Password Sharing Is a Federal Crime, Appeals Court Rules (vice.com) 165
An anonymous reader writes from a report via Motherboard: An appeals court ruled Wednesday that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all "hacking" law that has been widely used to prosecute behavior that bears no resemblance to hacking. Motherboard reports: "In this particular instance, the conviction of David Nosal, a former employee of Korn/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, who said that Nosal's use of a former coworker's password to access one of the firm's databases was an 'unauthorized' use of a computer system under the CFAA. In the majority opinion, Judge Margaret McKeown wrote that 'Nosal and various amici spin hypotheticals about the dire consequences of criminalizing password sharing. But these warnings miss the mark in this case. This appeal is not about password sharing.' She then went on to describe a thoroughly run-of-the-mill password sharing scenario -- her argument focuses on the idea that Nosal wasn't authorized by the company to access the database anymore, so he got a password from a friend -- that happens millions of times daily in the United States, leaving little doubt about the thrust of the case. The argument McKeown made is that the employee who shared the password with Nosal 'had no authority from Korn/Ferry to provide her password to former employees.' At issue is language in the CFAA that makes it illegal to access a computer system 'without authorization.' McKeown said that 'without authorization' is 'an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission.' The question that legal scholars, groups such as the Electronic Frontier Foundation, and dissenting judge Stephen Reinhardt ask is an important one: Authorization from who?"
No one (Score:2)
Considering he wasn't an employee anymore, it doesn't really matter.
typical half-ass knee-jerk law with no clue (Score:2)
lawyers who only talk to lobbyists, who only talk to money, which is only held by high-up executives who don't know how to log in. that's how the law was crafted. so what did you expect?
Re: (Score:3)
Considering he wasn't an employee anymore, it doesn't really matter.
Of course it matters. We know the person in question committed crimes (stealing trade secrets), the question is whether charges of "computer hacking" aka unauthorized access to a computer with the intent blah blah blah can be added to the charges.
The same thing with authorized access would have still been "stealing trade secrets" but without the additional charge.
A question of definitions? (Score:2)
Re:A question of definitions? (Score:5, Insightful)
Authorization != Authentication
Re:A question of definitions? (Score:5, Insightful)
Re: (Score:3)
I wish I had mod points for this. It's pretty black and white here. Common sense tells you that there is one owner to the account john.smith and that only that specific person is authorized to use it while they are employed.
Re:A question of definitions? (Score:5, Insightful)
I dated a sysadmin and we didn't even share passwords to our home computers, or ask to/let each other use work laptops. Not even "just for a minute."
Password security shows respect, trust.
Which is deeper trust: "I trust you not to hurt me" or "I trust you not to put me in a position where I have to trust you not to hurt me?"
I'll go with the latter one.
Or as my mother taught me regarding financial risk, "Trust is knowing you won't be left out on a limb without the proper paperwork in the first place."
But none of that even matters in this case, because it was the employer who held the prerogative to grant a password permission, or not. The person who "shared" the password was not the owner of the system, there is no actual legit "sharing" there. It is just using a false credential, after having received it from "a person on the inside."
Re: (Score:2)
what about group passwords?
stage 1 vpn passwords?
SA password?
administrator password?
root password?
and so on?
Re: (Score:2)
In the past 15 ye
Re: (Score:2)
Group passwords for VPN are shared among multiple people/systems and are only one part of authentication. So it doesn't matter if multiple people know them. They still have to authenticate using some other method on t
Re: (Score:2)
In the real world, a few people all have the root/sa/admin/whatever passwords, and if one of those people leaves, the rest simply change the passwords.
I will agree that TFA makes for a really shitty test case for whether or not shared passwords violate the CFAA; but not every random data warehouse needs its DBAs to swear a blood-oath and split the holy crysta
Re: (Score:2)
Re: (Score:2)
No, that part counts as a pretty standard practice. The rest of your procedure, however:
in a safe that requires 2+ people to open
Congratulations, no two-out-of-three of you can now go on vacation at the same time, even though it might only take one of you to "keep the lights on" on a day-to-day basis. In fact, you shouldn't even ever ride in the same car together.
