If The DOJ Gets Its Way, Tweeting Out A List Of The 'Worst Passwords On The Internet' Will Be A Felony

from the because-our-prisons-aren't-at-maximum-capacity dept

Retweet if you want to go to jail! And not regular county jail, but federal prison!


In case you can’t read/see the tweet, it says:

Under the DOJ’s CFAA proposal, this article (and this tweet linking to it) could be a 10 year felony. That’s insane.

(The link goes to a Techcrunch article featuring SplashData’s list of the “worst passwords on the internet.”)

The DOJ has offered up its preferred version [pdf link] of the CFAA (Computer Fraud and Abuse Act) — under the ridiculous name of “Updated Law Enforcement Tools” — and it indeed would make this sort of thing an instant felony.

Here’s the wording change that does it [strikethrough for deletions; bold for additions]:

(6) knowingly and with intent to defraud willfully traffics (as defined in section 1029) in any password or similar information, or any other means of access, knowing or having reason to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section as the result of such trafficking; if—

(A) such trafficking affects interstate or foreign commerce; or

(B) such computer is used by or for the Government of the United States;

The DOJ removes intent and replaces it with feelings. Sharing a list of common (and stupid) passwords could be construed as “willfully trafficking” passwords while “knowing” a “protected computer” could be “accessed without authorization.”

And that thing about federal prison I opened the post with? That’s the way the DOJ wants it. The CFAA currently allows for misdemeanor charges under certain circumstances. But this proposal does away with that. Instead of a misdemeanor-to-3 year sentence range, punishments start at 3 years and escalate to a 10-year cap. Unless, of course, your hacking is part of the commission of another felony, in which case the government proposes it should get to double dip (at minimum). Here’s Orin Kerr’s take on that part of the proposal:

Under the proposal, breaching a written restriction is a crime if the user violated the written condition in furtherance of a state or federal felony crime, “unless such violation would be based solely on obtaining the information without authorization or in excess of authorization.” On one hand, this might seem kind of harmless, or at least redundant: The proposal makes it a felony to break a promise on a computer in furtherance of a felony. One wonders what the point is: Why not just punish the underlying felony?

But the real problem is the double-counting issue. Federal and state law is filled with overlapping crimes. Congress might enact three crimes that do the same basic thing, giving prosecutors the choice of which to charge or allowing them to charge all three. State criminal codes often mirror the federal criminal code. That raises a question: If Congress makes it a crime to commit an act “in furtherance of” a different crime, does the existence of overlapping crimes mean that a person’s conduct violates the first crime because it was “in furtherance of” the second? This is a particular problem because every state has unauthorized access crimes a lot like the CFAA. We saw this in the Auernheimer case, where prosecutors argued that the misdemeanor federal unauthorized access alleged in that case should be a felony because it was “in furtherance of” New Jersey’s nearly identical state unauthorized access law.

As if we didn’t have enough people in prison already, the DOJ proposal mandates felony charges and provides prosecutorial options to ensure very few defendants walk away with short sentences.

The proposal also asks users to perform mind-reading when accessing anything computer-based.

(6) “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the such computer—

(A) that the accesser is not entitled so to obtain or alter; or

(B) for a purpose that the accesser knows is not authorized by the computer owner;

Going back to the Weev case, Andrew Auernheimer obviously knew AT&T would not “authorize” his access of supposedly private information, even if all he did was alter URL components to achieve this. Now, companies’ security failures can be weaponized against those who discover them — making it highly unlikely that flaws and holes will be pointed out to those who can actually close them. Why risk a few years in federal prison (remember: no misdemeanors) just because some entity decided to shoot the messenger rather than thank them for their help?



Comments on “If The DOJ Gets Its Way, Tweeting Out A List Of The 'Worst Passwords On The Internet' Will Be A Felony”

69 Comments
That One Guy (profile) says:

DOJ to white-hats: If you see something, shut up, or face a felony

If they manage to get this ‘updated’ wording accepted, pretty much the only people ‘hacking’ systems, or checking security, will be those with criminal intentions. If making a security vulnerability known, or even making it known that you found one, is instantly a felony, the only people who would even risk doing so, will be those that are already planning on breaking the law.

Companies may feel like they get egg on their face when they have their shoddy security made public after ignoring the problem, but that is nothing compared to what happens when the person ‘examining’ their security isn’t interested in helping anyone but themselves. And with the law making it essentially illegal for someone to test security on their own, for whatever reason, the number of security holes, and resulting harmful hacks, will likely shoot way up.

Yet again, we’ve got an example of a government agency making things less safe, and more dangerous, for everyone but the criminally inclined.

John Fenderson (profile) says:

Re: DOJ to white-hats: If you see something, shut up, or face a felony

“If making a security vulnerability known, or even making it known that you found one, is instantly a felony, the only people who would even risk doing so, will be those that are already planning on breaking the law.”

