| |
| ▲ | mothballed 16 hours ago | parent | next [-] | | Weev 'violated' the CFAA for incrementing a GET request, with his overturned conviction only for wrong jurisdiction. So the government has put us in a position where it's hard to take the CFAA seriously. We also know from prosecutions in other statutes that the government will often prosecute a broad crime with many separate sub-definitions of the various ways you can break it, then refuse to tell you under which sub-definition you're being charged, meaning you have no way to know if the jury even were unanimously convicting for the same thing and no way to know what you're even defending against. | | |
| ▲ | tptacek 16 hours ago | parent | next [-] | | As you probably know, it's everything that happened after they incremented that HTTP request that formed the basis for his charges. Message board discussions tend to want to distill "hacking" CFAA cases down to the specific shell script that ran, but these cases are almost always heavily situational and fact dependent. Interestingly, Rockenhaus's isn't --- it's more or less exactly the circumstance foreseen by the authors of CFAA, who believed that even though existing law covered most hacking-type scenarios, they didn't form a clear basis for felony charges for purely destructive computer abuse. | |
| ▲ | Aurornis 16 hours ago | parent | prev | next [-] | | This case has far more than the CFAA violation, though. There were multiple parole violations after the first incident, multiple attempts to evade the parole restrictions on Internet use, discovery of a pedophilia-related search query on his computer, a history of intentional damage to a company’s infrastructure to disrupt their operations, and more. Being angry at the CFAA is one thing, but this case has no relation to modifying a simple GET request. | |
| ▲ | aw1621107 15 hours ago | parent | prev | next [-] | | > We also know from prosecutions in other statutes that the government will often prosecute a broad crime with many separate sub-definitions of the various ways you can break it, then refuse to tell you under which sub-definition you're being charged, meaning you have no way to know if the jury even were unanimously convicting for the same thing and no way to know what you're even defending against.

Could you give some examples of this? | | |
| ▲ | mothballed 15 hours ago | parent [-] | | Yes, https://www.courtlistener.com/docket/63291773/united-states-.... Navy sailor was convicted of possessing machine guns and destructive devices. The ATF for example put back together de-milled RPGs, which could be a destructive device. However the statute says the following:

> (2) any type of weapon by whatever name known which will, or which may be readily converted to, expel a projectile by the action of an explosive or other propellant, the barrel or barrels of which have a bore of more than one-half inch in diameter, except a shotgun or shotgun shell which the Secretary finds is generally recognized as particularly suitable for sporting purposes; and (3) any combination of parts either designed or intended for use in converting any device into a destructive device as defined in subparagraphs (1) and (2) and from which a destructive device may be readily assembled.

The ATF took his demilled RPG, put another gun (owned by the ATF) inside of it, then fired it to prove it had a bore over 0.5 inch capable of expelling projectile. But the state didn't tell him under what definition he was charged, so they didn't know if they were defending against the collection of parts the ATF took (falls under 3), or against the weapon the ATF claimed it was after they put the parts together (which falls under 2). | | |
| ▲ | DannyBee 13 hours ago | parent | next [-] | | The normal answer to this is to request a bill of particulars, which was not requested here (afaict from the docket). I think there is some slightly down-in-the-weeds confusion here - what does an indictment require vs ... I think they screwed this up at trial and then tried to argue the indictment was insufficient, but i doubt they will get any appeals court to bite on this. I posted it elsewhere, but you can listen to the oral argument of the appeal here: https://www.ca4.uscourts.gov/OAarchive/mp3/23-4451-20250912.... It is a very accessible argument (in the sense of not needing legal knowledge to usefully process it). You can hear the judges sort of struggle to understand how this is an indictment opportunity, but really do seem to be trying to understand. They give counsel an opportunity to try to distinguish and explain things. At around 10 minutes, one of the judges asks counsel for the best case he has that says he's right, and he can't come up with one at all. Which is probably the point at which he lost this appeal. :) As i said elsewhere, i don't blame the lawyer - this seems like it would be a very hard case to win because of choices made at the level below. They are essentially arguing things they know will lose because nobody objected to things they should have at the level below. | |
| ▲ | aw1621107 14 hours ago | parent | prev [-] | | Thanks for the reference! For the convenience of anyone else reading, the appeals docket is at https://www.courtlistener.com/docket/67566242/united-states-.... Note that there are two appeals briefs; it seems the defendant replaced their attorney at some point during the appeals process. For what it's worth, I think this is the government's response to the argument you raise (on page 22 of the response brief, PDF page 30):

