Intelligence Analyst Charged With Hacking For Logging Into An Account Sent To Him Via Email
from the where's-the-hacking? dept
Wired has the odd story of a government intelligence analyst who has been charged with unauthorized access to a protected gov’t computer involved in an investigation he was not authorized to access. But the problem is that the whole reason he logged in was because he had the login information emailed to him — and he claims it went to a bunch of other intelligence analysts as well. Given that the login info was widely emailed around, due to what appears to be a breach in security protocol, it seems rather silly to then charge him with any kind of unauthorized access, and have him facing criminal charges. The real question should be why the guy was emailed the login info in the first place.
Filed Under: hacking, intelligence analyst
Comments on “Intelligence Analyst Charged With Hacking For Logging Into An Account Sent To Him Via Email”
Government Intelligence at its best
It was probably emailed by someone higher up the food chain so they need a scape goat a little lower down. It would make too much sense to go after the person who actually emailed the credentials.
Unauthorized access is unauthorized access
Having a username and password is not the same as having authorization to access a resource.
A professional analyst should know better.
Re: Unauthorized access is unauthorized access
Quite right from a computer perspective. He was the Authentication, not the Authorization.
If he understood what the login data represented and that he was not supposed to have access, then I don’t see why he should go free of charges.
For example, we had a scandal here in Sweden where one party used a leaked login to access the other parties plans on how to get elected. Personally I think one shouldn’t be allowed to use login credentials that you are not supposed to have access to. It’s like dressing up like a cop and misusing the authority that gives you. Just because you (or anyone) can do this doesn’t mean you should be allowed to.
The key question I think is whether you realize that you are not allowed to use the login data.
Re: Re:
“The key question I think is whether you realize that you are not allowed to use the login data.”
That is the key question. He’s a government intelligence analyst, probably use to working with top secret stuff. Did he get the E-Mail and think that it was a message from his boss saying he had to work in there?
Another big question is are the tens of thousands of other people this was sent to getting looked at and what about the person who sent the message in the first place.
I don’t know how I feel about this. In a normal job environment, this would be at most a fireable offense. The top secret thing throws a wrench into the works.
Re:
Why are spam bots coming to TechDirt? Wtf.
Re: Re:
And what are they trying to tell us? I just don’t understand the point.
Re: Re: Re:
That capitalism, being paid according to contract, and making money through smart investments is EVIL and LAZY! After all, it’s so EASY being an investor that everyone who tries just falls into wealth! Those cheaters! (end sarcasm, for those whose detectors are permanently broken)
On ALL Government systems there is a “Login Warning” that states if you are not authorized access to that system you can be prosecuted if you proceed. He ignored the warning. He should have instead notified his supervisor that he had received the login information.
I disagree Mike....
If I accidentally use the same username and password on techdirt that I do on my banks website, does that mean that anyone at techdirt has authorization to access my account?
Do you think if Mike at techdirt emptied my bank account, that he shouldn’t be charged with unauthorized access?
I’d love to tell you to try and find out.. but sadly, I did not make this mistake.
Unauthorized access yes. Hacking? No. If I drop my house key outside my house and someone wanders by, picks it up and enters my house he didn’t ‘pick the lock’. But he/she sure as hell not authorized to be in there!
Re: Re:
I also had trouble finding where the hacking occurred. Good analogy with the lock. But that would have been called cracking, not hacking.
If someone gives you a username and password for a intranet website, particularly if the source is one of your bosses, it makes complete sense to assume that they’ve granted you authorization to whatever that website is. Even if it says in large letters “do not access without proper auth” I’m sure that will make it completely clear that the credentials the boss sent are bad…..
The analogy about using same username and password on multiple websites doesn’t hold water. First of all, websites you use should be hoped to keep credentials in a way that the site itself can’t determine the password. And the username/password combos used should at least establish bands of security. Maybe you don’t care about using the same uname/pw in a few forums, but you have unique uname/pw combos for banking, etc.
This is more reason why access itself is not the crime, it’s what you do with the access or how you obtained the access. And more reason why the federal government can be assumed to be among the most moronic large IT operations around.
Re: Re:
If someone gives you a username and password for a intranet website, particularly if the source is one of your bosses…
Except, that’s not the case in this case, is it?
Depends...
If my boss sent me an email with a user name and password to a system I didn’t normally have access to with a note to login and do something, I would assume that I was authorized.
Why should someone who acts in good faith at receiving a legitimate email with legitimate creditials be punished and not the person who sent the email.
Trespassing?
If you find a key to someone’s house in the public street, and then use the key to enter their home, does that mean you’re not trespassing?
FAIL.
As others have said, the issue here is “authorization” and unless he had reason to believe he had authorization, he’s boned.
Those in the classified realm also know of a similar standard – “need to know”. Just because you have a particular clearance level does not mean you get to have access to everything, and if you pursue access or exposure to things not relevant to your work, you risk being accused of a breach.
Re: Trespassing?
