Those “Worst Password” Lists Could Be Felonies Under Department of Justice Proposal
As opposed to just criminally stupid.
A proposed alteration to the Computer Fraud and Abuse Act (CFAA) from the Department of Justice would turn the dissemination of any password or similar information that could be used to compromise a protected computer into a crime, including those horrendous “worst password” lists. This may sound like a stupid move for cybersecurity, but on the bright side, at least something would finally be stupider than those passwords.
In the interest of clamping down on the flow of exploit information, the DOJ wants to change the CFAA’s password-trafficking provision so that intent to defraud is no longer an element of the offense: “with intent to defraud” becomes “willfully.” Under the new proposal, spreading such information around would be a crime even if you’re trying to help companies fix software or help people choose passwords that aren’t pointless.
Here’s the pertinent passage from their proposal. The original marked deletions with strikethrough and additions in bold; since that formatting does not survive here, deleted text is shown as [-deleted-] and added text as {+added+}:
(6) knowingly and [-with intent to defraud-] {+willfully+} traffics (as defined in section 1029) in any password or similar information{+, or any other means of access, knowing or having reason to know that a protected computer would be accessed or damaged without authorization in a manner prohibited by this section as the result of such trafficking;+}[-, if—
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;-]
Of course, it shouldn’t come as a huge surprise that this kind of thing is on the table when prosecutors in hacking cases admit that they don’t even understand what the defendant did, but it’s still disheartening. We wouldn’t even get as far as worrying about jail time for sharing “worst passwords” lists like the one everyone posted yesterday, because those lists are compiled from password data taken from compromised systems, and sharing that data in the first place would already be a crime. Someone would get arrested long before the data got compiled for use in witty blog posts.
At best, it looks like this would tie the hands of white hat hackers who make noise about security flaws in order to get them fixed in a timely manner and protect people. Take, for example, the way Google has been pointing out bugs in Microsoft’s operating system. To be fair, Microsoft, along with other tech companies, takes issue with the practice of public disclosure of bugs and would prefer that Google not tell the public even after the deadline in its current 90-day “fix it or we’ll tell everyone” policy has passed.
Still, it’s more than likely that hackers ready and willing to do damage with information on security holes aren’t worried about what’s legal or about getting caught, though the well-intentioned ones might balk at the minimum 3-year, maximum 10-year federal prison sentence mandated in the new proposal. Disclosing security flaws to keep the public aware of threats that more malicious entities may already know about anyway shouldn’t be criminalized.