“Geez people, it wasn’t a password leak.” That exasperated tweet was sent out Tuesday by IT security analyst and author Mark Burnett, who sparked an uproar on the Internet a day earlier by posting a publicly-accessible database of 10 million passwords.
In an accompanying blog post, Burnett explained his motivation. “[F]or quite some time I have wanted to provide a clean set of data to share with the world. A carefully-selected set of data provides great insight into user behavior and is valuable for furthering password security,” he said. “So I built a data set of ten million usernames and passwords that I am releasing to the public domain.”
We reached out to Burnett for his reaction to the coverage. “I certainly expected some attention, especially within the security community, but hadn’t expected it to spread to the mainstream press as much as it did,” he told us.
A Risky Move?
Part of the reaction stems from the fact that there is considerable public and law enforcement concern these days regarding the misuse of passwords. As Burnett himself clearly recognized, releasing usernames and passwords, even for pure research, does raise the possibility of serious legal consequences. In fact, a good-sized chunk of his blog post addresses the question: “Why the FBI Shouldn’t Arrest Me.”
In particular, Burnett pointed out that he did not release his database with any intent to defraud (a key requirement of existing data protection statutes). He said that he took a variety of steps to minimize the likelihood that any of the data could be used to impersonate someone or gain access to an individual’s private information.
Burnett also noted that he compiled his database from large and already publicly-accessible plaintext data dumps of passwords. As a result, “to the best of my knowledge these passwords are no longer valid and I have taken extraordinary measures to make this data ineffective in targeting particular users or organizations,” he said. “This data is extremely valuable for academic and research purposes and for furthering authentication security and this is why I have released it to the public domain.”
Among other things, Burnett recommended that Internet users periodically search for their e-mail addresses, usernames, and domains (if applicable) on Google, Pastebin, haveIbeenpwned.com, pwndlist.com, and/or breachalarm.com to see if their login information has been compromised.
Proposed Statutory Changes
Of particular concern to Burnett is a proposal pushed by the Obama White House to strip the “intent to defraud” requirement from the Computer Fraud and Abuse Act (CFAA) and replace it with the word “willfully.” The effect of this change is to make it a felony to share information whenever “you have any reason to know someone else might use it for unauthorized computer access,” Burnett said. The result, Burnett told us, will be a chilling effect on security-related research like his.
“Intent is an important aspect of criminal law and yet it doesn’t mix well with many aspects of what security professionals do on a daily basis,” he said. “For example, if a researcher publishes a vulnerability in a software application, he knows that someone might use that to harm others but his intent is to increase security by exposing insecurities. The CFAA had many unintended consequences and the proposed changes surely will have even more.”