What you describe makes a great low-tech way to split a secret into X parts such that it takes
Re: (Score:2)
Fine arts painter, but good guess.
Re: (Score:2)
No. If 1) your company IT policy strictly prohibits sharing your password with anyone, including IT support staff (like many policies do), and 2) you access a database using a co-worker's credentials, then it should be crystal clear to you that this access is unauthorized.
Sorry, but if you are authorized to access the computer, and you were stupid and forgot the password, then you are still authorised to access the computer. And using a co-workers password wouldn't take that authorisation away. It's correct that it doesn't give you authorisation either. The authorisation comes from elsewhere.
Re: A question of definitions? (Score:2)
Re: (Score:2)
You may be authorized access, but that's NOT giving you permission to utilize someone else's account to do so. That breaks rules for logging who's done what on a system, and certainly isn't authorized anywhere that I've seen.
Re: (Score:1)
Yeah ... about that policy ... at a previous employer, they forgot to have me sign the "I agree to X, Y, and Z" security policies until I'd been there a couple of months. Out of the 20 or so conditions, 3 - including password sharing - were broken as SOP by the group.
In part, the security department at this company was manned by mostly incompetents. One of the systems my group accessed ... well, the security group had been unable to create a new ID for that system in three years. So there were a hand
Re: (Score:2)
What if a terrorist has planted a nuke and the only way to avoid mass death is to torture his wife until he tells you where the bomb is?
Re: (Score:2)
Re:A question of definitions? (Score:5, Insightful)
Couldn't one argue that authorization was granted by the database when a valid login/password pair was provided?
No, if I come to your house and I find a key under your flowerpot, open the door and enter am I authorized because the key gave me access? Clearly not. If simply having a password was authorization then not only every hacker (e.g. brute force) but every stolen ID would be "authorized". Just no.
Re: (Score:2, Insightful)
Your analogy is flawed. Let's amend it to more closely model the specific situation at hand. If you go to an office building, phone a friend who is a current employee at the business housed within said building, ask for and receive an electronic door lock PIN to gain facilities access, and stroll around inside taking pictures of the interior, can your activities be held as criminal trespass? -PCP
Re:A question of definitions? (Score:4, Insightful)
If you go to an office building, phone a friend who is a current employee at the business housed within said building, ask for and receive an electronic door lock PIN to gain facilities access, and stroll around inside taking pictures of the interior, can your activities be held as criminal trespass? -PCP
Yes.
Re: A question of definitions? (Score:2)
YES. This really is old and black and white. Just because people do something doesn't make it legal.
Re: (Score:2)
Re: (Score:2)
Even if the door is open if you have no authorization it's still trespassing and this shows pretty well the issue the EFF is raising.
it's pretty clear you are authorized to enter a restaurant and it's pretty clear you are not authorized to enter a random private home which happens to have the door left open.
What about an anonymous FTP server? It could be argued it's like an open restaurant, or it could be argued it's like a private home with the door left open, so if you apply the "trespassing" analogy it's
Re: (Score:2)
What about an anonymous FTP server? It could be argued it's like an open restaurant, or it could be argued it's like a private home with the door left open, so if you apply the "trespassing" analogy it's not clear at all whether you are "authorized" or not.
The arguing what it's like would be pointless. What counts is whether you have authorisation or not. And whether you have authorisation would depend on the circumstances. For example, if you went to Apple's website and found a page titled "Downloads" you would be authorised. If you found a page titled "Downloads - Employees only" you wouldn't be authorised if you are not an employee.
Re:A question of definitions? (Score:4, Insightful)
Now, for the purposes of the CFAA, exactly what counts as authorization? Traditionally, putting an anonymous FTP server up has been considered to authorize access, but is this so according to the CFAA? As long as "authorization" is vague here, the CFAA will have a chilling effect on what people do.
Re: A question of definitions? (Score:2)
IMHO, anon or no password should equal authorized to all. Any password should mean limited authorization unless the password is anonymously shared.
We need to stop rewarding stupidity, even if it was unintended.
