
US cybercrime laws being used to target security researchers - wglb
http://www.theguardian.com/technology/2014/may/29/us-cybercrime-laws-security-researchers
======
tptacek
Note that this concerns the subset of security research that involves actively
talking to computer systems owned by other people, presumably in production,
on the public Internet.

Most security research does not in fact work this way. Consider, for instance,
virtually any memory corruption vulnerability; while it was once
straightforward (in the 90s) to work out an exploit "blind", today,
researchers virtually always have their targets "up on blocks", connected to
specialized debugging tools.

I am a little surprised that we are only now hearing about high-profile
researchers getting dinged for actively scanning for actual vulnerabilities in
other people's deployed systems. It has pretty much always been unlawful to do
that.†

(These are descriptive comments, not normative ones. My take on unauthorized
testing of systems in production is complicated, but does not mirror that of
the CFAA).

It's for this reason that you should be especially appreciative of firms, like
Google and Facebook, that post public bug bounties and research pages ---
those firms are essentially granting permission for anonymous researchers to
test their systems. They don't have to do that. Without those notices, they
have the force of law available to prevent people from conducting those tests.

(Background, for what it's worth: full time vulnerability researcher, started
in '94.)

† _Caveat: it does depend on the vulnerability you're testing for. There are
a number of flaws you could test for that would be very difficult to make a
case out of. But testing deployed systems without authorization is always
risky._

~~~
Spearchucker
_"...testing deployed systems without authorization is always risky..."_

While what you describe may be the sad reality, it makes zero sense. If a
legit researcher, 'specially one that's being transparent about it, researches
any domestic system, then that's got to be better than the Iranians, Russians
or Chinese doing it (which they do anyway).

But hey, what do we know anyway. There's probably some benefit that makes it
preferable for a foreign party to uncover our vulnerabilities without our
knowledge.

~~~
rayiner
How would you feel if I broke into your place of business, made a list of all
of the things you were doing that were out of compliance with federal and
state laws and regulations, then left you my card and offered to let you hire
me to do legal compliance work for you?

~~~
fiatmoney
"Broke in" rather presupposes the point.

If we're analogizing, an exterminator seeing rat droppings in your restaurant
and offering to solve your problem rather than letting the department of
health deal with it, is a slightly more realistic example.

~~~
DougBTX
Taking that a step further: it is like an exterminator going around different
restaurants, then crawling under customers' tables while they are eating,
saying, "Don't mind me, just looking for rat droppings."

A more legit exterminator would agree to come past while the customers were
not there.

------
esbranson
I think this article is misleading to British English readers.

> _HD Moore, creator of the ethical hacking tool Metasploit and chief research
> officer of security consultancy Rapid7, told the Guardian he had been warned
> by US law enforcement last year over a scanning project called Critical.IO,
> which he started in 2012._

British readers might confuse "warning" for what's known in Britain as a "police
caution", which is an extra-judicial criminal prosecution, judged summarily by
police, and is also referred to as a "formal warning". Such warnings become
part of their criminal record in the UK and affect things like employment, as
they are in effect a criminal conviction (as I understand it, although the UK
describes them as "not a criminal conviction but an admission of guilt [after
being accused by the police]", which I view as an irrelevant distinction).
There is no such system under federal law in the United States. A UK reader
might rationally assume "police cautions" are just called "police warnings" or
"US law enforcement warnings" in the US. Police cautions are not something
most people in the US know about, and would probably be outraged to know of
their existence. (In effect, the police say you admitted to a crime, so they
go around telling everyone who asks that you're a criminal. Such as potential
employers and landlords.)

At least, to me, that's the implication of the statement.

~~~
jt2190
> ...judged summarily by police...

Wikipedia claims [1] that the offender can't be summarily judged by the police
because they must agree to be cautioned:

> In order to safeguard the offender's interests, the
> following conditions must be met before a caution can be
> administered:
>   * there must be evidence of guilt sufficient to give
>     a realistic prospect of conviction;
>   * the offender must admit the offence;
>   * the offender must understand the significance of a
>     caution and give informed consent to being
>     cautioned.

Did you mean something else when you wrote "summarily judged?" Or does
Wikipedia have this wrong?

[1] http://en.wikipedia.org/wiki/Police_caution#Circumstances_for_use

~~~
esbranson
Only if you think a guilty plea (in a court of law) doesn't result in a
summary judgement because the offender agreed to it.

