If The DOJ Gets Its Way, Tweeting Out A List Of The 'Worst Passwords On The Internet' Will Be A Felony
from the because-our-prisons-aren't-at-maximum-capacity dept
Retweet if you want to go to jail! And not regular county jail, but federal prison!
Under the DOJ's CFAA proposal, this article (and this tweet linking to it) could be a 10 year felony. That's insane. http://t.co/njE8368lxU
— Nate Cardozo (@ncardozo) January 20, 2015
In case you can’t read/see the tweet, it says:
Under the DOJ’s CFAA proposal, this article (and this tweet linking to it) could be a 10 year felony. That’s insane.
(The link goes to a Techcrunch article featuring SplashData’s list of the “worst passwords on the internet.”)
The DOJ has offered up its preferred version [pdf link] of the CFAA (Computer Fraud and Abuse Act) — under the ridiculous name of “Updated Law Enforcement Tools” — and it indeed would make this sort of thing an instant felony.
Here’s the wording change that does it [strikethrough for deletions; bold for additions]:
(6) knowingly and
with intent to defraudwillfully traffics (as defined in section 1029) in any password or similar information, or any other means of access, knowing or having reason to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section as the result of such trafficking;if—
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
The DOJ removes intent and replaces it with feelings. Sharing a list of common (and stupid) passwords could be construed as “willfully trafficking” passwords while “knowing” a “protected computer” could be “accessed without authorization.”
And that thing about federal prison I opened the post with? That’s the way the DOJ wants it. The CFAA currently allows for misdemeanor charges under certain circumstances. But this proposal does away with that. Instead of a misdemeanor-to-3 year sentence range, punishments start at 3 years and escalate to a 10-year cap. Unless, of course, your hacking is part of the commission of another felony, in which case the government proposes it should get to double dip (at minimum). Here’s Orin Kerr’s take on that part of the proposal:
Under the proposal, breaching a written restriction is a crime if the user violated the written condition in furtherance of a state or federal felony crime, “unless such violation would be based solely on obtaining the information without authorization or in excess of authorization.” On one hand, this might seem kind of harmless, or at least redundant: The proposal makes it a felony to break a promise on a computer in furtherance of a felony. One wonders what the point is: Why not just punish the underlying felony?
But the real problem is the double-counting issue. Federal and state law is filled with overlapping crimes. Congress might enact three crimes that do the same basic thing, giving prosecutors the choice of which to charge or allowing them to charge all three. State criminal codes often mirror the federal criminal code. That raises a question: If Congress makes it a crime to commit an act “in furtherance of” a different crime, does the existence of overlapping crimes mean that a person’s conduct violates the first crime because it was “in furtherance of” the second? This is a particular problem because every state has unauthorized access crimes a lot like the CFAA. We saw this in the Auernheimer case, where prosecutors argued that the misdemeanor federal unauthorized access alleged in that case should be a felony because it was “in furtherance of” New Jersey’s nearly identical state unauthorized access law.
As if we didn’t have enough people in prison already, the DOJ proposal mandates felony charges and provides prosecutorial options to ensure very few defendants walk away with short sentences.
The proposal also asks users to perform mind-reading when accessing anything computer-based.
(6) “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in
thesuch computer—(A) that the accesser is not entitled
soto obtain or alter; or(B) for a purpose that the accesser knows is not authorized by the computer owner;
Going back to the Weev case, Andrew Auernheimer obviously knew AT&T would not “authorize” his access of supposedly private information, even if all he did was alter URL components to achieve this. Now, companies’ security failures can be weaponized against those who discover them — making it highly unlikely that flaws and holes will be pointed out to those who can actually close them. Why risk a few years in federal prison (remember: no misdemeanors) just because some entity decided to shoot the messenger rather than thank them for their help?
Filed Under: cfaa, doj, felony, obama administration, passwords
Comments on “If The DOJ Gets Its Way, Tweeting Out A List Of The 'Worst Passwords On The Internet' Will Be A Felony”
What less can you expect from a police state? After all, “it’s for the children.”