Re: (Score:2)
Couldn't one argue that authorization was granted by the database when a valid login/password pair was provided?
No, not any more than owning a key to my front door gives you "authorization" to use it to enter my home.
Re: (Score:1)
Couldn't one argue that authorization was granted by the database when a valid login/password pair was provided?
No, not any more than owning a key to my front door gives you "authorization" to use it to enter my home.
Uh.. you'd have a pretty hard time arguing I wasn't authorized to enter your home if you gave me a key. By virtue of giving me the key you've authorized me to enter your home.
Re:A question of definitions? (Score:5, Insightful)
Uh.. you'd have a pretty hard time arguing I wasn't authorized to enter your home if you gave me a key. By virtue of giving me the key you've authorized me to enter your home.
Absolutely not. I can give my neighbours my house keys when I go on holiday, so they can enter if there is an emergency. That doesn't give them authority to enter without reason. I had my neighbour's key with authorisation to enter the kitchen to feed the cats while she was on holiday; that didn't give me authorisation to enter her living room or bedroom.
If you are renting, the landlord may have a key, the caretaker may have a key, they both have no authority to enter your home in most situations.
Re: (Score:1)
What if he maid service company (whom I authorized to enter my house) gave you a key to my house? Does that grant you authorization to enter my house?
I'd argue that no, it doesn't.
And nor does one employee giving another person his password constitute authorization to the computer system.
In both cases, the person giving the key/password doesn't have the authority to grant authorization to another party.
Re:A question of definitions? (Score:5, Insightful)
Oh.. you'd have a pretty hard time arguing I wasn't authorized to enter your home if you gave me a key. By virtue of giving me the key you've authorized me to enter your home.
First of all, no I wouldn't. Who said I "gave" you a key? Maybe you found it, maybe you stole it. Maybe someone I gave it to turned around and gave it to you. None of those scenarios gives you "authorization" to unlock my front door and enter my home.
Second, just having the key doesn't automatically grant you authorization, either. Maybe I gave it to you for use only in case of emergency (fire, flood, vacation emergencies, etc).
None of those give you carte blanche to necessarily be in my home either, unless the circumstances warrant. If it's for emergency access, for example, that doesn't give you the right to come over, watch TV and raid my refrigerator.
So no, just having a key doesn't mean you're automatically authorized to use it, even if I gave it to you.
Social Engineering Attacks (Score:2)
Couldn't one argue that authorization was granted by the database when a valid login/password pair was provided?
If that were the case then social engineering attacks where hackers get a company employee to divulge their password would be entirely legal. Knowing a username and password is no different than having a key and simply having a key does not automatically make it legal for you to access everything it unlocks.
Re: (Score:2)
Couldn't one argue that authorization was granted by the database when a valid login/password pair was provided?
One could argue so, but one would be laughed out of court. Databases are not authorities who can give or deny authorisation. They are not people, they are not employees of the company, and they are not employees high enough up the ladder in the company to give or take away authorisation.
Re: (Score:2)
No, courts don't laugh when you make invalid arguments. You're supposed to make your arguments in filings first, and if they're not valid you won't be allowed to make them in court. If you start blurting it out in open court anyways, they don't laugh.
Obvious to most people (Score:5, Insightful)
If you lose your job, or your position where you need to access the computer, you lost the authorisation. If the company forgets to remove your password, or you find someone else's password, or a password is shared with you, that doesn't give you authorisation. In this case, everything is absolutely clear.
Where this law is abused in some cases is in situations where someone had the authority to access the computer, but abused the authority to commit a crime. Say a bank manager with authorisation to access computers moving money into his own bank account, or a police officer with access to a license plate database abusing his position by finding out the address of his ex's new boyfriend. That's when authorities try to add "computer hacking" to the list of crimes.
Those are the easy cases. Sometimes it's hard. (Score:4, Interesting)
One of the oddities of our current climate is this: How do you know when you're authorized?
Much of the time it's common sense, but if we're talking about DMCA instead of CFAA, it gets very murky, very fast.
