Despite the fear of being arrested after the sentencing, security researcher Barrett Brown has released 10 million passwords. Brown, who is a journalist, explained his reasoning for releasing more than 10 million passwords combined with user names, and then went on to explain why the US government should not have him arrested for his actions.
Recently, Brown received over five years in jail for a wide range of criminal charges, all of which are associated with a link he posted in a private online chat room that led to a cache of stolen credit card information. Now that he has given his reason for releasing the information, the matter lies in the hands of Judge Samuel Lindsay.
According to Brown, questions were raised about his judgment in releasing the information, even if it was specifically for research. Brown went on to say that his arrest and intense prosecution have had a huge impact not only on other journalists, but also on people who work as security researchers. Because of the actions taken, a link to any data became a reason for the FBI to raid the offices of journalists and researchers, who could ultimately face very serious criminal charges.
The password and user name combinations were the result of leaks that occurred over the past five years and, according to Brown, had already been released to the public. He claims that none of the information is new and that anyone could have gained access to the passwords and user names in a completely legal manner. He also stresses that at no point did he crack, pay for, or use illegal means of obtaining the leaked information, adding that many more passwords can be found using a simple Google search.
As for the reason Brown released the information, it was based on an analysis conducted on username/password combinations within a specific area that had been horribly neglected. As such, those combinations offer tremendous study value, far more than passwords on their own.
Brown insists the username/password combinations have academic and research value but they can also be beneficial for authentication security in the future. Although he did offer some insight into his decision to release the passwords, he also felt it was totally ludicrous that he was required to defend the publication of the data by writing out a long and exhaustive explanation.
Reportedly, the data released will not be used to access user accounts illegally because of the different steps taken by Brown. For instance, credit card information, financial account numbers, and the domain portion of email accounts have been removed.
Brown feels that under current US law, he will never be released for releasing the passwords, although he did make a proposal that the Computer Fraud and Abuse Act be changed, making his actions legal. In his opinion, the word “willfully” should replace “intent to defraud” in the Act. With this, sharing information would be deemed legal but only if there is knowledge of someone else using it to gain access to computers in an authorized manner.
In closing his statement, Brown said that serious breaches are becoming increasingly common, so tougher laws make sense. However, these laws make it extremely hard for people who study hard data to improve security. Restrictive laws have been fought for years, but the US government still feels they only affect criminals, which is simply untrue.