Matthew Keys Found Guilty Of Criminal 'Hacking' For Sharing News Company Login

from the seems-extreme dept

Two and a half years ago, we wrote about former Reuters editor Matthew Keys being indicted based on charges that he'd shared the login information for the content management system to his former employer, the Tribune Company, in an online forum and then encouraged members of Anonymous in that forum to mess things up. Some people used that access to change a story on the LA Times website. Keys insists that he didn't do this and the feds have no direct evidence linking him to whoever leaked the login (he also claims at the time of the leak he no longer had access to the Tribune Company's systems).

As we noted at the time, if we accept the DOJ's version of what happened, what Keys did definitely was the wrong thing to do. But the result was little more than annoying vandalism -- and nothing Keys did should qualify as "criminal hacking." The changes to the LA Times were up for less than an hour and quickly reverted. There was little evidence that it created any real damage, and certainly no lasting damage. And yet, because this is a "computer crime," the feds came down on Keys as if he was part of some massive criminal conspiracy. In order to use the already problematic CFAA, it needed to show more than $5,000 worth of damage, which is crazy. Even crazier... is that the feds argued $929,977 worth of damage, based on some ridiculously exaggerated estimates of the amount of time people had to work on this issue.

And now a jury has convicted Keys on all three counts. Sentencing will be in January, and while lots of people are throwing around the statutory maximum of 25 years in jail, prosecutors have said they'll likely ask for "less than 5 years" according to Motherboard's Sarah Jeong, who was at the courthouse.

I think it's clear that Keys was in the wrong in handing out the login to the Tribune's systems, if he actually did it. But should that equate to criminal hacking charges and jailtime, because it resulted in a bit of online vandalism and some annoyance for a sys admin somewhere? That seems doubtful. As Keys himself points out in a pinned tweet in his Twitter feed, if sharing logins is a criminal act, all of you who share your HBO Go or Netflix logins may want to be careful.

The problem, once again, comes back to the ridiculous CFAA and the bogeyman of "computer hackers." It was wrong to give out the login, but the idea that it did even $5,000 in damage (as required by the CFAA), let alone nearly a million in damages, is ludicrous. It's even more ludicrous that this should be a criminal offense with any jailtime at stake. Go after him in a civil case for actual damages (of which there would be very little) and move on. Keys, for his part, has said the verdict is "bullshit" and he's planning to appeal.

It's way past time that we fixed the CFAA, and the Matthew Keys verdict is just yet another reminder that Congress needs to do something.

Filed Under: anonymous, cfaa, defacement, hacking, login, matthew keys, vandalism
Companies: tribune company

DailyDirt: How Many Passwords Do You Know?

from the urls-we-dig-up dept

If you've been online for more than a few years, you've probably collected a fairly sizable number of logins for various things. When the next cool social network you discover asks you to register with an email and password, a surprisingly large number of people choose "123456", "p@ssw0rd" or something easy to remember (and use that same password for multiple services). That's not a good idea, especially as more services are being broken into due to bad (or no!) password hashing. Password attackers aren't usually doing trial-and-error to guess your password; they're scraping password databases and doing the brute-force cracking offline, based on all the hints that can be gleaned from a huge pool of passwords that likely have duplicate passwords or passwords susceptible to dictionary-attacks. If you have some time, turn on two-factor authentication and peruse the following links.

• Some password systems allow for convenient variable-length passwords, so users can choose if they want an 8-character password that requires special characters, numbers and an upper/lowercase mix or if they would prefer an all lowercase 20-character password. Allowing for really long passwords makes it possible for people to pick strings like "correct battery horse staple" (which is probably a very insecure password now). [url]
• If you have a gazillion passwords in a plaintext file somewhere, you might want to try a password manager. But if you're not that paranoid about your passwords, you probably can't be bothered to set up a password manager, either. [url]
• Ultimately, humans probably should not be choosing their own passwords for the best security. There really isn't anything preventing people from choosing bad passwords, and longer passwords don't necessarily make for better ones. (eg. facebookpasswordmyname) [url]

If you'd like to read more awesome and interesting stuff, check out this unrelated (but not entirely random!) Techdirt post via StumbleUpon.