Re: Re:
Corponesse translation
For the profit, think of the profit, the profit damn you, the profit
By the profit, for the profit
Shall i compare you to a summers dayPROFIT
I profit threfore i am?
Land of the greed, home to the profit
Profit, ……profit……..PROFITPROOFIT.PROFIT
DOJ to white-hats: If you see something, shut up, or face a felony
If they manage to get this ‘updated’ wording accepted, pretty much the only people ‘hacking’ systems, or checking security, will be those with criminal intentions. If making a security vulnerability known, or even making it known that you found one, is instantly a felony, the only people who would even risk doing so, will be those that are already planning on breaking the law.
Companies may feel like they get egg on their face when they have their shoddy security made public after ignoring the problem, but that is nothing compared to what happens when the person ‘examining’ their security isn’t interested in helping anyone but themselves. And with the law making it essentially illegal for someone to test security on their own, for whatever reason, the number of security holes, and resulting harmful hacks, will likely shoot way up.
Yet again, we’ve got an example of a government agency making things less safe, and more dangerous, for everyone but the criminally inclined.
Re: DOJ to white-hats: If you see something, shut up, or face a felony
“If making a security vulnerability known, or even making it known that you found one, is instantly a felony, the only people who would even risk doing so, will be those that are already planning on breaking the law.”
The number of white hats would be reduced, no question about it, but there will always be some that keep doing the good work. They’ll just go underground (a bit like they used to be in the old days).
Re: Re: DOJ to white-hats: If you see something, shut up, or face a felony
They’ll just go underground (a bit like they used to be in the old days).
Even among those who continue working, probably many will stop contacting the companies with vulnerabilities (how confident are they that their communications are really anonymous once the FBI gets involved?) and just publicize everything immediately. Nobody benefits from such a change.
Re: Re: Re: DOJ to white-hats: If you see something, shut up, or face a felony
True enough. This, too, is pretty much like the old days. Giving software and hardware producers a couple of weeks of advanced notice prior to public disclosure is a very good thing and it would be a shame if that stopped. But the really crucial part is the public disclosure, and that will go on.
If the pattern from the old days repeats, what will happen is that software and hardware producers will end up begging white hats to start giving the advanced notice again.
Re: Re: Re:2 DOJ to white-hats: If you see something, shut up, or face a felony
The rest of the corporations want all security issues swept under the carpet, as it cost them money to fix them. If they can be kept hidden they do not have to spend the money.
Re: Re: Re:3 DOJ to white-hats: If you see something, shut up, or face a felony
If they can be kept hidden they do not have to spend the money.
They can’t of course, so they’ll spend the money to settle class action lawsuits after massive data breaches, rather than spending it ahead of time to fix problems.
Re: Re: Re:4 DOJ to white-hats: If you see something, shut up, or face a felony
That way their lawyer buddies make a lot of money, with a little trickling down to those who have suffered.
Re: Re: Re:3 DOJ to white-hats: If you see something, shut up, or face a felony
That’s why public disclosure is the more important part.
Re: Re: Re:2 DOJ to white-hats: If you see something, shut up, or face a felony
If the pattern from the old days repeats, what will happen is that software and hardware producers will end up begging white hats to start giving the advanced notice again.
At which point, the white hats will say “if I did know anything about a vulnerability, it would be a felony to tell you about it.” Let’s hope this amendment never sees the light of day.
Re: Re: Re:3 DOJ to white-hats: If you see something, shut up, or face a felony
On the contrary, let’s hope it sees as much light as possible, and is shot down and crushed in such a manner that it will be years before anyone even thinks about proposing something as stupid as it again.
Re: Re: Re:4 DOJ to white-hats: If you see something, shut up, or face a felony
“Never see the light of day” as in “never have a chance to exist”. If it doesn’t get passed by Congress, it will never leave that building and thus never be exposed to the light of day.
