by tptacek 3725 days ago
In this case, the problem wasn't so much that Trib Corp had poor security (they probably do though), but rather that an insider exfiltrated credentials to one of their servers to an IRC channel. There are a few companies in our industry where that attack wouldn't be devastating, because of very carefully designed security programs. But there are not many of those companies. Most companies you've heard of are just as vulnerable as Trib Corp was.
2 comments

But charging them with hacking? And putting them in prison for 2 years?
There's no such charge as "hacking".
Of course. We're able to make the distinction of being hacked versus someone crawling through an open window. If only jurors could be expected to do the same.
What distinction is it that you're trying to make? Crawling into a building through an open window is no less of a crime than picking the locks. In fact: it's exactly the same crime.
Picking the locks is breaking and entering, going through an open window is illegal trespass, assuming you don't have to move any parts of the window. At least where I live. It depends on whether or not you have to use even the slightest amount of force to gain access. It also depends on your intent to commit a crime inside. If I'm looking for you because I've found your toddler wandering around outside and I open an unlocked door to call out your name, it isn't a crime. I'm not sure what happens if I pick a locked door in that situation, getting pretty contrived now. But let's say I heard your kid crying inside that you'd abandoned, it wouldn't be a crime to pick the lock and rescue him/her.
No, I don't think this is at all correct. Going through a window is breaking and entering.
Those keys were those of an ex-employee. When you let a person go or they leave the company those credentials should have been changed.
They should have. He also should not have given out the password.

A failure to change the locks does not mean you have created an attractive nuisance to former employees.

Attractive nuisance is supposed to apply to children.

However, failure to collect keys gets into murky situations.

Can you be more specific about the murky situation we're talking about here? I moved offices from Oak Park back into Chicago a few months back. The landlord never collected the key. My old office was rented out (I can see from the window). Can I go look around inside it?
It's not that you have the right to go back. Rather, by failing to change the locks they might have some liability if you did go back.

If a lessor or landlord in Illinois does not change or rekey the unit's lock before the day the new tenant or lessee takes possession, and a THEFT occurs at that dwelling unit that is attributable to the lessor's failure to change or rekey the lock, the landlord is liable for any damages from the theft that occurs as a result of the lessor's failure to comply with the law. http://www.securitydepositlaw.com/blog/chicago-tenants-right...

No, that's actually not true of commercial leases in Chicago. It's true of residential leases because residential landlords have a whole bunch of very specific issues about key changes.

But stipulate that it was true. What bearing does that have on this case? If I go into that office and steal $5000 worth of computer equipment, am I not liable for felony grand theft because the landlord has civil liability to the tenant?