> Section 5845, captioned “[d]efinitions,” is a definitional provision, not a criminal prohibition. As relevant here, § 5845(b) defines the term “machinegun,” and § 5845(f) defines the term “destructive device.” These definitions do not create additional elements of the offenses charged under §§ 5861(d) and 922(o). Therefore, the government was not required to charge the applicable definition(s) in the indictment. See, e.g., Robbins, 476 F.2d at 30 (holding that an indictment under § 5861(d) need not refer to the definitions in § 5845 to “fairly notify a defendant of the charge against him”); United States v. Hoover, 635 F. Supp. 3d 1305, 1316 (M.D. Fla. 2022) (rejecting the argument that the government “was required to plead the specific facts supporting its contention that the [firearms] at issue fall within the definition of a machinegun”); cf. United States v. Pennington, 168 F.3d 1060, 1065 (8th Cir. 1999) (“The indictment’s failure to cite [18 U.S.C.] § 1346, a definitional provision, and to use its specific term, ‘honest’ services, does not mean no crime was charged.”).

And defendant's response, page 5:

> The question is whether the indictment “fully, directly, and expressly, without any uncertainty or ambiguity, set forth all the elements necessary to constitute the offence intended to be punished” and whether the indictment complied “with the necessity of alleging in the indictment all the facts necessary to bring the case” within the intent of the statute. United States v. Carll, 105 U.S. 611 (1881) (emphasis added). The government’s failure to give any specificity in the indictment cannot be remedied by wriggling as to whether the missing information can be considered an “element” or not. Even if the government were correct that the particular definition (or definitions) the prosecution is proceeding under does not change “elements,” it changes the “facts” underlying the scope of the statute.

I have no idea who is correct legally, and since oral arguments appear to have been held a few days ago I suppose I'll have to wait to see who is right. | | |
| ▲ | DannyBee 13 hours ago | parent [-] | | The appeals court did not seem very impressed. The oral argument is here:
https://www.ca4.uscourts.gov/OAarchive/mp3/23-4451-20250912.... The first question they asked is "why didn't you ask for a bill of particulars?". Overall, they seemed very confused as to the argument made here - why is the indictment actually insufficient, and what words did you want them to use instead. I don't think this will be a successful appeal at all - they seem to all agree this is not stuff that goes in an indictment, and to the degree that there was ambiguity, the correct answer was to request a bill of particulars. At around 10 minutes, one of the judges asks counsel for the best case he has that says he's right, and he can't come up with one at all. Which is probably the point at which he lost this appeal. :) To be fair, i don't blame the lawyer, and i expect why the judges are being not too hard on him, is because he's doing his best to argue a losing case because of choices made at the district court level. | | |
| ▲ | aw1621107 3 hours ago | parent [-] | | Thanks for the additional info! That does seem like a bit of a sticky situation for the defense. |
|
|
|
| |
| ▲ | 1vuio0pswjnm7 6 hours ago | parent | prev | next [-] | | Would the evidence in the Auernheimer case support a CFAA conviction today, after Van Buren (USSC) and HiQ (9th Circuit)? The CFAA claim was never decided in HiQ. The chances of success on that claim did not look good and Microsoft settled. Even in 2014, 3rd Cir. COA seemed doubtful there was a valid CFAA claim:

"5 We also note that in order to be guilty of accessing without authorization, or in excess of authorization under New Jersey law, the Government needed to prove that Auernheimer or Spitler circumvented a code- or password-based barrier to access. See State v. Riley, 988 A.2d 1252, 1267 (N.J. Super. Ct. Law Div. 2009). Although we need not resolve whether Auernheimer's conduct involved such a breach, no evidence was advanced at trial that the account slurper ever breached any password gate or other code-based barrier. The account slurper simply accessed the publicly facing portion of the login screen and scraped information that AT&T unintentionally published."