The number of white hats would be reduced, no question about it, but there will always be some that keep doing the good work. They’ll just go underground (a bit like they used to be in the old days).

nasch (profile) says:

Re: Re: DOJ to white-hats: If you see something, shut up, or face a felony

They’ll just go underground (a bit like they used to be in the old days).

Even among those who continue working, probably many will stop contacting the companies with vulnerabilities (how confident are they that their communications are really anonymous once the FBI gets involved?) and just publicize everything immediately. Nobody benefits from such a change.

John Fenderson (profile) says:

Re: Re: Re: DOJ to white-hats: If you see something, shut up, or face a felony

True enough. This, too, is pretty much like the old days. Giving software and hardware producers a couple of weeks of advanced notice prior to public disclosure is a very good thing and it would be a shame if that stopped. But the really crucial part is the public disclosure, and that will go on.

If the pattern from the old days repeats, what will happen is that software and hardware producers will end up begging white hats to start giving the advanced notice again.

Anonymous Coward says:

Re: Re: Re:2 DOJ to white-hats: If you see something, shut up, or face a felony

If the pattern from the old days repeats, what will happen is that software and hardware producers will end up begging white hats to start giving the advanced notice again.

The rest of the corporations want all security issues swept under the carpet, as it cost them money to fix them. If they can be kept hidden they do not have to spend the money.

nasch (profile) says:

Re: Re: Re:2 DOJ to white-hats: If you see something, shut up, or face a felony

If the pattern from the old days repeats, what will happen is that software and hardware producers will end up begging white hats to start giving the advanced notice again.

At which point, the white hats will say “if I did know anything about a vulnerability, it would be a felony to tell you about it.” Let’s hope this amendment never sees the light of day.

Sheogorath (profile) says:

Re: Re: Re:7 DOJ to white-hats: If you see something, shut up, or face a felony

It’s like grabbing the wrong leg in a pig wrestling contest.
Isn’t that what much ‘law enforcement’ consists of, nowadays? Someone wrestling a ‘pig’ on the ground so as to avoid assault, praying that the guy (as they generally are) doesn’t shoot, tase, or pepper spray them.

That One Guy (profile) says:

Re: Re: Re:2 DOJ to white-hats: If you see something, shut up, or face a felony

As long as a potential felony is on the books, they’d have to be fools to give that advanced notice. Between taking the risk of jail time by contacting the company, or anonymously publishing the security vulnerability, I imagine most will choose the latter as the safer option.

Even the ‘promise’ of no charges being brought if a security vulnerability is brought to the attention of a company wouldn’t be worth much, as that wouldn’t stop the DOJ from stepping in and filing their own charges.

Ninja (profile) says:

If anything, law enforcement in the US (and frankly, everywhere) are shooting their feet with such ‘shoot the messenger’ tactics because people are getting more and more wary when it comes to cooperating for fear of interacting with law enforcement and running into trouble. So while they are worrying that encrypted smartphones may get in the way they are silencing witnesses that would probably render such encryption moot. This is just an example. There’s already a general lack of trust from the citizenry towards law enforcement and now they are actively ensuring that people will not help on investigations and security flaws out of fear of bad laws. Great.

Anonymous Coward says:

This makes everybody in tech a felon

or any other means of access, knowing or having reason to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section as the result of such trafficking

As someone who works in cloud this is part of my day to day. So by merely passing this law, anyone with knowledge of a vulnerability would automatically become a felon. There is often a trade-off between security and getting something to market. This would mean even getting it to market would be legally felonious in many if not all cases.

mcinsand (profile) says:

Ahhh, but Novell Netware of the 1990's

I remember when Novell Netware came into the company where I worked in the 1990’s. Their documentation would run afoul of the DOJ’s current intent. It was a database, and I learned an awful lot when I ran a search with the keywords ‘security,’ ‘password,’ and ‘risk.’ No doubt matters have tightened up now, but that became important for my job back then. I was in R&D, and Production would often massage/tweak/crochet/edit data that went through official channels to claim that tests had a given desired result. Thanks to the Novell documentation, it wasn’t hard to go into sister sites’ networks and get the raw data. Again, those were the old days, and we also had Moe, Larry, and Curly managing our IT.

Seriously, though, this could impact those technical writers and trainers. Reinforcing the need for best practices is difficult when you can’t thoroughly explain the risk of worst practices.

Anonymous Coward says:

Manuals

Does this mean that companies publishing a manual which contains the default login/password are committing a felony? They are after all publishing a password willfully which can be used to access a device without authorization.

If they are I guess they will remove them from the manuals. Would this mean that we have to brute force the password for e.g. a router before we can use it?