You buy a DVD. You pay for a Netflix account every month. Are you authorized to decrypt the content? If you're authorized, then it's ok to watch it. If you're not authorized, then decrypting is circumvention of the DRM.
According to the MPAA-vs-2600 case, you're either not authorized at all, or you're not authorized to do what DeCSS does. You're seemingly violating DMCA every time you watch anything, but of course nobody really believes that. (MPAA hasn't sued all their paying customers yet, and they've had ample time.)
So just what is the mechanism for authorization, and how do you know when it's there, in non-obvious situations? It seems that authorization can be totally implicit, without a single word communicated to tell you whether or not you have it. Indeed, it seems like there might be unspoken and unexpressed conditions. (e.g. We think the conditions are that you're authorized to bypass a DVD's DRM if it's inserted a licensed player, but not if it's an unlicensed player. But is this written anywhere? can you look at a player and even figure out whether its manufacturer got a license or not?)
If authorization is murky for DMCA, then why couldn't it be murky for CFAA too? Let's say you need access to something, to do something that your boss commands. The boss says "clean the dunsel" and you just happen to know that the key to the dunsel bracket's lock is stored in a certain drawer. Authorized? Maybe. Probably. Right?
The truth is, you're going to assume you're authorized and take your chances since it's highly unlikely that the government is coming for you. Or perhaps you're constantly unknowingly committing crimes all day, year after year, where the feds are licking their lips, waiting for the day when you're on some "bad guy" list and they can suddenly throw the book at you. Then 6 years later, you literally don't even remember if the boss said, "Oh, the dunsel bracket key is in that drawer. You may use it." You've just been using it every month for 72 months.
Sharing with your boss/company (Score:5, Insightful)
Re: (Score:2)
So, is it now a federal crime to access someone's social media accounts with passwords that you coerced them to share (schools, companies, CBP, etc.)?
Let us hope this is the case...
Re: (Score:2)
Probably.
Best luck getting anyone to prosecute anyone for doing that, though.
Re: (Score:2)
Re: (Score:2)
is that an American thing?
It's an awful-company thing.
Pro-tip: ask potential employees to give you all their social media passwords. If they do so, don't hire them. If they tell you to go fuck yourself, ask them to pick their parking space.
No, it's a typical Slashdot headline failure (Score:2)
So now..... (Score:5, Insightful)
Terrible headline (Score:5, Insightful)
"Password Sharing Is a Federal Crime, Appeals Court Rules"
No, the appeals court ruled that borrowing a password to get access to a system you knew you weren't authorized to access is illegal. To use a real world analogy, if I lose my job, and the company takes away my key to the office, it's illegal for me to use a key borrowed from a colleague to get in. I don't have to pick the lock for the access to be illegal.
Re: (Score:2)
I should have known better- I came here about to get all upset. Good thing I read the summary before commenting...
Doesn't this also put the current employee who shared the password in hot water too?
Re: (Score:2)
I should have known better- I came here about to get all upset. Good thing I read the summary before commenting...
Doesn't this also put the current employee who shared the password in hot water too?
Certainly with the employer - I don't know if someone could be indicted as an accessory to violation of the statute.
Prophecy foretold (Score:3)
https://www.gnu.org/philosophy... [gnu.org]
Dan resolved the dilemma by doing something even more unthinkableâ"he lent her the computer, and told her his password. This way, if Lissa read his books, Central Licensing would think he was reading them. It was still a crime, but the SPA would not automatically find out about it. They would only find out if Lissa reported him.
Start by Prosecuting Anonymous Coward (Score:5, Funny)
Given the volume of comments from that user, I'm convinced more than one person is using the account!
No shit. (Score:5, Informative)
Real headline: Having a coworker's password doesn't mean having the boss's permission.
What is a "password" is an oil change light reset (Score:2)
What is a "password" is an oil change light reset code an password and one that the car manufacturers can use to shut down 3rd party shops?
Re: (Score:2)
If it is a leased car, then it depends on the terms of the lease.
If the car is owned by the driver, then they are the source of authorization. It would only be a crime if the 3rd party shop didn't have the customer's permission.