https://web.archive.org/web/20140513205343if_/http://cdn.ars... | |
| ▲ | akerl_ 16 hours ago | parent | prev | next [-] | | In this case you have the evidence of what he did and it does in fact look pretty serious. | |
| ▲ | stockresearcher 15 hours ago | parent | prev | next [-] | | > his overturned conviction only for wrong jurisdiction

What are you getting at? If an appeals court says “wrong jurisdiction”, that’s an “rm -rf” on the whole entire case. There’s nothing left to argue about. | | |
| ▲ | mothballed 15 hours ago | parent | next [-] | | Yes there is, they can reargue the whole thing in another jurisdiction since he was never 'in jeopardy.' Considering he was convicted in another jurisdiction, and they can retry him in the 'right' one, why wouldn't a reasonable person anticipate that might happen? I don't think Weev is living in Ukraine/Transnistria to practice his Slavic languages. And the reason why I brought up it was overturned, was because I knew someone would mention his case was vacated, and I wanted to make clear it wasn't vacated because there was something improper found about the legal question of the CFAA. | | |
| ▲ | stockresearcher 15 hours ago | parent [-] | | They could start over in the correct jurisdiction. Yes. The case that was being appealed is gone. Gone. I think that the type of person that excels at software development would also excel at lawyering. But they should probably go to law school and pay attention in class. | | |
| |
| ▲ | JadeNB 15 hours ago | parent | prev [-] | | > > his overturned conviction only for wrong jurisdiction

> What are you getting at?

> If an appeals court says “wrong jurisdiction”, that’s an “rm -rf” on the whole entire case. There’s nothing left to argue about.

