Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Social Networks Twitter

Pop Star Tells Fans To Send Their Twitter Passwords, But It Might Be Illegal (arstechnica.com) 116

Cyrus Farivar, reporting for Ars Technica: As a new way to connect with his fans, Jack Johnson -- one half of the pop-rap duo Jack & Jack, not to be confused with the laid back Hawaiian singer-songwriter of the same name -- has spent the last month soliciting social media passwords. Using the hashtag #HackedByJohnson, the performer has tweeted at his fans to send him their passwords. (Why he didn't go for the shorter and catchier #JackHack, we'll never know.) Then, Johnson posts under his fans' Twitter accounts, leaving a short personalized message, as them. While Johnson and his fans likely find this password sharing silly and innocuous, legal experts say that Jack Johnson, 20, may be opening himself up to civil or criminal liability under the Computer Fraud and Abuse Act, a notorious anti-hacking statute that dates back to the 1980s. "While the entertainer in question likely considers this password collection to be a harmless personalized promotional activity, there may indeed be legal implication of both the fans' and the entertainer's conduct," Andrea Matwyshyn, a law professor at Northeastern University, told Ars.
This discussion has been archived. No new comments can be posted.

Pop Star Tells Fans To Send Their Twitter Passwords, But It Might Be Illegal

Comments Filter:
  • by aristotle-dude ( 626586 ) on Tuesday July 26, 2016 @11:07AM (#52582439)
    There is no "hacking" involved.
    • Twitter did not consent.
      • Re: (Score:2, Insightful)

        by Anonymous Coward

        Twitter did not consent.

        That's irrelevant. That only makes it against their TOS, giving them grounds to terminate the account/service.
        However, that doesn't make it any more illegal than me posting an email with my neighbors credentials while fixing/testing his email software.

        • "That's what SHE said!"

        • by mysidia ( 191772 )

          That's irrelevant. That only makes it against their TOS, giving them grounds to terminate the account/service.

          It's also against their TOS to login using someone else's credentials, and violating the TOS in that manner may be deemed Wire Fraud under the Act, and Has been before [fortune.com].

          See, the Netflix case, where sharing passwords resulted in Jail time, and the Federal Appeals court upheld the password sharing as a Computer Fraud and Abuse Act violation.

      • by Anonymous Coward

        Still not a crime based on the Computer Fraud and Abuse Act, just a possible breach of TOS.

      • Gosh I hope it didn't trigger them!

      • Twitter did not consent.

        It's likely a violation of Twitter's terms of "don't share your password" but that doesn't make it illegal or criminal.
        It's stupid to give your password out but to my knowledge not illegal even if it's the password to your bank's website.
        You might even be considered an "unauthorized user" from twitter's perspective but by giving you their password,
        the end-user has made you the defacto authorized user of that account.

        • by vux984 ( 928602 ) on Tuesday July 26, 2016 @11:39AM (#52582717)

          You might even be considered an "unauthorized user" from twitter's perspective

          That is precisely what triggers the fraud and abuse act.

          but by giving you their password,
          the end-user has made you the defacto authorized user of that account.

          The end user is not authorized to do that, per the Terms of Service.

          Look, the point is that its is not an open and shut case. There is a valid legal argument, bolstered by recent court rulings that the CFAA can be triggered in this way. The most recent court cases was just such an example of an authorized user sharing their password with an ex-employee. Obviously that's not exactly the same thing.

          But its close enough in a lot of ways, the twitter user, like the employee doesn't really 'own the account'. It is assigned to them and they aren't allowed to share it. So if they do share it the person they share it with is NOT an authorized user, and that in theory triggers the CFAA.

          Yes, its all kinds of stupid... but the CFAA is all kinds of stupid too.

          • The most recent court cases was just such an example of an authorized user sharing their password with an ex-employee.

            How did that turn out?

