""An American security researcher has published a file containing 10 million usernames and their corresponding passwords for education purposes, opening himself up to the possibility of criminal prosecution.
The researcher, Mark Burnett, released the trove of data on Monday in an effort to further the work of others who are similarly interested in studying online security and user behavior.
“Frequently I get requests from students and security researchers to get a copy of my password research data. I typically decline to share the passwords but for quite some time I have wanted to provide a clean set of data to share with the world,” he wrote on his personal website.
“A carefully-selected set of data provides great insight into user behavior and is valuable for furthering password security,” Burnett wrote. “So I built a data set of ten million usernames and passwords that I am releasing to the public domain.”
Yet while Burnett boasts a decade-and-a-half of IT security experience and has co-authored no fewer than seven books on the topic, he acknowledges in this week’s blog post that publishing his research, even for academic purposes, poses a potentially serious legal risk for himself.
In singling out the court issues recently encountered by Barrett Brown – a Texas-based writer who received a 63-month sentence in January for sharing a web link containing similarly sensitive data – Burnett says he also risks becoming the subject of a federal probe by dumping his own trove of data on the web.
“The arrest and aggressive prosecution of Barrett Brown had a marked chilling effect on both journalists and security researchers. Suddenly even linking to data was an excuse to get raided by the FBI and potentially face serious charges. Even more concerning is that Brown linked to data that was already public and others had already linked to,” Burnett wrote.
Indeed, US District Court Judge Sam Lindsay sentenced Brown, 31, last month, after the writer pleaded guilty to charges of obstruction, making internet threats, and accessory after the fact to the unauthorized access of a protected computer, receiving in turn a punishment of only a few years after having previously faced upwards of a century behind bars.
Although the bulk of that sentence stems from the plea Brown entered concerning internet threats – he admitted in court that he broke the law by intimidating and harassing a federal agent by way of YouTube and Twitter (a felony) – Judge Lindsay said his decision was reached after considering that Brown had shared a publicly available website address that contained a trove of sensitive details, including credit card information pilfered from private intelligence firm Stratfor by hacktivist group Anonymous.""
Password................Decrypt: Accepted