I think your parent comment meant something like "the case wasn't overturned on the basis of deficiencies in the legal theory of the crime." | | |
| ▲ | kemayo 14 hours ago | parent | next [-] | | Generally this is a good thing to happen, because it's fairly quick and easy to argue you're in the wrong jurisdiction... and if that's the case, it doesn't matter what the legal theory was, since the court couldn't convict you anyway. Perhaps selfishly, I'd rather get out of a trial in the motion to dismiss stage, rather than having to very-expensively argue the merits all the way to the end. | |
| ▲ | torstenvl 14 hours ago | parent | prev | next [-] | | "jurisdiction" literally means "the power to say what the law is" If the court had no jurisdiction, it is not possible for them to rule on "deficiencies in the legal theory of the crime" in that case. | |
| ▲ | stockresearcher 15 hours ago | parent | prev [-] | | If it’s in the wrong jurisdiction, the court doesn’t get to the point where they look at the legal theory. | | |
| ▲ | JadeNB 13 hours ago | parent [-] | | Right. I think your parent comment was pointing out that it's not that the legal theory failed, but that it was never tested, and so might (or might not) still be sound. |
|
|
| |
| ▲ | ambicapter 16 hours ago | parent | prev | next [-] | | What does "incrementing a GET request" mean? | | |
| ▲ | kayge 15 hours ago | parent | next [-] | | As an example: Take a look at the URL of this page (https://news.ycombinator.com/item?id=45261163). Add 1 to that ID value (45261164) in your address bar. Hit Enter, your browser will GET whatever exists at the next ID. | | |
| ▲ | rirze 15 hours ago | parent [-] | | Ok, that makes sense but why is this so serious? Is this a grave crime in some context? | | |
| ▲ | ecb_penguin 14 hours ago | parent | next [-] | | Because people think they are clever and are trying to separate the act from the intent. Unlocked doors, open windows, any lack of security doesn't give you permission to enter. Just as "incrementing a GET request" doesn't mean anything outside of the intent. The intent was to do damage. | | |
| ▲ | Dylan16807 4 hours ago | parent [-] | | He did have permission to "enter". He was authorized to use the server. His intent of releasing the data was bad (assuming he started with that intent!) but he wasn't committing any fraud when collecting it. He didn't bypass any authentication or damage the server. CFAA is the wrong law to use. If a restaurant puts a bunch of proprietary documents in a dusty corner of the public lobby, you shouldn't browse through them but you're not breaking and entering if you do so. No matter what your intent is. |
| |
| ▲ | tptacek 15 hours ago | parent | prev [-] | | It's not about the actual HTTP request. Per se unauthorized access is just one predicate in these kinds of cases. It's about what the prosecutors claim you were doing when you made the access. |
|
| |
| ▲ | mothballed 16 hours ago | parent | prev [-] | | He incremented a number in the query string of a get request https://www.w3schools.com/tags/ref_httpmethods.asp | | |
| ▲ | JambalayaJimbo 14 hours ago | parent [-] | | Okay but what information did he obtain by doing that? If I break into a mistakenly locked police station, surely I cannot use the excuse "I was simply turning a door knob" |
|
| |
| ▲ | VWWHFSfQ 16 hours ago | parent | prev [-] | | The CFAA isn't super complicated. It basically boils down to: Don't fuck with other people's shit if they don't want you to. | | |
| ▲ | tptacek 15 hours ago | parent | next [-] | | The CFAA is in fact pretty complicated. The text of the law isn't, but the implications of that text are, and so is the jurisprudence. Rockenhaus's CFAA case does not appear to have been at all complicated, though. | |
| ▲ | boston_clone 15 hours ago | parent | prev [-] | | Are you a lawyer by chance? I seem to remember cases or interpretations of the CFAA in which even guessing the username password combo of "admin:admin" would violate the act, resulting in teenagers or children being caught up in cYbEr FrAuD | | |
| ▲ | petcat 15 hours ago | parent | next [-] | | It doesn't matter if you brute forced their crappy login with commonly-used credentials. You think it's OK for someone to rummage around in your garage just because they correctly guessed your keycode was 12345? Of course not. | | |
| ▲ | RankingMember 15 hours ago | parent | next [-] | | Doesn't this posture also criminalize white-hat hackers, whose disclosures would protect you from the people who actually want to do damage? | | |
| ▲ | ecb_penguin 14 hours ago | parent | next [-] | | > Doesn't this posture also criminalize white-hat hackers, whose disclosures would protect you from the people who actually want to do damage?