Re: Re: Re:5 DOJ to white-hats: If you see something, shut up, or face a felony
Having to explain an idiom takes the wind out of your sails and sucks like an Electrolux, doesn’t it?
Re: Re: Re:6 DOJ to white-hats: If you see something, shut up, or face a felony
Having to explain an idiom takes the wind out of your sails and sucks like an Electrolux, doesn’t it?
It’s like grabbing the wrong leg in a pig wrestling contest.
Re: Re: Re:7 DOJ to white-hats: If you see something, shut up, or face a felony
It’s like grabbing the wrong leg in a pig wrestling contest.
Isn’t that what much ‘law enforcement’ consists of, nowadays? Someone wrestling a ‘pig’ on the ground so as to avoid assault, praying that the guy (as they generally are) doesn’t shoot, tase, or pepper spray them.
Re: Re: Re:2 DOJ to white-hats: If you see something, shut up, or face a felony
As long as a potential felony is on the books, they’d have to be fools to give that advanced notice. Between taking the risk of jail time by contacting the company, or anonymously publishing the security vulnerability, I imagine most will choose the latter as the safer option.
Even the ‘promise’ of no charges being brought if a security vulnerability is brought to the attention of a company wouldn’t be worth much, as that wouldn’t stop the DOJ from stepping in and filing their own charges.
Re: DOJ to white-hats: If you see something, shut up, or face a felony
This is truly a terribly crafted piece of legislation that invites every opportunity for its abuse. Hopefully these debates prompt the corrections needed to make it applicable to its goals before it’s submitted.
If anything, law enforcement in the US (and frankly, everywhere) are shooting their feet with such ‘shoot the messenger’ tactics because people are getting more and more wary when it comes to cooperating for fear of interacting with law enforcement and running into trouble. So while they are worrying that encrypted smartphones may get in the way they are silencing witnesses that would probably render such encryption moot. This is just an example. There’s already a general lack of trust from the citizenry towards law enforcement and they and now they are actively ensuring that people will not help on investigations and security flaws out of fear of bad laws. Great.
This makes everybody in tech a felon
As someone who works in cloud this is part of my day to day. So by merely passing this law, anyone with knowledge of a vulnerability would automatically become a felon. There is often a trade-off between security and getting something to market. This would mean even getting it to market would be legally felonious in many if not all cases.
Re: This makes everybody in tech a felon
Same here. Part of my job involves protecting an alarmingly large corpus of diagnosis, treatment and prescription data — but I won’t be able to do that if this passes…well, not without risking prison.
This is not only wrong, it’s insane.
Re: Re: This makes everybody in tech a felon
Or if you’re brave you could use it in your advertising slogans.
“We’re willing to break the law by following standard security practices to make sure your data is secure from hackers”.
Re: Re: Re: This makes everybody in tech a felon
I’d buy it!
The inquisition is back. This time it punishes ‘hacking’ instead of ‘witchcraft’, but the way of determining guilt seems about equivalent to the trials of old.
Re: Re:
It never left, it just takes on different forms as people need it to.
Every culture and politic has a buzz word, card to play, or dogmatic bias against the side they oppose.
Re: Re: Re:
The word you’re looking for is “Boogeyman.”
Ahhh the good ol US Of A.
“A good offense…Is a good offense. What is this “Defense” you speak of?
Ahhh, but Novell Netware of the 1990's
I remember when Novell Netware came into the company where I worked in the 1990’s. Their documentation would run afoul of the DOJ’s current intent. It was a database, and I learned an awful lot when I ran a search with the keywords ‘security,’ ‘password,’ and ‘risk.’ No doubt matters have tightened up now, but that became important for my job back then. I was in R&D, and Production would often massage/tweak/crochet/edit data that went through official channels to claim that tests had a given desired result. Thanks to the Novell documentation, it wasn’t hard to go into sister sites’ networks and get the raw data. Again, those were the old days, and we also had Moe, Larry, and Curly managing our IT.
