In France the judge doesn't have any discretion on damages. The defendant is liable for all damages as a result of his action. Even if these amount to $1 billion.
Maybe not the time for semantics, but curious where people's line in the sand is with regards to calling logging in with the correct admin credentials as 'hacking'.
It's unauthorised access, TFA says that he "obtained login credentials - without ever having been given them - and accessed the records without authorisation".
The phrase "hacking" doesn't quite sit right with me either but I guess it's close enough to the truth in this case. I'll personally give them a pass this time. ;)
I consider "hacking" to be any instance of an entity deliberately undermining the confidentiality, integrity or availability assurances (the CIA triad) of a technical security control; be it passively or actively, and regardless of the apparent weakness of the control.
Information security begins with confidentiality, which brings us to the concept of authorization and and the use of encryption. When Bob and Alice want to communicate in secret, they want to assure confidentiality, and they use encrypted messages. Then we also have integrity: when Bob and Alice are enjoying a confidential communication, they want to make sure no one has altered the messages even if they can't read them, so we get hash functions and MACs. Maybe Bob wants authentication: he wants to make sure the person who sent him the message really is Alice, even if he's already sure it's confidential and unaltered, so now we've got digital signature schemes. Eventually Alice decides she wants non-repudiation, or peer entity auth, etc.
Every technical security control can be modeled as the practical implementation of one of these desires for a particular type of assurance. This is neat, because it precludes pernicious questions like, "Well what if it's weak and the 'hacker' just incremented a value in a URL" - we shift the slippery-slope problem of ascribing malicious intent to the legal sphere without sacrificing the cleanly drawn technical definition.
Under this definition, I'd consider the individual in this story to have "hacked" their employer. A login interface is a technical security control designed to provide authorization/access control as a method of implementing confidentiality (among other things). The employee logged in as a user other than themselves, thereby undermining the control. Furthermore, he did it intentionally, which establishes the deliberation requirement. It was not a sophisticated hack, but then again real world hacking very rarely is technically sophisticated.
Despite the composition of Blackhat/DEFCON proceedings every year, the median company is far more likely to be compromised through a social engineering or endpoint failure (e.g. executive is phished, employee pirates media and gets a virus, etc).
EDIT: Apparently this is an unpopular answer, that's fine. But it's an answer that probably goes the farthest and with the fewest rabbit holes. Humans need to trust software in different ways, and if you deliberately break that trust by bypassing the implementation that assures it, you've hacked the software.
It's actually not. Laws are not an appropriate analogy for technical security controls. First and foremost, laws exist which are clearly not enforced. Technical security controls exist, or they don't. They don't generally rely on human arbitrators for enforcement, unlike legislation. Once it is in place, the technical nature of the control is self-enforcing; bypassing the enforcement is what constitutes "hacking." In this way criminality and hacking aren't comparable. A better comparison might be security policies and laws, but that's close to tautological because they're so similar.
Moreover, laws can be broken unintentionally, and under this definition you cannot hack something unintentionally. Awareness can be tantamount to intentionality - I'd argue most people aren't even aware they're jaywalking when they do it. It stretches the boundaries of believability that someone would log in as someone else and not be aware that they did it. In a contrived scenario where they did somehow accomplish that, I wouldn't call it hacking.
just to confirm. within this scheme, all a website needs is 2 form fields "userid" and "password" , they don't even have to do anything, and if you crawled it, you've hacked it?
If the login interface actually works (i.e. it's actually an access control), and you successfully login with credentials that aren't yours - yes, you've hacked it. It's only a hack if you intend to do it and the interface is a good faith implementation.
I don't really follow your question in this comment and the other one though - what do you mean about CIA desires? You need to understand that a technical control represents a control in order to intentionally bypass it.
if theres a bunch of numbers in my url after i login, and i'm oh so curious what i'd see if i increment that number by 1, now i'm hacking? i mean, i believe the website simply didnt want to implement session control, if i saw someone else's account details, is that acceptable interpretation? there's no "rule of the internet" that says we must only navigate by provided links on a html page, is there?
