    I'll go with the latter one.

    Or as my mother taught me regarding financial risk, "Trust is knowing you won't be left out on a limb without the proper paperwork in the first place."

    But none of that even matters in this case, because it was the employer who held the prerogative to grant a password permission, or not. The person who "shared" the password was not the owner of the system, there is no actual legit "sharing" there. It is just using a false credential, after having received it from "a person on the inside."

  12. Re:A question of definitions? by Aighearach · · Score: 3, Insightful

    If you go to an office building, phone a friend who is a current employee at the business housed within said building, ask for and receive an electronic door lock PIN to gain facilities access, and stroll around inside taking pictures of the interior, can your activities be held as criminal trespass? -PCP

    Yes.

  13. Re:A question of definitions? by david_thornley · · Score: 3, Insightful

    Now, for the purposes of the CFAA, exactly what counts as authorization? Traditionally, putting an anonymous FTP server up has been considered to authorize access, but is this so according to the CFAA? As long as "authorization" is vague here, the CFAA will have a chilling effect on what people do.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  14. Re:So... by lgw · · Score: 1, Insightful

    She mishandled classified information, which is a felony (no intent required). The FBI said as much, and said that they'd go after the next person who did this, just not Hillary. Seriously.

    The rule of law means the same law applies to the powerful as to the common man. That's been fading in America, and it's not a good thing (drug laws haven't applied equally to celebrities for quite some time, this is just another brick in the wall).

    --
    Socialism: a lie told by totalitarians and believed by fools.
  15. Re:A question of definitions? by gnasher719 · · Score: 4, Insightful

    Uh.. you'd have a pretty hard time arguing I wasn't authorized to enter your home if you gave me a key. By virtue of giving me the key you've authorized me to enter your home.

    Absolutely not. I can give my neighbours my house keys when I go on holiday, so they can enter if there is an emergency. That doesn't give them authority to enter without reason. I had my neighbour's key with authorisation to enter the kitchen to feed the cats while she was on holiday; that didn't give me authorisation to enter her living room or bedroom.

    If you are renting, the landlord may have a key, the caretaker may have a key, they both have no authority to enter your home in most situations.

  16. Re:A question of definitions? by JustAnotherOldGuy · · Score: 4, Insightful

    Oh.. you'd have a pretty hard time arguing I wasn't authorized to enter your home if you gave me a key. By virtue of giving me the key you've authorized me to enter your home.

    First of all, no I wouldn't. Who said I "gave" you a key? Maybe you found it, maybe you stole it. Maybe someone I gave it to turned around and gave it to you. None of those scenarios gives you "authorization" to unlock my front door and enter my home.

    Second, just having the key doesn't automatically grant you authorization, either. Maybe I gave it to you for use only in case of emergency (fire, flood, vacation emergencies, etc).

    None of those give you carte blanche to necessarily be in my home either, unless the circumstances warrant. If it's for emergency access, for example, that doesn't give you the right to come over, watch TV and raid my refrigerator.

    So no, just having a key doesn't mean you're automatically authorized to use it, even if I gave it to you.
     

    --
    Just cruising through this digital world at 33 1/3 rpm...
  17. Re: fp by murdocj · · Score: 4, Insightful

    No. This means that if you get someone else's password and use that to access a computer system, you have committed unauthorized access. If that isn't a crime, then anyone who can grab your keystrokes and get your password has a free pass to do whatever they want, with no penalty.