------
Yardlink
A fundamental difference between online "property" and physical property is
that you can never fully protect physical property. Build a stronger wall and
someone can use a bigger bulldozer to break it. But build a secure website and
you might find that it doesn't get hacked no matter the resources of the
hacker. If it does, you have plans to limit the effects.

I wonder if people are so busy rushing to do things online they don't want to
pay the cost of strong security, so they let themselves be vulnerable and need
laws to protect them. As a few people have said, foreign government hackers
aren't bound by such laws and even they can't get in to many sites.

If we stop seeing hackers as guilty people to blame, and think of them as an
unavoidable natural presence on the internet, just like data corruption or
power failures, then we won't need laws, instead we'll need safety standards
and licenses for IT workers just as we do for, say gas plumbers.

Every day, spammers "hack" my web forum by solving the captcha. I don't want
to find them and send them to prison. I want to build better defenses to
prevent them doing it.

------
anonymousDan
I disagree with people who are drawing direct analogies between someone
breaking into your property to test its security and cyber security pen-
testing. To me, it's more like giving your money to a bank for safe keeping
with the understanding they will protect it, and then wanting to test they are
actually fulfilling their promise (e.g. by going to the bank and checking they
have solid thick walls, and that entry to the vault is guarded properly). Even
that's not a direct analogy, as you'll likely be compensated if the bank loses
your money, but you'll rarely be compensated when your personal information is
disclosed. I also think there are some interesting questions raised by cloud
computing. What if I were to deploy a purposefully insecure honeypot VM or
application to the cloud, and an attacker managed to use that to mount an
attack on other applications?

~~~
esbranson
There seems to be a fundamental disagreement about the correct analogy.

Is it akin to going to a bank during normal business hours and using lawful
powers of observation, i.e., implicitly authorized? Or is it akin to breaking
into the bank after it's closed, or otherwise violating some implicit lack of
authorization, e.g., going somewhere off-limits, such as trying to secretly
enter the vault?

Because I think you'll recognize the inherent danger of allowing people to
willy-nilly try and break into banks to "test they are actually fulfilling
their promise".

------
lasermike026
Call your congress critter, form a PAC, and elect one of your own. If you
are in a gerrymandered district, join the party that controls that district,
and primary the congress critter out.

~~~
esbranson
Take your rational thinking elsewhere. This is the Internet.

------
forgottenpass
Monied interests want you to play in their safe playground without rocking the
boat, the legal and technical enforcement is closing in. Slowly, but the
ratchet only turns one direction. I worry that the only reason it hasn't
closed in entirely is that smart people exploring is more beneficial to
business than not. For now.

Over the last few weeks I've been wondering when the scale flips and general
purpose computing will die outright. Things that were once considered foregone
conclusions about tech are turning out to be accidents of the fact that adoption
starts with individuals. How long can tech empowering people continue to
outrun the oldschool powers using tech to empower themselves?

~~~
tptacek
This is both a comment on vulnerability research and a credible System Of A
Down song lyric.

~~~
forgottenpass
Yeah, it felt kinda trite writing it. I just haven't found a way to articulate
the idea without asking myself "Oh, so you're still a teenager getting stoned
every day thinking you have thoughts about things, how's that working out for
you?" Edit: Maybe I should just lean into it and write a phrack article. I'm
sorry, that's a low blow, I enjoyed phrack even when the writing style wasn't
my speed.

~~~
tptacek
I'll just note that the biggest "moneyed interests" in the technology industry
have more or less waived most of their ammunition to stop research under the
CFAA by posting public bug bounties. Not only have they made it much harder to
sue researchers, but they also pay strangers to do it.