> if theres a bunch of numbers in my url after i login, and i'm oh so curious what i'd see if i increment that number by 1, now i'm hacking
Under the definition above, if you do it to deliberately bypass the control, then yes. If you do it out of curiosity without believing you might subvert any control, then no you're not hacking.
Real-world metaphors don't always hold up, but you could enter my house with a key that fits my lock, but without my permission. Nobody is confused about what that is.
My personal comparison is: If a postal worker opens your mail is that okay? If your window is open but your curtains are closed, is it okay for someone to stand outside your house and open them? Humans protect their privacy with mostly pathetic measures due to an intrinsic sense of trust, but that doesn't give other humans the right to erode that trust.
I think logging in with someone else's username/password, defacing the website, corrupting/deleting files and stealing data to start a rival business are all crimes.
I draw the line here. If my username/password still work it should be lawful to continue to use. For example if I buy a subscription to a saas product and my card expires, if the service continues to allow me access I should be able to legally use the product until the saas restricts my access.
It does work that way. You'll just end up getting billed for using the service. You probably agreed to pay until you cancelled it. Just not paying isn't going to change that.
Logging into work servers after being fired is sorta like coming back into the office and looking at stuff because they didn't change their locks.
Completely agree in that scenerio. What if you work at a social networking company (lets say a smaller facebook) and you create a standard public account and add all of your friends and family because the company encourages you to use the product. Because of your role you have addition permissions added to your account that allows you to see non public information when viewing profiles. After leaving you realize access hasn't been downgraded. Is it okay to continue to use the account? At this point all of your friends and family and history are connected to this profile?
If you specifically use the access, by, say, clicking "god mode", I think the CFAA views that as unauthorized. And it really is unauthorized. It's like the office not changing the keycode so you go in from time to time to read reports.
Using the word "hacking" in this scenario is just like saying someone "broke in" by using an old key. The correct word in that case would, of course, be "trespassing".
Instead of "hacking", we need to use specific and correct terms.
> Using the word "hacking" in this scenario is just like saying someone "broke in" by using an old key. The correct word in that case would, of course, be "trespassing".
No, using an old key that you have no permission to use doesn't convert B&E into mere trespass. About the only way to have mere trespass inside a building (rather than merely on the grounds) is to have your permission to stay revoked while you are in the building.
It is the correct site. The court record says "Mr. Fischbach first examined Nick Tsotsikyan, founder, owner, and Director of Operations of Security Specialists."
Nick Tsotsikyan is noted on the about page of the website you linked to.
"Then, he noticed that someone had tampered with the program’s 'Lunch' field. Four hours had been added into the lunch field each day, which accounted for the unexplained extra 40 hours of overtime in Garcia’s records. The hours had been entered in black text on a black background, in one-point font. As a result, the alterations to Garcia’s hours would not have been noticeable to the casual observer. The alterations resulted in Garcia’s being paid wages for overtime that, presumably, he did not work."
That's just one of the things he did.
If you're going to be a criminal, at least be a smart criminal. He's going to be stuck with trying to pay off $300k on a fast food worker's wages which will take him the rest of his life unless he inherits a lot of money or plans on winning the lotto. He effectively removed himself from consideration from any decent job and thus his ability to pay the fine in a comfortable manner.
40 comments
[ 4.4 ms ] story [ 78.9 ms ] threadIn cases like this, I would expect that $300K to drop later, or to be renegotiated at some point.
>he was found guilty and sentenced to five years of prison, with two years suspended, full restitution of the $6.7 billion which was lost
Good luck with that when
>permanent ban from working in financial services
However, it was pretty egregious, and several incidents. And the amount seems like it's not a horribly inflated number.
(Rockstar/10x dev hunters, come and get it...)
