VWWHFSfQ 16 hours ago

The CFAA isn't super complicated. It basically boils down to:

Don't fuck with other people's shit if they don't want you to.

tptacek 15 hours ago | parent | next [-]

The CFAA is in fact pretty complicated. The text of the law isn't, but the implications of that text are, and so is the jurisprudence. Rockenhaus's CFAA case does not appear to have been at all complicated, though.

boston_clone 15 hours ago | parent | prev [-]

Are you a lawyer by chance?

I seem to remember cases or interpretations of the CFAA in which even guessing the username password combo of "admin:admin" would violate the act, resulting in teenagers or children being caught up in cYbEr FrAuD

petcat 15 hours ago | parent | next [-]

It doesn't matter if you brute forced their crappy login with commonly-used credentials. You think it's OK for someone to rummage around in your garage just because they correctly guessed your keycode was 12345? Of course not.

RankingMember 15 hours ago | parent | next [-]

Doesn't this posture also criminalize white-hat hackers, whose disclosures would protect you from the people who actually want to do damage?

ecb_penguin 14 hours ago | parent | next [-]

> Doesn't this posture also criminalize white-hat hackers, whose disclosures would protect you from the people who actually want to do damage?

There is no law for "white-hat hackers". You don't get to break into a system because of the color of your hat.

"White-hat hackers" have contracts, or very specific rules of engagement. Having run many a bug bounty, if someone was malicious, we would absolutely work to prosecute.

You can also find bugs in software freely, as long as you don't obtain unauthorized access to other people's systems.

tptacek 14 hours ago | parent [-]

This isn't true: there is, jurisdictionally dependent and I think also dependent on DOJ norms, a broad exception for good-faith white hat vulnerability research that would otherwise violate CFAA. Like I said, CFAA is very complicated in practice.

dpassens 14 hours ago | parent | prev [-]

(I don't know enough about the CFAA to know whether this is true so I'll assume it is.)

To continue the garage door analogy, you wouldn't walk up to any random garage door and try code 12345 to help protect the owner's stuff, would you?

RankingMember 12 hours ago | parent [-]

To stick with this analogy: I think a white hat equivalent would be more like driving down the street with a garage door remote set to a default code and then notifying anyone whose door opens in response that they should change their code. I don't think that should be illegal.

account42 14 hours ago | parent | prev | next [-]

You think walking through an unlocked door should result in federal charges?

ptero 13 hours ago | parent | next [-]

Walking through an unlocked door that has a sign "private property, do not enter", searching for sensitive information, finding it and exposing it surely could.

Or not, depending on how the party who owns what's inside that door feels. But if it feels he should be prosecuted, then hell yes, the state should do that. My 2c.

Ekaros 14 hours ago | parent | prev | next [-]

So what about using rakes or bump keys? Very low tech, very easy. Can defeat some poor quality locks.

petcat 14 hours ago | parent | prev [-]

So now the door is unlocked?? Where are the goal posts?

Don't mess with people's stuff if they don't want you to. This seems very simple to me. But I'm aware that you're trying to find some fringy gray area where you think it will be OK to mess with people's stuff even though they don't want you to.

Dylan16807 4 hours ago | parent [-]

If we're making an analogy to the Weev case then yes the door was unlocked, with the explicit intent that the general public could come through that door and access some of the documents.

boston_clone 15 hours ago | parent | prev [-]

I'm more focused on the assertion that "The CFAA isn't super complicated."

Which raises sincere doubts about the commenter's credibility to make such a claim.

echoangle 15 hours ago | parent [-]

How does "you're not allowed to guess credentials" mean it's complicated?

boston_clone 14 hours ago | parent [-]

I think that's a massive oversimplification of how the CFAA has been applied.

brookst 14 hours ago | parent | prev | next [-]

If those teenagers or children enter someone's house and vandalize or steal because the door (or window) isn't locked, is it no big deal?

efdee 15 hours ago | parent | prev | next [-]

Breaking into a system, whether or not the password was easy to guess, sounds like a crime to me.

ethbr1 14 hours ago | parent | next [-]

It is a crime!