Anonymous Coward says:

Since the NSA logs everything that goes across the internet and automatically flags anything containing certain key words, I wonder if composing a *bad* password (thinking no one else would ever see it), something like “BombtheBlackhouse” or “KillThePresident” (or whatever) could get a person SWAT’d and thrown in jail on terrorist charges?

Besides NSA snooping, it would also be an interesting way to test if the website or network administrator is reading [supposedly-confidential] passwords by composing a password consisting of a terrorism or death threat against the person or company you suspect might be snooping passwords and/or logging traffic.

Anonymous Coward says:

Re: Re:

Do you really want to do this in a country where police officers routinely kill unarmed civilians and walk away with paid vacations and a substantial stash in donations? Where SWAT teams routinely raid the wrong locations and throw grenades at children and walk away with commendations? Where drone operators kill innocent men, women and children in between coffee breaks and receive medals for it? Where those who conduct torture are shielded and protected while those who expose it are persecuted, harassed and jailed?

I didn’t think so.

joe says:

2014 maybe *not* the year of Digital Security?

In the caption it states 2014 was the year of digital security. Robert Cringely blogged on this recently and suggests we’ll see more violations this year, but it won’t be until 2016 till we deal with it.

http://www.cringely.com/2015/01/12/2015-will-year-nothing-happened/

http://www.cringely.com/2015/01/16/2015-predictions-money-stupid/

Anonymous Anonymous Coward says:

Motivations

Amongst others:

Our prisons are populated with many people on marijuana violations.

Our prisons are becoming private entities.

Several states have legalized recreational marijuana, and more to come, eventually all of them, then the Federal laws will follow.

The corporations who own privatized prisons are in need of a new source for occupancy, because profit.

The DOJ, doing their masters’ bidding, are merely trying to create a new source for prison occupancy.

Computers are not going away.

If this fails, they WILL find another excuse and attempt to encode it into law.

Rich Kulawiec (profile) says:

This proposal appears to criminalize being 0wned

The removal of the word “intent” seems to imply that the intention here is to hold computer owners responsible for what their systems do without their knowledge. And in a perfect world, that might not be a bad idea. However, in this world, where there are a few hundred million botted systems on the Internet, it’s a horrible idea.

Look what happened to Julie Amero, and that wasn’t even her system. The combination of a grandstanding prosecutor, utterly incompetent “forensic experts” and clueless newspaper editors destroyed her life — over someone else’s mistake. (And a rather common mistake, at that.)

This proposal could be used to go after everyone whose system has been botted, and since it can be, it will be. When convenient. When expedient. When politically desirable.

RK57957 (profile) says:

Wait isn't everything capable of being a password

Couldn’t this sentence technically be a password? Crap wouldn’t typing out the previous sentence be a felony if the law is changed because I know it could technically be a password? Crap wouldn’t typing out the previous sentence be a felony if the law is changed because I know it could technically be a password? Crap isn’t anything I could possibly type out be a felony because I know it could be used as a password.

John Fenderson (profile) says:

Re: Wait isn't everything capable of being a password

I was thinking about this as well. A “password” is just arbitrary characters strung together (if it’s actual words, then you’re doing it wrong).

A list of nothing but passwords isn’t even that useful (except to compile a dictionary to be used in a dictionary attack). What is useful is a list of services and user IDs with their passwords.

JP Jones (profile) says:

Re: Re: Wait isn't everything capable of being a password

A list of nothing but passwords isn’t even that useful (except to compile a dictionary to be used in a dictionary attack).

Why’d you have to point this out? Now they’re going to ban the dictionary! Oh, wait, aren’t there password crackers that utilize Wikipedia?

BAN IT ALL! BAN ALL THE WORDS!

Jake says:

Re: Re: Wait isn't everything capable of being a password

This is the correct angle on this I think, a list of “potential bad passwords” is just a list of combinations of letters and numbers (not likely to be any special chars in there). They do not become passwords until connected with a username and an account at a specified service.

To bring the idea proposed by the law into the real world, would a list of gases used in various types of blowtorch be considered an intentional aid to safecrackers?

Anonymous Coward says:

Nobody wants to see their passwords posted online, but this is not about passwords, it’s about the attempts to use an event to demand, yes demand the ability, an ability that is so beyond anything like it, to put people who “don’t do as they say” in jail, for the crime of presenting a bunch of characters in a certain way, bypassing the human right laws protecting innocent suspicion, or bringing to light questionable laws

The next step or after other several steps in this obvious ploy will be to put in jail anybody who opposes bad laws, policies, actions, bills, ideas etc etc………i don’t want to pass my own policy, i have no policy by CHOICE, i certainly don’t want to see BAD “policies” being passed or manipulated into impressionable minds, and certainly not by people who OBVIOUSLY through the very action they incessantly keep pushing don’t give a shit about the rights and freedoms of the individual

Anonymous Coward says:

And this is why Snowden fled to Russia, hippies aren’t the only domestic flag burners in the USA, and the military’s approval rating of the President is at an all time low.