There is no law for "white-hat hackers". You don't get to break into a system because of the color of your hat. "White-hat hackers" have contracts, or very specific rules of engagement. Having run many a bug bounty, if someone was malicious, we would absolutely work to prosecute. You can also find bugs in software freely, as long as you don't obtain unauthorized access to other people's systems. | | |
| ▲ | tptacek 14 hours ago | parent [-] | | This isn't true: there is, jurisdictionally dependent and I think also dependent on DOJ norms, a broad exception for good-faith white hat vulnerability research that would otherwise violate CFAA. Like I said, CFAA is very complicated in practice. |
| |
| ▲ | dpassens 14 hours ago | parent | prev [-] | | (I don't know enough about the CFAA to know whether this is true so I'll assume it is.) To continue the garage door analogy, you wouldn't walk up to any random garage door and try code 12345 to help protect the owner's stuff, would you? | | |
| ▲ | RankingMember 12 hours ago | parent [-] | | To stick with this analogy: I think a white hat equivalent would be more like driving down the street with a garage door remote set to a default code and then notifying anyone whose door opens in response that they should change their code. I don't think that should be illegal. |
|
| |
| ▲ | account42 14 hours ago | parent | prev | next [-] | | You think walking through an unlocked door should result in federal charges? | | |
| ▲ | ptero 13 hours ago | parent | next [-] | | Walking through an unlocked door that has a sign "private property, do not enter", searching for sensitive information, finding it and exposing it surely could. Or not, depending on how the party who owns what's inside that door feels. But if it feels he should be prosecuted, then hell yes, the state should do that. My 2c. | |
| ▲ | Ekaros 14 hours ago | parent | prev | next [-] | | So what about using rakes or bump keys? Very low tech, very easy. Can defeat some poor quality locks. | |
| ▲ | petcat 14 hours ago | parent | prev [-] | | So now the door is unlocked?? Where are the goal posts? Don't mess with people's stuff if they don't want you to. This seems very simple to me. But I'm aware that you're trying to find some fringy gray area where you think it will be OK to mess with people's stuff even though they don't want you to. | | |
| ▲ | Dylan16807 4 hours ago | parent [-] | | If we're making an analogy to the Weev case then yes the door was unlocked, with the explicit intent that the general public could come through that door and access some of the documents. |
|
| |
| ▲ | boston_clone 15 hours ago | parent | prev [-] | | I'm more focused on the assertion that "The CFAA isn't super complicated." Which raises sincere doubts about the commenter's credibility to make such a claim. | | |
| |
| ▲ | brookst 14 hours ago | parent | prev | next [-] | | If those teenagers or children enter someone's house and vandalize or steal because the door (or window) isn't locked, is it no big deal? | |
| ▲ | efdee 15 hours ago | parent | prev | next [-] | | Breaking into a system, whether or not the password was easy to guess, sounds like a crime to me. | | |
| ▲ | ethbr1 14 hours ago | parent | next [-] | | It is a crime! But CFAA charges should, and this is the issue a lot of people have with them afaict, have a sliding scale for premeditation though. If I knock on a door, it swings open, and I walk inside and steal something, then imho there should be a lesser maximum charge for possessing burglary tools than if I show up with a lock gun, crowbar, and concrete saw. A lot of the CFAA excesses are maximum penalties from the CFAA being thrown at people using minimally sophisticated / premeditated methods, in addition to charges about the underlying crime. That doesn't seem just or fair. In practice it's turned into an if(computer){increase maximum penalty} clause, solely at the government's discretion. | | |
| ▲ | JambalayaJimbo 14 hours ago | parent | next [-] | | > If I knock on a door, it swings open, and I walk inside and steal something, then imho there should be a lesser maximum charge for possessing burglary tools than if I show up with a lock gun, crowbar, and concrete saw.

Why? (I'm not a lawyer...) - shouldn't intent and harm (i.e. the value of the stolen item) be the only relevant details? Now of course it's much easier to demonstrate intent if there's a crowbar involved, but once that's already established, it seems irrelevant. | | |
| ▲ | ethbr1 13 hours ago | parent | next [-] | | Because that's the way most method-specific laws work, at least in the US. There's an underlying result crime (eg causing business harm by destroying a database), then the method by which one chose to do it (eg exceeding authorized access to a computer with the intent to cause harm). The CFAA was originally passed under the erroneous worry that existing laws wouldn't be enforceable against cybercrime, which turned out to generally be false. When you cause damage, there's almost always a law by which someone can sue you for those damages. What there wasn't, and what the CFAA created, were extra penalties for computer crimes and an ability to charge people with computer crimes where there were no damages (eg Aaron Swartz). And why should those things need to exist? Theft is theft. Destruction is destruction. It was an underspecified law, ripe for prosecutor overreach. See: https://www.congress.gov/crs_external_products/R/HTML/R47557... It fit with 'premeditated intent' intensifiers (where penalties escalate if premeditated intent can be proven)... but that wasn't actually how it was written or how it is used. Instead, it's a method-based checkbox that allows prosecutors to tack on additional charges / penalties. If a computer was used to destroy this thing, add X years to the sentence. | |
| ▲ | Dylan16807 4 hours ago | parent | prev [-] | | If you're saying there should only be theft charges either way, that's fine. But if there are burglary tool charges, they should depend on whether you used burglary tools to burgle, not how much theft you did. |
| |
| ▲ | efdee 14 hours ago | parent | prev [-] | | You have a point. But on the other hand you have no idea of what tools the intruder possesses, only (at best!) what they used. I think intent probably matters a lot more than the technicality of how you succeeded. |
| |
| ▲ | NoMoreNicksLeft 14 hours ago | parent | prev [-] | | It does sound like a crime to me too. But was it a password or other credential that was guessed, or was it just some sequential primary key? The latter is not an authorization system, and I do not believe it a crime to do that unless you have specific knowledge that it is likely to cause damage and/or the intent to cause that damage. As far as I am concerned, I am allowed to send any traffic I wish to public-facing hosts, and if they respond with content that the owners would not wish me to see, I have no responsibility to refrain. The only traffic I am not permitted to send are credentials I am not authorized to use (this would include password guessing, because if I manage to guess correctly, I was still not permitted to use it). So which was it? | | |
| ▲ | ecb_penguin 14 hours ago | parent | next [-] | | You are not allowed unauthorized access regardless of how the key works.

