Thursday, July 7, 2016

No, sharing a password isn't "hacking"

Using someone's password to access someone's computer is:

  One of the nation’s most powerful appeals courts ruled Wednesday that sharing passwords can be a violation of the Computer Fraud and Abuse Act, a catch-all “hacking” law that has been widely used to prosecute behavior that bears no resemblance to hacking.

  In this particular instance, the conviction of David Nosal, a former employee of Korn/Ferry International research firm, was upheld by the Ninth Circuit Court of Appeals, who said that Nosal’s use of a former coworker’s password to access one of the firm’s databases was an “unauthorized” use of a computer system under the CFAA.

Notice that the journalist changes the topic between the first and second paragraphs:

  • "... sharing passwords can be a violation ..."
  • "... use of a former coworker's password to access one of the firm's databases ..."

These things are different, and should be treated differently.  At the end of the day, the law exists to discourage people from acting like dicks.  This guy did exactly that.  While I am not a lawyer, the Court seems exactly right here.


2 comments:

Archer said...

Notice that the journalist changes the topic between the first and second paragraphs

Conflating the two distinct actions is generally what happens when the person doing the reporting has zero knowledge -- let alone expertise -- of the topic on which they're reporting. They don't see the difference ... or they're creating a false dichotomy out of whole cloth.

Neither of those should happen if the reporter knows what they are talking about (assuming he/she is interested in actual reporting, as opposed to promoting an agenda).

FrankC said...

Sloppy IT management there. If the former co-worker had access to the database by his login and password then his account should have been scrubbed as soon as he left. If the database had a single password for access by any user then that is plain stupid.