But CFAA charges should, and this is the issue a lot of people have with them afaict, have a sliding scale for premeditation though.

If I knock on a door, it swings open, and I walk inside and steal something, then imho there should be a lesser maximum charge for possessing burglary tools than if I show up with a lock gun, crowbar, and concrete saw.

A lot of the CFAA excesses are maximum penalties from the CFAA being thrown at people using minimally sophisticated / premeditated methods, in addition to charges about the underlying crime.

That doesn't seem just or fair.

In practice it's turned into an if(computer){increase maximum penalty} clause, solely at the government's discretion.

JambalayaJimbo 14 hours ago | parent | next [-]

> If I knock on a door, it swings open, and I walk inside and steal something, then imho there should be a lesser maximum charge for possessing burglary tools than if I show up with a lock gun, crowbar, and concrete saw.

Why? (I'm not a lawyer...) - shouldn't intent and harm (i.e. the value of the stolen item) be the only relevant details? Now of course it's much easier to demonstrate intent if there's a crowbar involved, but once that's already established, it seems irrelevant.

ethbr1 13 hours ago | parent | next [-]

Because that's the way most method-specific laws work, at least in the US.

There's an underlying result crime (eg causing business harm by destroying a database), then the method by which one chose to do it (eg exceeding authorized access to a computer with the intent to cause harm).

The CFAA was originally passed under the erroneous worry that existing laws wouldn't be enforceable against cybercrime, which turned out to generally be false.

When you cause damage, there's almost always a law by which someone can sue you for those damages.

What there wasn't, and what the CFAA created, were extra penalties for computer crimes and an ability to charge people with computer crimes where there were no damages (eg Aaron Swartz).

And why should those things need to exist? Theft is theft. Destruction is destruction.

It was an underspecified law, ripe for prosecutor overreach. See: https://www.congress.gov/crs_external_products/R/HTML/R47557...

It fit with 'premeditated intent' intensifiers (where penalties escalate if premeditated intent can be proven)... but that wasn't actually how it was written or how it is used. Instead, it's a method-based checkbox that allows prosecutors to tack on additional charges / penalties. If a computer was used to destroy this thing, add X years to the sentence.

Dylan16807 4 hours ago | parent | prev [-]

If you're saying there should only be theft charges either way, that's fine.

But if there are burglary tool charges, they should depend on whether you used burglary tools to burgle, not how much theft you did.

efdee 14 hours ago | parent | prev [-]

You have a point. But on the other hand you have no idea of what tools the intruder possesses, only (at best!) what they used.

I think intent probably matters a lot more than the technicality of how you succeeded.

NoMoreNicksLeft 14 hours ago | parent | prev [-]

It does sound like a crime to me too. But was it a password or other credential that was guessed, or was it just some sequential primary key? The latter is not an authorization system, and I do not believe it a crime to do that unless you have specific knowledge that it is likely to cause damage and/or the intent to cause that damage.

As far as I am concerned, I am allowed to send any traffic I wish to public-facing hosts, and if they respond with content that the owners would not wish me to see, I have no responsibility to refrain. The only traffic I am not permitted to send are credentials I am not authorized to use (this would include password guessing, because if I manage to guess correctly, I was still not permitted to use it).

So which was it?

ecb_penguin 14 hours ago | parent | next [-]

You are not allowed unauthorized access regardless of how the key works.

> I am allowed to send any traffic I wish to public-facing hosts

No you're not. Denial of service is a federal crime.

> I have no responsibility to refrain

Yes you do, and this is just beyond silly. The nuance of how you obtained it will be decided in a court. Stop making everything so reductionist and lazy.

> The only traffic I am not permitted to send are credentials I am not authorized to use

Absolutely not. Use of a vulnerability to cause a data breach is OBVIOUSLY a federal crime.

This is beyond absurd.

NoMoreNicksLeft 11 hours ago | parent [-]

> You are not allowed unauthorized access regardless of how the key works.