Re: (Score:2)
but what if BMW never give permission for that 3rd party shop to use the reset code? and says that is a dealer only code and the shops / websites don't have the permission to have it?
Re: (Score:2)
See my answer above. If you find an additional way to ask the question, see above, the answer will be the same.
If they sold the car, they gave up prerogatives regarding how it is used. If they didn't sell the car, then it depends on the contract who holds which prerogatives.
Whose authorization? (Score:2)
The case as given is clear: someone used social engineering to break into a database of a former employer. This is clearly unauthorized access.
What I worry about with laws like this is where they end. It's fairly common to password-share between employees to get some damn work done, and it's not unheard of to share social site passwords, and I don't think we want these cases to be against the CFAA.
Re: (Score:2)
What I worry about with laws like this is where they end. It's fairly common to password-share between employees to get some damn work done, and it's not unheard of to share social site passwords, and I don't think we want these cases to be against the CFAA.
You should read the court decision, and it is might quite clear. First, it's not just unauthorised access, it's unauthorised access plus causing some kind of damage. So the employees trying to get their job done are fine. (Legally. If the employer made absolutely clear that no passwords are to be shared under any circumstances then they could be fired). The same would apply to the social site password. And violating the terms of service of a website doesn't make access unauthorized.
Likewise, the court de
Jails would be full (Score:2)
Dissenting judge is wrong (Score:5, Insightful)
From the article:
"Notably, Reinhardt appears to have a commanding knowledge of what constitutes “hacking,” something that comes up over and over again both in the media and in the courts. He said that the decision “loses sight of the anti-hacking purpose of the CFAA.”
“There is no doubt that a typical hacker accesses an account ‘without authorization’: the hacker gains access without permission—either from the system owner or a legitimate account holder,” he wrote. Using someone else’s password with their permission but not the system’s owner isn’t “hacking,” but that’s what the court is treating it as."
Using another person's password with their permission but not with the system owner's permission is definitely a form of hacking. It's called social engineering. Social engineering is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Just because someone easily provided their account information doesn't mean that it was done so legitimately. It is ultimately the system owner who gets to decide who has authorization to their systems and what constitutes authorized access. At the same time, it is the system owner's responsibility to educate it's users as to what is allowed.
I would also take issue with the sentence where the writer claims that the judge has a "commanding knowledge" of "hacking".
Re: (Score:1)
Social engineering is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. Just because someone easily provided their account information doesn't mean that it was done so legitimately.
If "tricking people" is involved, I doubt any serious person would argue that legitimate permission was given.
We are all a bunch of hardened criminals..... (Score:1)
I rail against password sharing on the regular. It's right up there with with the crafty old hidden under the keyboard bullshit. I have taken the time to setup your user, I have granted all the permissions needed for you to do your job. Use the GD tools I have provided, else request more.
When the surveillance guy sees you using somebody's creds, he is not going smile and ignore it. He is going to come to me with a reprimand, and to many of those means his businessmen stop coming and I don't get a raise nex
'Unauthorized Access' Is Too Broad (Score:2)
Many websites have in their EULA somewhere that using someone else's account is prohibited, or that signing up for a second account, or new account if you've been banned, are prohibited. Doing any of these prohibited things could be legally considered 'unauthorized access', even for a normally public website that anyone is welcome to use (Facebook etc.)
Conflating EULA violations on a public website, with accessing private computer systems containing confidential data, is one of the reasons the CFAA needs to
Re: (Score:3)
Many websites have in their EULA somewhere that using someone else's account is prohibited, or that signing up for a second account, or new account if you've been banned, are prohibited. Doing any of these prohibited things could be legally considered 'unauthorized access', even for a normally public website that anyone is welcome to use (Facebook etc.)
Read the court decision. These things could be considered "unauthorised access" by the company, but not legally by the court.
Easy fix ... (Score:2)
mens rea (Score:3)
Effectively the court has rules that "authorization" for the purpose of computer hacking is mens rea, not actus reus. If you obviously knew you lacked authority (mens rea = mental state) then the element is satisfied regardless of any technicalities about the access control systems (actus reus = actual activity). Crimes require both mens rea (knew you lacked authority) and actus reus (used the computer anyway).
