I watched with what admittedly was some bemusement last week as security researcher and Twitter-friend Mark Burnett released 10M passwords upon the unsuspecting public. It wasn’t the releasing of passwords themselves that sparked my interest (and, even then, they only appear against very generic usernames); rather, it was his concern about the possibility of the feds knocking on his door as they did with Barrett Brown. Mark went on to devote a big chunk of his blog post to explaining why he shouldn’t be arrested. Now that, I find intriguing.
Only last month, Barrett copped a five-year prison sentence and close to a million bucks in fines for “posting a link.” The reaction from the security community, media and free speech proponents has been a mix of outrage and a telling of cautionary tales to the rest of us: “You can go to jail for merely linking to a data breach,” they say. However, there’s a bit more to it than that.
Barrett had often been referred to as “The Spokesperson for Anonymous,” and while probably nobody but Barrett himself knows quite how embedded he was in the hacktivist movement or to what extent his actions fell into the shady side of things, clearly there was a strong association. The YouTube videos on Why I’m Going to Destroy FBI Agent Robert Smith probably didn’t do his credibility any favors, nor did his self-professed history of heroin addiction. Now, none of this is to say that his sentence was just, but let’s not get too carried away with thinking “you post a link and go directly to jail.”
There are many other similar precedents--a notable one being Andrew Auernheimer, or, as he’s more commonly known, “weev.” A few years back, weev found a vulnerability within AT&T that allowed him to enumerate through the identifiers of iPad SIM cards and retrieve the email addresses of the owners. He notified AT&T of the vulnerability, and, if you take the headlines at their word, was subsequently indicted for conspiracy for accessing a computer without authorization. Now, querying an API in the way it was designed to be queried (give it an ID, get back an email) is not what most reasonable people would class as “without authorization,” and some degree of outrage ensued.
However, in weev’s case, just to make sure it really was a risk, he checked about 114,000 IDs against the service--presumably, just in case the first 10K or so was a fluke. Then he sent it all to the media before notifying AT&T. There’s much more to weev’s history that has antagonized the law in a very confrontational way. (Just listen to his interview on the Risky Business podcast and you’ll get a sense of how much his legal issues were related to simply finding a vulnerability versus being a ... well, just have a listen.)
Without question, some of the penalties being handed down for these sorts of activities are entirely incommensurate with the crime. But, equally, there’s usually a lot more to the case than what hits the headlines. Assuming Mark isn’t a closet hacktivist who’s spent the last few years antagonizing the feds, his future still looks pretty rosy.
Troy Hunt
http://troyhunt.com
@troyhunt
Microsoft MVP - Developer Security
