27 votes

Journalist Tim Burke faces charges under the US Computer Fraud and Abuse Act

9 comments

  1. [9]
    scarecrw

    This article seems to be bending over backwards to suggest Burke's innocence. From my understanding he accessed otherwise inaccessible information using login credentials that were not his. While clearly a significant security flaw, exploiting it is obviously still an example of unauthorized access.

    This would be like suggesting that because you didn't change the locks on your doors the previous tenant has the right to break into your home.

    Ethically there may still be an argument for taking this action as a journalist if the information gained is in the public interest (though I seriously doubt it in this case). Regardless, no one should be surprised that this would be legally considered unauthorized access.

    11 votes
    1. [8]
      Zorind

      I think if this is the case:

      maintained that he found the video clips after using demo login credentials that had been posted publicly on the internet, and that the files could be shared via unsecured, public URLs.

      Then it shouldn’t be considered unauthorized access - if a URL is accessible if I can just type it in, that’s authorized access if you ask me.

      If that URL brings up a locked page that I have to login to with credentials, if I bypass that login somehow (other than just manipulating the URL), then that’s unauthorized access to me.

      But - if credentials that let you log in are floating around on the public web, then that’s a bit more complicated to me. Maybe not authorized, unless they’re explicitly “test” logins or something?

      Because I don’t think leaking a login in a GitHub repo should count as making something publicly accessible and anyone can be authorized.

      But if you have a page somewhere that gives example login credentials, and those login credentials work…I feel like that’s pretty “authorized” - you’ve intentionally published those credentials.

      21 votes
      1. [2]
        boxer_dogs_dance

        This is precisely the kind of logic and analysis lawyers and judges use to argue and decide cases. The interesting questions are in the grey areas where the boundary to a category is not clearly defined

        8 votes
        1. irren_echo

          And this, to me, feels like the point of the article; it's not "bending over backwards to suggest Burke's innocence," (as another commenter said) it's pointing out the need for specificity in the courts regarding what does and does not constitute a punishable crime. Regardless of where one falls on the matter, hackers are inherently boundary-pushers. Those boundaries need setting so that potential victims know what is considered legally reasonable threat mitigation.

          (To again reference up-thread) it's fairly common knowledge that you should change the locks when you move into a new place, but even if you don't, at least lock the damn door.

          11 votes
      2. Sodliddesu

        But - if credentials that let you log in are floating around on the public web, then that’s a bit more complicated to me. Maybe not authorized, unless they’re explicitly “test” logins or something?

        US Government "Secret" Classified documents are floating around on the Web. If you happen to come across them, you're not authorized to access them, regardless of where you find them.

        You, the entity, don't have the authorization. Even if you have a badge, credentials, and whatever else that gets you access... You don't have access. The fact that "I realized that the windows were all unlocked upon breaking into the building" doesn't mean you could've just used the window, legally, instead.

        That said, I don't believe this should be a criminal matter personally. Let the company sue him instead.

        7 votes
      3. [2]
        NoblePath

        It appears to me you may be confusing "ethical" and "legal."

        I don't know this area of the law; however, based on what I do know of the law, especially given leadership's propensities the last few decades, even accessing a non-published but open URL could be illegal. I believe what used to be considered "war dialing" is illegal in most circumstances; I would not be surprised if an IP address sweep is also illegal.

        This is similar to the confusion most people have about 'ownership.' Ownership is what the government says it is, and the government can change it more or less as it likes (side note: some people believe that the judiciary is not the government, but it is. By custom, we let the judiciary decide issues between various government and non-government entities, but make no mistake, judges work for the government).

        "property ownership" is often described as a "bundle of rights," government defined and defended.

        So too it is with "access." A sad corollary is physical trespass to real property. Once upon a time, you could go on to the land of another pretty much without restriction unless impeded by a fence. We have swung to the opposite end of the spectrum (almost all restrictions are about excluding poor people). Now, you don't even need to have a sign in my state of NC; the law is some vague statement that the trespasser should recognize the property as belonging to another, including commercial property, and stay away. This law was pushed by Republicans, and passed over a veto, to allow police to arrest the unhoused who sleep in doorways.

        Is any of this ethical or moral? Of course not. But it is the law.

        4 votes
        1. Zorind

          Maybe not so much as confusing “legal” and “ethical” so much as idealistically wishing they were the same.

          Thanks for your comment!

          2 votes
      4. [2]
        whbboyd

        if a URL is accessible if I can just type it in, that’s authorized access if you ask me.

        This is not as clear-cut as I think you would like to think.

        For example: suppose I control the domain example.com, and I place a file at the root whose name is a random UUID (for example, ef3d276e-c3e2-4a7e-86ac-1032dc2051de) and am careful not to link it from anywhere and share the link only with authorized persons. We would consider that secure, even though anyone with the URL could access it, because there's no way to arrive at that URL short of unauthorized sharing or a web server exploit. There are too many UUIDs to enumerate them all, so knowing it a priori is required.

        "But Will," you say, "that's far too easy to leak. We should insist on requiring credentials separate from the URL!"

        Well…

        So, suppose I move my secret file to index.html, and set up HTTP basic auth to access it. Good enough, right? Well, HTTP URLs support credentials embedded within them (e.g. https://username:GJK4V3BVc9OPL8dc1YNu@example.com). If I drop that in a link on my public, search-engine-indexed homepage, it would be tough for me to claim access from following that link was "unauthorized".

        Ultimately: to access any given resource, some amount of secret and some amount of non-secret information is required. Whether or not an access is "authorized" is a question of how much secret is needed, and how credibly that information is "secret". The "quality" of secrecy (for lack of a better word…) might inform the latter, but isn't otherwise germane.

        (FWIW, I think interpretation of the CFAA veers far too far in the direction of considering the barest fig leaf of secrecy to be protective. For instance, if instead of random UUIDs, I used sequential ones starting from 0—e.g. 000000-0000-0000-0000-00000000001—is that secret? Practically speaking, the idea is farcical. Legally speaking, it's much less clear-cut. And that's leaving aside the serious need for carve-outs for good-faith security research.)

        4 votes
        1. Zorind

          Regarding your last point, I seem to recall something about some journalist or maybe just a person who then reported it to a journalist finding out that people’s social security numbers could be leaked from a government record lookup online (of some US state) because it returned a webpage that enumerated an ID at the end, and by adding one to that returned URL they were then able to access someone else’s page.

          I can’t recall the official outcome of that, but I think that realistically, there’s no way the person should be considered to be “unauthorized” access of the data in that case. (But legally I don’t remember but it unfortunately wouldn’t surprise me if they did get in some sort of trouble).

          2 votes
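The two designs argued over above (whbboyd's random-UUID capability URL versus a sequential record ID, and the "add one to the ID" lookup Zorind recalls) side by side, as an added example that is not code from the thread or from any site it mentions. The record store, user names and share-link scheme are constructed for illustration; the point is that an ID in a URL is a row selector, and only the server's own check (ownership of the row, or possession of a token that is genuinely unguessable) is an access control.

```python
"""Added example (not from the thread): a predictable ID is not an access control."""
import math
import secrets
from typing import Optional

# Constructed sample data: two users, each owning one record.
RECORDS = {
    1001: {"owner": "alice", "ssn_last4": "1234"},
    1002: {"owner": "bob", "ssn_last4": "5678"},
}
# Share links minted by mint_share_link(): random token -> record id.
SHARE_LINKS: dict = {}


def lookup_by_id_only(record_id: int) -> Optional[dict]:
    """Vulnerable pattern from the state-records story: the URL's ID is the
    only thing consulted, so changing 1001 to 1002 returns someone else's row."""
    return RECORDS.get(record_id)


def lookup_with_ownership(session_user: str, record_id: int) -> Optional[dict]:
    """Hardened pattern: the ID selects the row, the authenticated session decides
    whether the caller may see it. 'Not found' and 'not yours' both return None
    so the response does not reveal which IDs exist."""
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != session_user:
        return None
    return rec


def mint_share_link(session_user: str, record_id: int) -> Optional[str]:
    """whbboyd's capability URL: a 256-bit random token that stands in for the
    credential. Only the owner may mint one, and the token itself is the secret."""
    if lookup_with_ownership(session_user, record_id) is None:
        return None
    token = secrets.token_urlsafe(32)  # 32 bytes = 256 random bits
    SHARE_LINKS[token] = record_id
    return token


def lookup_by_capability(token: str) -> Optional[dict]:
    """Resolve a share link; an unknown token yields None, never a neighbour's row."""
    record_id = SHARE_LINKS.get(token)
    return RECORDS.get(record_id) if record_id is not None else None


def expected_guesses(id_bits: float, live_ids: int) -> float:
    """Mean blind attempts to hit *any* valid identifier: space size / live IDs.
    Sequential IDs in a 14-bit space with 5000 users fall in about 3 tries;
    the same population behind UUIDv4 (122 random bits) is out of reach."""
    return (2.0 ** id_bits) / live_ids
```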