Intelligence Analyst Charged With Hacking For Logging Into An Account Sent To Him Via Email
from the where's-the-hacking? dept
Wired has the odd story of a government intelligence analyst who has been charged with unauthorized access to a protected gov't computer involved in an investigation he was not authorized to access. But the problem is that the whole reason he logged in was because he had the login information emailed to him -- and he claims it went to a bunch of other intelligence analysts as well. Given that the login info was widely emailed around, due to what appears to be a breach in security protocol, it seems rather silly to then charge him with any kind of unauthorized access, and have him facing criminal charges. The real question should be why the guy was emailed the login info in the first place.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: hacking, intelligence analyst
Reader Comments
Subscribe: RSS
View by: Time | Thread
Government Intelligence at its best
[ link to this | view in chronology ]
Unauthorized access is unauthorized access
A professional analyst should know better.
[ link to this | view in chronology ]
Re: Unauthorized access is unauthorized access
[ link to this | view in chronology ]
For example, we had a scandal here in Sweden where one party used a leaked login to access the other parties plans on how to get elected. Personally I think one shouldn't be allowed to use login credentials that you are not supposed to have access to. It's like dressing up like a cop and misusing the authority that gives you. Just because you (or anyone) can do this doesn't mean you should be allowed to.
The key question I think is whether you realize that you are not allowed to use the login data.
[ link to this | view in chronology ]
Re:
That is the key question. He's a government intelligence analyst, probably use to working with top secret stuff. Did he get the E-Mail and think that it was a message from his boss saying he had to work in there?
Another big question is are the tens of thousands of other people this was sent to getting looked at and what about the person who sent the message in the first place.
I don't know how I feel about this. In a normal job environment, this would be at most a fireable offense. The top secret thing throws a wrench into the works.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
I disagree Mike....
Do you think if Mike at techdirt emptied my bank account, that he shouldn't be charged with unauthorized access?
I'd love to tell you to try and find out.. but sadly, I did not make this mistake.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
The analogy about using same username and password on multiple websites doesn't hold water. First of all, websites you use should be hoped to keep credentials in a way that the site itself can't determine the password. And the username/password combos used should at least establish bands of security. Maybe you don't care about using the same uname/pw in a few forums, but you have unique uname/pw combos for banking, etc.
This is more reason why access itself is not the crime, it's what you do with the access or how you obtained the access. And more reason why the federal government can be assumed to be among the most moronic large IT operations around.
[ link to this | view in chronology ]
Re:
Except, that's not the case in this case, is it?
[ link to this | view in chronology ]
Depends...
Why should someone who acts in good faith at receiving a legitimate email with legitimate creditials be punished and not the person who sent the email.
[ link to this | view in chronology ]
Trespassing?
FAIL.
As others have said, the issue here is "authorization" and unless he had reason to believe he had authorization, he's boned.
Those in the classified realm also know of a similar standard - "need to know". Just because you have a particular clearance level does not mean you get to have access to everything, and if you pursue access or exposure to things not relevant to your work, you risk being accused of a breach.
[ link to this | view in chronology ]
Re: Trespassing?
[ link to this | view in chronology ]
Re: Re: Trespassing?
Someone who may *or may not* have owned the house, gave you the key, showed how the lock worked, and invited a bunch of people over.
We do not know that the person that sent the email had the authority to authorize others to access the information.
[ link to this | view in chronology ]
wrong
[ link to this | view in chronology ]
Clever hack!
And sorry AC, but you can't just "accidentally" send someone an email with a system login!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
The Scenario?
If he received an email with just the details for login and no further details, he may have just signed in to see what the login details were for.
If he got it from a superior with a DO NOT USE THESE DETAILS message attached then obviously he shouldnt have used them.
ultimately, no-one but him knows the circumstances surrounding receiving the login details and no-one but him knows what the rest of the email was about.
its all well and good saying "Having a username and password is not the same as having authorization to access a resource." agreed, but you just dont know the WHOLE story.
Mike I have to say, you're right but you're wrong... using secure login details on face value would be stupid and deserves punishment because the person has not been told to use them.
HOWEVER, i cant honestly say that if someone emailed me login credentials to a secure website (internal or external) whether in error or not, I wouldnt have a peek at the info behind the login screen. I guess i would be punished for this, but i would still argue that someone sent me the details without instruction so i assumed they were for me to use.
[ link to this | view in chronology ]
Re: The Scenario?
See the problem? If you work in the classified arena, authorization to access information is explicit, not tacit (assumed), especially if you encounter the information unexpectedly.
However, I agree that the whole story is not here and he may have had reasonable cause to believe he legitimately had authorization to the material. In which case, he ought to make that case.
[ link to this | view in chronology ]
We don't know
However it smells to me like the person who really caused the problem (the one who sent the message) is trying to cover his back. The wording of the government information looks deliberately contrived to put the worst possible spin on the actions of the guy who received the message.
Clearly SOME recipients of the message had authorisation (otherwise why was it sent) and the exact same message was sent to him as to them. So all those people who likened it to picking up a key in the street are off target. It's more like being served a dish you (think you) didn't order at a restaurant. Is it the restaurant's version of your dish? Is it a complimentary extra? Or does it belong to someone else?
It all hangs on how dissimilar this event was to what this guy could expect in his normal job.
[ link to this | view in chronology ]
Where is the System Security?
What happened to the others or the person that sent the information? If you are going to set an example, slap all involved not just a single person.
Of course, there is probably much more to this story that what was reported.
Isn't "government intelligence" an oxymoron?
[ link to this | view in chronology ]
A Better Analogy
Say someone you didn't know stopped over and say "Here's My WIFI password"
Then you started browsing Facebook and you got criminal charges for unauthorized access.
If you read the story, he did not copy/distribute/whistleblow about any info he learned from his access.
Not to mention that this guy already had Top Secret clearance for his job, so getting this info was not out of the ordinary. He just so happened to not be on the list of people to have access.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Multiple Questions
No, that's yet another question, not "the" question. There can be more than one question involved, so having one "real" question does not meant that there are not also others. Nice try, Mike.
[ link to this | view in chronology ]
But still
If my teacher told me her logins to her email account, and then told me to check it, I would conclude that I was allowed to check it. Who wouldnt in that situation?
[ link to this | view in chronology ]
Authorization..
There is no way this guy can use the "I thought I had clearance" argument. He's government intelligence analyst, he knows what the procedures are.
I agree he shouldn't be charged with hacking, but unauthorized access is valid.
[ link to this | view in chronology ]