When President Joe Biden said “journalism is not a crime” last April, federal prosecutors in Tampa, Florida, apparently took that as a challenge. Not a crime yet.
The next month, FBI agents raided the home of journalist Tim Burke. He is scheduled to be arraigned in the coming weeks under the Computer Fraud and Abuse Act (CFAA) and wiretap laws for finding and disseminating unaired Fox News footage of Kanye West’s antisemitic rant to Tucker Carlson. The indictment doesn’t accuse Burke of hacking or deceit. Instead, its theory is that he didn’t have permission to access the video, even though it was at a public, unencrypted URL that he found using publicly posted demo credentials.
But finding things that the powerful don’t want found is essentially the definition of investigative journalism—which, as Biden said, is not criminal in this country.
A recent court filing heightens concerns about whether prosecutors hid from the judge who authorized the raid that Burke was a journalist. By doing so, they may have avoided scrutiny of whether their investigation—and eventual indictment—of Burke complied with the First Amendment, federal law, and the Department of Justice’s own policies.
This article is weird. It spends a long long time hand-wringing over whether Tim Burke is a journalist, while not at all explaining whether he committed a crime.
Whether he did is slightly muddled – it sounds like he used a username and password he didn’t have permission to use, to log in to a web site, which sounds illegal (whether or not he’s a journalist), which would make this whole article an exercise in creating a narrative that didn’t happen to drive clicks. But, the credentials were sloppily exposed by a third party and were “demo credentials” in the first place, and the URLs that it gave him when he authenticated himself maybe weren’t themselves password protected. So maybe there’s some wiggle room. But I thought everyone prosecution and defense was in agreement that he used credentials that weren’t his to log in to the web site to get the links to the videos in the first place (albeit in pursuit of a noble goal, embarrassing Fox News by airing something true about them.) I don’t think being a journalist enters into it.
From a little bit better article:
According to Burke, the video of Carlson’s interview with Ye was streamed via a publicly available, unencrypted URL that anyone could access by typing the address into your browser. Those URLs were not listed in any search engine, but Burke says that a source pointed him to a website on the Internet Archive where a radio station had posted “demo credentials” that gave access to a page where the URLs were listed.
The credentials were for a webpage created by LiveU, a company that provides video streaming services to broadcasters. Using the demo username and password, Burke logged into the website, and, Burke’s lawyer claims, the list of URLs for video streams automatically downloaded to his computer.
And that, the government says, is a crime. It charges Burke with violating the CFAA’s prohibition on intentionally accessing a computer “without authorization” because he accessed the LiveU website and URLs without having been authorized by Fox or LiveU. In other words, because Burke didn’t ask Fox or LiveU for permission to use the demo account or view the URLs, the indictment alleges, he acted without authorization.
Using a harvested demo account to log in to a service you dont have permission to access, WCGW?
Yeah. If we can say it’s relevant when their videos got stolen that the video distribution site had very poor OPSEC, I think we can say it’s relevant when he gets prosecuted that this guy had pretty poor journalistic OPSEC.
Use Tor. Download videos. Hey buddy where’d you get the videos? From a source, a journalistic source I’m not divulging, GFY, if you think something bad happened then prove it.
(I’m sitting in judgment when I don’t really know; for all I know he did everything right and his lawyer decided that this would be the best tack to take to defend the case, just to lay out what happened and argue that it wasn’t a crime.)
To me it sounds like they should be going after LiveU for not properly securing their videos, and going after the journalist is retribution. But that would also require the government to acknowledge that their own security isn’t a joke.
(It would also require them to stop supporting fascists, which America is seemingly unable to do)
There’s no discussion about if it’s a crime, because according to the law it’s 100% a crime. The law is extremely broad and doesn’t really take into account how computers work. It doesn’t matter if there were access controls or not, if you access something that the owner hasn’t given you explicit authorization to access, then it’s a crime under the CFAA.
This is the same law Aaron Swartz was facing trial for before his suicide. In his case he had legitimate credentials, but used them in an unauthorized way. Also Andrew “weev” Auernheimer, who just changed a number in a url to access other people’s information.
This law has been out there for decades now and It’s never mattered HOW you came into possession of credentials, only whether or not you have permission to access the system that they unlock.
If he used those credentials to get into a system he wasn’t authorized to use then its a crime. If the video’s were publicly available, even unintentionally, then he should be clear on those charges but that doesn’t change the first part.
Unauthorized access to computer and information systems is still a crime punishable under the law. Kevin Mitnick was being prosecuted for this clear back in the 1980s.
IF the guy accessed the system, irrespective of the videos, then this is another case of a Journalist either being ignorant of the law or ignoring it because they believe the law doesn’t apply to them.
