

posted by hubie on Sunday March 17, @01:02AM
from the everything-is-fine dept.

https://arstechnica.com/tech-policy/2024/03/charges-against-journalist-tim-burke-are-a-hack-job/

Caitlin Vogus is the deputy director of advocacy at Freedom of the Press Foundation and a First Amendment lawyer. Jennifer Stisa Granick is the surveillance and cybersecurity counsel with the ACLU's Speech, Privacy, and Technology Project. The opinions in this piece do not necessarily reflect the views of Ars Technica.

Imagine a journalist finds a folder on a park bench, opens it, and sees a telephone number inside. She dials the number. A famous rapper answers and spews a racist rant. If no one gave her permission to open the folder and the rapper's telephone number was unlisted, should the reporter go to jail for publishing what she heard?

If that sounds ridiculous, it's because it is. And yet, add in a computer and the Internet, and that's basically what a newly unsealed federal indictment accuses Florida journalist Tim Burke of doing when he found and disseminated outtakes of Tucker Carlson's Fox News interview with Ye, the artist formerly known as Kanye West, going on the first of many antisemitic diatribes.
[...]
According to Burke, the video of Carlson's interview with Ye was streamed via a publicly available, unencrypted URL that anyone could access by typing the address into your browser. Those URLs were not listed in any search engine, but Burke says that a source pointed him to a website on the Internet Archive where a radio station had posted "demo credentials" that gave access to a page where the URLs were listed.

The credentials were for a webpage created by LiveU, a company that provides video streaming services to broadcasters. Using the demo username and password, Burke logged into the website, and, Burke's lawyer claims, the list of URLs for video streams automatically downloaded to his computer.

And that, the government says, is a crime. It charges Burke with violating the CFAA's prohibition on intentionally accessing a computer "without authorization" because he accessed the LiveU website and URLs without having been authorized by Fox or LiveU. In other words, because Burke didn't ask Fox or LiveU for permission to use the demo account or view the URLs, the indictment alleges, he acted without authorization.

[...] Using a published demo password to get a list of URLs, which anyone could have used a software program to guess and access, isn't that big of a deal. What was a big deal is that Burke's research embarrassed Fox News. But that's what journalists are supposed to do—uncover questionable practices of powerful entities.

Journalists need never ask corporations for permission to investigate or embarrass them, and the law shouldn't encourage or force them to. Just because someone doesn't like what a reporter does online doesn't mean that it's without authorization and that what he did is therefore a crime.

Still, this isn't the first time that prosecutors have abused computer hacking laws to go after journalists and others, like security researchers. Until a 2021 Supreme Court ruling, researchers and journalists worried that their good faith investigations of algorithmic discrimination could expose them to CFAA liability for exceeding sites' terms of service.
[...]
If journalists must seek permission to publish information they find online from the very people they're exposing, as the government's indictment of Burke suggests, it's a good bet that most information from the obscure but public corners of the Internet will never see the light of day. That would endanger both journalism and public access to important truths. The court reviewing Burke's case should dismiss the charges.

Related Stories on SoylentNews:
No NGO Has Been Allowed to See Julian Assange Since Four Years Ago - 20230410
Federal Court Says Scraping Court Records is Most Likely Protected by the First Amendment - 20230126
'The Government Killed Him': A Tribute to Activist and Programmer Aaron Swartz - 20230112
DOJ Announces It Won't Prosecute White Hat Security Researchers - 20220522
LinkedIn Can't Use Anti-Hacking Law to Block Web Scraping, Judges Rule - 20220420
Supreme Court Overturns Overbroad Interpretation of CFAA, Protecting Researchers and Users - 20210709
China, Coronavirus and Censorship - 20201231
Court: Violating a Site's Terms of Service Isn't Criminal Hacking - 20200401
Web Scraping Doesn't Violate Anti-Hacking Law, Appeals Court Rules - 20190910
The FBI Secretly Collected Data on Aaron Swartz Earlier Than We Thought—in a Case Involving Al Qaeda - 20181214
Court Says Scraping Websites and Creating Fake Profiles Can be Protected by the First Amendment - 20180404
Matthew Keys Leaves Jail but CFAA Reform Will have to Wait - 20180313
Ninth Circuit Doubles Down: Violating a Website's Terms of Service Is Not a Crime - 20180111
Man Gets Threats-Not Bug Bounty-After Finding DJI Customer Data in Public View - 20171121
UK Gov: Journalists Who Obtain Leaked Official Material Could be Sent to Prison Under New Proposals - 20170213
Protection of White-Hat Hackers is Slow in Coming - 20161105
Sharing Your Netflix Password Is Now a Federal Crime - 20160711
When can Password Sharing put you in Prison? - 20160707
ACLU Drags Feds to Court Challenging Hacking Laws - 20160701
14 Pulitzer Winners Call on the Justice Dept to End its Pursuit of James Risen - 20140814
The Aaron Swartz Documentary: Review - 20140808
US DOJ drops 11 of 12 charges against journalist - 20140405



Related Stories

US DOJ drops 11 of 12 charges against journalist 20 comments

The US DOJ has agreed to drop 11 of 12 charges against journalist Barrett Brown. He was indicted on many charges when he provided a hyperlink to data that was claimed to have been stolen, even though he was never accused of doing the stealing, or of being the first one to publish a hyperlink to the material.

An announcement of the dismissal:
https://pressfreedomfoundation.org/blog/2014/03/justice-dept-moves-drop-charges-against-journalist-barrett-brown-could-criminalize

The official court document regarding the dismissal:
https://www.eff.org/files/2014/03/05/barrett_brown_mtd.pdf

The original indictment:
http://freebarrettbrown.org/files/BB_indictment2.pdf

An analysis from last year:
https://www.eff.org/deeplinks/2013/07/indictment-barrett-brown-threatens-right-link-could-criminalize-routine-journalism

[In the AC's opinion] While this might seem like a victory for Free Speech and Freedom of the Press, the US DOJ still helped destroy a man's life, hold him for weeks without any charges or medical care, only to drop charges (11 of 12 so far) years later, and only after big wigs came to his defense and threatened to file an amicus brief on his behalf in defense of his civil rights. This seems in line with the usual bullying and intimidation tactics the American legal system regularly engages in, which routinely leads to the destruction of people's lives. Having just finished reading Homeland (http://craphound.com/homeland/) and reading the late Aaron Swartz's afterword, this news seems especially poignant.

[Editor's Note: While we encourage all contributors to comment we ask that they clearly separate the factual content of the summary from their own views and opinions. We would prefer this to take the form of a comment in the story's thread but it is also acceptable in the submission providing that it is clearly marked as such. (Please see: Submission Guidelines). Furthermore, I would usually make this remark in private to the submitter but, in this instance, it is an Anonymous Coward and I am unable to do so.]

The Aaron Swartz Documentary: Review 7 comments

Ken White over at Popehat has a review of the documentary film by Brian Knappenberger: "The Internet's Own Boy: The Story of Aaron Swartz".

One unique aspect of this review is the perspective of a practising criminal defence attorney, and former federal prosecutor, on the attitude of the justice system.

My fortunate clients are the most outraged at how they are treated by the criminal justice system, and most prone to seeing conspiracies and vendettas, because they are new to it they have not questioned the premise that the system's goal is justice. My clients who have lived difficult lives in hard neighborhoods don't see a conspiracy; they recognize incompetence and brutal indifference and injustice as features, not bugs. "Justice system" is a label, not a description.

White also notes the possible impact of depression in this case, referencing back to an article he wrote which challenges many of the common perceptions about the case.

14 Pulitzer Winners Call on the Justice Dept to End its Pursuit of James Risen 13 comments

The Freedom of the Press Foundation reports

Today, fourteen Pulitzer Prize winners have issued statements in support of journalist James Risen and in protest of the Justice Department's attempt to force Risen to testify against his sources. Risen has vowed to go to jail rather than give up his source, but the Justice Department has steadfastly refused to drop its pursuit. On Thursday, many of the major US press freedom organizations will hold a press conference in Washington DC and deliver a petition with over 100,000 signatures to the Justice Department, calling on them to do the same.

ACLU Drags Feds to Court Challenging Hacking Laws 19 comments

The Register published a story which lets us know that:

the US Computer Fraud and Abuse Act (CFAA) should be stricken for being unconstitutional.

The civil rights group said in a filing [PDF] to the Washington, DC, District Court that the CFAA prevents researchers and whistleblowers from carrying out their work and violates both the free speech and due process clauses in the First and Fifth Amendments.

The suit ... asks that the courts invalidate the law, which has been the basis for hacking and computer crime prosecutions since its enaction by Congress in 1986.

According to the ACLU, the CFAA illegally prevents researchers from doing their jobs by restricting activities to those approved by a product's terms of service (TOS). Because the Act counts violating a TOS as "unauthorized" access, the ACLU argues that companies are able to effectively write their own criminal laws with a TOS.

The article notes:

The ACLU is filing the suit on behalf of a group of researchers who wish to investigate whether the Fair Housing Act (FHA) is being violated by real estate sites that would provide different results for users based on their race or ethnicity.

The researchers claim that in order to test for discrimination, they would need to present as different individuals of varying races and compare the results. Because falsifying this information would violate a site's terms of service, however, the researchers say they would be in danger of criminal prosecution under the CFAA.

As a result, the suit alleges, the ability of researchers to uncover FHA violations in these services is being blocked by the law, and in the process has a "chilling" effect on free speech and due process.

It's about time!



When can Password Sharing put you in Prison? 11 comments

A current employee granted access to his work account to some former employees. Since the former employees were setting up a competing business and using the account to download the employer's confidential information it wound up in court.

The case went to appeal on the question of whether access authorized by the account holder and not authorized by the computer's owner is a violation of the CFAA. One issue the appellate judges kicked around was whether a "yes" answer would criminalize some routine and harmless activities. There's even another upcoming case with a similar issue, involving a firm that provided a service involving logging in to people's Facebook accounts on their behalf. Facebook didn't like that. A "no" answer of course risks accidentally legalizing any intrusion that has an insider as part of the conspiracy.

A lawyer's analysis is at https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/07/06/password-sharing-case-divides-ninth-circuit-in-nosal-ii/

The case numbers are 14-10037 and 14-10275 if you want to look them up in PACER. No, I won't lend you my password :-)



Sharing Your Netflix Password Is Now a Federal Crime 30 comments

Submitted via IRC for TheMightyBuzzard

On July 5th, the U.S. Ninth Circuit Court of Appeals issued an opinion which found, in part, that sharing passwords is a crime prosecutable under the Computer Fraud and Abuse Act (CFAA). The decision, according to a dissenting opinion on the case, makes millions of people who share passwords for services like Netflix and HBOGo into "unwitting federal criminals."

The decision came in the case of David Nosal, an employee at the executive search (or headhunter) firm Korn/Ferry International. Nosal left the firm in 2004 after being denied a promotion. Though he stayed on for a year as a contractor, he was simultaneously preparing to launch a competing search firm, along with several co-conspirators. Though all of their computer access was revoked, they continued to access a Korn/Ferry candidate database, known as Searcher, using the login credentials of Nosal's former assistant, who was still with the firm.

Nosal was eventually charged with conspiracy, theft of trade secrets and three counts under CFAA, and was sentenced to prison time, probation, and nearly $900,000 in restitution and fines.

Nosal's conviction under CFAA hinged on a clause that criminalizes anyone who "knowingly and with intent to defraud, accesses a protected computer without authorization". Though CFAA is often understood to be an anti-hacking law, that clause in particular has been applied to many cases that fall far short of actual systems tampering.

What about sharing your Kickass Torrents password?

Source: http://fortune.com/2016/07/10/sharing-netflix-password-crime/

takyon: Non-Fortune link: Ever Use Someone Else's Password? Go to Jail, says the Ninth Circuit



Protection of White-Hat Hackers is Slow in Coming 9 comments

In the cybersecurity world, the law doesn't always treat the good guys like good guys.

As Harley Geiger put it in a talk titled, "Fighting for Legal Protection for Security Researchers" at UNITED2016, the Rapid7 Security Summit, the vast majority of independent research into the security of consumer and commercial products, "doesn't seek to undermine IP (intellectual property) or safety of products. It helps us keep ahead of those who do seek to do harm."

Yet laws at both the federal and state level, "tend to undermine that," he said.

Geiger, director of public policy at Rapid7, cited laws like the Digital Millennium Copyright Act (DMCA) and Computer Fraud and Abuse Act (CFAA), which he said in crucial areas fail to allow for a distinction between researchers, who are simply trying to improve cybersecurity, and criminal hackers.

The story goes on to reference how the Librarian of Congress has allowed a temporary reprieve (as we covered in It's Finally Legal to Hack Your Own Devices (Even Your Car).) But, as much as that may improve things for the time being, it falls short of what is really needed for security professionals to examine and test systems.

So, how can a white hat work in a responsible way that is distinguishable from a black hat who, when caught, only claims he is a white hat?



UK Gov: Journalists Who Obtain Leaked Official Material Could be Sent to Prison Under New Proposals 29 comments

Campaigners have expressed outrage at new proposals that could lead to journalists being jailed for up to 14 years for obtaining leaked official documents. The major overhaul of the Official Secrets Act – to be replaced by an updated Espionage Act – would give courts the power to increase jail terms against journalists receiving official material. The new law, should it get approval, would see documents containing "sensitive information" about the economy fall foul of national security laws for the first time.

In theory a journalist leaked Brexit documents deemed harmful to the UK economy could be jailed as a consequence.

[...] John Cooper QC, a leading criminal and human rights barrister who has served on two law commission working parties, added: "These reforms would potentially undermine some of the most important principles of an open democracy."

[...] "It is shocking that so few organisations were consulted on these proposed changes given the huge implications for public interest journalism in this country," said Ms Ginsberg.

The Law Commission sought advice from media groups including Guardian Media as well as civil liberties groups including Liberty and Open Rights Group. Other groups consulted included the intelligence agencies MI5 and MI6 as well as several government departments and senior politicians and lawyers.

[...] The Law Commission recommendations state that there should be "no restriction on who can commit the offence," including hackers, politicians and journalists.

[...] A Law Commission spokesman said it was "both misleading and incorrect" to suggest journalists were at any greater risk under the planned law changes.

Source: The Telegraph



Man Gets Threats-Not Bug Bounty-After Finding DJI Customer Data in Public View 11 comments

A bug bounty hunter shared evidence; DJI called him a hacker and threatened with CFAA.

https://arstechnica.com/information-technology/2017/11/dji-left-private-keys-for-ssl-cloud-storage-in-public-view-and-exposed-customers/

DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, drivers licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.

Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."

-- submitted from IRC



Ninth Circuit Doubles Down: Violating a Website’s Terms of Service Is Not a Crime 46 comments

Submitted via IRC for FatPhil

Good news out of the Ninth Circuit: the federal court of appeals heeded EFF's advice and rejected an attempt by Oracle to hold a company criminally liable for accessing Oracle's website in a manner it didn't like. The court ruled back in 2012 that merely violating a website's terms of use is not a crime under the federal computer crime statute, the Computer Fraud and Abuse Act. But some companies, like Oracle, turned to state computer crime statutes—in this case, California and Nevada—to enforce their computer use preferences.

This decision shores up the good precedent from 2012 and makes clear—if it wasn't clear already—that violating a corporate computer use policy is not a crime.

Source: https://www.eff.org/deeplinks/2018/01/ninth-circuit-doubles-down-violating-websites-terms-service-not-crime



Matthew Keys Leaves Jail but CFAA Reform Will have to Wait 5 comments

Journalist Matthew Keys has been released from the Satellite Prison Camp Atwater, in Atwater, California, a few months early.

As Ars reported previously, Keys was accused and convicted of handing over a username and password for his former employer KTXL Fox 40's content management system (CMS) to members of Anonymous and instructing people there to "fuck some shit up." Ultimately, that December 2010 incident resulted in someone else using those credentials to alter a headline and sub-headline on a Los Angeles Times article. (Both Fox 40 and the Times are owned by the Tribune Media Company.) The changes lasted for 40 minutes before editors reversed them.

[...] While he had initially wanted to challenge the oft-maligned federal law under which he was convicted, the Computer Fraud and Abuse Act, Keys said his case was ultimately not the right one to bring such a challenge.

Keys and his legal team ultimately decided not to pursue an appeal to the Supreme Court after losing at the 9th US Circuit Court of Appeal in June 2017. Within the next few months he will begin supervised release and will be able to resume work.

From Ars Technica: Matthew Keys, now freed from prison, is ready to get back to journalism

and previously: Former Reuters Journalist Matthew Keys Found Guilty of Three Counts of Hacking [sic].



Court Says Scraping Websites and Creating Fake Profiles Can be Protected by the First Amendment 11 comments

Submitted via IRC for fyngyrz

It's no secret that the Computer Fraud and Abuse Act (CFAA) is a mess. Originally written by a confused and panicked Congress in the wake of the 1980s movie War Games, it was supposed to be an "anti-hacking" law, but was written so broadly that it has been used over and over again against any sort of "things that happen on a computer." It has been (not so jokingly) referred to as "the law that sticks," because when someone has done something "icky" using a computer, if no other law is found to be broken, someone can almost always find some weird way to interpret the CFAA to claim it's been violated. The two most problematic parts of the CFAA are the fact that it applies to "unauthorized access" or to "exceeding authorized access" on any "computer... which is used in or affecting interstate or foreign commerce or communications." In 1986 that may have seemed limited. But, today, that means any computer on the internet. Which means basically any computer.

[...] There is a case happening now, brought by some researchers and journalists, trying to get the CFAA declared unconstitutional for making scraping of the open internet a crime. On Friday, in a little-noticed, but highly-entertaining ruling [pdf], the district court let the case proceed, but also made some important points about the CFAA, making it clear that the law should be narrowly applied (which actually harms the "is this unconstitutional" question, since the more limited the law is, the less likely it's unconstitutional).

Source: https://www.techdirt.com/articles/20180401/22565539541/court-says-scraping-websites-creating-fake-profiles-can-be-protected-first-amendment.shtml



The FBI Secretly Collected Data on Aaron Swartz Earlier Than We Thought—in a Case Involving Al Qaeda 32 comments

Gizmodo:

Nearly two years before the U.S. government's first known inquiry into the activities of Reddit co-founder and famed digital activist Aaron Swartz, the FBI swept up his email data in a counterterrorism investigation that also ensnared students at an American university, according to a once-secret document first published by Gizmodo.

The email data belonging to Swartz, who was likely not the target of the counterterrorism investigation, was cataloged by the FBI and accessed more than a year later as it weighed potential charges against him for something wholly unrelated. The legal practice of storing data on Americans who are not suspected of crimes, so that it may be used against them later on, has long been denounced by civil liberties experts, who've called on courts and lawmakers to curtail the FBI's "radically" expansive search procedures.

The government does store information indefinitely that can be used against you later at a more convenient time.



Web Scraping Doesn't Violate Anti-Hacking Law, Appeals Court Rules 15 comments

Web Scraping Doesn't Violate Anti-Hacking Law, Appeals Court Rules:

Scraping a public website without the approval of the website's owner isn't a violation of the Computer Fraud and Abuse Act, an appeals court ruled (pdf) on Monday. The ruling comes in a legal battle that pits Microsoft-owned LinkedIn against a small data-analytics company called hiQ Labs.

HiQ scrapes data from the public profiles of LinkedIn users, then uses the data to help companies better understand their own workforces. After tolerating hiQ's scraping activities for several years, LinkedIn sent the company a cease-and-desist letter in 2017 demanding that hiQ stop harvesting data from LinkedIn profiles. Among other things, LinkedIn argued that hiQ was violating the Computer Fraud and Abuse Act, America's main anti-hacking law.

This posed an existential threat to hiQ because the LinkedIn website is hiQ's main source of data about clients' employees. So hiQ sued LinkedIn, seeking not only a declaration that its scraping activities were not hacking but also an order banning LinkedIn from interfering.

A trial court sided with hiQ in 2017. On Monday, the 9th Circuit Appeals Court agreed with the lower court, holding that the Computer Fraud and Abuse Act simply doesn't apply to information that's available to the general public.

"The CFAA was enacted to prevent intentional intrusion onto someone else's computer—specifically computer hacking," a three-judge panel wrote. The court notes that members debating the law repeatedly drew analogies to physical crimes like breaking and entering. In the 9th Circuit's view, this implies that the CFAA only applies to information or computer systems that were private to start with—something website owners typically signal with a password requirement.

Information wants to be free.



Court: Violating a Site's Terms of Service Isn't Criminal Hacking 14 comments

Court: Violating a site's terms of service isn't criminal hacking

A federal court in Washington, DC, has ruled that violating a website's terms of service isn't a crime under the Computer Fraud and Abuse Act[*], America's primary anti-hacking law. The lawsuit was initiated by a group of academics and journalists with the support of the American Civil Liberties Union.

[...] rather than addressing that constitutional issue, Judge John Bates ruled on Friday that the plaintiffs' proposed research wouldn't violate the CFAA's criminal provisions at all. Someone violates the CFAA when they bypass an access restriction like a password. But someone who logs into a website with a valid password doesn't become a hacker simply by doing something prohibited by a website's terms of service, the judge concluded.

"Criminalizing terms-of-service violations risks turning each website into its own criminal jurisdiction and each webmaster into his own legislature," Bates wrote.

[...] This isn't the first time a court has held that violating a website's terms of use is not a criminal hacking offense. In 2009, a California federal judge rejected a CFAA prosecution against Lori Drew, a woman who contributed to a MySpace hoax that led to the suicide of 13-year-old Megan Meier. Prosecutors had argued that Drew violated MySpace's terms of service.

In 2014, the Ninth Circuit Court of Appeals—which includes California—rejected another CFAA prosecution based on a terms-of-service violation. In that case, an employee had used a valid password to access confidential information, which the employee then used in ways that violated the employer's policies.

A 2015 ruling by the Second Circuit Court of Appeals interpreted the CFAA in a similar way. It overturned the conviction of a cop who had used a police database to look up information about women he knew personally. While his creepy behavior violated police department policies, the court held, that didn't make it a violation of the anti-hacking law.

"The government's construction of the statute would expand its scope far beyond computer hacking to criminalize any unauthorized use of information obtained from a computer," the appeals court concluded.

China, Coronavirus and Censorship 88 comments

China clamps down in hidden hunt for coronavirus origins


MOJIANG, China (AP) — Deep in the lush mountain valleys of southern China lies the entrance to a mine shaft that once harbored bats with the closest known relative of the COVID-19 virus.

The area is of intense scientific interest because it may hold clues to the origins of the coronavirus that has killed more than 1.7 million people worldwide. Yet for scientists and journalists, it has become a black hole of no information because of political sensitivity and secrecy.

A bat research team visiting recently managed to take samples but had them confiscated, two people familiar with the matter said. Specialists in coronaviruses have been ordered not to speak to the press. And a team of Associated Press journalists was tailed by plainclothes police in multiple cars who blocked access to roads and sites in late November.

More than a year since the first known person was infected with the coronavirus, an AP investigation shows the Chinese government is strictly controlling all research into its origins, clamping down on some while actively promoting fringe theories that it could have come from outside China.

"Picking Quarrels & Provoking Trouble" - China Slams Journalist With 4 Years in Jail Over COVID Reporting

"Picking Quarrels & Provoking Trouble" - China Slams Journalist With 4 Years In Jail Over COVID Reporting:

At the beginning of the pandemic, the Communist Party filled the airwaves with positive headlines about how well it was mitigating the virus' spread. The Chinese government also went on a censoring spree, removing online content posted by journalists or citizen-journalist who reported firsthand accounts of the public health crisis unfolding in Wuhan, China, the epicenter of COVID-19. The government even went to the extent of detaining people who reported on the crisis, alleging they were spreading lies.

Citizen journalist Zhang Zhan is the first known person to be handed a four-year jail term for her reporting in Wuhan.

Zhan provided firsthand accounts of overcrowded hospitals and empty streets that challenged the government's official narrative.

She was convicted on Monday at the Shanghai Pudong New Area People's Court for "picking quarrels and provoking trouble," according to Reuters.

The verdict is a warning to all journalists in the country that the communist government is coming after those who exposed their shortcomings during the initial months of the virus outbreak. More importantly, Zhan's case shows the government has a zero-tolerance policy for critics.

"You have not converted a man because you have silenced him."
-- John Morley, 1st Viscount Morley of Blackburn.



Supreme Court Overturns Overbroad Interpretation of CFAA, Protecting Researchers and Users 30 comments

Supreme Court Overturns Overbroad Interpretation of CFAA, Protecting Security Researchers and Everyday Users:

EFF has long fought to reform vague, dangerous computer crime laws like the CFAA. We're gratified that the Supreme Court today acknowledged that overbroad application of the CFAA risks turning nearly any user of the Internet into a criminal based on arbitrary terms of service. We remember the tragic and unjust results of the CFAA's misuse, such as the death of Aaron Swartz, and we will continue to fight to ensure that computer crime laws no longer chill security research, journalism, and other novel and interoperable uses of technology that ultimately benefit all of us.

[...] Today's win is an important victory for users everywhere. The Court rightly held that exceeding authorized access under the CFAA does not encompass "violations of circumstance-based access restrictions on employers' computers." Thus, "an individual 'exceeds authorized access' when he accesses a computer with authorization but then obtains information located in particular areas of the computer— such as files, folders, or databases—that are off limits to him."

Read our detailed analysis of the decision here.



LinkedIn Can't Use Anti-Hacking Law to Block Web Scraping, Judges Rule 11 comments

https://arstechnica.com/tech-policy/2022/04/linkedin-cant-use-anti-hacking-law-to-block-web-scraping-judges-rule/

In a case involving LinkedIn, a federal appeals court reaffirmed Monday that web scraping likely doesn't violate the Computer Fraud and Abuse Act (CFAA).

The ruling by the US Court of Appeals for the Ninth Circuit drew a distinction between data that is password-protected and data that is publicly available. That means hiQ Labs—a data analytics company that uses automated technology to scrape information from public LinkedIn profiles—can continue accessing LinkedIn data, a three-judge panel at the appeals court ruled:



DOJ Announces It Won’t Prosecute White Hat Security Researchers 15 comments

DOJ Announces It Won't Prosecute White Hat Security Researchers:

On Thursday the Department of Justice announced a policy shift in that it will no longer prosecute good-faith security research that would have violated the country's federal hacking law, the Computer Fraud and Abuse Act (CFAA).

The move is significant in that the CFAA has often posed a threat to security researchers who may probe or hack systems in an effort to identify vulnerabilities so they can be fixed. The revision of the policy means that such research should not face charges.

"Computer security research is a key driver of improved cybersecurity," Deputy Attorney General Lisa O. Monaco said in a statement published with the announcement. "The department has never been interested in prosecuting good-faith computer security research as a crime, and today's announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good."

[...] For decades experts have criticized the broad nature of the CFAA. The Electronic Frontier Foundation, an activist organization, previously said that "Security research is important to keep all computer users safe. If we do not know about security vulnerabilities, we cannot fix them, and we cannot make better computer systems in the future. The CFAA should protect white-hat hackers and give them incentives to continue their important work."

Andrew Crocker, a senior staff attorney on the EFF's civil liberties team, told Motherboard in a statement, "We're pleased to see the Department of Justice recognize the contribution that security research plays in strengthening the security of the entire Internet, everything from messaging and social media applications to financial systems to critical infrastructure. Too often, the specter of the CFAA—with its ill-defined focus on 'unauthorized access'—deters researchers from discovering and disclosing vulnerabilities in these systems."

He said that the new policy does not go far enough. "By exempting research conducted 'solely' in 'good faith,' the policy calls into question work that serves both security goals and other motives, such as a researcher's desire to be compensated or recognized for their contribution. As an agency policy, it does not bind courts and can be rescinded at any time such as by a future administration. And it does nothing to lessen the risk of frivolous or overbroad CFAA civil litigation against security researchers, journalists, and innovators. The policy is a good start, but it is no substitute for comprehensive CFAA reform."

The announcement provided an example of the sort of 'research' that would be considered bad faith and could still face charges. "Discovering vulnerabilities in devices in order to extort their owners, even if claimed as 'research,' is not in good faith," it reads.



‘The Government Killed Him’: A Tribute to Activist and Programmer Aaron Swartz 2 comments

The ScheerPost is running a tribute to the late Aaron Swartz ten years after his untimely death on 11 January 2013.

Jan. 11, 2023 marks the tenth anniversary of the death of Aaron Swartz. Swartz had a prolific career as a computer programmer: At the age of 12 he created The Info Network, a user-generated encyclopedia widely credited as a precursor to Wikipedia. Swartz's later work would transform the internet as we know it. He helped co-found Reddit, developed the RSS web feed format, and helped lay the technical foundations of Creative Commons, "a global nonprofit organization that enables sharing and reuse of creativity and knowledge through the provision of free legal tools." In 2011, Swartz was arrested and indicted on federal charges after downloading a large number of academic articles from the website JSTOR through the MIT network. A year later, prosecutors added an additional nine felony counts against Swartz, ultimately threatening him with a million dollars in fines and up to 35 years in prison. Swartz was found dead in his Brooklyn apartment from suicide on Jan. 11, 2013. TRNN Editor-in-Chief Maximillian Alvarez speaks with the co-hosts of the Srsly Wrong podcast, Shawn Vulliez and Aaron Moritz, about the life and legacy of Aaron Swartz. 

Viewers can learn more about Swartz by watching the documentary The Internet's Own Boy, and reading his "Guerilla Open Access Manifesto." 

Previously:
(2021) Supreme Court Overturns Overbroad Interpretation of CFAA, Protecting Researchers and Users
(2021) Supreme Court Reins in Definition of Crime Under Controversial Hacking Law
(2018) The FBI Secretly Collected Data on Aaron Swartz Earlier Than We Thought—in a Case Involving Al Qaeda
(2014) The Aaron Swartz Documentary: Review



Federal Court Says Scraping Court Records is Most Likely Protected by the First Amendment 18 comments

Federal Court Says Scraping Court Records Is Most Likely Protected By The First Amendment:

Automated web scraping can be problematic. Just look at Clearview, which has leveraged open access to public websites to create a facial recognition program it now sells to government agencies. But web scraping can also be quite useful for people who don't have the power or funding government agencies and their private contractors have access to.

The problem is the Computer Fraud and Abuse Act (CFAA). The act was written to give the government a way to go after malicious hackers. But instead of being used to prosecute malicious hackers, the government (and private companies allowed to file CFAA lawsuits) has gone after security researchers, academics, public interest groups, and anyone else who accesses systems in ways their creators haven't anticipated.

Fortunately, things have been changing in recent years. In May of last year, the DOJ changed its prosecution policies, stating that it would not go after researchers and others who engaged in "good faith" efforts to notify others of data breaches or otherwise provide useful services to internet users. Web scraping wasn't specifically addressed in this policy change, but the alteration suggested the DOJ was no longer willing to waste resources punishing people for being useful.

Web scraping is more than a CFAA issue. It's also a constitutional issue. None other than Clearview claimed it had a First Amendment right to gather pictures, data, and other info from websites with its automated scraping.

Clearview may have a point. A few courts have found scraping of publicly available data to be something protected by the First Amendment, rather than a violation of the CFAA.

No NGO Has Been Allowed to See Julian Assange Since Four Years Ago 12 comments

Democracy Now has a brief interview with a representative from Reporters Without Borders (RSF) on their latest attempt to meet Julian Assange inside Belmarsh high-security prison in the UK. Despite being granted approval, the RSF secretary-general and executive director Christophe Deloire and the others with him were denied entry. No other non-governmental agency has been able to meet with Assange in the last four years either.

CHRISTOPHE DELOIRE: So, what happened is that in the past years we requested to be able to visit Julian in his jail. We got an approval recently, which was confirmed on March 21st with a number, an official number, for myself and my colleague, Rebecca Vincent, and we were invited to come to the prison.

And when we just arrived, the guy at the desk, when he saw my passport, he suddenly was very stressed, and that taking a paper on his office — on his desk, and that read it, saying, "According to Article" — I do not remember the number of the article, but according to this article, "you are not allowed to visit Julian Assange. This is a decision that has been made by the governor of the Belmarsh prison, based on intelligence that we had" — I quote him — "that you are journalists."

And it doesn't make sense at all, first, because, personally, I've been a journalist since 1996, and we were vetted, so it was never a mystery that I was a journalist, never a secret. Second, my colleague wasn't a journalist herself. And we came here not as journalists, but as representatives of an international NGO with a constitutive status in many international organizations. So it was really as Reporters Without Borders representatives, not as reporters covering the case. So, it doesn't make sense for this second reason. And there is a third reason for which it doesn't make sense, is that already two journalists, at least, have been able to visit him in jail in the past four years. So —

Previously:
(2022) Biden Faces Growing Pressure to Drop Charges Against Julian Assange
(2022) Assange Lawyers Sue CIA for Spying on Them
(2022) Julian Assange's Extradition to the US Approved by UK Home Secretary
(2021) Key Witness in Assange Case Jailed in Iceland After Admitting to Lies and Ongoing Crime Spree
(2019) Top Assange Defense Account Suspended By Twitter
(2019) Wikileaks Co-Founder Julian Assange Arrested at the Ecuadorian Embassy in London
(2015) French Justice Minister Says Snowden and Assange Could Be Offered Asylum

And many more.



This discussion was created by hubie (1068) for logged-in users only, but now has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1, Interesting) by Anonymous Coward on Sunday March 17, @01:38AM

    by Anonymous Coward on Sunday March 17, @01:38AM (#1349146)

    As of last year, Carlson no longer works for Fox, so if it came to a counter suit against him, I wonder if Fox would pay the legal bills now?

  • (Score: 4, Insightful) by JoeMerchant on Sunday March 17, @01:55AM (15 children)

    by JoeMerchant (3937) on Sunday March 17, @01:55AM (#1349155)

    Can a website be likened to a private residence, or is it more of a public store?

    >And that, the government says, is a crime. It charges Burke with violating the CFAA's prohibition on intentionally accessing a computer "without authorization" because he accessed the LiveU website and URLs without having been authorized by Fox or LiveU. In other words, because Burke didn't ask Fox or LiveU for permission to use the demo account or view the URLs, the indictment alleges, he acted without authorization.

    So, if you walk up to a private home, twist the unlocked doorknob and walk in, I believe most people (and jurisdictions) would consider that unacceptable trespass...

    However, if you are in a commercial area and you do the same on an unmarked door - that doesn't feel like trespass to me... due to the setting, the owner of the door should reasonably expect passers by to attempt to enter (exceptions for doors with signage forbidding entry, etc...)

    But, in this great land, anybody can sue anyone for anything, and if you're good at venue shopping you can make just about any flimsy argument stick well enough to at least harass your victim all the way to appeals court.

    --
    🌻🌻 [google.com]
    • (Score: 5, Insightful) by ChrisMaple on Sunday March 17, @02:27AM (3 children)

      by ChrisMaple (6964) on Sunday March 17, @02:27AM (#1349160)

      This isn't just a case of "anybody can sue anyone for anything"; this is the government bureaucracy (and in all likelihood its leadership) abusing its power to persecute its opponents. We're slipping deeper into tyranny every day.

      • (Score: 2) by JoeMerchant on Sunday March 17, @02:40PM (2 children)

        by JoeMerchant (3937) on Sunday March 17, @02:40PM (#1349205)

        >This isn't just a case of "anybody can sue anyone for anything"

        Oh, but it is. In this case "anybody" is the government... like directed IRS audits from Nixon and Hoover, but using the courts - which is at least a little less obscure about who "has it in" for the defendant.

        >abusing its power to persecute its opponents

        Like the other thread about TheRUMP using executive order to attempt to shut down Tik Tok shortly after it was used to prank one of his political rallies? Seems to be in fashion lately, and lots of people are still voting for it. Maybe this is the government they really want?

        Transparency is Always the Answer: get the message out there in terms people can understand, with proof they may dismiss in open debate but ultimately lie awake at night wondering... there are choices in the ballot box, and the choices you make do affect the future.

        --
        🌻🌻 [google.com]
        • (Score: 1) by khallow on Sunday March 17, @10:02PM (1 child)

          by khallow (3766) Subscriber Badge on Sunday March 17, @10:02PM (#1349234) Journal

          Oh, but it is. In this case "anybody" is the government... like directed IRS audits from Nixon and Hoover, but using the courts - which is at least a little less obscure about who "has it in" for the defendant.

          "Anybody" can sue. Only government can prosecute someone for criminal charges. Here, Timothy Burke faces 14 criminal charges. A bunch of his property (computer equipment) has already been seized. And interesting enough, the only penalty mentioned in the indictment is handing over the seized property allegedly used in the crimes to the US government. I wonder if Burke was investigating something inconvenient and this seizure is an attempt to hinder that investigation.

          Like the other thread about TheRUMP using executive order to attempt to shut down Tik Tok shortly after it was used to prank one of his political rallies? Seems to be in fashion lately, and lots of people are still voting for it. Maybe this is the government they really want?

          Might be more similar than even you were thinking.

          • (Score: 2) by JoeMerchant on Sunday March 17, @10:24PM

            by JoeMerchant (3937) on Sunday March 17, @10:24PM (#1349242)

            >Might be more similar than even you were thinking.

            I'm not thinking that Red vs Blue politicians are -10 vs +10 on any particular scale.

            Right now, I'd assess our apparent choices in November as being -12 vs -7 for things I care about, overall.

            --
            🌻🌻 [google.com]
    • (Score: 2) by looorg on Sunday March 17, @10:10AM (4 children)

      by looorg (578) on Sunday March 17, @10:10AM (#1349186)

      According to Burke, the video of Carlson's interview with Ye was streamed via a publicly available, unencrypted URL that anyone could access by typing the address into your browser. Those URLs were not listed in any search engine, but Burke says that a source pointed him to a website on the Internet Archive where a radio station had posted "demo credentials" that gave access to a page where the URLs were listed.

      Which one was it? Publicly available or not? From the description of things that doesn't sound like it's publicly available. So it's unlisted and required credentials to login to see and listen to them. Doesn't sound like publicly available to me. When did we start to encrypt the URL

      "unencrypted URL"? Should the URL be encrypted now too? When did we start to do that? Or just the connection. I doubt they have any idea if the connection was encrypted or not. Does that even matter? It was probably over HTTPS so in that regard it was encrypted.

      The credentials were for a webpage created by LiveU, a company that provides video streaming services to broadcasters.

      Doesn't sound like that was publicly available. Burke isn't a broadcaster in that sense. Those demo login credentials weren't for anyone to use. While not personal it was not for the public or for him. If he had asked LiveU for login credentials I doubt they would have shared them with him.

      So if I try and login to every system in the world using the default, or common, credentials that is ok? If I use some credentials I just found someplace ... ok?

      Burke logged into the website, and, Burke's lawyer claims, the list of URLs for video streams automatically downloaded to his computer.

      What good fortune that it just happened to automatically download all the things he was looking for and without any interaction on his part ...

      To go with their weird analogy -- if I leave my key under the doormat is that an invitation to everyone that come inside my home? Or if you have a combination-pad-lock on something and you have infinite guesses for the 3-4 digit combination is that open to the public? What if I put a note next to the lock that says 1234?

      What if I find a folder on a park bench and on the front page there are a few double rimmed red borders and it says TOP SECRET and some § references. Public information? After all it's just there, the security is really bad since I can just open it. Let's have a good read and then share it with everyone I can find ...

      • (Score: 2) by JoeMerchant on Sunday March 17, @01:04PM (2 children)

        by JoeMerchant (3937) on Sunday March 17, @01:04PM (#1349199)

        >should the URL be encrypted now too?

        So, in the Harry Potter imaginverse: if this "URL" requires you to stumble into a corner of Diagon Alley to find the door, but the door is unlocked when you get there (no protection spells, just turn the knob like a muggle and enter), then there's an "expectation of privacy" for the viewing of items behind that unlocked door?

        >if I try and login to every system in the world using the default, or common, credentials that is ok? If I use some credentials I just found someplace ... ok?

        Back on our stranger world case: the address is not broadly advertised, but there's a "secure" (if you can call it that) website which will give you the address if you know the password, such password which was handed around like the password to speakeasies were back in Prohibition. If, instead of being given the password by someone who maybe shouldn't have given it to him, he had obtained the password off a bathroom wall under "Jenny's secret code" of 867-5309... does that change the legal status? He is a journalist, after all, he is expected to follow up leads. It's not like he went "wardialing" looking for a Jenny, a potential source gave him a lead and he walked the path to follow it up. If that source turns out to have been working for the prosecution and this turns out to be a crime, I believe the crime is called entrapment. He didn't employ "burglar tools" to get that URL, if anything he was given a key - both the URL of the "sign in to get the URL" site and the mishandled password to gain access to the second URL.

        >It was probably over HTTPS so in that regard it was encrypted.

        But HTTPS is not an "access protecting" encryption. When a (common state of secure practices) server expects you to be authorized, you are given a (usually limited time) access token which your browser "invisibly" adds in the GET request outside the URL. HTTPS secures the connection against eavesdropping (by hackers), the access token is what releases the content to you. If I understand the mechanisms correctly... the URL travels "in the clear" but the other content of the GET request is protected by HTTPS security, otherwise an eavesdropper could copy the contents of your GET request and re-issue it from another endpoint, possibly spoofing your IP address in the process, but that's a little deeper than I've ever gotten into the process.

        What I do know is: there are some (exceptionally lame) websites which do grant access like: https://secure.videos.com:443/for/eyes/only/123.mp4?user=demo&pass=secret [videos.com]

        that form of "security" is exceptionally lame in part because the browser history will record the username and password along with the URL, and you can easily "share the link" with your credentials in it.

        >if I leave my key under the doormat is that an invitation to everyone that come inside my home?

        I believe that removes the "breaking" from the "breaking and entering" when someone does use that key to come inside your home. But, my central question: is a website more like a home, or a business? There is a distinct legal difference.

        >Or if you have a combination-pad-lock on something

        Like our sailboat. Again, the boat is a legally defined private space. Tradition is to request the captain's permission to come aboard, even before reaching the padlock. Our 4 digit combination padlock would require about 5 seconds per try if you're going at it hard, so an average time of 25,000 seconds to brute force it, maybe up to 50,000, or 7 to 14 hours. The expectation is that someone standing at our hatch banging away at the lock like that for 7 hours stands as good of a chance, or better, of being noticed "breaking" the lock as someone carrying bolt-cutters onboard.

        >What if I put a note next to the lock that says 1234?

        Well, Grandma, that'll keep the squirrels out, and most of the raccoons. It is a virtual invitation to the neighbor kids to come in and empty your candy jar while you're away at Bingo, and I don't think the cops will be taking them to juvie over it even if you do have Ring footage of them doing the deed. See: entrapment.

        >some § references. Public information?

        When I see "§ references" I think of Florida's "Online Sunshine" website where our laws are openly published, such as: http://www.leg.state.fl.us/statutes/index.cfm?App_mode=Display_Statute&URL=0200-0299/0287/0287.html [state.fl.us]

        Looking there now, I don't see the § symbol, I thought they used to use it... in any event, if the "Top Secret" red bordered folder contains a pointer-link to an obscure law on the public books, no, I don't believe viewing and reporting on that law is in any way illegal.

        --
        🌻🌻 [google.com]
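
An added example, not part of the comment above or of any site's code: a Python check that finds credentials carried in URLs, like the `?user=demo&pass=secret` link quoted in the thread, in web server access logs and redacts them. The log lines and the list of sensitive parameter names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed list of query parameter names that carry secrets; extend per application.
SENSITIVE_PARAMS = {
    "pass", "password", "passwd", "pwd", "token", "access_token",
    "api_key", "apikey", "secret", "sig", "signature",
}

# Request line, status, size and Referer of a combined-format access log entry.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Mar/2024:01:55:00 +0000] '
    '"GET /for/eyes/only/123.mp4?user=demo&pass=secret HTTP/1.1" 200 1048576 '
    '"-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Mar/2024:01:55:09 +0000] '
    '"GET /static/player.js HTTP/1.1" 200 5120 '
    '"https://secure.videos.com:443/for/eyes/only/123.mp4?user=demo&pass=secret" '
    '"Mozilla/5.0"',
    '198.51.100.4 - - [17/Mar/2024:01:56:30 +0000] '
    '"GET /for/eyes/only/123.mp4 HTTP/1.1" 401 512 "-" "curl/8.0"',
]


def audit_url(url):
    """Return (redacted_url, findings) for a full URL or a path?query target."""
    parts = urlsplit(url)
    findings = []
    netloc = parts.netloc

    # Credentials in the userinfo component: https://user:password@host/
    if parts.password:
        findings.append("userinfo-password")
        userinfo, _, hostport = parts.netloc.rpartition("@")
        user = userinfo.split(":", 1)[0]
        netloc = f"{user}:REDACTED@{hostport}"

    # Credentials in the query string: ?user=demo&pass=secret
    redacted_pairs = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS and value:
            findings.append(f"query:{key}")
            redacted_pairs.append((key, "REDACTED"))
        else:
            redacted_pairs.append((key, value))

    redacted = urlunsplit(
        (parts.scheme, netloc, parts.path, urlencode(redacted_pairs), parts.fragment)
    )
    return redacted, findings


def scan_log(lines):
    """Return (line_no, field, findings, redacted_value) for each leaking field."""
    report = []
    for line_no, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue
        # The secret can sit in the request itself or arrive via the Referer header.
        for field in ("target", "referer"):
            value = match.group(field)
            if value in ("", "-"):
                continue
            redacted, findings = audit_url(value)
            if findings:
                report.append((line_no, field, findings, redacted))
    return report


if __name__ == "__main__":
    for line_no, field, findings, redacted in scan_log(SAMPLE_LOG):
        print(f"line {line_no} [{field}] {', '.join(findings)} -> {redacted}")
```

Anything this flags is a secret that has already been written to disk in plain text; the usual remedy is to rotate it and have the application accept credentials only in an `Authorization` header, a cookie or a POST body.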
        • (Score: 2) by looorg on Sunday March 17, @03:33PM (1 child)

          by looorg (578) on Sunday March 17, @03:33PM (#1349213)

          >should the URL be encrypted now too?

          So, in the Harry Potter imaginverse: if this "URL" requires you to stumble into a corner of Diagon Alley to find the door, but the door is unlocked when you get there (no protection spells, just turn the knob like a muggle and enter), then there's an "expectation of privacy" for the viewing of items behind that unlocked door?

          Isn't it tho? The door is closed, it's not a matter of it being locked or not. Some privacy should be inferred here. As noted you should not be running around trying every door to see if they are locked or not if you do not belong there. Being unlocked is not an invitation to enter.

          That said what I was more interested in was the ENCRYPTION of the URL. Has that ever been a thing? Like https://soylenentnews.org [soylenentnews.org] would be https://wdkln236n236125h123jk6.jkn [wdkln236n236125h123jk6.jkn] (so this would be protocol:// the S is the secure/encryption part, then the URL; the login credentials are not even part of the url, at least in this case) or whatever form of encryption or cipher is now being utilized to encrypt the url. The connection, or traffic, as noted is another thing. But when did they start handing out, or use, encrypted URL:s?

          >It was probably over HTTPS so in that regard it was encrypted.

          But HTTPS is not an "access protecting" encryption.

          Exactly. They claimed that the URL wasn't encrypted. So now it was apparently open to everyone and a free for all. You usually don't even enter passwords and logins in hashed or encrypted format. That would just be weird. Which is, as far as I know or can think of, not even a thing. The only thing encrypted is mostly the connection. Which doesn't really matter in this particular case. Unless you want to use Wireshark or some other kind of traffic "listening" tool.

          What I do know is: there are some (exceptionally lame) websites which do grant access like: https://secure.videos.com:443/for/eyes/only/123.mp4?user=demo&pass=secret [videos.com]

          Yes. But a lame lock is still a lock. Otherwise thieves or professional lockpickers could claim all the locks are lame and they should have free access to everything. Clearly in the case mentioned here they are not too concerned about the credentials, they are not really even tied to a specific person. But there is a login, so perhaps in some kind of way you are using someone else's, or at least not yours, credentials to gain access.

          • (Score: 2) by JoeMerchant on Sunday March 17, @05:10PM

            by JoeMerchant (3937) on Sunday March 17, @05:10PM (#1349220)

            I see two distinct questions:

            My first one from above: is a website subject to U.S. style "Castle doctrine" wherein you expect personal safety therein and legal protection from home invaders? I believe, since you and your family / house mates do not sleep inside a website (unless you're Jenni [wikipedia.org]), the underlying reasons for "Castle doctrine" protections do not apply.

            My second question is: just because the open "door" or URL address was obtained via a "protected" website, does that make the open door or URL now subject to "hacking" protections? Along those lines: when the open URL was accessed, was there even as much as a click-through notice along the lines of "the following content is not for public distribution or viewing, if you have reached this website without the express permission of the owners please click here to leave now before viewing..." If not, I would say that the URL is analogous to a door in a public place standing wide open, all you have to do is walk through as anyone would to enter...

            Otherwise, every link you take might be listed on a "locked" website somewhere and your accessing of that URL might be construed as "hacking" because you have bypassed the "protection" on the URL.

            There are no perfect real-world analogies, but the above are pretty close. Construing an open website as "protected" because the address hasn't been widely distributed feels a step too far in an already over-reaching landscape of "hacking protection" laws.

            --
            🌻🌻 [google.com]
      • (Score: 5, Interesting) by Spook brat on Sunday March 17, @01:40PM

        by Spook brat (775) on Sunday March 17, @01:40PM (#1349200) Journal

        Let's see if I can remember the canonical answers to your questions about legality of various scenarios.
        #include std_disclaimer_IANAL

        if I leave my key under the doormat is that an invitation to everyone that come inside my home?

        No.

        Or if you have a combination-pad-lock on something and you have infinite guesses for the 3-4 digit combination is that open to the public?

        Also no.

        What if I put a note next to the lock that says 1234?

        Still no.

        If I recall correctly, current US legal precedent is that an uninvited visitor can be charged for forced entry if they find the door standing ajar and push it the rest of the way open. Having a key in your possession does not matter if you were not given the key by the homeowner or a legally authorized agent of the homeowner. Similarly, finding a key that someone dropped or fabricating a key from a publicly-available photograph of its bitting does not grant authorized entry to the home.

        What if I find a folder on a park bench and on the front page there are a few double rimmed red borders and it says TOP SECRET and some § references. Public information? After all it's just there, the security is really bad since I can just open it. Let's have a good read and then share it with everyone I can find ...

        Actually, kinda yes. There are two answers, depending on what legal status you fall under.

        1. If you have been granted a security clearance and made specific oaths to the U.S. Government to protect its secrets then you have a responsibility to secure and protect the TS-marked folder, even if you personally don't have sufficient clearance to read it. Your oath makes you subject to the Espionage act, and you can be prosecuted under it.
        2. If you're a run-of-the-mill civilian you have no obligation to respect the markings or even report finding it. The U.S. Government may decide to make your life miserable (there are other things besides criminal prosecution they can do), but reading it and posting it to War Thunder forums won't result in prosecution for spying. Perhaps not your smartest course of action but not illegal per se. Journalists in particular tend to get quite broad leeway when publishing such things that fall in their laps, the courts recognize strong protections for both the publisher, the journalist, and the source alike. The journalist may be jailed for contempt if they don't reveal their source, but they won't be charged with espionage, at least not in the United States.

        Back on topic, the rules are a bit different for websites, so the analogy falls apart. Web sites are not covered by Castle Doctrine, no one physically lives there to be threatened by unauthorized entry. If I recall correctly, the CFAA was written prior to "the web" being a thing, and was intended to be used to prosecute people who gained unauthorized access (e.g. user account/console login) to mainframes and the like. I don't know that it has been properly updated to account for services like HTTP which happily hand out documents to anyone who makes a properly formatted request. The lawyers in this case are certainly acting like it's grey area, so we'll see where the courts take it. The lawfare.com [lawfaremedia.org] link in the article summary gives a pretty good rundown of the state of current precedent on CFAA and how it applies to web URL scraping, so I won't rehash that here.

        And remember: I am not a lawyer, I am not YOUR lawyer, this is not legal advice, don't try this at home, if your name is Julian Assange I am very sorry on behalf of my fellow Americans for the treatment you've received, etc.

        --
        Travel the galaxy! Meet fascinating life forms... And kill them [schlockmercenary.com]
    • (Score: 2) by theluggage on Sunday March 17, @02:30PM (3 children)

      by theluggage (1797) on Sunday March 17, @02:30PM (#1349203)

      However, if you are in a commercial area and you do the same on an unmarked door - that doesn't feel like trespass to me... due to the setting, the owner of the door should reasonably expect passers by to attempt to enter (exceptions for doors with signage forbidding entry, etc...)

      Perhaps it is different wherever you live, but on my local high street there are plenty of appointment-only offices and private flats with doors leading on to the street, and reasonable people are generally expected to spot the difference between those and "public" shop doors (lack of obviously connected shop windows, open/closed signs, list of opening hours...) - not to mention all of the back doors into shops which you could just walk around to but aren't intended to be public.

      However, that's all a bit irrelevant since all of the shops, offices and private homes share one thing in common: they are not full of things which the public are free to just take or use, even if the door is open. Even shops rather expect people to take things to the checkout and pay, first. Even if an owner has left a door unlocked or failed to put up a "Private" sign that doesn't give anybody the legal or moral right to walk in and fill their boots. Their negligence might void their insurance, it might make it harder to get a conviction, but it doesn't make it OK. There are courts, and sometimes juries, who get to decide whether they buy the "the door was open and I thought the stuff was free" defence.

      Anyway, that's really an analogy for "guessing" a deep-link URL and maybe getting a directory listing of things that weren't intended to be published. In this case, it looks like the website needed a login, and it seems to be more of a case of "a bloke down the pub told me the lock combination and said it was OK to go in" - methinks the court will have to go over the evidence in detail to decide how much digging you can do to find a password and still claim it was "published".

      The other thing is that we'd all be justifiably concerned if the police, government or large corporations used these sort of tactics (essentially, unwarranted searches justified by "the door was unlocked" analogies) to search our digital stuff for "contraband" - and even if this led to them catching bona fide evil people, the question of whether the end justified the means - and the potential for future injustices - would arise. So, should journalists have the right to do the sort of things that "the authorities" aren't supposed to do without due process? A journalist may not be able to send you to jail - but they can certainly fuck up your life, career and family and lead "the authorities" to your door. In the social media age pretty much anybody on Facetokxogram can appoint themselves as a "journalist" - one person's journalism is another person's doxxing. "Who watches the watchmen" is a paradox - the answer is not "I do" (unless you're Dr Manhattan :-) ).

      • (Score: 0) by Anonymous Coward on Sunday March 17, @11:08PM (2 children)

        by Anonymous Coward on Sunday March 17, @11:08PM (#1349246)

        You've fallen into the trap of equating copying with stealing.

        He did not take anything. He requested information from a server, and the server responded. It's not shoplifting. It's more like reading the instructions and ingredients on a packet of cake mix, and then going home and cooking the same cake using your own ingredients. The store has lost nothing.

        • (Score: 2) by theluggage on Monday March 18, @12:12PM (1 child)

          by theluggage (1797) on Monday March 18, @12:12PM (#1349313)

          I didn't use the words "stealing" or "theft" - and copying a work without the author/creator/copyright holder's permission is illegal in most jurisdictions. The issue is trying to spin "negligently left the file accessible" into "gave permission to copy it".

          I fully agree that copyright violation is not equivalent to theft in terms of the damage caused, and that trying to enforce copyright against (say) someone making a mixtape for their friend is absurd (whatever the law says) - but that doesn't mean that copyright violation is OK (I don't, for example, think that large, organised online repositories of pirated material are defensible) and can't cause damages beyond some notional "loss of sales". Someone copying and disseminating unreleased material that contained errors or arguably offensive material which would have been removed before publication (although I doubt that anybody has much sympathy for FOX or Ye in principle, the same defence logic could be used in more sympathetic cases).

          And, yes, there may be a valid debate over whether a list of instructions like a cake recipe (or errno.h!) should be copyrightable - even if you go beyond baking your own cake and "disseminate" (see TFA) the recipe - but a video clip certainly is.

          • (Score: 0) by Anonymous Coward on Tuesday March 19, @01:47PM

            by Anonymous Coward on Tuesday March 19, @01:47PM (#1349492)

            they are not full of things which the public are free to just take or use, even if the door is open

            I didn't say you used the word stealing. I said you were equating the concepts.
            You did use the word "take", which implies illicit removal. He did not "take" anything. He may have made a copy of some information that the server freely supplied to him.

    • (Score: 1) by suxen on Tuesday March 19, @02:11PM (1 child)

      by suxen (3225) on Tuesday March 19, @02:11PM (#1349494)

      I'd say this is not so much an unlocked door and more like finding the keys hidden in the flower pot

      • (Score: 2) by JoeMerchant on Tuesday March 19, @04:50PM

        by JoeMerchant (3937) on Tuesday March 19, @04:50PM (#1349518)

        Well, the more accurate analogy is also more surreal...

        What the URL (of the video site) actually is is a doorway standing wide open, no door to close, no keys to find, it's just one of billions of open doorways standing there waiting for your browser to teleport you inside. Typing the address into the address bar is like walking down the street to get there. Clicking a link is like taking a free and instant Uber, and you're in.

        The proprietor's only attempt at privacy has been to not widely advertise the address as anything interesting, so it's a plain vanilla doorway like billions of others out there.

        Failure to advertise doesn't seem like any kind of attempt at security, to me. Not even as much as installing a door that can be pulled shut. Certainly not as much as installing a lock, locking it, then hiding the key in a flowerpot.

        The URL that required a username/password to obtain those video URLs, that might be more analogous to a locking door - well, at least a keypad lock, with a code: 5678 that gets passed around to a large group of people.

        A secret is something you tell one other person. Once that person blabs to the press, it's not really secret anymore, is it?

        --
        🌻🌻 [google.com]
  • (Score: 2) by Mojibake Tengu on Sunday March 17, @02:39AM (10 children)

    by Mojibake Tengu (8598) on Sunday March 17, @02:39AM (#1349162) Journal

    It's a shame what passes as hacking these days...

    Well, another subtle question: if what West proclaimed to Carlson was actually a truth, does it matter it was labeled anti-semitic?
    What acceptable legal method shall we use to evaluate such speech labels?

    And yes, I understand the link to LiveU was actually a switchbait by DoJ. Burke no smarter than stupid fish in a pond.

    --
    Rust programming language offends both my Intelligence and my Spirit.
    • (Score: 3, Funny) by Anonymous Coward on Sunday March 17, @03:28AM

      by Anonymous Coward on Sunday March 17, @03:28AM (#1349165)

      > It's a shame what passes as hacking these days...

      I agree, perhaps you could share a memorable hack or two?

      Here's one of mine: As a student I was involved in some that stayed on-campus (a relatively safe sandbox). For example moving an 1800 pound (~800kg) ship anchor off its concrete base, intending it for a Valentine's Day gift to one of the deans (who we didn't like). About 10 people and no winches or other lifting machinery, just cleverness. We got caught and had to put it back...

    • (Score: 3, Informative) by crafoo on Sunday March 17, @04:23AM (8 children)

      by crafoo (6639) on Sunday March 17, @04:23AM (#1349169)

      The ADL has a definition for you and you should probably read it as they are providing input to many state legislators. many states already have laws making anti-semitism illegal so you should probably be aware of what that is.

      • (Score: 2, Flamebait) by khallow on Sunday March 17, @04:51AM (7 children)

        by khallow (3766) Subscriber Badge on Sunday March 17, @04:51AM (#1349170) Journal

        Mojibake Tengu is eastern European. I haven't been paying enough attention to guess where though he has dropped hints at least. I figure as long as he doesn't publicly adhere to the German Nazi flavor of anti-Semitism then he's good. As to US states making the belief illegal? It won't pass the First Amendment. They can make anti-Semitism (and usually similar racism) an aggravating factor, unfortunately, making sentences somewhat more severe.
        • (Score: 2) by Mojibake Tengu on Sunday March 17, @09:03AM

          by Mojibake Tengu (8598) on Sunday March 17, @09:03AM (#1349180) Journal

          Let me formulate my racist position straight: if I put a Nazi German next to a Talmudist Jew, I cannot determine which one of the two is worse Evil.

          What I despise in any context is declaring a truth illegal, for whatever reason.

          --
          Rust programming language offends both my Intelligence and my Spirit.
        • (Score: 2) by crafoo on Sunday March 17, @09:36AM (5 children)

          by crafoo (6639) on Sunday March 17, @09:36AM (#1349183)

          correct, I misspoke. as of now it's a 'hate crime' and elevates the sentencing. I think it's law in about 25-27 states or so, the last time I checked on it.

          here's a story about their working definition: https://www.jta.org/2021/01/15/global/the-ihra-definition-of-anti-semitism-and-why-people-are-fighting-over-it-explained [jta.org]

          It seems the IHRA definition is what is being used, not ADL's although I think ADL may be using the same thing.

          • (Score: 4, Insightful) by crafoo on Sunday March 17, @09:39AM (4 children)

            by crafoo (6639) on Sunday March 17, @09:39AM (#1349184)

            just to clarify, I don't think it's particularly productive to be an asshole to others. my issue is the wording seems to say that criticizing the state of Israel is a hate crime. I think it's important that we are able to talk openly about geopolitics if we expect to run a successful nation.

            • (Score: 2) by gnuman on Sunday March 17, @04:00PM (1 child)

              by gnuman (5013) on Sunday March 17, @04:00PM (#1349215)

              criticizing the state of Israel is a hate crime.

              which is exactly what extremists in Israel love and approve! How do you make sure that everyone toes the line, internationally? You have to swing the atomic weapon of calling anyone out as "anti-semite" if they don't agree with you! Make sure that everyone toes the line or at least cowers in fear of "anti-semite" label.

              https://www.bbc.com/news/world-latin-america-68332821 [bbc.com]

              People like Netanyahu is one of the worst extremists, and like I said 20 years ago, this guy's policies will destroy Israel. Heck, before this "war", Netanyahu was sending bags of money to Hamas. Qatar wanted to cut off Hamas, but Israel sent Mossad chief to persuade Qataris to keep sending the money... but enemy(hamas)-of-my-enemy(PA) is a friend? right? Knee-cap PA and prop up Hamas to make sure that he can say "no one to negotiate with?!" was Netanyahu's strategy.

              https://www.businessinsider.com/israel-security-forces-escorted-suitcases-cash-hamas-qatar-report-2023-12?op=1 [businessinsider.com]

              Anyway ... offtopic so I'll stop now...

              • (Score: 2) by crafoo on Sunday March 17, @10:17PM

                by crafoo (6639) on Sunday March 17, @10:17PM (#1349238)

                Bibi Netanyahu is an interesting character. and the whole Likud political party over there. Ironically Biden has been far harder on Israel and Bibi than Trump ever would be. We even recently stopped the free USA AR-15 giveaways to Israeli settlers in the West Bank. also Biden is using threats of sanctions of the ultra-orthodox over there to pressure Bibi with the possible breakup of his coalition, which would force an election, which Netanyahu would 100% lose. biden needs those young pro-palestine voters in the USA this year. the world is a real mess. I'm not at all convinced democracy is all that useful or stable.

            • (Score: 2) by Beryllium Sphere (r) on Sunday March 17, @09:00PM (1 child)

              by Beryllium Sphere (r) (5062) on Sunday March 17, @09:00PM (#1349231)

              Judge for yourselves. Quite a few statements that weren't about Netanyahu policies.

              https://www.vice.com/en/article/3ad77y/kanye-west-tucker-carlson-leaked-footage-antisemitism-fake-children [vice.com]

              • (Score: 0) by Anonymous Coward on Sunday March 17, @11:21PM

                by Anonymous Coward on Sunday March 17, @11:21PM (#1349247)

                Ok, that says that he "called the singer Lizzo 'clinically unhealthy' for her weight".

                https://duckduckgo.com/?q=the+singer+Lizzo&iar=images [duckduckgo.com]

                Maybe the rest of what he said was just as accurate?

  • (Score: 3, Interesting) by gnuman on Sunday March 17, @03:29PM

    by gnuman (5013) on Sunday March 17, @03:29PM (#1349212)

    Reading the summary,

    1. You get account permission to some "sekrit" bookmark page
    2. The bookmarks are basically,

        * browser does GET request for the thing
        * site now responds with either the data if *** AUTHORIZED *** or responds with 401 **UNAUTHORIZED**

    There is plenty of precedent that this is just a hack of a case, not a hacking case. When you get data from public S3 bucket -- is that authorized or not? If you just do a GET, it's authorized. When companies lose all types of customer info because they can't be bothered securing their S3 buckets, that's not exactly hacking cases here -- it's negligent practice.

    The case should be thrown out of court. Anything else basically just leads to blatant entrapment, like,

        1. put some shit online
        2. google indexes it
        3. get everyone that accesses it prosecuted for fetching it without authorization?
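
The 200-or-401 behaviour described in the comment above, as an added example that is not part of any commenter's post: a small WSGI service where the listing page requires a login but the stream URLs may or may not, plus a self-audit an operator can run against their own app to find resources that answer an unauthenticated GET. The paths, the `demo` credentials and the `protect_streams` switch are constructed placeholders, not values from the case.

```python
import base64
import hmac
from wsgiref.util import setup_testing_defaults

# Constructed sample data (placeholders, not values from the case).
USERS = {"demo": "demo-password"}
STREAMS = {"/streams/feed-a": b"video bytes A", "/streams/feed-b": b"video bytes B"}


def authenticated(environ):
    """True if the request carries valid HTTP Basic credentials."""
    header = environ.get("HTTP_AUTHORIZATION", "")
    if not header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


def make_app(protect_streams):
    """WSGI app: /index always needs a login; streams only if protect_streams."""
    def app(environ, start_response):
        path = environ["PATH_INFO"]
        needs_auth = path == "/index" or (protect_streams and path in STREAMS)
        if needs_auth and not authenticated(environ):
            start_response("401 Unauthorized",
                           [("WWW-Authenticate", 'Basic realm="demo"')])
            return [b""]
        if path == "/index":
            start_response("200 OK", [("Content-Type", "text/plain")])
            return ["\n".join(sorted(STREAMS)).encode()]
        if path in STREAMS:
            start_response("200 OK", [("Content-Type", "application/octet-stream")])
            return [STREAMS[path]]
        start_response("404 Not Found", [])
        return [b""]
    return app


def get(app, path, credentials=None):
    """Issue an in-process GET (no network) and return the numeric status."""
    environ = {}
    setup_testing_defaults(environ)  # fills in REQUEST_METHOD=GET etc.
    environ["PATH_INFO"] = path
    if credentials:
        token = base64.b64encode(":".join(credentials).encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return int(seen[0].split()[0])


def audit(app):
    """Return the paths that answer 200 to a GET carrying no credentials."""
    return [p for p in ["/index", *sorted(STREAMS)] if get(app, p) == 200]


if __name__ == "__main__":
    print("login on listing only:", audit(make_app(protect_streams=False)))
    print("login on every resource:", audit(make_app(protect_streams=True)))
```

With the login on the listing page only, the audit reports both stream paths; with the check applied per resource, it reports none.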

  • (Score: 2) by DadaDoofy on Sunday March 17, @07:10PM (5 children)

    by DadaDoofy (23827) on Sunday March 17, @07:10PM (#1349224)

    What a tangled web was woven to try and justify this.

    Just because a site is "publicly accessible" does not mean the public is authorized to access it. The fact that it was protected by a user ID and password, by definition, requires a user to be granted credentials to access it. You can say it was a "demo" account. You can say you received the credentials from "a source", but when that source is not the owner of the data or someone authorized by the owner to grant access to it, that's a textbook case of unauthorized access.

    • (Score: 1) by khallow on Sunday March 17, @10:07PM (1 child)

      by khallow (3766) Subscriber Badge on Sunday March 17, @10:07PM (#1349235) Journal

      or someone authorized by the owner to grant access to it

      Depends on how authorization was handled. Knowledge of a password is a common authorization though.

      • (Score: 2) by DadaDoofy on Monday March 18, @05:42PM

        by DadaDoofy (23827) on Monday March 18, @05:42PM (#1349365)

        Simply having knowledge of an id/password does not authorize one to use it.

    • (Score: 2) by deimtee on Sunday March 17, @11:27PM (2 children)

      by deimtee (3272) on Sunday March 17, @11:27PM (#1349248) Journal

      Reread the summary. The data was not secured by a password. The list of links on another site was.

      According to Burke, the video of Carlson's interview with Ye was streamed via a publicly available, unencrypted URL that anyone could access by typing the address into your browser. Those URLs were not listed in any search engine, but Burke says that a source pointed him to a website on the Internet Archive where a radio station had posted "demo credentials" that gave access to a page where the URLs were listed.

      Just because a site is "publicly accessible" does not mean the public is authorized to access it.

      What does it mean then?

      --
      If you cough while drinking cheap red wine it really cleans out your sinuses.
      • (Score: 2) by theluggage on Monday March 18, @12:36PM (1 child)

        by theluggage (1797) on Monday March 18, @12:36PM (#1349317)

        What does it mean then?

        Like your banking details would be "publicly accessible" if you left a bank statement open on your coffee table and forgot that two years ago you put a spare key to your front door under a flower pot so that the cleaner can get in. Huge negligence on your part (& good luck with the insurance claim), but that doesn't give someone the right to let themselves in, read your confidential documents and post them on social media.

        In this case that the public can access the files if they jump through a lot of implausible hoops like guessing a "deep link" URL and/or digging around on the Internet Archive (i.e. it was no longer being actively published) for an old demo* password - not that the public were being invited to access it.

        * Which are typically provided with a list of terms of use, as if the word "demo" wasn't enough clue.

        • (Score: 3, Insightful) by deimtee on Monday March 18, @01:53PM

          by deimtee (3272) on Monday March 18, @01:53PM (#1349325) Journal

          A website is not a home. It is more like a noticeboard on the outside of the fence around your property. Anyone walking past can read it. If you only want some people to read it, you put a cover over it and give them a key.
          Security by obscurity is like putting the notice down in the bottom corner and hoping no-one notices. Some other site pointed out "hey, there's some funny bits over here on the noticeboard at co-ordinates xxx.yyy.com/ye".
          He went and had a look. He didn't break any locks, or hack through the cover, he just looked where they weren't expecting anyone to look.

          --
          If you cough while drinking cheap red wine it really cleans out your sinuses.