> I am allowed to send any traffic I wish to public-facing hosts

No you're not. Denial of service is a federal crime.

> I have no responsibility to refrain

Yes you do, and this is just beyond silly. The nuance of how you obtained it will be decided in a court. Stop making everything so reductionist and lazy.

> The only traffic I am not permitted to send are credentials I am not authorized to use

Absolutely not. Use of a vulnerability to cause a data breach is OBVIOUSLY a federal crime. This is beyond absurd. | | |
| ▲ | NoMoreNicksLeft 11 hours ago | parent [-] | | > You are not allowed unauthorized access regardless of how the key works.

You and I seem to both speak/write English, but there is a language barrier. For me, "authorization" means that they have given me credentials, and any content locked down under those credentials is off-limits. For you, "authorization" is a magical term that has no real meaning. It means that they want me to have the content. But I am no telepath, and I do not know what they want me to have or do not want me to have. The only way, from my point of view, to know what they want me to have or not is to try to retrieve the content without credentials, and if it succeeds, it's legal. Of course, there are a few corner cases. What if I discover some software defect that very clearly shows they intended to require credentials, and a test without credentials shows that it is indeed off-limits, but exploiting the defect produces that content? I wouldn't do that, that'd be illegal. But your way of (non-)thinking is alien to me, and no reasonable judge or legislator could possibly mean what you claim that law states. Or at least what you seem to claim.

> No you're not. Denial of service is a federal crime.

Only with intent. If I send reasonable content that shouldn't be DoS, how was I to know? I intend no crime.

> Yes you do, and this is just beyond silly.

You're the one being silly. You can't even decide what you mean by "authorized".

> The nuance of how you obtained it will be decided in a court.

I'm never going to trial, I'm not even going to be noticed.