Seriously, though, this could impact those technical writers and trainers. Reinforcing the need for best practices is difficult when you can’t thoroughly explain the risk of worst practices.
Would be
Sharing a list of common (and stupid) passwords could be construed as “willfully trafficking” passwords while “knowing” a “protected computer” could be “accessed without authorization.”
“Would be”, not “could be”. There’s no need to exaggerate how bad this is.
Manuals
Does this mean that companies publishing a manual which contains the default login/password are commiting a felony? They are after all publishing a password willfully which can be used to access a device without authorization.
If they are I guess they will remove them from the manuals. Would this mean that we have to brute force the password for i.e. a router before we can use it?
Re: Manuals
technically if this passes default router password being printed in manuals would be criminal, yes.
Re: Re: Manuals
then the next question is I guess… are brute force programs legal?
Since the NSA logs everything that goes across the internet and automatically flags anything containing certain key words, I wonder if composing a *bad* password (thinking no one else would ever see it), something like “BombtheBlackhouse” or “KillThePresident” (or whatever) could get a person SWAT’d and a thrown in jail on terrorist charges?
Besides NSA snooping, it would also be an interesting way to test if the website or network administrator is reading [supposedly-confidential] passwords by composing a password consisting of a terrorism or death threat against the person or company you suspect might be snooping passwords and/or logging traffic.
Re: Re:
Do you really want to do this in a country where police officers routinely kill unarmed civilians and walk away with paid vacations and a substantial stash in donations? Where SWAT teams routinely raid the wrong locations and throw grenades at children and walk away with commendations? Where drone operators kill innocent men, women and children in between coffee breaks and receive medals for it? Where those who conduct torture are shielded and protected while those who expose it are persecuted, harassed and jailed?
I didn’t think so.
Re: Re: Re:
umm… too late?
I wonder...
Will this become a first Amendment fight?
2014 maybe *nt* the year of Digital Security?
In the caption it states 2014 was the year of digital security. Robert Cringely blogged on this recently and suggests well see more violations this year, but it won’t be until 2016 till we deal with it.http://www.cringely.com/2015/01/12/2015-will-year-nothing-happened/
http://www.cringely.com/2015/01/16/2015-predictions-money-stupid/
You never expect
You never expect the Spanish Inquisition! Or the DOJ Inquisition now… 🙁
“12345? That’s the same password I have on my luggage.” – President Skroob in Spaceballs
what the hell is wrong with these people? dont they have anything proper to do? there is a multitude of crime going on and they have time to come out with this? not only that but they want to make it a punishable offence? JEEZ! get a grip!!
Motivations
Amongst others:
If this fails, they WILL find another excuse and attempt to encode it into law.
The only reason the DOJ is doing this is because its their passwords on the list.
This proposal appears to criminalize being 0wned
The removal of the word “intent” seems to imply that the intention here is to hold computer owners responsible for what their systems do without their knowledge. And in a perfect world, that might not be a bad idea. However, in this world, where there are a few hundred million botted systems on the Internet, it’s a horrible idea.
Look what happened to Julie Amero, and that wasn’t even her system. The combination of a grandstanding prosecutor, utterly incompetent “forensic experts” and clueless newspaper editors destroyed her life — over someone else’s mistake. (And a rather common mistake, at that.)
This proposal could be used to go after everyone whose system has been botted, and since it can be, it will be. When convenient. When expedient. When politically desirable.
The Emperor's New Password
Crap, turns out our security really sucks. Should we fix it?
Let’s just make talking about security illegal.
Problem solved!
enemy of the american people...
IS the DOJ
Wait isn't everything capable of being a password
Couldn’t this sentence technically be a password? Crap wouldn’t typing out the previous sentence be a felony if the law is changed because I know it could technically be a password? Crap wouldn’t typing out the previous sentence be a felony if the law is changed because I know it could technically be a password? Crap isn’t anything I could possibly type out be a felony because I know it could be used as a password.