I think the key here is of they were truly a demo username/password. If they were, there’s an expectation of use there.
I think the key here is of they were truly a demo username/password.
Again, it doesn’t matter HOW you came into possession of the credentials. What matters is your authorization to access the system they unlock. It’s really that simple.
You misunderstand- om saying that depending on what kind of demo account is it, he might have been authorized to view the demo.
It depends on who the demo was intended for.
it’s weird how computers have an expectation of privacy
Same thought I had. Journalism seems entirely unrelated to the situation. From my reading of the facts, I don’t think criminal prosecution is warranted, but it’s not some 1st amendment violation it’s just a too-vague law.
And that, the government says, is a crime. It charges Burke with violating the CFAA’s prohibition on intentionally accessing a computer “without authorization” because he accessed the LiveU website and URLs without having been authorized by Fox or LiveU. In other words, because Burke didn’t ask Fox or LiveU for permission to use the demo account or view the URLs, the indictment alleges, he acted without authorization.
Yeah thats BS.
See the story of Steven Donziger.
What the FUCK
US imperialism go vrrrooom. Ask the Haitians.
Honestly I’m all for freedom of the press bit there’s a lot of nuance here as to whether what he did was legal… He didn’t explicitly have permission to access what he accessed so it’s definitely a gray area which is exactly what the courts are supposed to decide.
Nuance? Yeah, no. Fox published it to a publicly accessible URL. Permission is irrelevant. Nothing more than a large corporation manipulating the system to cover their ass.
This is pretty standard for the government going after people with the CFAA. It doesn’t matter if it was publicly accessible to the law, it only matters if he had actual permission, just because a computer allows it isn’t a defense. It’s a bit like if you take a laptop at Starbucks while the owner is in the bathroom.
Even then, is it so bad compared to Kanye’s antisemitic rant?
Bad and illegal are 2 different things.
Exactly, the people that conflate legality with morality have the poorest of moral compasses. It’s sad how many people just stop at this stage of moral development.
In these times, with what is being made legal(child labor) and illegal(abortion) that should be more obvious than ever.
Two separate issues.
Agree, but it says something about the world that one man, rich, can say awful things and have almost no apparent lasting consequences, while another man, not rich, doesn’t seem to be afforded even the basic protections of the law in the pursuit of journalism.
I’m pretty sure he has a lawyer and will have a day in court, which is literally the basic protections of the law. Kanye is a piece of shit, we don’t prosecute for that.
That’s just as much bullshit as when that asshole racist white nationalist fuck weev (I’m not providing links because fuck him) accessed a bunch of ATT endpoint on their website that had customer information on them. As I recall (I won’t research because fuck him), they were sequentially labeled. He made this public and got jailed for hacking. He did no hacking. Again, fuck him, but that asshole saw a bad security practice and took advantage.
And before you say this is like walking through an unlocked door, no it isn’t. That’d be like being shown a credential window that accepted a null (empty) password and clicking through. This is more like having shit on your front lawn, but your address is unpublished so someone needed to know where to go to see your lawn.
Fuck weev. Fuck white nationalism. Fuck the DOJ. Fuck Israel.
He didn’t explicitly have permission to access what he accessed so it’s definitely a gray area…
It’s not “gray” at all. This has been a settled matter of Law since the 1980s. Accessing systems without permission, no matter how you acquired the credentials, is illegal.
This can be separate from the videos. If they were publicly available, intentionally or not, then he should be clear on those charges but that doesn’t change the unauthorized access part.
If they were behind any sort of credential, they’re not publicly available. It doesn’t matter that the website was poorly configured.
This would be like arguing a property is public because the maintenance key box still uses the default password.
If they were behind any sort of credential, they’re not publicly available. It doesn’t matter that the website was poorly configured.
It’s a bit confusing but as I understand it this is how it worked.
The video files were publicly available BUT the URL’s to them were unknown. You could get to them without signing into the system IF you knew the URLs…which nobody did.
This guy signed into the Content Management System, which he wasn’t authorized to do, using default “demo” credentials he found elsewhere. After doing that he could see the URLs for the files and was then able to download them without logging in. He may also have distributed the URLs so that other people could download them, again without having to log in.
Him signing into the CMS without Authorization was likely a crime but the downloading of the videos likely wasn’t since they were publicly available if you knew they existed and how to reach them.
That is incorrect.
They were never actually aired or released to the public.
Fox News never released them. The service used by Fox (StreamCo) routinely has uploads that are never released, they upload them live so as to expedite streaming while people ax whatever doesn’t work for whatever reason.
Again, to use the luggage analogy, this would be like someone grabbing your luggage off the checked baggage carousel, plugging in the default password, copied addresses, whose doors were unlocked. It doesn’t matter that the doors are unlocked- those files are still private.
