1. Acting as a go-between for (presumably Jeremy Hammond) the Stratfor hacker and Stratfor itself, Brown misled Stratfor in order to throw the scent off Hammond. Having intimate knowledge of a crime doesn't make one automatically liable for that crime, but does put them in a precarious legal position if they do anything to assist the perpetrators.
2. During the execution of a search warrant, Brown helped hide a laptop. Early in the trial, in advancing the legal theory that hiding evidence is permissible so long as that evidence remains theoretically findable in the scope of the search warrant, Brown admitted to doing exactly that, and that's a crime for the same reason that it's a crime when big companies delete email after being subpoenaed.
3. Brown threatened a named FBI agent and that agent's children on Twitter and in YouTube videos.
The offense tied to Brown's "linking" was dismissed.
Brown's sentence was unjust, but it wasn't unjust because he was wrongly convicted by a trigger-happy DOJ; rather, he got an outlandish sentence because he managed to stipulate a huge dollar figure for the economic damage caused by the Stratfor hack, which he became a party to when he helped Hammond.
Broad categories of rude speech are protected under the First Amendment, including things like, IIRC:
1. Saying if President Johnson makes you pick up a gun, he'll be the first in your rifle sight. (Watts v. United States)
2. Telling a cop "I'll kill you, you white devil" while you are in handcuffs and unable to kill him. (? v. ?)
3. Swearing "revengeance" upon the Jews. (Brandenburg v. Ohio)
This masks the scary reality that someone was indicted, arrested, and prosecuted for posting a link (not to mention that it was dismissed as part of a plea - not for lack of legal merit). While in this case there were other charges as well, there didn't have to be - all of the same pre-trial horrors (including possible detention without bail) could have occurred with only that charge. The fact that such a charge may eventually be dismissed/beaten at trial after your life is burnt to the ground for posting a link is little comfort.
Most criminal statutes look insane if you ignore the mens rea component and consider only the actus reus.
Probably the right way to address your comment is to acknowledge the sentiment behind it. It would be ominous if prosecutors trawled the Internet looking for the wrong kinds of links --- people RT'ing updates from Anonymous, for instance, or relaying already-public newsworthy facts from breaches --- and fit accessory liability cases around those innocuous acts. It is worth being wary about prosecutors doing that, because computer crime laws are poorly rigged and set up terrible incentive systems for prosecutors.
It's just that those concerns are not yet vindicated by the Brown case.
We should also think a little bit harder, I think, about whether posting a link is never criminal. It seems to me that if someone posts a link to intentionally further a criminal conspiracy, it seems like it could plainly, and unproblematically be criminal. Accomplice liability in particular makes lots of other things, that would otherwise be innocent, into crimes when they are done with the wrong sort of intent.
I don't know much of the specifics about Brown, but I think the wider point is worth discussing, especially with respect to the proposed change in legislation.
From the article:
Most of us expected that those charges would be dropped and some were, although they still influenced his sentence.
I want to be generous and say that the author meant what you said. The linking was not something Brown was charged with, but it was brought up during the sentencing and probably influenced the length of his prison sentence. So while you're correct that Brown was not charged with linking to information, it's worth noting that this was still used against him anyway.
Also, people who think the linking to hacked data was the only thing that got him arrested are being disingenuous (or are simply ignorant).
Also those three sound like incredibly weak charges, and yet you somehow defend the prosecution over them.
Earlier you said I say his sentence was unjust given that you always seem to defend crazy sentences as not being the real ones anyway?
Maybe your life has something to do with this.
$ export LC_ALL='C'
$ awk '{ print $2 }' 10-million-combos.txt | tr 'A-Z' 'a-z' | sort | uniq -c | sort -nr | head -n 20
55893 123456
20785 password
13582 12345678
13230 qwerty
11696 123456789
10938 12345
6432 1234
5682 111111
4796 1234567
4191 dragon
3845 123123
3734 baseball
3664 abc123
3655 football
3330 monkey
3206 letmein
3136 shadow
3126 master
3050 696969
3002 michael
Edit: I used Wordle[1] to make a wordcloud of the top 1000 passwords: http://i.imgur.com/FImcPiG.png
I'd run some more commands, to find out how many "michael"s use "michael" as their password, but I've got to head out now. Would be interesting -- anybody up for it?
(Ooh -- you could even juxtapose the usernames against common American names by decade [1], and probably derive some data about the ages of these users as well!)
(Furthermore -- what if we started keeping track of most common passwords by decade? That could be super interesting! I wonder if it's changed much!)
$ export LC_ALL='C'
$ awk '{ print $1 }' 10-million-combos.txt | tr 'A-Z' 'a-z' | sort | uniq -c | sort -nr | head -n 20
3044 info
2119 admin
1323 michael
1113 robert
1095 2000
1049 john
1041 david
967 null
940 richard
922 thomas
901 chris
866 mike
843 steve
832 dave
816 daniel
812 andrew
797 george
765 james
735 mark
730 dragon
1. http://www.ssa.gov/oact/babynames/decades/names1980s.html
HOWEVER, of all of the people whose password is 'michael' 83 seem to CONTAIN the str 'michael'.
Of the set of usernames 'michael' there are 20 whose passwords contain the string 'michael'
Of the set of usernames containing the string 'michael' there are 276 passwords that contain the string 'michael'
I honestly expected much more.
And... dragon. That's an unusual password to make the top-10 list. I think this might be a somewhat skewed sampling.
>>> (55893+20785+13582+13230+11696+10938+6432+5682+4796+4191+3845+3734+3664+3655+3330+3206+3136+3126+3050+3002) / 1e7
0.0180973
That is, 1.8%. This is confirmed by http://maxmcd.com/passwords.html.
That might not be the case; not all passwords are created equal.
As an example, my password to some goofy online game that requires registration is nowhere near as strong as the password required to log into my work email account - for some things, I prioritize being able to type a password in quickly on a mobile device over the danger of someone breaking in and playing a low-scoring word in online scrabble.
User ID: John-CPE4E38J
Password: snoopy
For extra security the code would then move the random characters to the password so the authentication library would see this:
User ID: John
Password: snoopy-CPE4E38J
In this way even an attacker who gains full access to the server database would be unable to read the passwords (assuming they have been hashed well).
Also, the User ID can be stored in a cookie so that the User ID field on screen is pre-populated and the user only has to type "John-CPE4E38J" when he switches to a new computer.
More details here: http://security.stackexchange.com/questions/80352/is-it-a-ba...
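The suffix-moving scheme described in the comment above, as an added example (not the commenter's code): the server splits "John-CPE4E38J" into name and suffix, then salts and hashes "snoopy-CPE4E38J", so the stored hash protects a weak password with roughly 41 extra bits. The 8-character uppercase/digit suffix, the PBKDF2 parameters and the in-memory `db` dict are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string

# Assumed suffix format, modelled on the "CPE4E38J" in the comment.
SUFFIX_ALPHABET = string.ascii_uppercase + string.digits
SUFFIX_LEN = 8
PBKDF2_ROUNDS = 200_000


def make_suffix() -> str:
    return "".join(secrets.choice(SUFFIX_ALPHABET) for _ in range(SUFFIX_LEN))


def split_user_id(entered: str) -> tuple:
    """'John-CPE4E38J' -> ('John', 'CPE4E38J'); rejects anything else."""
    name, sep, suffix = entered.rpartition("-")
    if (not sep or not name or len(suffix) != SUFFIX_LEN
            or any(c not in SUFFIX_ALPHABET for c in suffix)):
        raise ValueError("user id must look like name-XXXXXXXX")
    return name, suffix


def hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def register(db: dict, name: str, password: str) -> str:
    """Store salt + hash of 'password-suffix'; return the User ID shown to the user."""
    suffix = make_suffix()
    salt = os.urandom(16)
    db[name] = (salt, hash_secret(f"{password}-{suffix}", salt))
    return f"{name}-{suffix}"          # what the cookie later pre-populates


def login(db: dict, entered_user_id: str, password: str) -> bool:
    """The authentication library only ever sees ('John', 'snoopy-CPE4E38J')."""
    try:
        name, suffix = split_user_id(entered_user_id)
    except ValueError:
        return False
    record = db.get(name)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, hash_secret(f"{password}-{suffix}", salt))
```

Note that the suffix lives in a cookie or on paper, so a phishing page or a stolen browser profile captures it together with the password; the scheme hardens the database dump, not the login form.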
For almost any site I have an account, I use a strong, unique password. For sites that I don't care about at all AND that I suspect have security problems I use a standard common insecure password. It is that common insecure password that is paired with my gmail account.
Edit: oh, crud
10938 12345
That's the same combination I have on my luggage!
How does tying each password to its corresponding username help with password research, and does the value gained outweigh the cost of someone using this list for malicious purposes?
I'm not saying this should be illegal, but I'm struggling to understand the intent here.
Do usernames of people with weaker passwords have something in common? How do they differ from people with stronger passwords? In France there is a practice of picking names like "foobar42" or "foobardu42", where "foobar" is a first name and 42 a "département" (country subdivision) number, which I would associate to casual users. Here I could quantify whether people with usernames of this form tend to pick weaker passwords. Insert your favorite prejudice here about lame and skilled username patterns, and quantify how the password diversity of this group fares in comparison with others.
Is it true that the most common passwords were associated to usernames that were also common? Does username frequency correlate with password frequency? Are there more people with unique usernames or people with unique passwords?
In some countries it is customary to annotate usernames with the user's year of birth. Filtering on such usernames could give insight about the correlation between age and password quality, or identify which passwords are more or less popular given the user age. You could try to check correctness of the filter using the fact that some of those people may have used their birthdate (including the year) as a password.
If a seemingly rare password in the dataset only occurs for two distinct user names, then maybe those two user names actually correspond to the same user. Do such usernames have a low edit distance? Could you use this to learn general rules to determine, given two usernames, whether they seem to correspond to the same person?
I just gave those off the top of my head, and I'm not at all working in this field, but I'd have no trouble imagining interesting applications for this data that would not have been possible with the passwords alone.
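The username-shape analysis sketched in the comment above, as an added example that is not part of the thread: usernames are bucketed into the "firstname+département" and "firstname+birth year" shapes, and each bucket gets its weak-password rate (weak = in the thread's top-20 list), its password diversity, and how many name+year users reuse that year inside the password. The regexes and the tab-separated sample are constructed assumptions.

```python
import re
from collections import Counter

# The 20 most common passwords from the awk pipeline earlier in the thread.
TOP20 = {"123456", "password", "12345678", "qwerty", "123456789", "12345",
         "1234", "111111", "1234567", "dragon", "123123", "baseball", "abc123",
         "football", "monkey", "letmein", "shadow", "master", "696969", "michael"}

# Username shapes from the comment; the regexes are this example's assumptions.
PATTERNS = {
    "name+dept": re.compile(r"^[a-z]+(?:du)?(0[1-9]|[1-9][0-9])$"),  # marie42, pierredu13
    "name+year": re.compile(r"^[a-z]+(19[3-9][0-9]|200[0-9])$"),      # anna1987
}

# Constructed sample in the dump's "username<TAB>password" form.
SAMPLE = """\
marie42\t123456
pierredu13\tpierre
jean75\tdragon
luc33\t123456
anna1987\t1987abc
tom1992\tqwerty
sven1975\tsven75
kai1990\tkai1990
admin\tadmin
info\tadmin
rooted_dev\tCorrectHorse9!
alice.w\tTr0ub4dor&3
"""


def parse_combos(text):
    """Yield (username, password), lower-cased like the thread's tr pipeline."""
    for line in text.splitlines():
        if "\t" in line:
            user, pw = line.split("\t", 1)
            yield user.strip().lower(), pw.strip().lower()


def classify(username):
    return next((label for label, rx in PATTERNS.items() if rx.match(username)), "other")


def group_stats(text):
    """Per username shape: size, weak-password rate, password diversity,
    and how many name+year users put that year inside the password."""
    groups = {}
    for user, pw in parse_combos(text):
        label = classify(user)
        g = groups.setdefault(label, {"users": 0, "weak": 0, "year_in_pw": 0, "pw": Counter()})
        g["users"] += 1
        g["weak"] += pw in TOP20
        g["pw"][pw] += 1
        if label == "name+year" and PATTERNS[label].match(user).group(1) in pw:
            g["year_in_pw"] += 1
    return {label: {"users": g["users"],
                    "weak_rate": round(g["weak"] / g["users"], 3),
                    "distinct_ratio": round(len(g["pw"]) / g["users"], 3),
                    "year_in_pw": g["year_in_pw"]}
            for label, g in groups.items()}
```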
There are serious risks to having your username and password in a public list. Yes, all of these usernames and passwords were already technically publicly released, but to a lazy and ignorant script kiddie, finding or even being aware of those lists can be outside their grasp.
By aggregating everything into one list, you 1) increase the search engine visibility for all credentials, which means someone Googling the username of, say, an Internet commenter who pissed them off may find a plaintext password they could use to impact the person's life with much higher probability (I work in information security and have seen that happen on many occasions), 2) encourage script kiddies and fraudsters to spend time working through the list to find working accounts that other criminals have missed in the past decade, and 3) undo any work that paste sites like Pastebin and file sharing sites like Mediafire have done to remove copies of the database dumps. 1) may not apply if it strictly remains a torrent, but it'll probably be floating around public paste sites within a few days, which would likely mean search engine visibility for every username on it.
If even 0.01% of the users on this list have accounts compromised due to its release, then I don't think that cost justifies the research benefits relative to a more redacted version of the list.
So, the next interesting question is: given the already plaintext-available lists of usernames and passwords, just how much coverage is there in the known space? Are your passwords known? Are your users' and clients' passwords known?
This document is perfect for a true positive on the matter of needing to deprecate particular combinations of username and password, and, as an obvious corollary, presenting evidence for consultation advice about the same. (Of course, being only a sample, it doesn't say anything about a true negative.)
Also I am sure there are some research aspects to the usernames. At the very least behavioral deductions that can be drawn based on these combinations.
So if you're concerned that information which wasn't previously public is now public, you can be at ease -- all of this data was not only public already, but less "cleaned up".
https://breachalarm.com/ https://haveibeenpwned.com/
The author does not seem like the type of person who did the hacking himself to obtain these, but rather curated leaks into his database
A desire for a particular type of attention his ego seems to need.
Which, combined with either a moronic lack of appreciation for the hassle and damage he's going to cause to end-users who've already been hosed once before, or an arrogance that makes him not care, makes him difficult to fit for a white hat.
FTA:
> This is completely absurd that I have to write an entire article justifying the release of this data out of fear of prosecution
What's absurd is his assumption that stripping domain names is somehow sufficient.
Edit: I'm getting downvoted like crazy here. Which is fine, but people seem to think it's ad hominem because I'm narrowing the reasons behind why someone would release a data set with a considerable price of collateral damage attached to it, while doing very little to mitigate that damage.
Just because the likely options for why someone would do such a thing don't speak favorably of the person, doesn't make it ad hominem. An ad hominem attack is seeking to undermine someone's argument by attacking their character.
I'm saying Mark Burnett made it difficult to assume good things about him after a stunt like that. If he actually made a real argument that what he did was sufficient, or that the harm he's going to cause is more than offset by the greater good it'll do (or some such argument), then we'd have something to try to undermine (whether legitimately or fallaciously), but as it stands, he hasn't even justified his actions.
Research requires data. If I want to do research on how best to implement my bank system, I would like to know what passwords are more likely to be contained in a dictionary attack. Usernames may have a high correlation with passwords and thus are useful. Considering all of these passwords can be obtained from obscure forums/websites and that the website where the IDs are used are not specified, I don't see why he could not release it to the public for researchers to use.
Unfortunately, I was equally impressed with what attackers are able to do with them as well. An important point is that attackers tend to have better lists, because they are the ones stealing and cracking them, and these lists make them increasingly better at cracking passwords. Defenders use the lists for all sorts of analysis on how exactly users pick passwords.
For example, "complex password policies" have become increasingly popular. But do they actually increase the entropy of the chosen passwords? Surprisingly little, since users will "defeat" the policy by applying easy to guess "munging rules". Humans being human and such. The thieves have the lists, and learn to apply the munging rules and defeat the policies. Researchers need these lists so they can discover the same weakness and try to react.
More recent research looks at things like how effective the password strength indicators are at actually helping users choose stronger passwords. We also learn about how users choose different strength passwords based on the sites they visit and such. This is absolutely fertile ground for research which can improve how we perform authentication.
Yet another good use of the lists is in defending against online attacks. E.g. Failed attempts that follow the general probability distribution of the lists are easier to identify as bots.
[1] - I think all the talks are posted, although I'm not sure there's a central archive, each conference is identified as Passwords^[Year], e.g. Passwords^14 https://passwordscon.org/
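The online-defence use mentioned in the comment above (failed attempts that follow the leaked-list distribution look like bots), as an added example that is not from the thread. The reference distribution is the top-20 output of the awk pipeline earlier in the thread; the 1.8% baseline is the share of the 10M accounts those 20 cover. The tracker keeps only each attempt's rank, never the attempted password; the thresholds, the `FailureTracker` class and the failed-login events are assumptions.

```python
from collections import defaultdict

# (password, count) from the thread's pipeline; index = rank a list-driven bot would try.
TOP20 = [("123456", 55893), ("password", 20785), ("12345678", 13582),
         ("qwerty", 13230), ("123456789", 11696), ("12345", 10938),
         ("1234", 6432), ("111111", 5682), ("1234567", 4796), ("dragon", 4191),
         ("123123", 3845), ("baseball", 3734), ("abc123", 3664),
         ("football", 3655), ("monkey", 3330), ("letmein", 3206),
         ("shadow", 3136), ("master", 3126), ("696969", 3050), ("michael", 3002)]
RANK = {pw: i for i, (pw, _) in enumerate(TOP20)}
# Share of the 10M accounts covered by the top 20 (the 1.8% computed above). Assumption:
# a human mistyping an unrelated password lands in the list about this often.
BASELINE_HIT = sum(c for _, c in TOP20) / 10_000_000


class FailureTracker:
    """Runs inside the auth handler: sees each failed attempt, stores only its rank."""

    def __init__(self):
        self.ranks = defaultdict(list)      # src -> [rank or None per failed attempt]

    def record_failure(self, src, attempted_password):
        self.ranks[src].append(RANK.get(attempted_password.lower()))

    def features(self, src):
        seq = self.ranks[src]
        hits = [r for r in seq if r is not None]
        return {
            "attempts": len(seq),
            "hit_rate": round(len(hits) / len(seq), 3) if seq else 0.0,
            "distinct_hits": len(set(hits)),
            # walking the list top-down shows as strictly increasing ranks
            "in_list_order": len(hits) >= 2 and all(a < b for a, b in zip(hits, hits[1:])),
        }

    def looks_like_list_driven_bot(self, src, min_attempts=5, multiple=10, min_distinct=3):
        """Thresholds are assumptions to tune. min_distinct keeps a legitimate user
        who keeps retrying one weak password from being flagged."""
        f = self.features(src)
        return (f["attempts"] >= min_attempts
                and f["hit_rate"] >= multiple * BASELINE_HIT
                and f["distinct_hits"] >= min_distinct)


# Constructed failed-login events: (source address, attempted password).
EVENTS = [("203.0.113.7", p) for p in
          ["123456", "password", "12345678", "qwerty", "123456789", "12345"]]
EVENTS += [("198.51.100.2", p) for p in ["Tr0ub4dor&3", "tr0ub4dor&3", "Tr0ub4dor3"]]
EVENTS += [("192.0.2.9", p) for p in ["letmein", "hunter2", "letmein!", "l3tmein", "letmein"]]


def track(events):
    tracker = FailureTracker()
    for src, pw in events:
        tracker.record_failure(src, pw)
    return tracker
```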
We know users pick bad passwords. It seems to me the most compelling "problem" is hardly a research question -- isn't it about finding ways to encourage users pick strong passwords, not share them between sites, and not put them on sticky notes on their monitors.
Ok, putting my charitable hat again... My best guess is that researchers would like some idea about how long it takes to crack some percentage of accounts; e.g. with rainbow tables or other techniques?
The author mentioned "Analysis of usernames with passwords is an area that has been greatly neglected and can provide as much insight as studying passwords alone." What directions might a researcher take this?
The main goal here is to put the data out there and let other researchers find the value in it.
Anyways, that password is not in this list. I have found it in other password dumps before. So, I don't know what to think.
And just keep in mind that there's one password to "rule them all". That is the password for the primary mail account. I use 2-factor authentication for that.
Can you elaborate? My first thought is tiered by category of the service. No, I don't want my financial institutions to all have the same password, even if it's from the most secure tier.
So there is only a 1% chance of a leaked account getting in this list.
The teacher willfully (and knowingly) teaches the student about "possible means of access to a protected computer."
Note: According to http://www.law.cornell.edu/uscode/text/18/1029 teaching is defined as trafficking information ("the term “traffic” means transfer, or otherwise dispose of, to another, or obtain control of with intent to transfer or dispose of; ")
grep -i <password> 10-million-combos.txt
export HISTCONTROL=ignorespace
 grep -i <password> 10-million-combos.txt
(type a space before the command for it not to be logged in the history)
I don't know a shorter way, but to delete one line from history, do 'history', which shows the line numbers, then 'history -d LINE_NUM'.
Or, in bash, prepend the command with a space and it won't go into history.
Don't put sensitive stuff in CLI args!
edit: Looks like vacri mentioned this in a peer comment an hour ago. Whoops!
This should be fairly straightforward even for non-technical people, if they've got a grasp on actually using the password manager itself. The hard part is (1) getting the list of identities, which isn't too hard if you're hand-holding, and (2) actually remembering to do it. (Which is why annual is nice. You can peg it to a holiday you already celebrate, or substitute it for one you don't. Halloween, for instance, because breaches are scary? Or something.)
Bonus: if a breach happens that actually feels scary, just do the rotation ritual ahead of time. Not that big of a deal.
I thought of exactly the same. I was motivated by the password strength meter out there. How can you actually tell a password is strong or not or whether a password is known to attacker or not if you can ask (I was thinking along the line of private information retrieval) privately and get a probability rather than a yes/no based on all the known stolen credential out in the Internet (there are many Gbs files you can download)...
It would probably be more security theatre than actual security, but I'd imagine that it would at least keep the FBI happy.
All data currently is or was at one time generally available to anyone and discoverable via search engines in plaintext
#successkid
read -r -e -s -p "Password: " password && grep -i -F -- "$password" 10-million-combos.txt | wc -l && password=""
But Barrett Brown is not the first or only example.
Aaron Swartz is the only example I need to understand what to expect from the various US law enforcement agencies.
Swartz? Swartz knowingly did several obviously illegal things (breaking-and-entering?) and then acted shocked when he got charged.
His actions may have been morally defensible, but not legally. Law enforcement did their job there.
Err, no he wasn't. He just managed to get a modest amount of attention.
Currently got it returning this JSON: {"found":true,"password":"test","count":117}
That is smart!
only 180896 people have 1234 in their password, thought there would be more
Everyone knows that legally questionable moves should always be made on a friday. That allows everyone in government to cool down for a couple days. By the time the weekend is over all the news outlets have moved on to whatever war just started up. You don't want some hothead prosecutor tweeting out a threat, forcing himself to follow through later in the week. Nobody picks a fight when 15 minutes away from a weekend.
Watch the NSA/CIA/MIB admissions. They always stage their spying/torturing mea culpas on friday afternoons.