←back to thread

Man jailed for parole violations after refusing to decrypt his Tor node

(reddit.com)
989 points heavyset_go | 4 comments | 16 Sep 25 12:10 UTC | HN request time: 0.001s | source
Show context
tptacek ◴[16 Sep 25 13:26 UTC] No.45261951[source]
For whatever it's worth, the Reddit story here says that the federal courts used "fraudulent warrants to jail my husband again". Maybe! The other side of that story, via PACER, is a detailed parole violation warrant (you can hear the marshal refer to it in the video); the violations in that warrant:

1. Admitting to using cannabis during supervised release

2. Failing to make scheduled restitution payments and to cooperate with the financial investigation that sets restitution payment amounts.

3. Falling out of contact with his probation officer, who attempted home visits to find him.

4. Opening several new lines of credit.

5. Using an unauthorized iPhone (all his Internet devices apparently have keyloggers as a condition of his release).

These read like kind of standard parole terms? I don't know what the hell happened to get him into this situation in the first place, though.

replies(13): >>45261987 #>>45262004 #>>45262031 #>>45262032 #>>45262053 #>>45262096 #>>45262107 #>>45262359 #>>45262427 #>>45262489 #>>45262691 #>>45263190 #>>45263322 #
tptacek ◴[16 Sep 25 13:33 UTC] No.45262053[source]
OK, I think I found the original thing Rockenhaus was convicted of.

Back in 2014, Rockenhaus worked for a travel booking company. He was fired. He used stale VPN access to connect back to the company's infrastructure, and then detached a SCSI LUN from the server cluster, crashing it. The company, not knowing he was involved, retained him to help diagnose and fix the problem. During the investigation, the company figured out he caused the crash, and terminated him again. He then somehow gained access to their disaster recovery facility and physically fucked up a bunch of servers. They were down a total of about 30 days and incurred $500k in losses.

(He plead this case out, so these are I guess uncontested claims).

replies(12): >>45262123 #>>45262144 #>>45262161 #>>45262367 #>>45262384 #>>45262386 #>>45262724 #>>45262818 #>>45262976 #>>45263837 #>>45263945 #>>45264601 #
petcat ◴[16 Sep 25 13:42 UTC] No.45262161[source]
If all of that is true, then that is a very serious CFAA charge. It makes sense that they would want to downplay it as "minor" and "not relevant". It sounds like the parole violations came later? In any case, thank you for researching. There is always more to the story.
replies(3): >>45262268 #>>45262432 #>>45262527 #
mothballed ◴[16 Sep 25 14:13 UTC] No.45262527[source]
Weev 'violated' the CFAA for incrementing a GET request, with his overturned conviction only for wrong jurisdiction. So the government has put us in a position where it's hard to take the CFAA seriously.

We also know from prosecutions in other statutes that the government will often prosecute a a broad crime with many separate sub-definitions of the various way you can break it, then refuse to tell you under which sub-definition you're being charged, meaning you have no way to know if the jury even were unanimously convicting for the same thing and no way to know what you're even defending against.

replies(8): >>45262557 #>>45262571 #>>45262622 #>>45262628 #>>45262637 #>>45262699 #>>45263111 #>>45269890 #
VWWHFSfQ ◴[16 Sep 25 14:16 UTC] No.45262571[source]
The CFAA isn't super complicated. It basically boils down to:

Don't fuck with other people's shit if they don't want you to.

replies(2): >>45262657 #>>45262929 #
boston_clone ◴[16 Sep 25 14:23 UTC] No.45262657[source]
Are you a lawyer by chance?

I seem to remember cases or interpretations of the CFAA in which even guessing the username password combo of "admin:admin" would violate the act, resulting in teenagers or children being caught up in cYbEr FrAuD

replies(4): >>45262775 #>>45262844 #>>45263173 #>>45263872 #
efdee ◴[16 Sep 25 14:56 UTC] No.45263173[source]
Breaking in in a system, whether or not the password was easy to guess, sounds like a crime to me.
replies(2): >>45263612 #>>45263644 #
NoMoreNicksLeft ◴[16 Sep 25 15:31 UTC] No.45263644[source]
It does sound like a crime to me too. But was it a password or other credential that was guessed, or was it just some sequential primary key? The latter is not an authorization system, and I do not believe it a crime to do that unless you have specific knowledge that it is likely to cause damage and/or the intent to cause that damage.

