If The DOJ Gets Its Way, Tweeting Out A List Of The 'Worst Passwords On The Internet' Will Be A Felony
from the because-our-prisons-aren't-at-maximum-capacity dept
Retweet if you want to go to jail! And not regular county jail, but federal prison!
Under the DOJ's CFAA proposal, this article (and this tweet linking to it) could be a 10 year felony. That's insane. http://t.co/njE8368lxU
— Nate Cardozo (@ncardozo) January 20, 2015
In case you can't read/see the tweet, it says:
Under the DOJ's CFAA proposal, this article (and this tweet linking to it) could be a 10 year felony. That's insane. (The link goes to a Techcrunch article featuring SplashData's list of the "worst passwords on the internet.")
The DOJ has offered up its preferred version [pdf link] of the CFAA (Computer Fraud and Abuse Act) -- under the ridiculous name of "Updated Law Enforcement Tools" -- and it indeed would make this sort of thing an instant felony.
Here's the wording change that does it (deletions and additions are marked inline):
(6) [deleted: knowingly and with intent to defraud] [added: willfully] traffics (as defined in section 1029) in any password or similar information[added: , or any other means of access, knowing or having reason to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section as the result of such trafficking;] if—
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
The DOJ removes intent and replaces it with feelings. Sharing a list of common (and stupid) passwords could be construed as "willfully trafficking" passwords while "knowing" a "protected computer" could be "accessed without authorization."
And that thing about federal prison I opened the post with? That's the way the DOJ wants it. The CFAA currently allows for misdemeanor charges under certain circumstances. But this proposal does away with that. Instead of a misdemeanor-to-3 year sentence range, punishments start at 3 years and escalate to a 10-year cap. Unless, of course, your hacking is part of the commission of another felony, in which case the government proposes it should get to double dip (at minimum). Here's Orin Kerr's take on that part of the proposal:
Under the proposal, breaching a written restriction is a crime if the user violated the written condition in furtherance of a state or federal felony crime, “unless such violation would be based solely on obtaining the information without authorization or in excess of authorization.” On one hand, this might seem kind of harmless, or at least redundant: The proposal makes it a felony to break a promise on a computer in furtherance of a felony. One wonders what the point is: Why not just punish the underlying felony?
But the real problem is the double-counting issue. Federal and state law is filled with overlapping crimes. Congress might enact three crimes that do the same basic thing, giving prosecutors the choice of which to charge or allowing them to charge all three. State criminal codes often mirror the federal criminal code. That raises a question: If Congress makes it a crime to commit an act “in furtherance of” a different crime, does the existence of overlapping crimes mean that a person’s conduct violates the first crime because it was “in furtherance of” the second? This is a particular problem because every state has unauthorized access crimes a lot like the CFAA. We saw this in the Auernheimer case, where prosecutors argued that the misdemeanor federal unauthorized access alleged in that case should be a felony because it was “in furtherance of” New Jersey’s nearly identical state unauthorized access law.
As if we didn't have enough people in prison already, the DOJ proposal mandates felony charges and provides prosecutorial options to ensure very few defendants walk away with short sentences.
The proposal also asks users to perform mind-reading when accessing anything computer-based.
(6) “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in [deleted: the] [added: such] computer—
(A) that the accesser is not entitled [deleted: so] to obtain or alter; or
[added: (B) for a purpose that the accesser knows is not authorized by the computer owner;]
Going back to the Weev case, Andrew Auernheimer obviously knew AT&T would not "authorize" his access of supposedly private information, even if all he did was alter URL components to achieve this. Now, companies' security failures can be weaponized against those who discover them -- making it highly unlikely that flaws and holes will be pointed out to those who can actually close them. Why risk a few years in federal prison (remember: no misdemeanors) just because some entity decided to shoot the messenger rather than thank them for their help?
Filed Under: cfaa, doj, felony, obama administration, passwords
Reader Comments
The First Word
The Emperor's New Password
Crap, turns out our security really sucks. Should we fix it? Let's just make talking about security illegal.
Problem solved!
Re:
For the profit, think of the profit, the profit damn you, the profit
By the profit, for the profit
Shall I compare you to a summer's day? PROFIT
I profit, therefore I am?
Land of the greed, home to the profit
Profit, ......profit........PROFITPROOFIT.PROFIT
DOJ to white-hats: If you see something, shut up, or face a felony
Companies may feel like they get egg on their face when they have their shoddy security made public after ignoring the problem, but that is nothing compared to what happens when the person 'examining' their security isn't interested in helping anyone but themselves. And with the law making it essentially illegal for someone to test security on their own, for whatever reason, the number of security holes, and resulting harmful hacks, will likely shoot way up.
Yet again, we've got an example of a government agency making things less safe, and more dangerous, for everyone but the criminally inclined.
Re: DOJ to white-hats: If you see something, shut up, or face a felony
The number of white hats would be reduced, no question about it, but there will always be some that keep doing the good work. They'll just go underground (a bit like they used to be in the old days).
Re: Re: DOJ to white-hats: If you see something, shut up, or face a felony
Even among those who continue working, probably many will stop contacting the companies with vulnerabilities (how confident are they that their communications are really anonymous once the FBI gets involved?) and just publicize everything immediately. Nobody benefits from such a change.
Re: Re: Re: DOJ to white-hats: If you see something, shut up, or face a felony
If the pattern from the old days repeats, what will happen is that software and hardware producers will end up begging white hats to start giving the advanced notice again.
Re: Re: Re: Re: DOJ to white-hats: If you see something, shut up, or face a felony
The rest of the corporations want all security issues swept under the carpet, as it costs them money to fix them. If they can be kept hidden they do not have to spend the money.
Re: Re: Re: Re: Re: DOJ to white-hats: If you see something, shut up, or face a felony
They can't of course, so they'll spend the money to settle class action lawsuits after massive data breaches, rather than spending it ahead of time to fix problems.
Re: Re: Re: Re: DOJ to white-hats: If you see something, shut up, or face a felony
At which point, the white hats will say "if I did know anything about a vulnerability, it would be a felony to tell you about it." Let's hope this amendment never sees the light of day.
Re: Re: Re: Re: Re: Re: Re: Re: DOJ to white-hats: If you see something, shut up, or face a felony
It's like grabbing the wrong leg in a pig wrestling contest.
Re: Re: Re: Re: Re: Re: Re: Re: Re: DOJ to white-hats: If you see something, shut up, or face a felony
Isn't that what much 'law enforcement' consists of, nowadays? Someone wrestling a 'pig' on the ground so as to avoid assault, praying that the guy (as they generally are) doesn't shoot, tase, or pepper spray them.
Re: Re: Re: Re: DOJ to white-hats: If you see something, shut up, or face a felony
Even the 'promise' of no charges being brought if a security vulnerability is brought to the attention of a company wouldn't be worth much, as that wouldn't stop the DOJ from stepping in and filing their own charges.
This makes everybody in tech a felon
As someone who works in cloud this is part of my day to day. So by merely passing this law, anyone with knowledge of a vulnerability would automatically become a felon. There is often a trade-off between security and getting something to market. This would mean even getting it to market would be legally felonious in many if not all cases.
Re: This makes everybody in tech a felon
This is not only wrong, it's insane.
Re: Re: This makes everybody in tech a felon
"We're willing to break the law by following standard security practices to make sure your data is secure from hackers".
Re:
Every culture and politic has a buzz word, card to play, or dogmatic bias against the side they oppose.
A good offense... is a good offense. What is this "Defense" you speak of?
Ahhh, but Novell Netware of the 1990's
Seriously, though, this could impact those technical writers and trainers. Reinforcing the need for best practices is difficult when you can't thoroughly explain the risk of worst practices.
Would be
"Would be", not "could be". There's no need to exaggerate how bad this is.
Manuals
If they are I guess they will remove them from the manuals. Would this mean that we have to brute force the password for i.e. a router before we can use it?
Besides NSA snooping, it would also be an interesting way to test if the website or network administrator is reading [supposedly-confidential] passwords by composing a password consisting of a terrorism or death threat against the person or company you suspect might be snooping passwords and/or logging traffic.
Re:
I didn't think so.
2014 maybe *not* the year of Digital Security?
http://www.cringely.com/2015/01/16/2015-predictions-money-stupid/
Motivations
If this fails, they WILL find another excuse and attempt to encode it into law.
This proposal appears to criminalize being 0wned
Look what happened to Julie Amero, and that wasn't even her system. The combination of a grandstanding prosecutor, utterly incompetent "forensic experts" and clueless newspaper editors destroyed her life -- over someone else's mistake. (And a rather common mistake, at that.)
This proposal could be used to go after everyone whose system has been botted, and since it can be, it will be. When convenient. When expedient. When politically desirable.
enemy of the american people...
Wait isn't everything capable of being a password
Re: Wait isn't everything capable of being a password
A list of nothing but passwords isn't even that useful (except to compile a dictionary to be used in a dictionary attack). What is useful is a list of services and user IDs with their passwords.
Re: Re: Wait isn't everything capable of being a password
That's not true; a long string of dictionary words is a very secure password. Forexamplethisrightherewouldbevirtuallyimpossibletocrackjustbecauseit'ssolong.
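The two comments above (a list of bare passwords being useful mainly as a cracking dictionary, and a long string of dictionary words being a strong password) can be made concrete with a small calculation. The following is an added example, not code from the original post or from any of its commenters. It shows the defensive use of a "worst passwords" list, namely rejecting those entries at signup, and it measures a random passphrase by its entropy rather than its character count. The short blocklist is a constructed sample, not SplashData's list, the 7776-entry wordlist size is the conventional diceware figure, and the guess rate is an assumed number used only to compare the two policies.

```python
import math
from typing import Iterable

# Constructed sample in the style of a "commonly used passwords" list.
# A real deployment would load a much larger list; the check is the same.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou", "111111"}

# Assumed guess rate for an offline attack against a fast hash; used only to
# put the two entropy figures on a common scale.
ASSUMED_GUESSES_PER_SECOND = 1e10


def normalize(password: str) -> str:
    """Canonical form for list comparison: surrounding whitespace dropped, case-folded."""
    return password.strip().casefold()


def is_blocklisted(password: str, blocklist: Iterable[str] = COMMON_PASSWORDS) -> bool:
    """True if the password appears in the list of commonly used passwords.

    This is the defender's use of such a list: refuse the entry when a user
    picks it, so a dictionary built from the same list has nothing to hit."""
    normalized = normalize(password)
    return any(normalized == normalize(entry) for entry in blocklist)


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of num_words words, each chosen uniformly at
    random (with replacement) from a wordlist of wordlist_size entries.

    The strength comes from the random choice, not from the character length;
    a grammatical sentence of the same length has far fewer bits."""
    if num_words <= 0 or wordlist_size <= 1:
        raise ValueError("need at least one word and a wordlist with more than one entry")
    return num_words * math.log2(wordlist_size)


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a password of the given length, each character chosen
    uniformly at random from a charset of charset_size symbols."""
    if length <= 0 or charset_size <= 1:
        raise ValueError("need a positive length and a charset with more than one symbol")
    return length * math.log2(charset_size)


def expected_guesses(entropy_bits: float) -> float:
    """Average number of guesses to find a secret of this entropy (half the keyspace)."""
    return 2 ** entropy_bits / 2


def years_to_exhaust(entropy_bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Average time in years at the assumed guess rate; for comparing policies only."""
    seconds = expected_guesses(entropy_bits) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for candidate in ("Password ", "correct horse battery staple"):
        print(f"{candidate!r:35} blocklisted={is_blocklisted(candidate)}")
    # Six random words from a 7776-word list versus eight random alphanumerics (62 symbols).
    passphrase_bits = passphrase_entropy_bits(6, 7776)
    charset_bits = charset_entropy_bits(8, 62)
    print(f"6 random words:        {passphrase_bits:.1f} bits, "
          f"{years_to_exhaust(passphrase_bits):.3g} years on average")
    print(f"8 random alphanumeric: {charset_bits:.1f} bits, "
          f"{years_to_exhaust(charset_bits):.3g} years on average")
```

The caveat to the commenter's "just because it's so long": the entropy formula above only holds when the words are drawn at random. Six random words from a 7776-entry list give about 77.5 bits, while a memorable sentence of the same length is predictable word by word and is guessed by phrase-based dictionaries long before a character-level brute force would reach it. Length matters only as a carrier for randomness.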
Re: Re: Wait isn't everything capable of being a password
Why'd you have to point this out? Now they're going to ban the dictionary! Oh, wait, aren't there password crackers that utilize Wikipedia?
BAN IT ALL! BAN ALL THE WORDS!
Re: Re: Wait isn't everything capable of being a password
To bring the idea proposed by the law into the real world, would a list of gases used in various types of blowtorch be considered an intentional aid to safecrackers?
It's based on freedom of expression, freedom to create.....not an entitlement to restrict, to profit, or to monopolise
retards of the world unite
The next step or after other several steps in this obvious ploy will be to put in jail anybody who opposes bad laws, policies, actions, bills, ideas etc etc.........I don't want to pass my own policy, I have no policy by CHOICE, I certainly don't want to see BAD "policies" being passed or manipulated into impressionable minds, and certainly not by people who OBVIOUSLY through the very action they incessantly keep pushing don't give a shit about the rights and freedoms of the individual
They're trying to mold younger generations in their image. All they're doing is creating a generation who consider the US government worse than the Soviet Union. At least Stalin's bad ideas couldn't spread globally due to his toxic reputation.
Security/privacy updates/patches should be a right not a privilege, it deals with information belonging to the individual, and so by this extension, security/privacy should be seen as a right, as is the right to not be searched without suspicion.......but with this kind of behaviour you expect to see in oppressed governments, you shoot yourselves in the foot.....by yourself........because now, your suspicions are suspect.......you either don't care if we trust you, or, the more relieving of the two, you're too stupid to realise how important it is to have the trust of those you represent......apologies for my frustrated chosen words, but not the drive behind it
Re:
Resignation though, when it reaches that point, that's because you no longer expect anything good, because you expect the worst, and are no longer surprised by it. And at that point, the drive to fix the situation is pretty much gone, because why would you even try when you know that that's just what they do?
The further that "Justice" can distance itself from "Department of" then the more just our society will become.
written language is banned
Hmm, would spoken language count as trafficking?
So that means..
So even if you LEFT OUT that part at the end, anyone with more than two brain cells would know those all were possible passwords, so even without the advice, these are all passwords (including the word password) and therefore anyone writing ANYTHING is a criminal.
Re: So that means..
That the creation and/or publishing of any "unauthorized" literature, is automatically a major criminal act, punishable by maximum legal reaction.
This is of course only the forerunner legislation of the true ultimate wet dream laws of fascism...
That all unauthorized speech is automatically a major criminal act, punishable by maximum legal reaction.
Peasants need only labor for the state, sleep and eat, and need no voice or thought beyond that necessary to fulfilling the task assigned them by the state to ensure the continuity of the state. That is the goal of fascism - that the state becomes a commercial operation owned and run by the ruling class and the peasants become the feedstock from which the wealth of the ruling class is derived.
This is the way life has been on earth for most of human history.
The fact that fascism always leads directly to dissolution of the nation in which it flourishes changes nothing, as fascists have no plan beyond draining a place of its wealth before moving on to greener pastures.
The resemblance to a virus, or the legendary vampires of Hollywood is telling.
The last thing the fascist owned state needs is uppity peasants discussing the fact - verbally or in writing - that the state is nothing more than a gang of lizard brained greedy millionaires mindlessly sucking the life out of the earth like fleas on a dog.
It would be lovely to perceive a future where the heads of tycoon CEOs, mob bosses, billionaire politicians, lawyers and their kin, could be seen adorning the pointy ends of pikes along the roads of a nation awakened from a nightmare, but all my limited foresight conjures up is empty streets.
Big difference. Very big difference. Very,very big difference, actually.