They’re trying to mold younger generations in their image. All they’re doing is creating a generation who consider the US government worse than the Soviet Union. At least Stalin’s bad ideas couldn’t spread globally due to his toxic reputation.

Anonymous Coward says:

The solution is not to end up arresting 50% of your population if it’s not already 100%, the solution is to recognize how important it is to beef up defensive security, whether those devices be in a company or somebody’s home……..but because it’s harder by your standards you take the easy route, by arresting people……….there is, as well as bad, a good thing when a “hacker” attempts to test how secure something is with the idea to inform the target of the vulnerability……….bit by bit, that software becomes more and more secure, and malicious opportunity diminishes, as malicious hackers with ill intent need to find more unique ways to exploit……..what they’re advocating is reducing the amount of people with expertise who do this to contribute to the security community drastically, which in some cases will probably give that one malicious hacker, let’s say ten years of use for an exploit he found instead of 8, 5, 4, 2 years? i just had a thought, it’s funny how this would also reduce the likelihood of good hackers finding intelligence service crimes, yes crimes not hacks…..

Security/privacy updates/patches should be a right not a privilege, it deals with information belonging to the individual, and so by this extension, security/privacy should be seen as a right, as is the right to not be searched without suspicion…….but with this kind of behaviour you expect to see in oppressed governments, you shoot yourselves in the foot…..by yourself……..because now, your suspicions are suspect…….you either don’t care if we trust you, or, the more relieving of the two, you’re too stupid to realise how important it is to have the trust of those you represent……apologies for my frustrated chosen words, but not the drive behind it

Anonymous Coward says:

Okay so let’s say, supposedly that the pure possession of this “material”, material made up of random characters next to other random characters, is a felony punishable by ten years……in this imaginary world, i’d like to start with the intelligence centers’ hard drives first please…..complete and utter unrestricted access please……no, but that’s suspiciously similar to someone looking like they’re hiding something……and we all know what you say that means, right!

That One Guy (profile) says:

Re: Re:

It’s when you stop being shocked and disgusted, and instead respond with resigned anger and annoyance that things have gotten really bad. Shock and disgust come from expecting better, hoping for people to act rationally, and having them not. Shock is good, gives people motivation to do something about the cause of the shock.

Resignation though, when it reaches that point, that’s because you no longer expect anything good, because you expect the worst, and are no longer surprised by it. And at that point, the drive to fix the situation is pretty much gone, because why would you even try when you know that that’s just what they do?

Tom Joad says:

So that means..

IF you, at the end of your article, or any one of us at the end of our comments write “all of the words above, including even these, COULD be passwords somewhere on some machine” we’re culpable?
So even if you LEFT OUT that part at the end, anyone with more than two brain cells would know those all were possible passwords, so even without the advice, these are all passwords (including the word password) and therefore anyone writing ANYTHING is a criminal.

GEMont (profile) says:

Re: So that means..

You do realize that the members of the NSA, FBI, CIA, HLS, and their extra-national affiliates around the world scanning this comments page, have all just wet themselves reading your words – which point out that writing any string of words would be a criminal act under this legislation and thus, describes nicely the near-ultimate wet dream of any fascist….

That the creation and or publishing of any “unauthorized” literature, is automatically a major criminal act, punishable by maximum legal reaction.

This is of course only the forerunner legislation of the true ultimate wet dream laws of fascism…

That all unauthorized speech is automatically a major criminal act, punishable by maximum legal reaction.

Peasants need only labor for the state, sleep and eat, and need no voice or thought beyond that necessary to fulfilling the task assigned them by the state to ensure the continuity of the state. That is the goal of fascism – that the state becomes a commercial operation owned and run by the ruling class and the peasants become the feedstock from which the wealth of the ruling class is derived.

This is the way life has been on earth for most of human history.

The fact that fascism always leads directly to dissolution of the nation in which it flourishes changes nothing, as fascists have no plan beyond draining a place of its wealth before moving on to greener pastures.

The resemblance to a virus, or the legendary vampires of Hollywood is telling.

The last thing the fascist owned state needs is uppity peasants discussing the fact – verbally or in writing – that the state is nothing more than a gang of lizard brained greedy millionaires mindlessly sucking the life out of the earth like fleas on a dog.

It would be lovely to perceive a future where the heads of tycoon CEOs, mob bosses, billionaire politicians, lawyers and their kin, could be seen adorning the pointy ends of pikes along the roads of a nation awakened from a nightmare, but all my limited foresight conjures up is empty streets.