Re: Wait isn't everything capable of being a password
I was thinking about this as well. A “password” is just arbitrary characters strung together (if it’s actual words, then you’re doing it wrong).
A list of nothing but passwords isn’t even that useful (except to compile a dictionary to be used in a dictionary attack). What is useful is a list of services and user IDs with their passwords.
Re: Re: Wait isn't everything capable of being a password
A “password” is just arbitrary characters strung together (if it’s actual words, then you’re doing it wrong).
That’s not true; a long string of dictionary words is a very secure password. Forexamplethisrightherewouldbevirtuallyimpossibletocrackjustbecauseit’ssolong.
Re: Re: Wait isn't everything capable of being a password
A list of nothing but passwords isn’t even that useful (except to compile a dictionary to be used in a dictionary attack).
Why’d you have to point this out? Now they’re going to ban the dictionary! Oh, wait, aren’t there password crackers that utilize Wikipedia?
BAN IT ALL! BAN ALL THE WORDS!
Re: Re: Re: Wait isn't everything capable of being a password
come on politicians of the world, lets get our stones, pitchforks, and lanterns, burn it, burn it, burn it all to hell…..politicians of the world unite, we can do this, come on
Re: Re: Wait isn't everything capable of being a password
This is the correct angle on this I think, a list of “potential bad passwords” is just a list of combinations of letters and numbers (not likely to be any special chars in there). They do not become passwords until connected with a username and an account at a specified service.
To bring the idea proposed by the law into the real world, would a list of gases used in various types of blowtorch be considered an intentional aid to safecrackers?
Re: Wait isn't everything capable of being a password
Please find your nearest authoritarian representatives so you can begin your gazzilion bajillion sentence, thankyou for your servitude peasant
Why are they under the impression that they own the internet?
Its based on freedom expression, freedom to create…..not an entitlement to restrict, to profit, or too monopolise
retards of the world unite
so they want to put people in jail for ten years cause they are stupid or daft. GO FOR IT les of em out side the better
Nobody wants to see their paswords posted online, but this is not about passwords, its about the attempts to use an event to demand , yes demand the ability, an ability that is so beyond anything like it, to put people who “dont do as they say” in jail, for the crime of presenting a bunch of characters in a certain way, bypassing the human right laws protecting inocent suspicion, or bringing to light questionable laws
The next step or after other several steps in this obvious ploy will be to put in jail anybody who opposes bad laws, policies, actions, bills, ideas etc etc………i dont want to pass my own policy, i have no policy by CHOICE, i certainly dont want to see BAD “policies” being passed or manipulated into impressionable minds, and certainly not by people who OBVIOUSLY through the very action they incessantly keep pushing dont give a shit about the rights and freedoms of the individual
how long for default passwords, 15 years?
Pssh, as if I would ever let anyone else see my hunter2-ing password.
And this is why Snowden fled to Russia, hippies aren’t the only domestic flag burners in the USA, and the military’s approval rating of the President is at an all time low.
They’re trying to mold younger generations in their image. All they’re doing is creating a generation who consider the US government worse than the Soviet Union. At least Stalin’s bad ideas couldn’t spread globally due to his toxic reputation.
The solution is not to end up arresting 50% of your population if its not already 100%, the solution is to recognize how important it is to beef up defensive security, whther those devices be in a company or somebodies home……..but because its harder by your standards you take the easy route, by arresting people……….there is, aswell as bad, a good thing when a “hacker” attempts to test how secure something is with the idea to inform the target of the vulnrability……….bit bit by bit, that software becomes more and more secure, and malicious opportunity deminishes, as malicious hackers with ill intent need to find more unique ways to exploit……..what their advocating is reducing the ammount people with expertise who do this to contribute to the security community drastically, which in some cases will probably give that one malicious hacker, lets say ten years of use for an exploit he found instead of 8,5,4 2 years? i just had a thought, its funny how this would also reduce the likelyness of good hackers finding intelligence service crimes, yes crimes not hacks…..
