Is the guessing of a password on Eveboard illegal?

Ruskarn Andedare
Lion Investments
#61 - 2013-07-19 12:49:56 UTC
RoCkEt X wrote:
And I'm not gonna get arrested for guessing the password for publicly available information (i.e. PL forum app) especially considering I didn't even use the information (logged in with 3 days on skill plan) maliciously or otherwise, to blow up an internet spaceship in a game where information is traded and shared by the minute without the consent of its originator.



No, you're not going to get arrested because Chribba said he doesn't think it's a problem and he is the data owner.

If Chribba wanted to report you then it would be a whole other ballgame.
Kat Ayclism
Republic Military School
Minmatar Republic
#62 - 2013-07-19 12:53:34 UTC  |  Edited by: Kat Ayclism
Ruskarn Andedare wrote:
RoCkEt X wrote:
And I'm not gonna get arrested for guessing the password for publicly available information (i.e. PL forum app) especially considering I didn't even use the information (logged in with 3 days on skill plan) maliciously or otherwise, to blow up an internet spaceship in a game where information is traded and shared by the minute without the consent of its originator.



No, you're not going to get arrested because Chribba said he doesn't think it's a problem and he is the data owner.

If Chribba wanted to report you then it would be a whole other ballgame.

CCP Games is the data owner friend. Chribba is allowed to use the data under CCP's terms.

Hope you e-lawyers are as up to date on your contract law as you are on your information and privacy laws!
BoomBoss
KarmaFleet
Goonswarm Federation
#63 - 2013-07-19 12:59:26 UTC
Rofl, all this over a few space pixels. Big smile
Medarr
Viziam
Amarr Empire
#64 - 2013-07-19 13:09:45 UTC
Kat Ayclism wrote:

Social engineering and hacking are not the same thing, friend.

You said that the security of eveboard was compromised, which it was not. If you don't know about the subject you're going to blab on about it helps to just not say anything on it.

A single guess is not going to throw any anti-bruteforcing measures of the site. Even the requiring of rulesets that force people to use a seemingly more secure password are actually counter to the goal of securing the user's account as the rulesets *limit* the keyspace one would have to use in a bruteforce attack. A reasonably open-ended password ruleset *allows* for both hilariously bad passwords such as this genius' and genuinely secure ones.

The responsibility is firmly in the hands of doofuses that pick such passwords, and it's wholly unfair to call Chribba's work insecure based on something like this.


You don't know what you're yapping about, friend.

Quote:

Social engineering, in the context of information security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. This is a type of confidence trick for the purpose of information gathering, fraud, or gaining computer system access. It differs from traditional cons in that often the attack is a mere step in a more complex fraud scheme.
"Social engineering" as an act of psychological manipulation had previously been associated with the social sciences, but its usage has caught on among computer and information security professionals.


It is as much the site creator's responsibility to make things idiot-proof as it is the user's responsibility to use strong passwords, and running fail2ban is a nice brute-force prevention which also works for webservers, not only SSH.
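
As an added illustration (not part of any post in this thread, and not Eveboard's or fail2ban's own code): the sliding-window rule that fail2ban-style tools apply to web login failures, using fail2ban's `maxretry`/`findtime`/`bantime` option names. The log format, the `/login` path, the 401-on-failure status and every log line are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (combined-log style). The /login path and
# the 401 status for a failed login are assumptions about the web app.
SAMPLE_LOG = """\
192.0.2.44 - - [19/Jul/2013:12:00:00 +0000] "POST /login HTTP/1.1" 401 312
198.51.100.7 - - [19/Jul/2013:12:00:01 +0000] "POST /login HTTP/1.1" 401 312
198.51.100.7 - - [19/Jul/2013:12:00:09 +0000] "POST /login HTTP/1.1" 200 5120
203.0.113.9 - - [19/Jul/2013:12:01:00 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.9 - - [19/Jul/2013:12:01:02 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.9 - - [19/Jul/2013:12:01:04 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.9 - - [19/Jul/2013:12:01:06 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.9 - - [19/Jul/2013:12:01:08 +0000] "POST /login HTTP/1.1" 401 312
203.0.113.9 - - [19/Jul/2013:12:01:10 +0000] "POST /login HTTP/1.1" 401 312
192.0.2.44 - - [19/Jul/2013:12:15:00 +0000] "POST /login HTTP/1.1" 401 312
192.0.2.44 - - [19/Jul/2013:12:30:00 +0000] "POST /login HTTP/1.1" 401 312
192.0.2.44 - - [19/Jul/2013:12:45:00 +0000] "POST /login HTTP/1.1" 401 312
192.0.2.44 - - [19/Jul/2013:13:00:00 +0000] "POST /login HTTP/1.1" 401 312
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /login [^"]*" (?P<status>\d{3})\s'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def find_bans(log_text, maxretry=5, findtime=600, bantime=3600):
    """Return [(ip, time_of_ban)] for clients with >= maxretry failed
    logins inside a sliding window of findtime seconds."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    banned_until = {}               # ip -> time the current ban expires
    bans = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "401":
            continue                # only failed login attempts count
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        if ip in banned_until and ts < banned_until[ip]:
            continue                # already blocked; nothing more to count
        window = failures[ip]
        window.append(ts)
        # Forget failures that are older than findtime.
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts))
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG):
        print(f"ban {ip} at {when.isoformat()}")
```

With the default thresholds only the burst from 203.0.113.9 is banned; the client that failed once and then logged in, and the one guessing every fifteen minutes, both stay under the window. That is why rate limiting of this kind complements, and does not replace, a sane password choice.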

Hevymetal
POT Corp
#65 - 2013-07-19 13:10:24 UTC
Aylanaa wrote:
So this RoCkEt X guessed Mino IV's password on Eveboard, which allowed him to figure out when Mino IV would log his titan character on, enabling RoCkEt X to kill said titan. The story is here http://themittani.com/news/legion-alts-downs-avatar-low-sec, and here http://pastebin.com/u9XjXtAa To me it seems in the grey area, just curious on other people's thoughts.


In the US, yes it is illegal. Any attempt to access any account that does not belong to you makes you guilty. If you manage to guess a password and actually gain access you are now in violation of several more laws.
Xia Kairui
Perkone
Caldari State
#66 - 2013-07-19 13:13:07 UTC
Kat Ayclism wrote:
CCP Games is the data owner friend. Chribba is allowed to use the data under CCP's terms.


Actually, the "break-in" happened on Chribba's server that he lets other people use, so the compromised data was the account info and whatever stuff is stored there. That it is very similar to EVE data is of no consequence, it's data (bits and bytes) stored on Chribba's server by the account owner and thus belongs to those two. The account owner did not give the permission to view it to Rocket (but... see below).

Using German law Rocket would have been guilty of computer espionage against Chribba and the account owner, and if he changed anything it might also be considered sabotage. It's basically the same problem IT security experts have: if they test the defenses of servers they are actually committing a felony under German law. In fact possessing tools like WireShark is already considered being on the wrong side of the law.

A decent lawyer would probably be able to use the ****** password as major defense as a "meaningful attempt to secure the data" is required. However, like stealing a wallet from a car the owner forgot to lock is still theft, the act would remain a criminal act under German law. The account owner would probably be rated as extremely careless ("grob fahrlässig") to the point of "if you are this stupid, you mostly deserve what you get".
Also if the guy actually posted the password to an application things get even more fishy, as this might be interpreted as permission to view the data. Why else send the password to someone if not that he uses it? He might be able to file charges against the person who gave Rocket access to the application if Rocket wasn't part of the application process.
But then, Rocket contradicts himself ("1234 was my first guess" / "password was posted in an application") so a clever lawyer might bend that to his will.

Of course finding someone to persecute it might be the biggest problem. And proving who did what is a totally different matter as it requires access to Chribba's IP logs.


Grauth Thorner
Vicious Trading Company
#67 - 2013-07-19 13:13:16 UTC
Ritsum wrote:
Grauth Thorner wrote:
Ritsum wrote:

Also note that he said "1234 was my first guess, by the way :)" on page 1 means he did not have access to that information until after the privacy invasion.


Does it? It also could've been his first guess because he had read the application


If he had read the application then he would have known the password and would not have had to "guess" the password. Pretty simple.


Either way, it still was Mino IV's choice to not protect the data available through Eveboard well enough to prevent others from accessing this data.

Again I'm not saying I approve this kind of data access nor do I state whether RoCkEt X was wrong/right. If this data was oh so important to Mino IV, he should've protected it this way. It's like leaving the keys of your car in any public location. Whether or not the guy who took your car was wrong/right by guessing what car the key belonged to and eventually taking it, it still was a stupid move and rather easy to blame the maker of the car for it.

Armtoe
Arton Yachting and Angling Club
Domain Research and Mining Inst.
#68 - 2013-07-19 13:16:25 UTC
Tippia wrote:
dexington wrote:
Tippia wrote:
What law does it break?

Depends on the country, in Denmark it would be § 263

What does this paragraph state?


Here is just a random sampling from the states (Pa in particular although I could have grabbed pretty much the same thing from any of the other 49 states or the feds). Accessing someone's online account for a particular service is certainly illegal regardless of how you obtained the password as long as it is done without the person's consent.

§ 7611. Unlawful use of computer and other computer crimes.

(a) Offense defined.--A person commits the offense of unlawful use of a computer if he:

(1) accesses or exceeds authorization to access, alters, damages or destroys any computer, computer system, computer network, computer software, computer program, computer database, World Wide Web site or telecommunication device or any part thereof with the intent to interrupt the normal functioning of a person or to devise or execute any scheme or artifice to defraud or deceive or control property or services by means of false or fraudulent pretenses, representations or promises;

(2) intentionally and without authorization accesses or exceeds authorization to access, alters, interferes with the operation of, damages or destroys any computer, computer system, computer network, computer software, computer program, computer database, World Wide Web site or telecommunication device or any part thereof; or

(3) intentionally or knowingly and without authorization gives or publishes a password, identifying code, personal identification number or other confidential information about a computer, computer system, computer network, computer database, World Wide Web site or telecommunication device.

(b) Grading.--An offense under this section shall constitute a felony of the third degree.

(c) Prosecution not prohibited.--Prosecution for an offense under this section shall not prohibit prosecution under any other section of this title.
Ruskarn Andedare
Lion Investments
#69 - 2013-07-19 13:24:18 UTC
Kat Ayclism wrote:
Ruskarn Andedare wrote:
RoCkEt X wrote:
And I'm not gonna get arrested for guessing the password for publicly available information (i.e. PL forum app) especially considering I didn't even use the information (logged in with 3 days on skill plan) maliciously or otherwise, to blow up an internet spaceship in a game where information is traded and shared by the minute without the consent of its originator.



No, you're not going to get arrested because Chribba said he doesn't think it's a problem and he is the data owner.

If Chribba wanted to report you then it would be a whole other ballgame.

CCP Games is the data owner friend. Chribba is allowed to use the data under CCP's terms.

Hope you e-lawyers are as up to date on your contract law as you are on your information and privacy laws!



Uh, no, sorry but you're wrong. CCP was the originator of the data but was not the owner at the point of the incident.

Not a lawyer but my job's heavily into database security.

The main question re any actual law is what country Chribba's server is in.
Tarsas Phage
Sniggerdly
#70 - 2013-07-19 13:29:07 UTC
Hevymetal wrote:
Aylanaa wrote:
So this RoCkEt X guessed Mino IV's password on Eveboard, which allowed him to figure out when Mino IV would log his titan character on, enabling RoCkEt X to kill said titan. The story is here http://themittani.com/news/legion-alts-downs-avatar-low-sec, and here http://pastebin.com/u9XjXtAa To me it seems in the grey area, just curious on other people's thoughts.


In the US, yes it is illegal. Any attempt to access any account that does not belong to you makes you guilty. If you manage to guess a password and actually gain access you are now in violation of several more laws.


Difficulty: an eveboard account is not directly linkable to a real-life person. That is, eveboard by itself does not contain real-life personal information that would be revealed by accessing a given character's skill page.

A person would have to prove that he/she was harmed in real life, in legally-defined ways such as monetarily or in tangible property, he/she would also have to prove that the "hacked" eveboard page was indeed under their control (password of "1234" indicates a tenuous if non-existent degree of effective intent to control) and that they are the person (in real-life) that set it up in the first place and so on.

Sentient Blade
Crisis Atmosphere
Coalition of the Unfortunate
#71 - 2013-07-19 13:29:49 UTC
Kat Ayclism wrote:
CCP Games is the data owner friend. Chribba is allowed to use the data under CCP's terms.

Hope you e-lawyers are as up to date on your contract law as you are on your information and privacy laws!


I'm afraid you quite simply don't have a clue what you're on about; I have a fair grasp of the issues involved as my day job includes dealing with huge amounts of sensitive data on a daily basis.

Regardless of the information it contained, the only data CCP owns on Chribba's site are any icon sets he uses from the community toolkit.

The offence, regardless of Chribba's desire or intent to push the issue, is that Rocket X reached a third party service, thus completely independent of EVE's EULA and TOS which presented him with a clearly defined mechanism to prevent access to particular information, i.e. password authentication, which, regardless of strength, serves in any western court as an indication that the information is private, regardless of what it is.

By trying multiple passwords, Rocket X, without the consent of the site owner, or the original provider of the password, was able to make additional requests of the server which disclosed information which neither the site owner nor the original provider opted to make available to him at the time of intrusion.

Therefore, much as you may wish to argue otherwise, the matter is unequivocal. As part of an attempt to destroy assets in-game, which is perfectly acceptable and even encouraged, he stepped over a line and committed a violation of the laws of the country the servers were in, and probably his own.
Starkiller Lothlorien
Doomheim
#72 - 2013-07-19 13:32:22 UTC
RoCkEt X wrote:
dexington wrote:
Tippia wrote:
dexington wrote:
Tippia wrote:
What law does it break?

Depends on the country, in Denmark it would be § 263

What does this paragraph state?


You are not allowed to access other people's private data, or invade their privacy and so on.



data isn't private when it's on eveboard; passworded or not, you are sharing your API. the only way this affects the individual is ingame. and does nothing to their RL privacy. Technically the data doesn't belong to them, as all EVE online accounts and such are property of CCP... and as CCP states that all information gained by sharing of API keys is solely the responsibility of the player who shares them.... :)

Stop whining, my ribs are hurting from the laughter :)


I have similar ailment, only cause slightly different.

Ribs cracked in several places upon force of explosive sniggers of derision when I realised you gone cockerel over ganking EMPTY ship. Lips vibrate most unpleasantly with 'THRPPPPP!' noise, narrow escape from coffee out nose onto keyboard.

Not suggest attempt to sell rights to that epic space battle to Disney for inclusion in forthcoming new Star Wars films.

PvP supposed to include second P, you know?

Grats on awesome victory over large NPC rat without AI behind it. What for next trick, win Gumball Rally against stationary driverless car?

Wait, I have perfect challenge for you. Shout at wall, if wall not respond, post on forums, claim win.
Kat Ayclism
Republic Military School
Minmatar Republic
#73 - 2013-07-19 13:32:55 UTC
Xia Kairui wrote:
Kat Ayclism wrote:
CCP Games is the data owner friend. Chribba is allowed to use the data under CCP's terms.


Actually, the "break-in" happened on Chribba's server that he lets other people use, so the compromised data was the account info and whatever stuff is stored there. That it is very similar to EVE data is of no consequence, it's data (bits and bytes) stored on Chribba's server by the account owner and thus belongs to those two. The account owner did not give the permission to view it to Rocket (but... see below).

Using German law Rocket would have been guilty of computer espionage against Chribba and the account owner, and if he changed anything it might also be considered sabotage. It's basically the same problem IT security experts have: if they test the defenses of servers they are actually committing a felony under German law. In fact possessing tools like WireShark is already considered being on the wrong side of the law.

A decent lawyer would probably be able to use the ****** password as major defense as a "meaningful attempt to secure the data" is required. However, like stealing a wallet from a car the owner forgot to lock is still theft, the act would remain a criminal act under German law. The account owner would probably be rated as extremely careless ("grob fahrlässig") to the point of "if you are this stupid, you mostly deserve what you get".
Also if the guy actually posted the password to an application things get even more fishy, as this might be interpreted as permission to view the data. Why else send the password to someone if not that he uses it? He might be able to file charges against the person who gave Rocket access to the application if Rocket wasn't part of the application process.
But then, Rocket contradicts himself ("1234 was my first guess" / "password was posted in an application") so a clever lawyer might bend that to his will.

Of course finding someone to persecute it might be the biggest problem. And proving who did what is a totally different matter as it requires access to Chribba's IP logs.



His site pulls the data from CCP, his usage of it is bound by his contract with CCP.

The point wasn't to pretend to know all the intricacies of the law as I admit to not being a lawyer, but to point out that the people trying to say rocket broke a law and how he did so are so woefully ignorant of all the issues actually surrounding it- contract law, privacy, etc.. - that could very well mean that no law was broken.

The place where he posted his pw for that eveboard is a publicly viewable subforum of PL's forums.

Ruskarn Andedare wrote:



Uh, no, sorry but you're wrong. CCP was the originator of the data but was not the owner at the point of the incident.

Not a lawyer but my job's heavily into database security.

The main question re any actual law is what country Chribba's server is in.

His usage of the data is under the terms of CCPs contract which I'm damned sure includes that they retain ownership of it (and reserve the rights to deny access to it, etc...).
Temmu Guerra
Viziam
Amarr Empire
#74 - 2013-07-19 13:44:39 UTC
You all are a bunch of morons defending a titan that isn't even connected to you.

Good kill rocket
Kashmyta
HC - gizmos Gizco
#75 - 2013-07-19 13:45:11 UTC
You wouldn't download a car!
Bolow Santosi
Caldari Provisions
Caldari State
#76 - 2013-07-19 13:52:27 UTC
Crap that's the same combination to my luggage
SmokinDank
Horizon Research Group
#77 - 2013-07-19 13:55:41 UTC
Kashmyta wrote:
You wouldn't download a car!



I would if I could!


And someone change the combination on my luggage!

...

dexington
Caldari Provisions
Caldari State
#78 - 2013-07-19 13:59:28 UTC
Kat Ayclism wrote:
The place where he posted his pw for that eveboard is a publicly viewable subforum of PL's forums.


In which case he did nothing wrong, but that was not what he said.

I'm a relatively respectable citizen. Multiple felon perhaps, but certainly not dangerous.

E-2C Hawkeye
HOW to PEG SAFETY
#79 - 2013-07-19 14:00:29 UTC
Tippia wrote:
Thorn Galen wrote:
There's nothing "meta' about it, it is illegal, plain and simple.
What law does it break?


Many places now have laws in place to state that hacking into accounts is illegal. Like email accounts, Facebook accounts, etc. Please contact your local prosecutor's office for clarification.
Cyrek Ohaya
Blazing Sun Group
#80 - 2013-07-19 14:05:00 UTC  |  Edited by: Cyrek Ohaya
Wait wait what? Crime, law, prosecution?
Are people in this thread serious? Lol

To me this doesn't look any worse than a Jita scam, seems to me like elitist block tears are sprouting from the woodwork at the valid use of emergent gameplay.

No one's obliged to use Eveboard, let alone use a dumb password an infant can crack, this Mino kid whoever he was is a complete idiot, we should be celebrating instead. Big smile