The phrase "hacking" doesn't quite sit right with me either but I guess it's close enough to the truth in this case. I'll personally give them a pass this time. ;)
See this clip from a 1983 film: https://www.youtube.com/watch?v=U2_h-EFlztY
Information security begins with confidentiality, which brings us to the concept of authorization and and the use of encryption. When Bob and Alice want to communicate in secret, they want to assure confidentiality, and they use encrypted messages. Then we also have integrity: when Bob and Alice are enjoying a confidential communication, they want to make sure no one has altered the messages even if they can't read them, so we get hash functions and MACs. Maybe Bob wants authentication: he wants to make sure the person who sent him the message really is Alice, even if he's already sure it's confidential and unaltered, so now we've got digital signature schemes. Eventually Alice decides she wants non-repudiation, or peer entity auth, etc.
Every technical security control can be modeled as the practical implementation of one of these desires for a particular type of assurance. This is neat, because it precludes pernicious questions like, "Well what if it's weak and the 'hacker' just incremented a value in a URL" - we shift the slippery-slope problem of ascribing malicious intent to the legal sphere without sacrificing the cleanly drawn technical definition.
Under this definition, I'd consider the individual in this story to have "hacked" their employer. A login interface is a technical security control designed to provide authorization/access control as a method of implementing confidentiality (among other things). The employee logged in as a user other than themselves, thereby undermining the control. Furthermore, he did it intentionally, which establishes the deliberation requirement. It was not a sophisticated hack, but then again real world hacking very rarely is technically sophisticated.
Despite the composition of Blackhat/DEFCON proceedings every year, the median company is far more likely to be compromised through a social engineering or endpoint failure (e.g. executive is phished, employee pirates media and gets a virus, etc).
EDIT: Apparently this is an unpopular answer, that's fine. But it's an answer that probably goes the farthest and with the fewest rabbit holes. Humans need to trust software in different ways, and if you deliberately break that trust by bypassing the implementation that assures it, you've hacked the software.
That sounds extremely broad, in the same way that calling jaywalkers criminals would be.
Moreover, laws can be broken unintentionally, and under this definition you cannot hack something unintentionally. Awareness can be tantamount to intentionality - I'd argue most people aren't even aware they're jaywalking when they do it. It stretches the boundaries of believability that someone would log in as someone else and not be aware that they did it. In a contrived scenario where they did somehow accomplish that, I wouldn't call it hacking.
I don't really follow your question in this comment and the other one though - what do you mean about CIA desires? You need to understand that a technical control represents a control in order to intentionally bypass it.
if theres a bunch of numbers in my url after i login, and i'm oh so curious what i'd see if i increment that number by 1, now i'm hacking? i mean, i believe the website simply didnt want to implement session control, if i saw someone else's account details, is that acceptable interpretation? there's no "rule of the internet" that says we must only navigate by provided links on a html page, is there?
Under the definition above, if you do it to deliberately bypass the control, then yes. If you do it out of curiosity without believing you might subvert any control, then no you're not hacking.
I draw the line here. If my username/password still work it should be lawful to continue to use. For example if I buy a subscription to a saas product and my card expires, if the service continues to allow me access I should be able to legally use the product until the saas restricts my access.
Logging into work servers after being fired is sorta like coming back into the office and looking at stuff because they didn't change their locks.
I would say yes it's okay.
Instead of "hacking", we need to use specific and correct terms.
No, using an old key that you have no permission to use doesn't convert B&E into mere trespass. About the only way to have mere trespass inside a building (rather than merely on the grounds) is to have your permission to stay revoked while you are in the building.
http://www.capatrol.com/
Nick Tsotsikyan is noted on the about page of the website you linked to.
That's just one of the things he did.
If you're going to be a criminal, at least be a smart criminal. He's going to be stuck with trying to pay off $300k on a fast food worker's wages which will take him the rest of his life unless he inherits a lot of money or plans on winning the lotto. He effectively removed himself from consideration from any decent job and thus his ability to pay the fine in a comfortable manner.