The files themselves were never intended to be publicly released. He bypassed security in the system by exploiting flaws and accessing data he was not authorized to access.
There is no gray area there. Is Kanye West a raging bigot? Yes. Did Burke break the law to reveal that? Also yes.
Freedom of the Press and first amendment protection doesn’t mean they can break the law. It’s unfortunate because he seems to be one of the good ones.
or released to the public.
They were publicly available, without credentials, if you knew how to get to them.
Again, to use the luggage analogy,
The luggage analogy sucks. A better analogy is someone taking a stack of paperwork and putting it behind a chair in a coffee shop. You can’t see the papers and don’t know they are there unless someone tells you about them. The papers aren’t intended for public consumption but they’re being stored in a publicly available space.
He bypassed security in the system by exploiting flaws and accessing data he was not authorized to access.
Why are you acting like I don’t agree with you on this? You can read my other comments in here and see that I do.
He apparently accessed a system with credentials that he wasn’t authorized to use and that’s a crime. What may not be a crime is downloading the videos. If those were available to the public, no matter how obscured, without needing credentials to access them then they were in fact publicly available.
It’s two separate actions and one is likely criminal while the other may not be.
I don’t give a shit about Kanye and I addressed Burke in a previous comment.
In your example, the papers are probably mislaid property, not abandoned property. Taking them would still be a crime, but somebody stumbling on them, there probably wouldn’t be any crime in reading them (similar to opening a lost wallet to pull the driver’s license. Now, if they contacted the owner, and they said “keep it” or something, or if they couldn’t identify the owner, that’s different, but didn’t happen here)
Unlike the luggage, which wasn’t misslaid- the files were where they were supposed to be.
As for accessing the files, that becomes a crime because he had to use knowledge taken from the prior crime. It doesn’t matter if your car is parked in a public lot; I steal your proximity keys (the URLs), that’s a crime. The car letting me in doesn’t suddenly make driving the car off not a crime.
There was no reasonable means of getting those files without first figuring out what urls they were at, and he knew that. He’s not some kid plugging in random URLs and stumbling in.
There’s not that much nuance, actually.
It’s equivalent to someone plugging in the default password to luggage locks knowing full well it’s not their luggage.
He wasn’t authorized to access those files, it really doesn’t matter how he came by the credentials.
It also really doesn’t matter that he’s a journalist. Journalists aren’t allowed to break the law, even if he’s going after a scumbag like West.
This differs from the Marion county raid in that they accessed public information (actual public information. That the server interacts with the public doesn’t make it public) and received files from people who were authorized to access it. No crimes were committed by the journalists.
This differs from Assange in that Assange merely received the files and published them. Assange didn’t steal the files himself.
If I go to an old site on the wayback machine, that no longer exists because the original webmaster took it offline at some point and doesn’t want anyone to go there anymore, am I breaking the law because they didn’t include a robots.txt to show they didn’t want the site to be crawled?
There should be no expectation of privacy for a publicly hosted URI.
If you make a separate webpage with an anchor link to that public URI without accessing it yourself, or even if you just post the text to the URL to public forum like this one, or Twitter or Reddit or Facebook or Instagram or YouTube where it just gets converted to a hyperlink automatically, when someone else then clicks the link and accesses it, who does the law hold responsible?
If you talk to a live chat representative at the actual company that has exposed that file for public access, and let them know about the URI by sending it to them in chat, and they clicked it to confirm, are they now accessing something illegally that their own company didn’t authorize them access to?
How absolutely cretinous would the lawmakers have to be, to write a law like that?
It’s my responsibility to secure my own shit, to a reasonable degree. If I leave a dollar on the ground in a public park and come back a month later and it’s been taken by someone who saw it and picked it up, have they stolen from me?
If I go to an old site on the wayback machine
That’s not how the archive works.
When you access an old website, they saved a snapshot of that website on their servers. You are not accessing 3rd party servers.
There should be no expectation of privacy for a publicly hosted URI.
You understand that all a URL is, is a forwarding address? Do you have no expectation of privacy if you’re in the phone book? What if your front door is unlocked? (If you’re in the US, yes you do. Most the world I imagine.)
When you plug a URL in, your browser goes to a DNS server, looks, for the domain name in question, then tells your. Browser what the current/best IP address is for that.
That’s as far as “public” as it is. When you’re taking about domain names all it means bejng “public” is that you’re registered with a DNS service. Your server is still yours. That is all that’s “public” about it.
The streaming service relies, apparently, on security through obscurity.
That they have shitty security protocols doesn’t change that he wasn’t supposed to get it, and that it wasn’t public.
free assange!