~~~
AnthonyMouse
It makes me wonder who actually likes the CFAA the way it is. Does anybody? I
don't see how it's helping anybody. Most of the actually malicious computer
intrusions come from outside of U.S. jurisdiction. It's like trying to reduce
child labor in China by increasing the breadth of the offense and severity of
the penalties in Texas. The next thing you know nothing has changed in China
but a father in Texas is facing felony charges for having his son stock
shelves at the family business.

Who would actually oppose fixing that? Is it purely a lack of understanding
the issue on the part of legislators?

~~~
tptacek
The CFAA exists because during the 1980s, there was a concern that no existing
statute would deter purely malicious attacks on systems, or any other attack
that didn't fit the narrow definition of wire fraud.

I actually do not have a problem with the CFAA's statutory prohibitions on
unauthorized access. They seem eminently sensible to me. Don't mess with
systems that don't belong to you.

I do think the CFAA has a grave and dangerous flaw: I think its sentencing
makes absolutely no sense. I generally do not believe that computer crimes
should have sentences that scale with the iterator in a "for()" loop. In the
cases where sentences could reasonably scale along with the magnitude of the
attack, the meaningful scaling factor should (and I think typically does, in a
sane reading of the law) come from some other crime charged along with CFAA.

~~~
AnthonyMouse
I agree that significantly reducing the penalties under the CFAA would
mitigate almost all of the damage it causes, but I don't see how that makes
the language any better. It just limits the damage.

"Don't mess with systems that don't belong to you" worked much better in 1980
when typical computers cost a million dollars and were only expected to be
used by the employees of the bank or government that owned them, because in
that context you know you're authorized when you file a W2 and are issued a
security badge.

Once you put systems on the internet for access by the general public it
changes everything. "Mess with systems that don't belong to you" is
practically the definition of The Cloud. The defining question is no longer
who is authorized, because everybody is authorized, so the question becomes
what everybody is authorized to do.

The problem is that nobody has any idea what that means in practice. All we
can do is make some wild guesses -- maybe SQL injection against random servers
of unsuspecting third parties is unauthorized access whereas typing
"google.com" into a web browser without prior written permission from Google,
Inc. is not. But what about changing your useragent string to Googlebot? What
if that will bypass a paywall? What if that will bypass a paywall, but you're
a web spider like the real Googlebot? What if you demonstrate a buffer overrun
against the web host you use in order to prove their breach of a contract to
keep the server patched? Can you charge a journalist for reading a company's
internal documents when the company made its intranet server accessible to the
internet without any authentication?

The answers to these questions depend primarily on which judge is deciding the
case. Which is ridiculous, and the hallmark of a bad piece of legislation.

~~~
jamiek88
Well, the Weev case showed that accessing unsecured data that doesn't belong
to you is punishable under the law.

He was released on appeal over a jurisdictional issue, not a statute or
misapplication of the law.

~~~
AnthonyMouse
> He was released on appeal over a jurisdictional issue, not a statute or
> misapplication of the law.

This is actually why we _don't_ know anything from that case. District court
rulings aren't binding on other courts and the appellate court apparently
threw out the case without ruling on the CFAA, so there was no precedent
created either way.

But if the appellate court had ruled the same way as the district court and
created _that_ precedent, I don't think you could reasonably describe that as
an improvement in the CFAA situation.

------
perlpimp
This is dumb on many layers - threatening a white hat who could be held
accountable but could be hired to do a further audit; failing to come to grips
with the fact that if you are insecure enough to threaten someone, you know, the
internet will find out that, rather than fixing holes in your system, you use
expensive lawyers to intimidate people who on the whole are trying to do a good
thing for you.

The whole thing about unauthorized access - not sure about that. If you get
burglarized and live in a worse part of town - because you did not lock your
front door - is this your fault or the criminal's? Ultimately the buck stops
with you; you would look very stupid arguing that a stranger walked in off the
street and pinched your laptop, better yet, if you leave your laptop on your
front lawn.

~~~
esbranson
It in no way diminishes the effect of a crime if a person does not lock their
front door. It is not the victim's fault if they did not install bulletproof
glass and employ a security guard. If you think differently you have a twisted
outlook on life, a sort of might-makes-right view of righteousness.

Such rationale is the rationale of a lowlife. "The front door was unlocked so
it's their fault I stole from them." "If they didn't want me to steal their
lawnchair, they shouldn't have left it unchained on their porch." Nothing is
inexcusable with that line of thinking. "If she didn't want to get raped, she
shouldn't have been all alone in the middle of the night in a dark alleyway."
"If he didn't want to get brutally assaulted, he shouldn't have left such a
stupid comment on HN."