          • This is not stupid at all. It mirrors the obvious principle that everyone here knows, which is that authorization to use a system does not necessarily confer authorization to authorize additional users. This has been a principle in UNIX since before most of us were born, and it continues to be a principle of every multi-user operating system since. There are distinct privilege levels between user and some form of super-user that has the right to authorize additional users.

            Moreover, it's a principle of our d

            • by vux984 ( 928602 )

              This is not stupid at all.

              Yes, yes it IS stupid.

              It mirrors the obvious principle that everyone here knows, which is that authorization to use a system does not necessarily confer authorization to authorize additional users.

              But does that principle automatically apply here? Does a normal person *consider* their Twitter account their own property or the property of twiiter. (Not the legalese... but in terms of how they think about and interact with it.)

              Moreover, it's a principle of our daily lives that's so obvious we don't even mention it. I let my neighbor Bob use my pool whenever he wants, but I would be shocked if Jill was using it and just said "Oh yeah, Bob said I could".

              Exactly right. Its clearly your property, and your delegate has clearly exceeded his authority according to all social conventions. That would be quite the faux pas, and you'd be rightfully upset.

              There is no reason that the principle of non-delegation (that is to say, without explicit authority granted to delegate) shouldn't apply to the virtual world just as much as it applies everywhere else.

              It doesn't automatically apply everywhere else. It applies whe

              • But does that principle automatically apply here? Does a normal person *consider* their Twitter account their own property or the property of twiiter.

                No one is talking about ownership of the account, if that's even a well-formed concept. It doesn't matter either way, because what we are talking about is Twitter's actual physical servers.

                Twitter has authorized everyone to connect to their servers to do certain operations (like read all tweets)
                Twitter has authorized person A to use their physical servers to do other operations (like write a tweet or a DM). To enforce this authorization, Twitter and A agree an authentication token (password, whatever).
                Twitt

                • by vux984 ( 928602 )

                  By comparison, I might own all the items in my safe deposit box at the bank. But clearly I don't own the bank, or even the bank lobby. And yet I cannot access my owned items except by using the bank's property.

                  Not a bad example. And likewise, if I wanted to send someone to the bank to retrieve or add to the contents of the safety deposit box, that would be my prerogative.

                  Well, OK. Then legally a legal court of law will come to a different legal conclusion than a person with no technical or legal expertise might come to.

                  Where the law varies significantly from people's expectations is where conflict arises, and the law is usually wrong or ultimately unenforceable, because society en masse simply ignores the law.

                  The law ultimately is supposed to reflect and enforce the social contract, not the other way around.

                  Also, civil engineer might build a bridge differently than a normal person would. News at 11!

                  Of course. But if the normal people couldn't cross the

                  • Not a bad example. And likewise, if I wanted to send someone to the bank to retrieve or add to the contents of the safety deposit box, that would be my prerogative.

                    I agree and I don't agree. You have the power delegate authority to add or remove items from the box. That is surely your prerogative. So if you fall ill or move to another country, surely you can delegate your rights over the box itself to Bob.

                    The part where I don't agree is the idea that your authorization to Bob in any way impacts whether he is allows to use the bank lobby to access the box. Under no feasible reading of the safe-deposit-box-owner-protocol did you ever possess any authority over the bank

          • Who cares who's server the account is hosted on? Seriously - the user is authorized to use that account by Twitter. The user gives authorization to someone else for their account. End of story. Twitter should just f*ck off and die, along with all the idiots who take it so seriously.
        • by mysidia ( 191772 )

          You might even be considered an "unauthorized user" from twitter's perspective but by giving you their password, the end-user has made you the defacto authorized

          This is like handing the keys to your rental car to a stranger on the street and telling them to "have at it". Chances are the rental agreement doesn't allow this, and if they're pulled over driving when you're not there, they can be jailed. Unless you're a high-ranking employee or agent of Twitter, then nothing grants you the right to authori

      • Twitter did not consent.