As far as I am concerned, I am allowed to send any traffic I wish to public-facing hosts, and if they respond with content that the owners would not wish me to see, I have no responsibility to refrain. The only traffic I am not permitted to send are credentials I am not authorized to use (this would include password guessing, because if I manage to guess correctly, I was still not permitted to use it).

So which was it?

replies(2): >>45263823 #>>45264058 #
ecb_penguin ◴[16 Sep 25 16:01 UTC] No.45264058[source]
You are not allowed unauthorized access regardless of how the key works.

> I am allowed to send any traffic I wish to public-facing hosts

No you're not. Denial of service is a federal crime.

> I have no responsibility to refrain

Yes you do, and this is just beyond silly. The nuance of how you obtained it will be decided in a court. Stop making everything so reductionist and lazy.

> The only traffic I am not permitted to send are credentials I am not authorized to use

Absolutely not. Use of a vulnerability to cause a data breach is OBVIOUSLY a federal crime.

This is beyond absurd.

replies(1): >>45266250 #
1. NoMoreNicksLeft ◴[16 Sep 25 18:49 UTC] No.45266250{3}[source]
> You are not allowed unauthorized access regardless of how the key works.

You and I seem to both speak/write English, but there is a language barrier. For me, "authorization" means that they have given me credentials, and any content locked down under those credentials is off-limits.

For you, "authorization" is a magical term that has no real meaning. It means that they want me to have the content. But I am no telepath, and I do not know what they want me to have or do not want me to have. The only way, from my point of view, to know what they want me to have or not is to try to retrieve the content without credentials, and if it succeeds, it's legal.

Of course, there are a few corner cases. What if I discover some software defect that very clearly shows they intended to require credentials, and a test without credentials shows that it is indeed off-limits, but exploiting the defect produces that content? I wouldn't do that, that'd be illegal.

But your way of (non-)thinking is alien to me, and no reasonable judge or legislator could possibly mean what you claim that law states. Or at least what you seem to claim.

>No you're not. Denial of service is a federal crime.

Only with intent. If I send reasonable content that shouldn't be DoS, how was I to know? I intend no crime.

>Yes you do, and this is just beyond silly.

You're the one being silly. You can't even decide what you mean by "authorized".

>The nuance of how you obtained it will be decided in a court.

I'm never going to trial, I'm not even going to be noticed.

>Use of a vulnerability to cause

Use of a clear defect. The biggest and most dangerous vulnerabilities are the apathy and stupidity of their employees, their lack of a sane business model and attainable vision, and so on. Using those is just common sense. There is a popular magazine that is subscription only. But they have the pdf download links hidden with display: none CSS. These links require no authorization. Just knowledge. I retrieve those quite punctually.

replies(1): >>45266454 #
2. tptacek ◴[16 Sep 25 19:04 UTC] No.45266454[source]
You're both veering out of CFAA jurisprudence in different ways. But you know you're in trouble when you start saying things like "I am no telepath", because in fact a big part of an ambiguous CFAA case will be determining what a reasonable person (ie: the jury) would think confronted with the computer system under discussion. There will in fact be mind reading involved; your intent would in fact be tried.

There's nothing at all CFAA-specific about this; this is really basic US criminal law and it comes up in all sorts of different criminal justice contexts. The terms you're both dancing around are mens rea and actus reus.

replies(1): >>45270358 #
3. NoMoreNicksLeft ◴[17 Sep 25 01:11 UTC] No.45270358[source]
>But you know you're in trouble when you start saying things like "I am no telepath",

I'm not in trouble. There is virtually zero chance of this ever being noticed by law enforcement, and even less chance than that of them giving a shit.

Also note, I am not arguing what the worst possible interpretation might falsely convict someone of, but how the law should be viewed, or, if someone can demonstrate to my satisfaction that the law disagreed with, then how it should be altered.

If I have to guess what retards (read: juries) might think is reasonable, then there can be no public internet. We're just a few years after journalists were arrested for looking at html source with "view source", aren't we?

>The terms you're both dancing around are mens rea

I'm only mildly ignorant. Has CFAA ever been considered to describe strict liability crimes?

replies(1): >>45270598 #
4. tptacek ◴[17 Sep 25 01:45 UTC] No.45270598{3}[source]
You're in trouble rhetorically, is what I mean, because your argument is completely alien to criminal law.