~~~
npizzolato
Agreed. You don't get a pass for breaking into someone's house just because
you say you weren't there to cause any harm. Yes, it's good to be pragmatic
and understand that there's always something the owner of the house could have
done to help prevent the break-in -- close the doors, lock them, get locks that
are harder to pick, install security cameras, etc. etc. -- but the person
breaking into your house is still wrong for doing so, even if they claim they
just wanted to tell you about the weaknesses of your house's security. I don't
see any reason the same reasoning shouldn't apply to digital property.

~~~
mikeash
I think what makes it tricky is that the systems are automated and intent and
authorization aren't so clear.

We never call up the owner of a web server and ask them for permission to
browse their site. We just connect to port 80 or 443 and go to town. This is
universally accepted as authorized use.

Now, say you're running a vulnerable sshd such that if you send just the right
bytes, it'll log you in as root without the password. I imagine most will say
that this is unauthorized use.

But what's the difference really? In both cases, you're asking the server to
do something, and then it does it. In the real world, we have various things
to look for. Private dwellings are off limits without an invitation.
Elsewhere, a lock means you don't go in, even if it would be trivial to
defeat. Or just a sign that says you should stay out. It's not so clear with
computers.

People have been convicted of a crime for taking a public URL and chopping off
the last component and getting a directory listing from the server. To one
side, the fact that you had to edit the URL and the fact that the directory
listing wasn't what the rest of the site was like was enough to establish that
as "unauthorized". To the other side, the guy just asked the server, "Can I
have what's located here?" And the server replied, "Yep, sure, here you go."

A few weeks ago, there was a story here about a blackjack player who cheated a
casino out of a bunch of money. He asked for a dealer who spoke Mandarin. His
confederate then asked the dealer in Mandarin to turn certain cards upside
down for luck. Normally this would be fine, but the cards at this particular
casino weren't quite symmetric on the back, so they could tell them apart. The
request would be suspicious, but they used a language the bosses couldn't
understand, so they didn't realize what was going on.

In the end, the casino sued the guy for hefty damages. And yet all he did was
ask and then receive what he asked.

In many ways, servers are like that dealer. You talk to it in a weird language
that the owner can't understand (or he can, but he doesn't listen in on
everything) and sometimes you can ask it for something the owner would refuse,
but the server/dealer says yes.

So while it's clear that walking off with somebody's laptop just because they
left the front door open is wrong, it's much less clear to me where you draw
the line with networked computers, and it doesn't look like others have a
particularly clear idea either. Given that fundamental lack of clarity, I
don't think it's completely unreasonable to characterize these guys as
locating spots where access _is_ authorized (and thus legal) but shouldn't be,
rather than locating spots where unauthorized access can be gained.

~~~
esbranson
The difference between lawfully entering a 7-11 and trespass is just as you
describe the situation with a server. Authorization can be implied, and
"unauthorization" can be trivial.

The real problem is that a lock on a door is more obvious than a URL scheme.
The government is saying that entering a 7-11 that is unlocked, but walking in
backwards, is criminal trespass because that's not what the 7-11 intended for
the customer to do. That's nonsense. Implicit authorization in physical
property is just so much more straightforward, and the government is trying to
maliciously take advantage of the lack of common sense on what is
unauthorized, helped along by a Congress that willfully authorizes such
action.

And I like your server dealer analogy. The question is whether or not a
computer is an agent of its owner and whether its decisions, right or wrong,
can be relied upon in business dealings as the actions of its owner.

So what is the digital equivalent of a lock on a door? Must the law explicitly
say a lock on a door signifies lack of authorization to enter? Is walking into
a 7-11 store backwards implicitly unauthorized?