> Use of a vulnerability to cause

Use of a clear defect. The biggest and most dangerous vulnerabilities are the apathy and stupidity of their employees, their lack of a sane business model and attainable vision, and so on. Using those is just common sense. There is a popular magazine that is subscription only. But they have the pdf download links hidden with display: none CSS. These links require no authorization. Just knowledge. I retrieve those quite punctually. | | |
| ▲ | tptacek 11 hours ago | parent [-] | | You're both veering out of CFAA jurisprudence in different ways. But you know you're in trouble when you start saying things like "I am no telepath", because in fact a big part of an ambiguous CFAA case will be determining what a reasonable person (ie: the jury) would think confronted with the computer system under discussion. There will in fact be mind reading involved; your intent would in fact be tried. There's nothing at all CFAA-specific about this; this is really basic US criminal law and it comes up in all sorts of different criminal justice contexts. The terms you're both dancing around are mens rea and actus reus. | | |
| ▲ | NoMoreNicksLeft 5 hours ago | parent [-] | | >But you know you're in trouble when you start saying things like "I am no telepath", I'm not in trouble. There is virtually zero chance of this ever being noticed by law enforcement, and even less chance than that of them giving a shit. Also note, I am not arguing what the worst possible interpretation might falsely convict someone of, but how the law should be viewed, or, if someone can demonstrate to my satisfaction that the law disagreed with, then how it should be altered. If I have to guess what retards (read: juries) might think is reasonable, then there can be no public internet. We're just a few years after journalists were arrested for looking at html source with "view source", aren't we? >The terms you're both dancing around are mens rea I'm only mildly ignorant. Has CFAA ever been considered to describe strict liability crimes? | | |
| ▲ | tptacek 4 hours ago | parent [-] | | You're in trouble rhetorically, is what I mean, because your argument is completely alien to criminal law. |
|
|
|
| |
| ▲ | efdee 14 hours ago | parent | prev [-] | | Maybe as far as you are concerned, but not as far as the law is concerned ;-) | | |
| ▲ | NoMoreNicksLeft 14 hours ago | parent [-] | | Well, I guess it's a good thing for me that they're unable to notice or care and in general incompetent. I am still permitted to do this. None of the details of this case give me the impression that they're using CFAA in such a way as to offend my sensibilities. Sounds like he sabotaged a former employer and caused hundreds of thousands in (tort not physical) damages. I guessed the urls for some issuu.com links that aren't available in search, and downloaded the page images to make a pdf. I was never prompted for a password. Arrest me, I'm a notorious hacker. |
|
|
| |
| ▲ | codyb 15 hours ago | parent | prev [-] | | I mean... if someone walked into your house cause you only closed the screen door while running to the store quick you'd still call the cops cause there was someone breaking into your house lol. | | |
| ▲ | account42 14 hours ago | parent [-] | | Sure but I wouldn't expect that guy to get locked up on federal charges simply for being in the house without authorization. | | |
| ▲ | codyb 10 hours ago | parent [-] | | Probably depends on the House. I suppose if it's the White House the guy'd just get pardoned by the next president anyways. |
|
|
|
|
| |
| ▲ | ajsnigrutin 16 hours ago | parent | prev | next [-] | | Yep... Shutting down the server (you solely maintained) before leaving would be "minor" to me... intentionally causing damage, earning money from that, getting caught, and again causing physical damage.. that's pretty "major" to me. | |
| ▲ | nerdponx 16 hours ago | parent | prev [-] | | And yet fraudulent warrants, if they are indeed fraudulent, are still illegal and immoral and a violation of this criminal's rights. | | |
| ▲ | DannyBee 15 hours ago | parent [-] | | As far as i can discern, the warrants aren't fraudulent. Warrants (in the US anyway) require reasonable belief that the crimes listed were committed. They don't have to be right, mind you (after all, that's what trial is for), they just need reasonable belief. They also can't recklessly disregard the truth (IE deliberately write lies they know are wrong). Again, it's okay for them to be wrong about their belief. It's just not okay to know they are wrong and write it anyway. Here, reading the warrant, etc, there is nothing obviously fraudulent here. Perhaps it is, of course, but i read everything i could find and it's completely non-obvious which part of the warrant is supposed to be fraudulent. Even the sort of retaliation claim made here is strange - Arresting you when you appear to actually have broken the law is generally only considered retaliation if (among other things) the enforcement of the law is uneven - IE targeted at you and nobody else. Given the arrest was for a parole violation and they arrest parole violations like this all the time, .... Like if you are at a traffic stop because you ran a red light, call a cop an asshole, and they arrest you because you have 50kg of cocaine bricks in your back seat, it's not retaliation. Retaliation would be if you call a cop an asshole on facebook, and they come arrest you for violation of an 1825 law that hasn't been used against anyone in 200 years. | | |