        Gmail did not consent (and I SURE didn't) when a lady accepted the fB offer to "Help her find her friends" by spamming everyone she had every contacted using Gmail...
        BTW, what happens to those lists of contacts once fB has spammed them?
        I'll bet they are deleted right away to avoid any appearance of data collection on non-users! Oh, sorry, that cat has been out of the bag for so long I forgot about it...

      • Twitter didn't agree to allow him to send up to 144 characters to a list of feed subscribers for the purpose of communication? Really?
    • by Anonymous Coward

      CFAA doesn't care about consent. The second a site inserts language in their Terms of Service that users cannot share accounts, any login not from the person who owns the account in question is a violation of CFAA. Wonder why we hate that law so much?

      • by Opportunist ( 166417 ) on Tuesday July 26, 2016 @11:24AM (#52582563)

        But for once this insane law will hit "normal" people instead of just "computer geeks". And since people only start to think about insane laws when they have a "this could have been me!" experience, this might finally get something moving there.

        • by mysidia ( 191772 )

          The users who were tricked to sharing a password aren't necessarily the ones who broke the law, per se, although (I suppose) that argument could be made too, since they "Dealt in means of access" with intent.

          However, the Pop Star faces more serious trouble for phishing passwords out of followers and accessing their accounts.

    • Just have everyone who decides to share their password with him sign an agreement or waiver of some kind that spells out what it's being shared for, what he can and can't do with it (like change it and not tell them what it's changed to), the duration of his access to their Twitter account, and that they understand that at the end of the term of the agreement, it's their responsibility to change the password to something else. Any judge or jury should understand the difference (and importance) of the 'spiri
      • by Threni ( 635302 )

        No need. If you give someone your password you're letting them do what they want with your account. If you didn't want that, you shouldn't have given them your password. There's no point labouring the point with a contract. And i've no idea where you got the idea that the spirit of the law is important; that's what laws are for.

        • And i've no idea where you got the idea that the spirit of the law is important; that's what laws are for.

          Are you trolling? You must be, or you're hopelessly pedantic and literal. If all there was, was just the strict interpretation of the law, then the entire country would be one huge prison. Judges and juries exist in part to interpret the law and make appropriate judgements, not just mechanically apply potentially flawed, certainly imprecise text authored by potentially flawed, certainly imprecise biological brains.

    • by Lumpy ( 12016 )

      Does not matter, The morons in Congress will call it a terrorist action and put him in Gitmo for 60 years.

      This is the problem when laws are passed by dimwits that can barely tie their shoes in the morning, let alone understand something as complex as a computer or twitter.

      Here int he USA we have a major problem. WE allow the very uneducated to be the ruling class, this causes tons of laws that are absurd and applied badly.

      • Here int he USA we have a major problem. WE allow the very uneducated to be the ruling class, this causes tons of laws that are absurd and applied badly.

        Worse than that, we actively vote them into office.

        • by Lumpy ( 12016 )

          Which is very telling as to the general IQ level of the american populace.

          Our public education system is breeding generations of morons.

  • by freeze128 ( 544774 ) on Tuesday July 26, 2016 @11:12AM (#52582483)
    Give Jack your credit card number and ATM PIN to get a customized message from your bank about how you don't have any money anymore.
    • The fans of this Jack (whom I've never heard of) probably won't have much worth stealing. What you want to do is persuade them to get account numbers and PINs of their parents. They'd probably do it for something trivial in return, like a signed photo or, as stated, a personalized message in social media.

      And why was the password required anyway? If you have less than 50 followers on Twitter, which I assume would be the case for most people, then any mention of your @accountname stands out. Although there is

      • And why was the password required anyway?

        It really wasn't, since they could have granted posting privileges via OAuth without giving away the password. Don't pop stars have marketing teams to help them with technical details of this sort of thing?

    • Give Jack your credit card number and ATM PIN to get a customized message from your bank about how you don't have any money anymore.

