Dear America, best not share that password with your pals. Lots of love, the US Supremes

You may end up in the clink with 'hacker' on your criminal record

A California bloke fighting a computer hacking conviction has lost his final appeal after the US Supreme Court declined to hear his case.

The ramifications of this decision could affect everyone in America who has ever shared a password with their friends and family. We'll explain.

In 2004, David Nosal was a high-level regional director at recruitment consultancy biz Korn/Ferry. He then left to start up his own firm, although stayed on for a year as a contractor. During that time, he tried to lure his former colleagues over to his new business, and convinced three of them to share their passwords to Korn/Ferry's internal database of consultants with him.

Using the purloined passwords, Nosal copied the firm's one million-person database so that he could use it to kickstart his own recruitment outfit. When this was discovered, the US Department of Justice charged him with hacking crimes under America's Computer Fraud and Abuse Act.

At the heart of the matter was the fact that Nosal used the passwords to gain unauthorized access to a computer system.

Password screen

Chap fails to quash 'shared password' 'hacking' conviction


Nosal was found guilty by a jury in 2013, and was sentenced to a year and a day in the cooler. He was also fined $60,000 for his troubles. He appealed, arguing that his shenanigans fell shy of actual proper computer hacking that the law is supposed to tackle, and last year was shot down in a 2-1 split decision by the California 9th Circuit Court of Appeals.

The lone dissenting appeals judge said he had serious doubts about the case. Sharing a password among folks is a fairly common practice, be it someone sharing banking credentials with their spouse to pay a bill or friends sharing Netflix account details. The dissenting judge, Stephen Reinhardt, feared the justice system, by convicting Nosal, was about to outlaw the simple act of sharing passphrases.

Crucially, Nosal's fate hinged on the law's definition of authorized access. Since Nosal clearly didn't have permission aka authorization to access the database, the appeals court ruled that the hacking conviction should stand. So the legal precedent seemed to be that you cannot access a system you are not allowed to, whether or not you were slipped the password by an authorized user. And that appeared to be pretty straight forward.

That wasn't good enough for the Electronic Frontier Foundation, though, which filed an amicus brief to the US Supreme Court. The digital rights warriors argued the appeals court decision will criminalize millions of Americans simply for sharing their passwords among each other. Giving your friend the password to, say, your online video-streaming account may violate the terms and conditions of the website's use, which may trigger a prosecution under America's computer hacking laws. After all, your friend did not have authorization from the website to access the service.

In other words, even though you gave your pal permission to watch streamed TV shows from your account, the website may forbid such shared use – and that would be an unauthorized access, the kind that ultimately landed Nosal in the clink. This is why the EFF found the appeals court's ruling particularly dangerous.

The foundation has a real beef with the Computer Fraud and Abuse Act, which is key to this whole case, and has previously called for reforms in order to, as EFF staff attorney Jamie Williams put it, prevent "overzealous prosecutors" from exploiting the law to lock up folks. The campaigners therefore asked the Supreme Court to clarify that sharing passwords can never be a crime.

"This [appeals court] ruling threatens to turn millions of ordinary computer users into criminals," Williams said earlier this year. "Innocuous conduct such as logging into a friend's social media account or logging into a spouse's bank account, with their permission but in violation of a corporate prohibition on password sharing, could result in a [Computer Fraud and Abuse Act] prosecution. This takes the CFAA far beyond the law's original purpose of putting individuals who break into computers behind bars."

Well, the Supremes didn't see a need to take this further: this week, they declined to hear the case. So for now, to be safe, don't share your password with anyone – not just because it may break the rules and therefore possibly the law, but also because it's just not good security hygiene. ®

Other stories you might like

  • Developers offered browser-based fun in and Java action in Visual Studio Code

    Looking at code here, there and (almost) everywhere

    Microsoft has whipped the covers off yet another take on code-in-the-browser with a lightweight version of Visual Studio Code, while unveiling the version 1.0 release of support for Red Hat Java in the freebie source wrangler.

    It comes after last month's preview of the code editor that runs entirely in the browser, and will doubtless have some users pondering the difference between this and Microsoft-owned GitHub's, which also pops a development environment into the browser. One of the biggest of those differences is a lack of compulsory integration with the VS source-shack; this is unavoidable with (the clue is, after all, in the URL.), on the other hand, will permit the opening up of a file from a local device (if the browser allows it and supports the File System Access API) in what looks for all the world like an instance of Visual Studio Code, except surrounded by the gubbins of a browser.

    Continue reading
  • No swearing or off-brand comments: AWS touts auto-moderation messaging API

    Automate everything – but while human moderation is hard, robot moderation tends not to work

    AWS has introduced channel flows to its Chime messaging and videoconferencing API, the idea being to enable automatic moderation of profanity or content that "does not fit" the corporate brand.

    Although Amazon Chime has a relatively small market share in the crowded videoconferencing market, the Chime SDK is convenient for developers building applications that include videoconferencing or messaging, competing with SDKs and services from the likes of Twilio or Microsoft's Azure Communication Services. In other words, this is aimed mainly at corporate developers building applications or websites that include real-time messaging, audio or videoconferencing.

