Most active commenters
  • petcat(3)
  • boston_clone(3)
  • tptacek(3)

←back to thread

Man jailed for parole violations after refusing to decrypt his Tor node

(reddit.com)
988 points heavyset_go | 15 comments | 16 Sep 25 12:10 UTC | HN request time: 0.478s | source | bottom
Show context
tptacek ◴[16 Sep 25 13:26 UTC] No.45261951[source]
For whatever it's worth, the Reddit story here says that the federal courts used "fraudulent warrants to jail my husband again". Maybe! The other side of that story, via PACER, is a detailed parole violation warrant (you can hear the marshal refer to it in the video); the violations in that warrant:

1. Admitting to using cannabis during supervised release

2. Failing to make scheduled restitution payments and to cooperate with the financial investigation that sets restitution payment amounts.

3. Falling out of contact with his probation officer, who attempted home visits to find him.

4. Opening several new lines of credit.

5. Using an unauthorized iPhone (all his Internet devices apparently have keyloggers as a condition of his release).

These read like kind of standard parole terms? I don't know what the hell happened to get him into this situation in the first place, though.

replies(13): >>45261987 #>>45262004 #>>45262031 #>>45262032 #>>45262053 #>>45262096 #>>45262107 #>>45262359 #>>45262427 #>>45262489 #>>45262691 #>>45263190 #>>45263322 #
tptacek ◴[16 Sep 25 13:33 UTC] No.45262053[source]
OK, I think I found the original thing Rockenhaus was convicted of.

Back in 2014, Rockenhaus worked for a travel booking company. He was fired. He used stale VPN access to connect back to the company's infrastructure, and then detached a SCSI LUN from the server cluster, crashing it. The company, not knowing he was involved, retained him to help diagnose and fix the problem. During the investigation, the company figured out he caused the crash, and terminated him again. He then somehow gained access to their disaster recovery facility and physically fucked up a bunch of servers. They were down a total of about 30 days and incurred $500k in losses.

(He plead this case out, so these are I guess uncontested claims).

replies(12): >>45262123 #>>45262144 #>>45262161 #>>45262367 #>>45262384 #>>45262386 #>>45262724 #>>45262818 #>>45262976 #>>45263837 #>>45263945 #>>45264601 #
petcat ◴[16 Sep 25 13:42 UTC] No.45262161[source]
If all of that is true, then that is a very serious CFAA charge. It makes sense that they would want to downplay it as "minor" and "not relevant". It sounds like the parole violations came later? In any case, thank you for researching. There is always more to the story.
replies(3): >>45262268 #>>45262432 #>>45262527 #
mothballed ◴[16 Sep 25 14:13 UTC] No.45262527[source]
Weev 'violated' the CFAA for incrementing a GET request, with his overturned conviction only for wrong jurisdiction. So the government has put us in a position where it's hard to take the CFAA seriously.

We also know from prosecutions in other statutes that the government will often prosecute a a broad crime with many separate sub-definitions of the various way you can break it, then refuse to tell you under which sub-definition you're being charged, meaning you have no way to know if the jury even were unanimously convicting for the same thing and no way to know what you're even defending against.

replies(8): >>45262557 #>>45262571 #>>45262622 #>>45262628 #>>45262637 #>>45262699 #>>45263111 #>>45269890 #
VWWHFSfQ ◴[16 Sep 25 14:16 UTC] No.45262571[source]
The CFAA isn't super complicated. It basically boils down to:

Don't fuck with other people's shit if they don't want you to.

replies(2): >>45262657 #>>45262929 #
boston_clone ◴[16 Sep 25 14:23 UTC] No.45262657[source]
Are you a lawyer by chance?

I seem to remember cases or interpretations of the CFAA in which even guessing the username password combo of "admin:admin" would violate the act, resulting in teenagers or children being caught up in cYbEr FrAuD

replies(4): >>45262775 #>>45262844 #>>45263173 #>>45263872 #
1. petcat ◴[16 Sep 25 14:31 UTC] No.45262775[source]
It doesn't matter if you brute forced their crappy login with commonly-used credentials. You think it's OK for someone to rummage around in your garage just because they correctly guessed your keycode was 12345? Of course not.
replies(3): >>45262878 #>>45263340 #>>45263928 #
2. boston_clone ◴[16 Sep 25 14:38 UTC] No.45262878[source]
I'm more focused on the assertion that "The CFAA isn't super complicated."

