And i'm not gonna get arrested for guessing the password for publicly available information (i.e. PL forum app) especially considering i didn't even use the information (logged in with 3 days on skill plan) maliciously or otherwise, to blow up an internet spaceship in a game where information is traded and shared by the minute without the consent of it's originator.

No, you're not going to get arrested because Chribba said he doesn't think it's a problem and he is the data owner.

If Chribba wanted to report you then it would be a whole other ballgame.

Social engineering and hacking are not the same thing, friend.

You said that the security of eveboard was compromised, which it was not. If you don't know about the subject you're going to blab on about it helps to just not say anything on it.

A single guess is not going to throw any anti-bruteforcing measures of the site. Even the requiring of rulesets that force people to use a seemingly more secure password are actually counter to the goal of securing the user's acount as the rulesets *limit* the keyspace one would have to use in a bruteforce attack. A reasonably open-ended password ruleset *allows* for both hilariously bad passwords such as this genius' and genuinely secure ones.

The responsibility is firmly in the hands of doofuses that pick such passwords, and it's wholly unfair to call Chribba's work insecure based on something like this.

Social engineering, in the context of information security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. This is a type of confidence trick for the purpose of information gathering, fraud, or gaining computer system access. It differs from traditional cons in that often the attack is a mere step in a more complex fraud scheme.
"Social engineering" as an act of psychological manipulation had previously been associated with the social sciences, but its usage has caught on among computer and information security professionals.

So this RoCkEt X guessed Mino IV's password on Eveboard, which allowed him to figure out when Mino IV would log his titan chararcter on enabling RoCkEt X to kill said titan. The story is here http://themittani.com/news/legion-alts-downs-avatar-low-sec, and here http://pastebin.com/u9XjXtAa Too me it seems in the grey area just curious on other people's thoughts.

CCP Games is the data owner friend. Chribba is allowed to use the data under CCP's terms.

If he had read the application then he would of known the password and would not have had to "guess" the password. Pretty simple.

What does this paragraph state?

CCP Games is the data owner friend. Chribba is allowed to use the data under CCP's terms.

Hope you e-lawyers are as up to date on your contract law as you are on your information and privacy laws!

In the US, yes it is illegal. Any attempt to access any account that does not belong to you makes you guilty. If you manage to guess a password and actually gain access you are now in violation of several more laws.

CCP Games is the data owner friend. Chribba is allowed to use the data under CCP's terms.

Hope you e-lawyers are as up to date on your contract law as you are on your information and privacy laws!

data isn't private when it's on eveboard; passworded or not, you are sharing your API. the only way this effects the individual is ingame. and does nothing to their RL privacy. Technically the data doesn't belong to them, as all EVE online accounts and such are property of CCP... and as CCP states that all information gained by sharing of API keys is solely the responsibility of the player who shares them.... :)

Stop whining, my ribs are hurting from the laughter :)

Actually, the "break-in" happened on Chribba's server that he lets other people use, so the compromised data was the account info and whatever stuff is stored there. That it is very similar to EVE data is of no consequence, it's data (bits and bytes) stored on Chribba's server by the account owner and thus belongs to those two. The account owner did not give the permission to view it to Rocket (but... see below).

Using german law Rocket would have been guilty of computer espionage against Chribba and the account owner, and if he changed anything it might also be considered sabotage. It's basically the same problem IT security experts have: if they test the defenses of servers they are actually committing a felony under german law. In fact possessing tools like WireShark is already considered being on the wrong side of the law.

A decent lawyer would probably be able to use the ****** password as major defense as a "meaningful attempt to secure the data" is required. However like stealing a wallet from a car the owner forgot to lock is still theft the act would remain a criminal act under german law. The account owner would probably be rated as extremely careless ("grob fahrl+ñssig") to the point of "if you are this stupid, you mostly deserve what you get".
Also if the guy actually posted the password to an application things get even more fishy, as this might be interpreted as permission to view the data. Why else send the password to someone if not that he uses it? He might be able to file charges against the person who gave Rocket access to the application if Rocket wasn't part of the application process.
But then, Rocket contradicts himself ("1234 was my first guess" / "password was posted in an application") so a clever lawyer might bend that to his will.

Of course finding someone to persecute it might be the biggest problem. And proving who did what is a totally different matter as it requires access to Chribbas IP logs.

Uh, no, sorry but you're wrong. CCP was the originator of the data but not was not the owner at the point of the incident.

Not a lawyer but my job's heavily into database security.

The main question re any actual law is what country Chribba's server is in.

You wouldn't download a car!

The place where he posted his pw for that eveboard is a publically viewable subforum of PL's forums.

What law does it break?

See, this is why you use an alpha-numeric password at least 16 characters long of upper and lower case letters with numbers sprinkled through it too.
It's not fool proof but it makes your password a hell of a lot harder to guess, also rotate it frequently.

You wouldn't download a car!

So, if i post my API here, and select one person in this thread whom i allow to use it, anyone else using it is doing so illegally? i don't think so. If this was the case, half of eve's intel would have been obtained illegally, and for example - eveskunk would be illegal, and it's not. in any way, shape or form.

If it's hidden behind a password it isn't public, even if the player used a simple password, as the INTENT was to keep it out of sight.

If only it wasn't posted on a public board.... something something not a reasonable expectation of privacy *vaguely legal related words*

-9 billion einsteinbrains

zzzzz...

The password to my EVEboard is my API key. I'm betting this guys probably was as well. If someone has my API key they can see my EVEboard. How is that hacking?

Well, people are kind of mixing up two different things here.

One is accessing the GÇ£accountGÇ¥, which requires an API ID/vCode key pair. The other is accessing the outwards-facing character sheets, which (may) require a password.