Filed Under: breach, hashing, login, password manager, passwords, salting, security, two-factor authentication

DMCA Nonsense: Your Default Login Page Is A Ripoff Of Our Default Login Page!

from the username-then-password,-what-a-work-of-art dept

No matter how brazenly people abuse the DMCA takedown process, and no matter how ridiculous the notices get, it seems like there's always someone waiting to do something even stupider. This latest incident, submitted by Anonymous American, is a serious contender for the crown dunce cap: a DMCA takedown over a login page.

And not just any login page, but the barely-modified default login page of an open source website platform, which the operators of iPhotographyCourse.com claim infringes on... their own barely-modified default login page of a different open source website platform. Yeah. Jenny McCann, who runs the Institute of Photography website built on the Moodle content management system, received a takedown notice claiming that her login page was infringing. When she asked for clarification, she was simply told "entire page copied". Here's the supposedly infringing page:

And here's the "original":

Even at first glance, the claim is obviously idiotic. There is nothing similar about the pages beyond the purely functional login page elements. But things get really amusing when you realize that the iPhotographyCourse page is virtually unaltered from the default Wordpress login page:

The only expressive choices—a requirement of copyright protection—are the inclusion of the logo (the rather poor inclusion, as there are visible artifacts at the top of the image that show the logo was sloppily clipped from the site's front page banner, meaning the designer didn't even have a copy of it on hand) and the rounding of the button corners (which may actually just be a Wordpress version discrepancy). As if that wasn't enough, the supposedly infringing login page is itself just a minor modification of the default Moodle page:

A new frame, color scheme and accent image—nothing major, but actually significantly more design changes than the iPhotographyCourse page, and far more likely to qualify for some level of copyright protection. And, quite clearly, in no way an infringing copy.

According to later comments from McCann on the Moodle forum thread, the login page was specifically included among other items in the takedown which related to actual content on the site. It could be that there is more merit to the other complaints, but McCann does not believe there is, and judging from the utter stupidity of this example, I'm inclined to suspect she's right. Either way, the people behind iPhotographyCourse, like so many before them, have exposed their true intentions by targeting such an obviously non-infringing page: this isn't about protecting intellectual property, but interfering with competition by abusing the DMCA process. Either that, or they are tragic victims of our ownership culture who also haven't logged into a website in the past ten years.

Filed Under: abuse, censorship, dmca, iphotographycourse, login

Is Accessing A Website Using Someone Else's Login Copyright Infringement?

from the novel-arguments dept

Damon calls our attention to a rather novel (and potentially far reaching) claim of copyright infringement by a real estate information company called CoStar. CoStar provides subscription-based real estate information, which companies pay hundreds of dollars a month for in subscription fees. Not surprisingly, some customers have passed around their login information to others, leading to the lawsuit. However, rather than going after them for breach of contract or theft of services, CoStar is claiming that both handing over your login and accessing the content with someone else's login is copyright infringement. Thus, CoStar is asking for the statutory maximum of $150,000 for every access. Of course, there are already questions about whether that $150k number is constitutionally acceptable, but this lawsuit seems like a stretch no matter what.

I could understand a breach of contract claim, but CoStar is saying that anyone who passed on their logins or accessed the content using someone else's login effectively made an "unauthorized copy" of the content, which definitely seems like quite a stretch in interpreting copyright law. You have to wonder if the firm in question will fight back or settle, but if this case moves forward and accessing content under someone else's login is considered copyright infringement, potentially subject to fines of up to $150,000 per instance, it could lead to some fairly nasty unintended consequences. What if you use someone else's computer and they've logged themselves into a site with a cookie? If you visit that site, are you guilty of copyright infringement? This seems to clearly go beyond copyright's intended purpose.

Filed Under: copyright, login
Companies: costar