Hey, Judge Stephen Reinhardt...
Can I share your bank card and PIN? Maybe it will help you learn how "harmless" this practice is.
A man who used his colleagues' passwords to swipe confidential information from his employer has failed to overturn his computer hacking conviction. In a 2-1 decision [PDF] today, the California 9th Circuit Court of Appeals agreed with a lower court's judgment that David Nosal broke the Computer Fraud and Abuse Act (CFAA). In …
The practice is actually stupid; sharing passwords with coworkers, family and friends is dim enough. The CFAA may be correct because most corporate policies I have seen do not allow workers to share their login credentials, so he was an unauthorized user by definition.
Usually, sharing passwords is a firing offense. If a user shares the password with a company support person, it's normally mandatory that they change the password when the session is over. But I think those days of techs getting the passwords are long gone in most places.
Where I worked last, the user had to do the logins, etc. A PITA many times when setting up a laptop in the shop, as they had to be called in to log in frequently. Before this policy, we had a couple of techs fired for using the password during testing to go "snoop".
I know of at least one "enterprise level" software supplier who can only give one login ID for their support portal.
Try managing that in an organisation spread across 6 sites.
They (surprisingly, *not* a US outfit) "can't see what's wrong with it?". Clearly their in-house software is far shitter than the CMS system they are flogging (which *does* allow multiple IDs to access content).
> I know of at least one "enterprise level" software supplier who can only give one login ID for their support portal.
That's different. If it's a role login, then the intention is that it is shared by authorized users.
This article was about a *personal* login, tied to an individual, which had been revoked - so they circumvented it by using other people's logins.
er, not on my watch ....
One person = one login.
Anything else is just storing up trouble when you have to dig through records of logins from 6 months ago, and have to tell the police "well, it could have been any one of ten people".
Sharing logins is a Bad Idea, in *any* language.
Agreed. Am getting a bit fed up of being asked to look through logs to see who did what (when no-one owns up), only to find it was a service account that many people use. More annoying is that it's something that we inherited from our parent company and are unable to change. Though elsewhere I do frequently manage to lock things down more than they have been due to security/compliance/audit reasons.
That's probably the only time I'm thankful for the increased regulations nowadays, as I'm a paranoid sys admin who is convinced that there's always a small subset of users who will try and subvert whatever you've implemented as they can't be bothered to type their password or type a few extra characters.
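The attribution problem the two posts above describe (a service account used by many people, so a log entry names an account rather than a person) can at least be surfaced from the logs. The following is an added example, not code from the thread or from any of the posters. It assumes a constructed key=value login/logout log format with the field names `user`, `src` and `event`, and flags accounts whose sessions overlap in time while coming from different source hosts, which is the usual tell of a shared credential.

```python
"""Flag accounts that look shared: sessions for the same account that
overlap in time but come from different source hosts.

Added example for the thread; the log format and field names are
assumptions, not any product's real log schema."""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real logs). Assumed format: an ISO
# timestamp followed by key=value pairs. svc_reports is logged in from
# two hosts at once; alice logs in twice, sequentially, from one host.
SAMPLE_LOG = """\
2016-07-05T09:00:00Z event=login user=svc_reports src=10.0.1.15
2016-07-05T09:05:00Z event=login user=svc_reports src=10.0.2.40
2016-07-05T09:07:00Z event=login user=alice src=10.0.1.15
2016-07-05T09:30:00Z event=logout user=svc_reports src=10.0.1.15
2016-07-05T09:45:00Z event=logout user=alice src=10.0.1.15
2016-07-05T10:00:00Z event=login user=alice src=10.0.1.15
2016-07-05T10:10:00Z event=logout user=svc_reports src=10.0.2.40
2016-07-05T10:20:00Z event=logout user=alice src=10.0.1.15
"""


def parse_line(line):
    """Split one assumed-format line into a dict with a parsed 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def build_sessions(log_text):
    """Pair each login with the next logout for the same (user, src).

    Returns {user: [(start, end, src), ...]}.  A login with no matching
    logout is kept as an open session with end=None."""
    open_sessions = {}
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["user"], rec["src"])
        if rec["event"] == "login":
            open_sessions[key] = rec["ts"]
        elif rec["event"] == "logout" and key in open_sessions:
            start = open_sessions.pop(key)
            sessions[rec["user"]].append((start, rec["ts"], rec["src"]))
    for (user, src), start in open_sessions.items():
        sessions[user].append((start, None, src))
    return dict(sessions)


def shared_account_hits(log_text):
    """Return {user: set(source hosts)} for every account that had two
    sessions active at the same moment from different sources."""
    hits = {}
    for user, sess in build_sessions(log_text).items():
        sess = sorted(sess, key=lambda s: s[0])
        for i, (s1, e1, src1) in enumerate(sess):
            for s2, e2, src2 in sess[i + 1:]:
                if src1 == src2:
                    continue  # same host re-logging in is not sharing
                # Sessions are sorted by start, so they overlap exactly
                # when the later one starts before the earlier one ends
                # (an open session, end=None, is still active).
                if e1 is None or s2 < e1:
                    hits.setdefault(user, set()).update({src1, src2})
    return hits


if __name__ == "__main__":
    for user, srcs in shared_account_hits(SAMPLE_LOG).items():
        print(f"{user}: concurrent sessions from {sorted(srcs)}")
```

This tells you that an account is being shared and from where, which is enough to start the conversation with the parent company; it still does not tell you which person sat at which host, so it is evidence for a policy argument, not attribution. It also misses sharing that happens behind a NAT or a jump host, where every session carries the same source address, and it treats a missing logout as a session that never ended, so a noisy log with dropped logout events will over-report.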
@LosD - "I'm going to go with the dissenter here: As soon as it was willingly shared, it is "just" theft of confidential information."
It was NOT willingly shared by the organisation who owned the information and the computers that were infiltrated. In fact, it was specifically *against* their wishes as they had rules prohibiting the practice. That the employees were willing to share their logins does not constitute consent by the data owner.
It was still unauthorised entry, regardless of how easy the employees (accomplices?) made it.
I can see what the Judge is getting at as to how this could set a precedent. On one hand, the password-sharing was done for nefarious reasons, and that needs to be punished. On the other, it could have drastic repercussions for non-nefarious sharing...
We (most of us on here) are but Human, and when it comes to being pressured by overbearing boss, spouse, moody teenagers, etc., quite a few of us will eventually buckle under the relentless onslaught. When/If we do share, we are likely to be on the hook for anything they get up to, like when you share an Internet connection with others for instance. Thankfully there are still a few sensible Judges out there - https://torrentfreak.com/judge-dismisses-movie-piracy-case-ip-address-doesnt-prove-anything-160627/
Some people do/will share personal passwords no matter what the consequences. Full disclosure: I have shared a personal password, and probably will be stupid enough to do it again at some point.
You can never be absolute when it comes to Justice, that's why Judges are given leeway in their sentencing, but the Precedent situation still scares the crud out of me - so much potential for misuse! At least one Judge seems cognisant of the down-side.
As the saying is, circumstances alter cases. If the sharing was contrary to the business's explicit rules then that's one circumstance. In the case of the overbearing boss that would be another - it would be quite reasonable to convict the boss and not the employee.
Judge Stephen Reinhardt is a technological idiot. Accounts and privileges provided to employees to access systems aren't owned by the employee, they are owned by the company. If an employee provides the keys to a building over to someone else and this person gains access with malicious intent, he will be prosecuted for trespassing among other things. So, why would turning over a password, as well as using another's password be any different?
An employee isn't given permission to give access to an employer's assets (in this case, enterprise network) to another person.
I'm sure if Judge Reinhardt's maid gave a copy of his house key to a friend, or even allowed the friend complete access to his property by opening the front door... he'd be rather upset.
The 9th Circuit is infamous for its far left-sided decisions and often doesn't read the intent of the legislative law as written. Reinhardt only looked at the possibility of something which is out of the scope for this act, as well as attempting to change the law by adding a possibility. Something judges aren't supposed to do, but have started to do so with alarming frequency.
The right decision here, but some caution required as the CFAA is still ripe for abuse. For example, have you ever copied contact information from Linked-In? You have technically violated the CFAA (at least if you are unfortunate enough to be in the US) because the LI terms of service say you cannot copy their data. See
https://www.aclu.org/cases/sandvig-v-lynch-challenge-cfaa-prohibition-uncovering-racial-discrimination-online