    The new feature is for real-time text chat rather than video and is called messaging channel flows. It enables developers to create code that intercepts and processes messaging before they are delivered. The assumption is that this processing code will run on AWS Lambda, its serverless platform.

    Continue reading
  • UK government puts £5bn on the table in trawl for public sector networks services

    I dream of wires, say Whitehall’s big buyers

    The UK's central government procurement agency is chumming the waters around the market's swimmers, hoping to tempt suppliers into providing a range of computer network services and kit with a £5bn tender.

    The buying spree, which will officially begin when a framework agreement starts in fiscal 2023, involves a large spread of hardware, software and services around IT networks. Included are categories such as networking, internet and intranet software packages, network interfaces, network operating system software development services and so on.

    Crown Commercial Service, the cross-government buying organisation that sits within the Cabinet Office, has launched what is known as a "prior information notice" to start talking to suppliers before it forms the official competition to be on the framework: a group of contracted suppliers from which a huge number of public sector bodies can buy.

    Continue reading
  • Informatica UKI veep was rightfully sacked over Highways England $5k golf jolly, says tribunal

    Underling took customer on bucket list trip - and VP signed it off without checking

    Informatica's former UK & Ireland vice president was correctly sacked after letting a salesman take Highways England's executive IT director on a $5,000 golfing jaunt, the Employment Appeal Tribunal has ruled.

    Not only did Derek Thompson breach Informatica's anti-corruption policies but he also warned underlings to "be discreet" about the jolly – and told HR investigators "Why does anyone do any customer entertainment?" when asked how playing golf benefited the business.

    Thompson lost his appeal against a judge's earlier ruling [PDF] that his October 2017 sacking was reasonable, with the Employment Appeal Tribunal publishing its judgment [PDF] last week.

    Continue reading
  • Boeing's Starliner capsule corroded due to high humidity levels, NASA explains, and the spaceship won't fly this year

    Meanwhile Elon's running orbital tourist trips and ISS crew missions

    Boeing’s CST-100 Starliner capsule, designed to carry astronauts to and from the International Space Station, will not fly until the first half of next year at the earliest, as the manufacturing giant continues to tackle an issue with the spacecraft’s valves.

    Things have not gone smoothly for Boeing. Its Starliner program has suffered numerous setbacks and delays. Just in August, a second unmanned test flight was scrapped after 13 of 24 valves in the spacecraft’s propulsion system jammed. In a briefing this week, Michelle Parker, chief engineer of space and launch at Boeing, shed more light on the errant components.

    Boeing believes the valves malfunctioned due to weather issues, we were told. Florida, home to NASA’s Kennedy Space Center where the Starliner is being assembled and tested, is known for hot, humid summers. Parker explained that the chemicals from the spacecraft’s oxidizer reacted with water condensation inside the valves to form nitric acid. The acidity corroded the valves, causing them to stick.

    Continue reading
  • Research finds consumer-grade IoT devices showing up... on corporate networks

    Considering the slack security of such kit, it's a perfect storm

    Increasing numbers of "non-business" Internet of Things devices are showing up inside corporate networks, Palo Alto Networks has warned, saying that smart lightbulbs and internet-connected pet feeders may not feature in organisations' threat models.

    According to Greg Day, VP and CSO EMEA of the US-based enterprise networking firm: "When you consider that the security controls in consumer IoT devices are minimal, so as not to increase the price, the lack of visibility coupled with increased remote working could lead to serious cybersecurity incidents."

    The company surveyed 1,900 IT decision-makers across 18 countries including the UK, US, Germany, the Netherlands and Australia, finding that just over three quarters (78 per cent) of them reported an increase in non-business IoT devices connected to their org's networks.

    Continue reading
  • Huawei appears to have quenched its thirst for power in favour of more efficient 5G

    Never mind the performance, man, think of the planet

    MBB Forum 2021 The "G" in 5G stands for Green, if the hours of keynotes at the Mobile Broadband Forum in Dubai are to be believed.

    Run by Huawei, the forum was a mixture of in-person event and talking heads over occasionally grainy video and kicked off with an admission by Ken Hu, rotating chairman of the Shenzhen-based electronics giant, that the adoption of 5G – with its promise of faster speeds, higher bandwidth and lower latency – was still quite low for some applications.

    Despite the dream five years ago, that the tech would link up everything, "we have not connected all things," Hu said.

    Continue reading
  • What is self-learning AI and how does it tackle ransomware?

    Darktrace: Why you need defence that operates at machine speed

    Sponsored There used to be two certainties in life - death and taxes - but thanks to online crooks around the world, there's a third: ransomware. This attack mechanism continues to gain traction because of its phenomenal success. Despite admonishments from governments, victims continue to pay up using low-friction cryptocurrency channels, emboldening criminal groups even further.

    Darktrace, the AI-powered security company that went public this spring, aims to stop the spread of ransomware by preventing its customers from becoming victims at all. To do that, they need a defence mechanism that operates at machine speed, explains its director of threat hunting Max Heinemeyer.

    According to Darktrace's 2021 Ransomware Threat Report [PDF], ransomware attacks are on the rise. It warns that businesses will experience these attacks every 11 seconds in 2021, up from 40 seconds in 2016.

    Continue reading

Biting the hand that feeds IT © 1998–2021