That's why it's OK for the wife to log in and pay the husband's credit card bill: she has a _reasonable_ belief that it's OK to do so, thus the mens rea element of the crime is not proven.
Is there really a debate to this? (Score:2)
a former employee of Korn/Ferry International research firm,
This person was not an employee of the company. Any reasonable person would conclude that using another employee's password to access a database to a company that you no longer work for is not authorized. Authorization would be acquiring your own password from the company's IT staff, or a direct statement from management that you could use the employee's credentials to access said database.
Trying to equate this with sharing my Netflix account is wrong. The Netflix account belongs to me, so I can give a
I don't get it (Score:2)
Like many posters above, I'm a little dismayed this made news. The title of the article is clickbait. We share passwords all the time at work -- heck, we have a password sharing application to make it easy to do so. But we only share passwords with people authorized to use them. If someone who wasn't authorized to use them is given one to access services, and is caught, then both that person and the person who gave the password to an unauthorized user broke the rules.
Dumbest quote: The question that leg
Next time, print it out (Score:1)
Wi-Fi Sense (Score:2)
Re: (Score:2)
Re: (Score:2)
Objection: General Case with Exceptions (Score:2)
In i would bet more that one State /Country the law is written so that unless you have highly visible signs every X yards/meters you can't have a person charged with Trespassing.
a 20 second google says basically all 50 states have requirements
Re: (Score:2)
Not necessarily the data owner. Authorization from one of the owners of the computers/data/account/something or that entity's duly designated representative. Authorization from -somebody- who might reasonably have the right to grant authorization.
The folks involved in this scheme clearly understood that they lacked valid authorization to access those computers in the manner they did. It wasn't even subtle or gray-area.
Re: (Score:2)
Did you ask for permission to visit Slashdot? I posit that you don't have authorization to be here, and since Slashdot is owned by a for profit company (BIZX media) and since you are using a false identity (an alias), I accuse you of committing wire fraud under the Computer Fraud and Abuse Act.
I'm not trying to get you indicted (I'm committing the same crime), just saying the CFAA is a terribly written law [digitaltrends.com] that used another terrible law as a template (the Espionage Act of 1917). The Authorization section wa
Re: (Score:1)
Seriously, the Secretary of State you're talking about exists only in your imagination. Clinton didn't violate security willfully, and shared state secrets with those authorized to see them, not wantonly. What she did wasn't good, but if you have to stretch things that far you've lost touch with reality.
Re: (Score:2)
Clinton didn't violate security willfully, and shared state secrets with those authorized to see them, not wantonly.
Neither of these things are true.
Setting up the server itself was the act that violated security. The server was set up because Clinton ordered it to be set up. Ergo, Clinton ordered the security violation. (The individual emails themselves also show evidence of Clinton specifically ordering subordinates to send classified info through unclassified channels.)
Among those who had access to classified information on the Clinton Email server was Sydney Blumenthal, who has been a Clinton lackey for years. He
Re: (Score:2, Insightful)
She mishandled classified information, which is a felony (no intent required). The FBI said as much, and said that they'd go after the next person who did this, just not Hillary. Seriously.
The rule of law means the same low applies to the powerful as to the common man. That's been fading in America, and it's not a good thing (drug laws haven't applied equally to celebrities for quite some time, this is just another brick in the wall).
Re: (Score:3)
They said there were no cases where failing to follow handling rules for a small amount of classified information (without additional intent to pass it on to spies or similar) had been considered worthy of criminal prosecution as opposed to administrative sanction / employee disciplinary action.
Blatantly untrue - last year a sailor (Machinist Mate 1st Class Kristian Saucier) was recently prosecuted for taking a picture of his buddies on his submarine. Storing classified information (pictures showing interior of the sub) on an insecure device (the camera). They also prosecuted him for obstruction for the same sort of destruction of information (plus some pile-on charges). He took a plea bargain just 2 weeks ago.