      Because there's an order of magnitude difference in affect on a person. That's why you would stop there. Jack can have my Twitter login, because I don't give a shit. The same can't be said about my bank account.

    • by __aaclcg7560 ( 824291 ) on Tuesday July 26, 2016 @11:22AM (#52582549)

      Vice President of the United States isn't your garden variety job. If this was an ordinary job that demanded my social media passwords, I would say, "Oh, hell no!"

      On a related note, I'm still waiting for Donald Trump to release his tax returns.

    • by PPH ( 736903 )

      Family members? I wonder how that would go over with adult children.

      "Son. I need to turn over your passwords in order to apply as Clinton's VP."

      "Fuck you, dad. By the way, I'm voting for Trump."

  • by __aaclcg7560 ( 824291 ) on Tuesday July 26, 2016 @11:29AM (#52582613)
    I've worked at many Fortune 500 companies in Silicon Valley. Each one has the same policy that users aren't supposed to share or write down their passwords. As an IT support technician, I had to prevent people from telling me their passwords. It never fails that find someone's password written on a Post-It note on their monitor or underneath their keyboard. Whenever a user compromises their password, I set their AD account to change password on next login. They always get mad at me when they have to change their password.
    • by Frosty Piss ( 770223 ) * on Tuesday July 26, 2016 @11:57AM (#52582849)

      As an IT support technician, I had to prevent people from telling me their passwords. It never fails that find someone's password written on a Post-It note on their monitor or underneath their keyboard. Whenever a user compromises their password, I set their AD account to change password on next login

      So, when you are talking to a non-IT / non-IT savvy network user who has to "remember" 20 (and that's not a high number for some folks) different UID/PAS combos, what exactly is your suggestion beyond writing it down and securing the written source?

      This is an honest question that should not be poo-pooed by the "leet IT Dudes" as the fallout of moron netwrok users...

      • So, when you are talking to a non-IT / non-IT savvy network user who has to "remember" 20 (and that's not a high number for some folks) different UID/PAS combos, what exactly is your suggestion beyond writing it down and securing the written source?

        That's an extremely high number of combos. Most jobs that I had only required a single password. My current job has two-factor authentication: Windows login is a PIV card with a PIN, and administrator account has a security login with a complex passwords.

        • by PPH ( 736903 )

          Most jobs

          People have passwords for things other than their job. Hopefully, they don't use the same one for their DoD job and Slashdot.

          I have 110 uid/passwords for various accounts (everything from banking to Netflix) stored safely (encrypted, pass-phrase protected) on a portable device.

          • Hopefully, they don't use the same one for their DoD job and Slashdot.

            My DoD CAC pin is 123456. My Slashdot pass is a little more secure.

        • Most jobs that I had only required a single password.

          You are the exception. Many jobs require indevidual logins to many systems. I've had as many as 25, though right now it's 10. Yes, I write them down.

        • I think I had one password back in 1986. Since then, I've kept getting more. They've gone down recently, with a lot of stuff accessible via Lincpass, but I've still got a whole slew of work pws for various systems. Not to mention several slews of non-work pws.

      • by gosand ( 234100 )

        Well, all this IT tech has done is forced the user to come up with a new password and WRITE IT DOWN ON ANOTHER POST-IT. He may think he is being clever, but what he has done is ensure that they will just do it again because it's a new password.

        What he should do is come up with a method by which they can create a secure password and write down the hint to remember it, and distribute that process to everyone. In other words, TEACH them how to do good passwords.

        1. Think of a very memorable event in your lif

        • 1. Think of a very memorable event in your life.
          2. Come up with a password based on that event.
          3. Make it follow convention. (e.g. capitals, letters, length, etc)
          4. Make it able to be changed easily without changing the event.

          Example: My dog Daisy died in 1998
          password: DaisyRIPxx98

          Nice.

