Skip to content

When is hacking OK?

The ever-astute and vigilant Rebecca Tushnet reported yesterday on Egilman v. Keller & Heckman, from the District of D.C., which found that guessing a correct username and password and using that combination to access a website without permission of its owner does not constitute “circumvention” of a “technological measure” under the DMCA.

I only wish someone would explain to me how this is different from obtaining the “secret handshake” in StreamBox or the CSS key in the DeCSS case. In those cases too, the code used is in fact the correct, actual key — otherwise it wouldn’t work. (At the very least, I want a better explanation of the difference between “decrypting” and, say, “guessing.” What if the password wasn’t guessed on the first try? What if it took ten tries? What distinguishes that from a basic computerized password attack? Cf. the great 1980s movie Wargames, in which Matthew Broderick’s character substitutes a social-engineering attack, logging in as the computer’s creator, for his slower programmed assault on what he thinks is a gaming computer.)