Happens all the time - the laws about handling of classified information do have teet
Re: (Score:2)
Clinton didn't violate security willfully, and shared state secrets with those authorized to see them, not wantonly.
Well, let's see. According to Comey's statement, she had emails containing information that in some cases bore classified markings, and in come cases were of a nature that "a reasonable person would understand that the information was classified." These emails were stored on her personal server. The person who set up and administered the server, and who had unlimited access to the information on the server, was not cleared for classified information, nor did he have a need to know. This is commonly known as
Re: (Score:2)
The FBI found no criminal intent, and could not come up with leaks. Are you saying that I'm in my private fantasy world, and nobody else believes in the FBI or the space unicorns?
Re: (Score:2, Insightful)
Sharing a password is a federal crime for you or I. But a Secretary of State who willfully and wantonly shares state secrets, repeatedly... for money... that, that right there is just an Oopsie Booboo!. No "harm," no foul. No one goes to jail.
I know...the whole thing is a shameful fucking farce. No jail time, no fines, no censuring, no reprimand. What a sweet deal.
David Comey said she had no "bad intent" when she did it. I'll see how far that excuse gets me the next time I get caught speeding or shoplifting or robbing a mini-market. "But officer, I had no bad intent, so just tell me not to do it again."
Re: (Score:2)
Re: (Score:3)
Sharing a password is a federal crime for you or I.
As the court made clear, no, if by sharing you mean "handing over your password to an unauthorised outsider". It may get you fired, but it is not a crime.
Being given a shared password doesn't give you authorisation. Not when the person giving you the password didn't want to give you authorisation, or didn't have the authority to give you authorisation. Using a shared password to gain unauthorised access can of course be a federal crime. Any means to gain unauthorised access can be a federal crime.
Re: (Score:2)
Yeah, the Espionage Act of 1917 pretty much says that accessing classified data that you are not supposed to have is espionage, even if you are an ally. Kind of funny that sharing a password violates the CFAA, which used the Espionage Act as a template, and accessing that data likely violates the Espionage Act itself (for sure if any of it is classified).
Re: (Score:2)
Re: (Score:1)
You know how I know you didn't RTFA?
Because you're being a humorless pedant?
Re: fp (Score:1)
Does this mean that checking "remember me" is now a crime too?
Re: fp (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:3)
You know, a major property of the security of a password is the fact that it's something you know. If you write it down, it's something you have.
Except for the fact that with the various rules for passwords that differ from site to site, I have over 100 passwords that often need to be changed every quarter. Am I supposed to memorize all of those? This is a key failure of the current paradigm.
Re: (Score:2)
You know, a major property of the security of a password is the fact that it's something you know. If you write it down, it's something you have.
Except for the fact that with the various rules for passwords that differ from site to site, I have over 100 passwords that often need to be changed every quarter. Am I supposed to memorize all of those? This is a key failure of the current paradigm.
Why yes.. you are supposed to recall them all.
Any individual with over 100 passwords is in an interesting position.
The 100 passwords are likely enabling access to a long list of data and your employers need to have
a policy to sustain this data. One policy is "keys" need to be shared with management. But if sharing
is tacitly illegal management has a problem. N.B. Rightly so there are managers with no permission to access
data that their employees have access to. So these managers need to manage differ
Re: fp (Score:5, Insightful)
No. This means that if you get someone else's password and use that to access a computer system, you have committed unauthorized access. If that isn't a crime, then anyone who can grab your keystrokes and get your password has a free pass to do whatever they want, with no penalty.
Re: (Score:2)
Re: (Score:2)
Does this mean that checking "remember me" is now a crime too?
No, because you have authorized its use.
Re: (Score:2)
Does this mean that checking "remember me" is now a crime too?
No, because you have authorized its use.
That depends if you're authorized to authorize them. Just because you have an account doesn't mean you can share access with those who don't.
Re: (Score:3)
Re: (Score:2)
Actually, AC is wrong for an entirely different reason. In the case AC mentions, you own the computer and are giving up the password which is granting access. In the story, it was an employee who was not someone who was allowed to authorize the access.