| ▲ | nerdponx 11 hours ago | parent [-] | | Totally valid. And I also didn't check into the warrants themselves. I was responding to the implication I keep seeing here that it's OK that he got arrested because he did bad things, regardless of how the arrest came about. |
|
|
|
| |
| ▲ | everforward 15 hours ago | parent | next [-] | | I also follow the closely related addendum: I do not want standing admin access to your system, unless I need it often enough it really impacts my productivity. Doubly so if it's not hooked up to SSO. If the database gets breached, I don't want my name on the list of people who had the admin password. Most big businesses are good about that, but I've helped a couple family members with their business' WordPress and just have standing access that I really don't want. They don't want to juggle activating/de-activating my account though, so /shrug. | | |
| ▲ | kstrauser 15 hours ago | parent [-] | | Same all around for me. I have a couple of longstanding accounts on local businesses I help out, but it’s all via VPNs that send the owner an email when I connect. I also refuse to do any work unless they ask me in writing. Text is OK, and I screenshot it. “Why did you give such-and-such rights to that employee?” “I have it in writing where the owner asked me to, Your Honor.” This has never come up before, but it’s easy enough to be diligent about it. Also: I keep a little paper notebook where I log the work I do for everyone, and occasionally have someone else sign and date it. It’s basically a cheap blockchain IRL. “How do you know you did this before you stopped doing work for them?” “Because the owner signed and dated the logbook after I did the work but before they hired the new IT person.” I’m suuuuuper nitpicky about diligence in all this, for the protection of everyone involved, and especially me. |
| |
| ▲ | dsr_ 16 hours ago | parent | prev | next [-] | | That shouldn't require a pact, that should be part of the standard checklist for ending employment. (The list is longer for those who have root, but it should still be a list.) | | |
| ▲ | kstrauser 15 hours ago | parent [-] | | For sure, and I’m often the one who makes the list, and one with root. But the big thing is to do it quickly, like within the hour, and diligently. Don’t say, oh, I’ll give him a chance to access his email and download stuff, or whatever. No! Like, cut me off completely right now. Then, if something breaks down the road, there’s no temptation for them to wonder if I had anything to do with that weird failure. (And obviously, don’t freaking hack your ex-employers! But also don’t even leave the impression that you could.) | | |
| ▲ | terminalshort 14 hours ago | parent | next [-] | | I agree with the overall point. (And WTH would you ever have things you need to download in your work email?) But there's not an employer I have ever left that I couldn't have done extensive damage to without any permissions at all. Not that I would ever add a felony charge to even the most bitter firing, but I could. | | |
| ▲ | nerdsniper 13 hours ago | parent | next [-] | | > And WTH would you ever have things you need to download in your work email? Because you got a university email as a student 20-30 years ago back when .edu emails were "for life". Then you started working at the university as a staff-person under the same email. Then 20-30 years later you're leaving, and much of your digital identity is inextricably linked to that old "personal" email. | | | |
| ▲ | kstrauser 14 hours ago | parent | prev [-] | | I'm sure that's probably true for all of us, to some extent. Things holding me back: 1. It's wrong. That's not how my parents raised me. 2. I value and protect my reputation. 3. I want to be able to have another job in the field without being permanently deny-listed. 4. Prison sounds awful. |
| |
| ▲ | vidarh 14 hours ago | parent | prev [-] | | Yeah, I usually stress to employers and clients that I want to be cut off quickly, and usually remind them of what they need to lock me out of when I leave. Even then, I've had clients for whom things have broken come to me in despair hoping I'd kept access. The day one of them for whatever reason decides to suspect that I was the one to break things, I will be very happy to be able to point to consistently having done what I can to ensure I get locked out. | | |
| ▲ | kstrauser 14 hours ago | parent [-] | | I've had that, too! Fairly recently, an ex-client who sold their business to someone with a full-time IT staff asked me if I had the password to unlock their NAS. No, I didn't. I turned all those over to the IT staff, strongly recommended that they change them, and deleted my local copies. Sorry, but no, I can't help you with that. |
|
|
| |
| ▲ | Almondsetat 15 hours ago | parent | prev [-] | | This is exactly what all big corporations (rightly) do, and when layoffs come around you see waves of people making sob stories about how nobody told them and suddenly their work laptop stopped working from one minute to the next, or they didn't even let them inside the office because they were terminated during their morning commute. | | |
| ▲ | kstrauser 14 hours ago | parent [-] | | Yeah. That’s actually a favor in disguise. Now they can’t accuse you of stealing or destroying stuff on your way out. BTW, last time I posted stuff like this, someone thought I was treating this like an alibi: “ah ha! Now I can run amok and not get blamed for it!” No. Don’t do that, lest ye end up with a felony and permanent unemployability. I just mean that when things inevitably break due to natural entropy, the first question is often of who had access, and you don’t ever want your name to be on that list. |
|
|