Which raises sincere doubts about the commenter's credibility to make such a claim.

replies(1): >>45263418 #
3. RankingMember ◴[16 Sep 25 15:07 UTC] No.45263340[source]
Doesn't this posture also criminalize white-hat hackers, whose disclosures would protect you from the people who actually want to do damage?
replies(2): >>45263951 #>>45264008 #
4. echoangle ◴[16 Sep 25 15:12 UTC] No.45263418[source]
How does „you’re not allowed to guess credentials“ mean it’s complicated?
replies(1): >>45264146 #
5. account42 ◴[16 Sep 25 15:52 UTC] No.45263928[source]
You think walking through an unlocked door should result in federal charges?
replies(3): >>45264081 #>>45264092 #>>45264523 #
6. dpassens ◴[16 Sep 25 15:54 UTC] No.45263951[source]
(I don't know enough about the CFAA to know whether this is true so I'll assume it is.)

To continue the garage door analogy, you wouldn't walk up to any random garage door and try code 12345 to help protect the owner's stuff, would you?

replies(1): >>45265166 #
7. ecb_penguin ◴[16 Sep 25 15:58 UTC] No.45264008[source]
> Doesn't this posture also criminalize white-hat hackers, whose disclosures would protect you from the people who actually want to do damage?

There is no law for "white-hat hackers". You don't get to break into a system because the color of your hat.

"White-hat hackers" have contracts, or very specific rules of engagement. Having run many a bug bounty, if someone was malicious, we would absolutely work to prosecute.

You can also find bugs in software freely, as long as you don't obtain unauthorized access to other people's systems.

replies(1): >>45264084 #
8. petcat ◴[16 Sep 25 16:03 UTC] No.45264081[source]
So now the door is unlocked?? Where are the goal posts?

Don't mess with people's stuff if they don't want you to. This seems very simple to me. But I'm aware that you're trying to find some fringy gray area where you think it will be OK to mess with people's stuff even though they don't want you to.

replies(1): >>45270678 #
9. tptacek ◴[16 Sep 25 16:03 UTC] No.45264084{3}[source]
This isn't true: there is, jurisdictionally dependent and I think also dependent on DOJ norms, a broad exception for good-faith white hat vulnerability research that would otherwise violate CFAA. Like I said, CFAA is very complicated in practice.
10. Ekaros ◴[16 Sep 25 16:04 UTC] No.45264092[source]
So what about using rakes or bump keys? Very low tech, very easy. Can defeat some poor quality locks.
replies(1): >>45273239 #
11. boston_clone ◴[16 Sep 25 16:08 UTC] No.45264146{3}[source]
I think that's a massive oversimplification of how the CFAA has been applied.
12. ptero ◴[16 Sep 25 16:35 UTC] No.45264523[source]
Walking through an unlocked door that has a sign "private property, do not enter", searching for sensitive information, finding it and exposing it surely could.

Or not, depending on how the party who owns what's inside that door feels. But if it feels he should be prosecuted, then hell yes, the state should do that. My 2c.

13. RankingMember ◴[16 Sep 25 17:27 UTC] No.45265166{3}[source]
To stick with this analogy: I think a white hat equivalent would be more like driving down the street with a garage door remote set to a default code and then notifying anyone whose door opens in response that they should change their code. I don't think that should be illegal.
14. Dylan16807 ◴[17 Sep 25 01:58 UTC] No.45270678{3}[source]
If we're making an analogy to the Weev case then yes the door was unlocked, with the explicit intent that the general public could come through that door and access some of the documents.
15. account42 ◴[17 Sep 25 08:20 UTC] No.45273239{3}[source]
Still sounds like petty crime that doesn't need the FBI to roll in.

The point is that in the physical world there is some notion of proportionality in the response to trespassing depending on the actual damage done and sophistication and premeditation of the act. We don't generally lock up people because they accidentally walked into an area they shouldn't have. But once computers are involved we have laws that automatically make even even minor infractions into a big scary issue that allows the government to essentially destroy someone's live.