Except that in this case someone who you thought owned the house gave you the key, showed you how the lock worked, and invited a bunch of people over.
Re: Re: Trespassing?
That’s a good point, however, I think we need to adjust it even further…
Someone who may *or may not* have owned the house, gave you the key, showed how the lock worked, and invited a bunch of people over.
We do not know that the person that sent the email had the authority to authorize others to access the information.
wrong
The point everyone is missing…..log in credentials, i.e. passwords, shouldn’t be exchanged/sent via email in the first place. That should have been a red flag!
Clever hack!
It sounds to me that someone had that login sent to a bunch of people to cover his own tracks. When there’s multiple users accessing the same login, it’s harder to tell what any one of them is doing! Of course, the person who emailed the login should be brought up on charges.
And sorry AC, but you can’t just “accidentally” send someone an email with a system login!
He claims he had thought he had permission in the article. If I was sent an email and I had clearance above what was needed I would probably research the subject as well, especially if I was being brought on to a new project. Either way this is an internal matter not a matter for the courts.
The Scenario?
Surely the main question is under what pretence the information was provided to this guy?
If he received an email with just the details for login and no further details, he may have just signed in to see what the login details were for.
If he got it from a superior with a DO NOT USE THESE DETAILS message attached then obviously he shouldnt have used them.
ultimately, no-one but him knows the circumstances surrounding receiving the login details and no-one but him knows what the rest of the email was about.
its all well and good saying “Having a username and password is not the same as having authorization to access a resource.” agreed, but you just dont know the WHOLE story.
Mike I have to say, you’re right but you’re wrong… using secure login details on face value would be stupid and deserves punishment because the person has not been told to use them.
HOWEVER, i cant honestly say that if someone emailed me login credentials to a secure website (internal or external) whether in error or not, I wouldnt have a peek at the info behind the login screen. I guess i would be punished for this, but i would still argue that someone sent me the details without instruction so i assumed they were for me to use.
Re: The Scenario?
“[…] so I *assumed* they were for me to use.”
See the problem? If you work in the classified arena, authorization to access information is explicit, not tacit (assumed), especially if you encounter the information unexpectedly.
However, I agree that the whole story is not here and he may have had reasonable cause to believe he legitimately had authorization to the material. In which case, he ought to make that case.
We don't know
Let’s face it we don’t know the wording of the “warning”, where the messages came from, what the “normal practice” of authorisation was or anything. So all these comments are really flailing around in a vacuum of ignorance of the important facts.
However it smells to me like the person who really caused the problem (the one who sent the message) is trying to cover his back. The wording of the government information looks deliberately contrived to put the worst possible spin on the actions of the guy who received the message.
Clearly SOME recipients of the message had authorisation (otherwise why was it sent) and the exact same message was sent to him as to them. So all those people who likened it to picking up a key in the street are off target. It’s more like being served a dish you (think you) didn’t order at a restaurant. Is it the restaurant’s version of your dish? Is it a complimentary extra? Or does it belong to someone else?
It all hangs on how dissimilar this event was to what this guy could expect in his normal job.
Where is the System Security?
If he wasn’t allowed to log into the system in question, why did the system allow him to (assuming he used his own ID)?
What happened to the others or the person that sent the information? If you are going to set an example, slap all involved not just a single person.
Of course, there is probably much more to this story that what was reported.
Isn’t “government intelligence” an oxymoron?
A Better Analogy
A better way to describe what happened.
Say someone you didn’t know stopped over and say “Here’s My WIFI password”
Then you started browsing Facebook and you got criminal charges for unauthorized access.
If you read the story, he did not copy/distribute/whistleblow about any info he learned from his access.
Not to mention that this guy already had Top Secret clearance for his job, so getting this info was not out of the ordinary. He just so happened to not be on the list of people to have access.
Having worked at a few gov sites when you are brought to the login screen of a government system it is clearly stated that it is illegal to login to the system unless you have authorization. Having a user/pass to access the system does not mean you are authorized to access the system, regardless of security level.
Re:
And what in the hell does this have to do with the article????
Multiple Questions
The real question should be why the guy was emailed the login info in the first place.
No, that’s yet another question, not “the” question. There can be more than one question involved, so having one “real” question does not meant that there are not also others. Nice try, Mike.
But still
without reading the email, we cant come to a good conclusion. If he recieved an email telling him to log in from one of his superiors, then why would he question whether or not he had authorization.
If my teacher told me her logins to her email account, and then told me to check it, I would conclude that I was allowed to check it. Who wouldnt in that situation?
Authorization..
The thing everyone here doesn’t seem to understand is that this was a government site. There are warnings all over the place when logging on. It doesn’t matter what your clearances is, you do not get authorization from an email – you read disclaimers and sign papers.
There is no way this guy can use the “I thought I had clearance” argument. He’s government intelligence analyst, he knows what the procedures are.
I agree he shouldn’t be charged with hacking, but unauthorized access is valid.