It's amusing how the article says it's "potentially" in violations of US hacking laws.
That practice is _definitely_ a violation of the Computer Fraud and Abuse Act. No employer's IT is going to have it not be a violation for a user to share their password with someone else, which even in the weakest boilerplate immediately revokes their rights to the account. At that point _any_ use of those credentials is very much a violation of the CFAA.
IT's policy is more for unauthorized credential sharing to a third party that is not legally acting as a designated data transfer agent. what argyle is doing is legal and fine.
It is really nothing new to offer up credentials to some third party who promises to act benignly on your behalf.
When my niece was about 10, so let's call it 2005, she wanted to access some Barbie service. And I think it was the legit Barbie, mattel.com-affiliated website for children.
So she navigates there, and gets a login screen that wants her email credentials. Like from yahoo.com. I don't know why--to add her to a list or something? Was it an early "federated identity" login that I wasn't aware of?
And my jaw dropped open as I looked at what they were trying to do and I shouted "That's phishing! Don't ever do that!" and I force-closed all the windows and handed her over to her parents.
And looking back, I almost had a twinge of regret because I had come to find out that the Barbie service was not some Russian hacker but actually Barbie just asking to log in to her email, and it was totally normal for thousands of kids. So was I the bad uncle for stopping her in this regard?
The crazy thing about the "paperless office" of the 21st century is that authentication of documents has gone out the window, completely back to the stone age of forgeries.
Didn't we recently see where a landlord attempted to forge a lease document but was caught by the tenant?
Nobody wants to see your authentic ID/DL anymore. Just FAX it in or scan it. Nobody can examine your birth certificate or passport (except for real officials) but you need to scan and present it to all kinds of third parties. It absolutely destroys 80% of the countermeasures that are built in to those types of documents. Wrote a check from your checkbook? Your bank immediately photographs it and the image traverses their network, not the paper thing. They just shred that useless paper thing. The image is, for all intents and purposes, the negotiable document. Most of us pay a premium for "security checks" with a bunch of microprinting and other bullshit. That's utterly useless once you push it through a cellphone cam!
I've drawn a lot of public assistance from entitlements. They often require a stack of paperwork, like bank statements, paystubs. I usually ran Linux and had all the third-party PDF-manipulation tools. They would just accept screenshots from my banking apps! I could've easily forged anything, down to pixel level, or in the HTML itself, print to PDF, undetectable. No checksums or hashes to worry about!
So perhaps this headline is a symptom, a symptom of landlords being skeptical and wary of tenant-side forgeries, that they feel the need to grab the documents straight from the horse's mouth. I can't blame them for being risk-averse and wary of forgery, but this is crazy. Just... figure out a way to authenticate electronic documents. We cryptographers have worked this all out, but it's been ignored for reasons of cost and expedience. You can't ignore it anymore.
9 comments
[ 3.1 ms ] story [ 34.6 ms ] threadThat practice is _definitely_ a violation of the Computer Fraud and Abuse Act. No employer's IT is going to have it not be a violation for a user to share their password with someone else, which even in the weakest boilerplate immediately revokes their rights to the account. At that point _any_ use of those credentials is very much a violation of the CFAA.
It's also quite (maddeningly) common for some websites to collect email service login credentials.
When my niece was about 10, so let's call it 2005, she wanted to access some Barbie service. And I think it was the legit Barbie, mattel.com-affiliated website for children.
So she navigates there, and gets a login screen that wants her email credentials. Like from yahoo.com. I don't know why--to add her to a list or something? Was it an early "federated identity" login that I wasn't aware of?
And my jaw dropped open as I looked at what they were trying to do and I shouted "That's phishing! Don't ever do that!" and I force-closed all the windows and handed her over to her parents.
And looking back, I almost had a twinge of regret because I had come to find out that the Barbie service was not some Russian hacker but actually Barbie just asking to log in to her email, and it was totally normal for thousands of kids. So was I the bad uncle for stopping her in this regard?
Didn't we recently see where a landlord attempted to forge a lease document but was caught by the tenant?
Nobody wants to see your authentic ID/DL anymore. Just FAX it in or scan it. Nobody can examine your birth certificate or passport (except for real officials) but you need to scan and present it to all kinds of third parties. It absolutely destroys 80% of the countermeasures that are built in to those types of documents. Wrote a check from your checkbook? Your bank immediately photographs it and the image traverses their network, not the paper thing. They just shred that useless paper thing. The image is, for all intents and purposes, the negotiable document. Most of us pay a premium for "security checks" with a bunch of microprinting and other bullshit. That's utterly useless once you push it through a cellphone cam!
I've drawn a lot of public assistance from entitlements. They often require a stack of paperwork, like bank statements, paystubs. I usually ran Linux and had all the third-party PDF-manipulation tools. They would just accept screenshots from my banking apps! I could've easily forged anything, down to pixel level, or in the HTML itself, print to PDF, undetectable. No checksums or hashes to worry about!
So perhaps this headline is a symptom, a symptom of landlords being skeptical and wary of tenant-side forgeries, that they feel the need to grab the documents straight from the horse's mouth. I can't blame them for being risk-averse and wary of forgery, but this is crazy. Just... figure out a way to authenticate electronic documents. We cryptographers have worked this all out, but it's been ignored for reasons of cost and expedience. You can't ignore it anymore.