You and I seem to both speak/write English, but there is a language barrier. For me, "authorization" means that they have given me credentials, and any content locked down under those credentials is off-limits.

For you, "authorization" is a magical term that has no real meaning. It means that they want me to have the content. But I am no telepath, and I do not know what they want me to have or do not want me to have. The only way, from my point of view, to know what they want me to have or not is to try to retrieve the content without credentials, and if it succeeds, it's legal.

Of course, there are a few corner cases. What if I discover some software defect that very clearly shows they intended to require credentials, and a test without credentials shows that it is indeed off-limits, but exploiting the defect produces that content? I wouldn't do that, that'd be illegal.

But your way of (non-)thinking is alien to me, and no reasonable judge or legislator could possibly mean what you claim that law states. Or at least what you seem to claim.

> No you're not. Denial of service is a federal crime.

Only with intent. If I send reasonable content that shouldn't be DoS, how was I to know? I intend no crime.

> Yes you do, and this is just beyond silly.

You're the one being silly. You can't even decide what you mean by "authorized".

> The nuance of how you obtained it will be decided in a court.

I'm never going to trial, I'm not even going to be noticed.

> Use of a vulnerability to cause

Use of a clear defect. The biggest and most dangerous vulnerabilities are the apathy and stupidity of their employees, their lack of a sane business model and attainable vision, and so on. Using those is just common sense. There is a popular magazine that is subscription only. But they have the pdf download links hidden with display: none CSS. These links require no authorization. Just knowledge. I retrieve those quite punctually.

tptacek 11 hours ago | parent [-]

You're both veering out of CFAA jurisprudence in different ways. But you know you're in trouble when you start saying things like "I am no telepath", because in fact a big part of an ambiguous CFAA case will be determining what a reasonable person (ie: the jury) would think confronted with the computer system under discussion. There will in fact be mind reading involved; your intent would in fact be tried.

There's nothing at all CFAA-specific about this; this is really basic US criminal law and it comes up in all sorts of different criminal justice contexts. The terms you're both dancing around are mens rea and actus reus.

NoMoreNicksLeft 5 hours ago | parent [-]

> But you know you're in trouble when you start saying things like "I am no telepath",

I'm not in trouble. There is virtually zero chance of this ever being noticed by law enforcement, and even less chance than that of them giving a shit.

Also note, I am not arguing what the worst possible interpretation might falsely convict someone of, but how the law should be viewed, or, if someone can demonstrate to my satisfaction that the law disagreed with, then how it should be altered.

If I have to guess what retards (read: juries) might think is reasonable, then there can be no public internet. We're just a few years after journalists were arrested for looking at html source with "view source", aren't we?

> The terms you're both dancing around are mens rea

I'm only mildly ignorant. Has CFAA ever been considered to describe strict liability crimes?

tptacek 4 hours ago | parent [-]

You're in trouble rhetorically, is what I mean, because your argument is completely alien to criminal law.

efdee 14 hours ago | parent | prev [-]

Maybe as far as you are concerned, but not as far as the law is concerned ;-)

NoMoreNicksLeft 14 hours ago | parent [-]

Well, I guess it's a good thing for me that they're unable to notice or care and in general incompetent.

I am still permitted to do this. None of the details of this case give me the impression that they're using CFAA in such a way as to offend my sensibilities. Sounds like he sabotaged a former employer and caused hundreds of thousands in (tort not physical) damages. I guessed the urls for some issuu.com links that aren't available in search, and downloaded the page images to make a pdf. I was never prompted for a password. Arrest me, I'm a notorious hacker.

codyb 15 hours ago | parent | prev [-]

I mean... if someone walked into your house cause you only closed the screen door while running to the store quick you'd still call the cops cause there was someone breaking into your house lol.

account42 14 hours ago | parent [-]

Sure but I wouldn't expect that guy to get locked up on federal charges simply for being in the house without authorization.

codyb 10 hours ago | parent [-]

Probably depends on the House.

I suppose if it's the White House the guy'd just get pardoned by the next president anyways.