Security/privacy updates/patches should be a right not a privellage, it deals with information belonging to the individual, and so by this extension, security/privacy should be seen as a right, as is the right to not be searched without suspicion…….but with this kind of behaviour you expect to see in oppressed governments, you shoot your selves in the foot…..by your-self……..because now, your suspicions are suspect…….you either dont care if we trust you, or, the more relieving of the two, you’re too stupid to realise how important it is to have the trust of those you represent……appologies for my frustrated chosen words, but not the drive behind it
Re: Re:
then what would they use as an excuse to arrest people they do not like
Okay so lets say, supposedly that the pure possesion of this “material”, material made up of random characters next to other random characters, is a felony punishable by ten years……in this imaginary world, i’d like to start with the intelligence centers harddrive’s first please…..complete and utter unrestricted access please……no, but thats suspiciously similar to someone looking like their hidding something……and we all know what you say that means, right!
years of reporting America’s slide into a fascist police state and the tone of these articles always sound so shocked the worse things get
Re: Re:
It’s when you stop being shocked and disgusted, and instead respond with resigned anger and annoyance that things have gotten really bad. Shock and disgust come from expecting better, hoping for people to act rationally, and having them not. Shock is good, gives people motivation to do something about the cause of the shock.
Resignation though, when it reaches that point, that’s because you no longer expect anything good, because you expect the worst, and are no longer surprised by it. And at that point, the drive to fix the situation is pretty much gone, because why would you even try when you know that that’s just what they do?
Another day another law the DOJ writes for itself to assist in making the functions that it performs easier, for itself.
The further that “Justice” can distance itself from “Department of” then the more just our society will become.
written language is banned
Since any and all words can be used as passwords.
Hmm, would spoken language count as trafficking?
So that means..
IF you, at the end of your article, or any one of us at the end of our comments write “all of the words above, including even these, COULD be passwords somewhere on some machine” we’re culpable?
So even if you LEFT OUT that part at the end, anyone with more than two brain cells would know those all were possible passwords, so even without the advice, these are all passwords (including the word password) and therefore anyone writing ANYTHING is a criminal.
Re: So that means..
You do realize that the members of the NSA, FBI, CIA, HLS, and their extra-national affiliates around the world scanning this comments page, have all just wet themselves reading your words – which point out that writing any string of words would be a criminal act under this legislation and thus, describes nicely the near-ultimate wet dream of any fascist….
That the creation and or publishing of any “unauthorized” literature, is automatically a major criminal act, punishable by maximum legal reaction.
This is of course only the for-runner legislation of the true ultimate wet dream laws of fascism…
That all unauthorized speech is automatically a major criminal act, punishable by maximum legal reaction.
Peasants need only labor for the state, sleep and eat, and need no voice or thought beyond that necessary to fulfilling the task assigned them by the state to insure the continuity of the state. That is the goal of fascism – that the state becomes a commercial operation owned and run by the ruling class and the peasants become the feedstock from which the wealth of the ruling class is derived.
This is the way life has been on earth for most of human history.
The fact that fascism always leads directly to dissolution of the nation in which it flourishes changes nothing, as fascists have no plan beyond draining a place of its wealth before moving on to greener pastures.
The resemblance to a virus, or the legendary vampires of Hollywood is telling.
The last thing the fascist owned state needs is uppity peasants discussing the fact – verbally or in writing – that the state is nothing more than a gang of lizard brained greedy millionaires mindlessly sucking the life out of the earth like fleas on a dog.
It would be lovely to perceive a future where the heads of tycoon CEOs, mob bosses, billionaire politicians, lawyers and their kin, could be seen adorning the pointy ends of pikes along the roads of a nation awakened from a nightmare, but all my limited fore-sight conjures up is empty streets.
—
They said ‘would’ (indicating certainty) but you paraphrased it as’could’ meaning within the realm of possibility.
Big difference. Very big difference. Very,very big difference, actually.
And Pastebin will shutdown.