Tuesday, February 10, 2015

Mark Burnett and the Ethics of Hacking

In 2015, a security consultant named Mark Burnett published 10 million passwords along with their corresponding usernames. His rationale was that doing so is necessary to ensure continued access to hacking-related information. Until recently, cybersecurity researchers had only been given access to passwords without usernames, which Burnett argues is a serious detriment to the field of computer security. Passwords are ubiquitous in the IT industry, and only by examining how individuals choose them can researchers craft better countermeasures against hackers. Or so the rationale goes.

The major problem with Burnett’s justification is the illegality of what he did. Given the recent five-year sentence handed down to Anonymous hacker Barrett Brown for a similar activity, it is understandable why Burnett might question his future as a free man. To help clarify Burnett’s position as well as that of the federal government, it is critical to establish a few key points in what I can only imagine is an upcoming criminal case. The passwords in question appear to have been collected from other notable hacks leaked online. Advertised as a security consultant, Burnett argues that he collected this data with the white-hat intent of helping to strengthen the concept of passwords for the collective good. That being said, many researchers shy away from publishing passwords together with their corresponding usernames, because the two pieces of data combined form a working authentication credential.

In the case of Anonymous’ Barrett Brown, his five-year sentence was predicated upon the fact that he trafficked in stolen goods (i.e., the passwords), much as Mark Burnett did. It should be noted, however, that this charge was later dropped, with the government opting instead to go after Brown for his association with Anonymous. Additionally, the Obama administration has proposed changes to the Computer Fraud and Abuse Act which would further outlaw the “publication of links to public password dumps even if the person making the link had no intent to defraud” (Goodin, 2015).

According to Burnett, these recent developments in cybersecurity law have forced researchers and journalists alike to stop reporting on hacks entirely for fear of federal retribution. If posting links to publicly available hacked data lands you in prison, then why would you take the risk? As Goodin (2015) reports on Burnett’s reasoning:

“Including usernames alongside passwords could help advance what's known about passwords in important ways. Researchers, for instance, could use the data to determine how often users include all or part of their usernames in their passwords. Besides citing the benefit to researchers, Burnett also defended the move by noting that most of the leaked passwords were "dead," meaning they had been changed already, and that all of the data was already available online.”

References
Goodin, D. (2015). Fearing an FBI raid, researcher publishes 10 million passwords/usernames. ArsTechnica. Retrieved from http://arstechnica.com/security/2015/02/fearing-an-fbi-raid-researcher-publishes-10-million-passwordsusernames/