          Remember that through 20 permutations associated with 20 random user accounts.

          Like I said, I write them down and secure them. No "hacker" is going to break into my office and pry open my desk. And if they do? They can have 'em, not that important, they would find out how to hack in anyway.

          • by gosand ( 234100 )

            I am not an admin, I only need to remember my passwords. Personally, I have a less-secure "story" and a more-secure "story". So I basically have 2 variations on the story behind my passwords. That doesn't mean I have only 2 passwords of course. So even if someone cracked one of my passwords they would be able to guess my others. And I have been using the secure scheme since 1996. The password looks totally random, but I know the story behind it, and remember the variations I made. So I can write down

      • by idji ( 984038 )
        Use a password vault like keepass, or let your browser handle it like firefox or chrome, or icloud or your iphone.
      • People in my company - including the non-geeks - seem to manage OK without writing them down on a postie. This is with a policy requiring passwords be changed every few months and have a certain complexity.

        Sometimes you forget and need to get the password reset, but in general most people seem to be smarter than you credit them for.

        If you have trouble remembering, go for something based on a phrase or a common variation for different services.

  • if this is the most illegal thing young people are doing today then it seems like a good deal to me. Let the law professor talk it up as a high crime and let the kids revel in their their forbidden fun.
  • by wardrich86 ( 4092007 ) on Tuesday July 26, 2016 @11:41AM (#52582735)
    1. If he asks for your password, and you provide it... there's really no unlawful action there. He didn't force you to give it to him, and you had all the power and right in the world to not be an idiot and toss it out there. I wonder how long before somebody hacks Jack's email and scoops up all those yummy accounts.

    2. You fucking gave the guy your password. That's not hacking. He needs to change his hashtag to #PostedByJohnson or #ThisUserWasDumbEnoughToGiveMeTheirPassword
    • 1. If he asks for your password, and you provide it... there's really no unlawful action there. He didn't force you to give it to him, and you had all the power and right in the world to not be an idiot and toss it out there. I wonder how long before somebody hacks Jack's email and scoops up all those yummy accounts. 2. You fucking gave the guy your password. That's not hacking. He needs to change his hashtag to #PostedByJohnson or #ThisUserWasDumbEnoughToGiveMeTheirPassword

      While I agree with your common sense approach, the law may see things differently. If Twitter decided it was an unauthorized use, as they define unauthorized based on their TOS, someone could be charged. It would be a stupid waste of time and one would hope a judge, after he or she stopped laughing, tossed the case. It does illustrate how something that would be considered normal in the physical world, i.e. I give you the key to my diary to let you write in it, could be illegal in cloud space where you don'

  • Why he didn't go for the shorter and catchier #JackHack, we'll never know.

    Saving that for when headphone jacks disappear from smartphones.

  • by doconnor ( 134648 ) on Tuesday July 26, 2016 @12:01PM (#52582883) Homepage

    I don't know any of those Jack Johnsons. The only one I know is the Futurama Presidential candidate Jack Johnson [theinfosphere.org] who ran against his rival and clone, John Jackson.

  • Because a "JackHack" sounds like a masturbation shortcut.
  • Seriously - why do things like Twitter need a password? It's not an email account, it's not that hard to hack and no body is going to lose anything important if someone else takes their twitter account.

  • by Anonymous Coward

    Yeah Hackedbyjohnson sounds bad but
    A hacked Johnson would be way worse.
    I'll let myself out.

  • Donald says email your passwords to him. Hillary says, no email, no way. Please never email anything to her... EVER.
  • by Anonymous Coward

    If TPTB say it's illegal, then it doesn't if there's a law or not, at least that's the impression I've gotten over the last decade or two.

  • Some website services require you to provide your password to some other site to work. For example, email filtering or some finance sites.

    I know that when done correctly the site provides an authentication token, but the old-style approach was to just require you to provide your mail or bank's password.

To stay youthful, stay useful.

Working...