[betterunix]

Yes, because organizations that use simple password-based authentication to secure important things (bank accounts, private messages, etc.) should be held responsible for the outcomes of such attacks. In such a world the state of computer security would not be so pitiful.

[twoodfin]

You and sneak seem to be proposing a legal regime under which no "hacking" of any kind is illegal. If the system will perform action B given request A, issuing request A, no matter the intent, cannot be a crime?

If I'm missing an important distinction you'd make, I'd very much like to hear what it is.

[betterunix]

I would prefer if the system punished people for what they did with their access to data, not simply for having that access; organizations that hold private or sensitive information should be punished if unauthorized people can access it by any means. Having email addresses or credit card numbers should not be the crime, regardless of how you obtained that information. Committing credit card fraud or selling credit card information to other unauthorized people should be crimes (or failing to secure your computer where you store said information).

So Weev should not be punished for downloading the email addresses. AT&T should be punished for making the list available to him (and likewise, if Weev made the list available to others, he should be punished for that).

[twoodfin]

Apologies for crossing threads, but aren't you pretty upset that the NSA simply has Verizon phone records, despite a lack of evidence they're planning on doing anything nefarious with them?

Anyway, as I understand it, weev did speculate about selling the information. And would you be so sanguine if this were health records or private photographs? I'm not seeing a plausible guiding principle here.

[betterunix]

We hold the government to a different standard. I am free to forbid atheists from entering my home, and nobody can complain about it beyond calling me an asshole. The government cannot ban atheists from its buildings. Many people have pointed out that the NSA was collecting information that privacy industry already had -- yet we are still angry about the NSA having it.

I also draw a line between what makes me upset and what should be a crime. I do not think that everything that makes me upset should be illegal. Frankly, while I would be angry at Weev if he downloaded hospital records, I would be much more angry at the hospital that failed to secure those records. I believe that the law should draw the line at how the information is secured and how it is used, not how it is obtained.

[xyandnoz]

@betterunix-- seriously? It's OK with you if they get your private data, no matter how they acquire it? Spoken like someone who has never had exposure of private data used as a THREAT... something weev is known for. If someone uses illegal means to obtain your private data, they can exploit/weaponize that acquisition without having to then use the private data to commit a different crime. (different from the crime -- usually fraud -- in how they obtained it).

Weev has taught many of us that acquiring your private data is enough to make you wonder when, exactly, he will decide to use it. Or in my case, to publish it and encourage the whole WORLD to use it. And don't get me started on medical records... If you honestly believe that acquiring private data shouldn't be illegal until it is used in a crime, you have obviously never been threatened with exposure from someone who did just that. (but again, I don't think this applies to the AT&T case) -- Kathy Sierra

[betterunix]

Blackmail and harassment are both crimes, you know. If someone is threatening to expose your private data, it makes no difference how they acquired it -- it is a crime regardless of whether or not they were authorized to have it.

The problem with charging hackers for having information they are not supposed to have is that it takes the responsibility to keep data secure away from those who are entrusted with it. Take medical records as an example. Yes, we want them to be kept private, but that should be the responsibility of hospitals, doctors, etc. If some hacker downloads those files, the hospital should be punished for their failure to keep the files secure. If we want to believe that hackers are magicians and that any Internet-connected system can be compromised, don't connect systems with medical records to the Internet.

What is wrong with making it the responsibility of anyone who has private information to keep that information private? If a hacker downloads a hospital's records, I think it is fair to expect that hacker to keep those records private, and to prosecute the hacker if they are revealed to anyone for any reason (even if the hacker is himself a victim of another hacker).

People should not have to be afraid to run a web crawler out of their own house. Yes, a web crawler is going to find private information that was not properly secured. That should not make the person running the crawler a criminal.

[Zigurd]

Hacking as a crime is almost entirely an economic crime. So it is pretty easy to distinguish hacking that deserves to be a felony from hacking that, at worst, should be a low-grade misdemeanor, by requiring actual profit for the criminal or actual loss from loss of data or exploitation of data acquired by hacking (not what it costs to fix incompetent security).

[walid]

WRONG!

"Brute force" is literally an attack. However what AT&T did was only use the equivalent of usernames just like http://www.mailinator.com/ does.

[betterunix]

We know how to stop brute force attacks; we have known for years how to stop them. I see brute force attacks on my SSH servers all the time, and I ignore them. I am comfortable ignoring brute force attacks because I do not allow password authentication at all. The attacker would have to try to guess one of the users' secret keys -- and that is beyond just a long shot.

So why have we not deployed this "amazing" technology, or similar technology, everywhere? A lack of incentive. If a hacker successfully carries out a brute force attack, the company running the systems does not suffer at all; they just pass it off as "some dark wizard hacker pwned us, sorry!" Nobody is spending the money to deploy smartcards far and wide because nobody has any reason to. It is less expensive to pay the pittance required to clean up after a hack than to stop hacks in the first place. If banks had no legal recourse when some script kiddie hacked a customer account, they would be far more likely to give customers smartcards and use more secure authentication mechanisms.

To put it another way, making a brute-force attack a crime is placing responsibility for securing the system on the people who want to attack it. It should be obvious why that makes no sense.