Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I'm not convinced that "posting to a public network" gets you out of the sketch. Sections 5-7 seem at least partially relevant, but then I'm neither in the US nor am I a lawyer anywhere else.

Posting data to a remote system, with the clear intent of taking a thing of value from another person without permission. Perhaps it falls between the cracks, but I'd be reasonably surprised if it doesn't come under this or another similar act.

https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act



He didn't just post the passphrase, he also posted this:

"If someone figures it out, I will send you free sias"

I'd call that a clear invitation/authorization for anyone to try to crack his passphrase.


Reasonable, but not an invitation to transfer the entire amount then setup an automated process to transfer any remaining amount to your own address.


I don't know, I think transferring it was the reasonable thing to do, rather than leaving it in the compromised wallet.

It's like if you find someone's (real) wallet, and you pick it up and contact the owner to ask where to drop it off. Rather than leaving it there and just telling the owner what street corner it's on.


I recently heard about a guy who was arrested and charged for exactly that. He took a phone home that he found in a carpark, the owner texted it saying "please return to Subway" He went there the next day to hand it in and the police were waiting! Apparently he was supposed to have turned it in to any nearby business at the time he found it. Not tried to find out who owned it the next day.


Any nearby business? I thought lost property was to be turned into the police station​. Otherwise the owner could call the cops on the business employees "I was never at Dunkin Donuts yesterday."


Makes sense! Like when your neighbor leaves their door unlocked and you steal all their stuff just in case.


Well, have a look at United States v. Kane, it basically indicates that if you don't exceed authorized access you're in the clear. It's hard to say that posting a cryptographic signature to a network design to accept them from anyone exceeds authorized access if pushing buttons to trigger an exploit on a poker machine doesn't.

I'm sure you could have a pretty good argument in court if they went after you using CFAA. Other theft and fraud laws might cover it without issue though, just saying CFAA might not be the right choice here.


Perhaps, again I'm not a lawyer. However, one of the things brought up is that they didn't do something with a computer “which is used in or affecting interstate or foreign commerce or communication”.

I don't know about the additional "unauthorised access" but I'd be surprised if someone can't make a case from cracking a password to do something on a network you know shouldn't be possible unless you were the person who owned the address.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: