Comment Re:Run (Score 1) 330
Please cite a legal authority for your assertion that passwords are "property".
Go put a chain and padlock on your neighbor's gate and see if you get in any trouble.
Well, in criminal terms, that's "vandalism", as a Tort, might be considered "trespass to chattels" (warning: IANAL). Withholding a password is not "vandalism", and I think that would be even more of a stretch than the "anti-hacking" statute under which he was convicted.
Essentially what they got him on was "denying services to authorized users", which takes quite a bit of intellectual contortion, since no-one ever proved that his actions directly prevented services to any end-user.
He denied access to the replacement administrators.
But they are the providers of the "service", not the intended beneficiaries of it. I think that's an important legal distinction to make -- there's no evidence that Terry ever targeted the users of the network with any kind of malicious intent. It was merely a scuffle amongst the providers of the service, something that happens all the time in workplaces. Even if he had remained in the employ of the City of San Francisco, he could have -- and reportedly did -- keep information about the particulars of the network, its architecture and its configuration, from other administrators and his management. This happens every day in workplaces all across the U.S. and in fact the world. No-one is compelled to disclose everything they know about their work, at the request of anyone and everyone who works in the same place. While a secretive, distrusting and/or insular employee may be grounds for disciplinary action, up to potentially -- actually, as it turns out in Terry's case -- termination, having "special" knowledge about the network, and not sharing it, is not "hacking" and not criminal.
I think the main disconnect here is that people view passwords as disconnected facilitators of "access" (however that is defined), more analogous to a physical key than to a piece of information. But I see those passwords as being at the end of a continuum of "special knowledge" that one may have about a network, or some other IT system, whether it be Operating System, application, or network infrastructure. What use would it be to give someone a password to a network infrastructure device, but they have no clue how to configure it, how to troubleshoot problems, how to even understand the role that the device plays in the overall infrastructure? Having the password to a router, a switch, a fiber concentrator, or whatever, doesn't mean you can do anything useful with it. So the threshold isn't just "password", in practical terms it's "password + other special knowledge necessary to do something useful with that access". Certainly Terry had "special knowledge" about FiberWAN that he wasn't willing to share with his co-workers or management. Passwords were only the tip of the iceberg. But to criminalize this behavior threatens to drill deep into the iceberg to other forms of "special knowledge" that workers withhold from each other and from their management on a regular basis. That's why it's such a dangerous ruling, and why it has vastly overextended the concept of "hacking", which is about protecting the society at large from the malicious actions of individuals against electronic systems.
I don't think it's an exaggeration to say that this precedent endangers all of us in the IT field -- taken to its extreme, it means employers can lay claim to anything that ex-employees know, if it helps them run their systems or their networks better.
Only because you're trying really, really hard to turn this into something it's not. Not turning over the passwords blocked the new administrators from accessing the systems, just as if he DDoS'ed the management ports.
It didn't block them; it merely failed to facilitate the handoff process. That's another important legal distinction -- between acting and failing to act. I think it's stretching the concept of "hacking" way too far when someone who declines to act can be held criminally liable. There are some examples of so-called "duty to assist" laws (look it up) on the books, where someone can be held liable for not lending their (minimal) assistance in an emergency or while a crime is being committed, but as far as I know, no such law exists in California, and, in any case, to return to the point, Terry wasn't convicted of a failure to assist the City of San Francisco to maintain and secure their network; he was convicted of "hacking" it, framed in terms of "denying service to authorized users". That -- like DDoS'ing the management ports -- implies an affirmative malicious act, not merely a "failure to assist".