

President Obama Wants You--In Jail - thinkcomp
http://www.quora.com/Aaron-Greenspan/President-Obama-Wants-You-In-Jail

======
iwwr
The title is a little bait-y, but the piece is worth reading.

What decision-makers are not really thinking is that by threatening legitimate
security researchers (or well-meaning insiders), they leave the field open to
the malicious hackers. However, with government money in play, there could be
an interest to leave backdoors open for other shenanigans (like rigged
tendering).

~~~
thinkcomp
I'm glad you think it's worth reading. The title isn't bait, however.
President Obama wants to make 18 U.S.C. 1030 tougher than it already is, and
it already prescribes automatic jail time for anyone the government thinks is
a so-called cyber threat.

~~~
iwwr
You can hardly expect politicians to understand the ramifications of the
legislation they're proposing. Most of it they haven't even read.

Though, to be fair, malicious hackers are the people they're out to get, just
that well-meaning people would get caught in the crossfire. Granted, matters
are much too complex to be understood by politicians or even many corporate
lawyers.

~~~
thaumaturgy
> _You can hardly expect politicians to understand the ramifications of the
> legislation they're proposing._

That anyone would ever say this in a non-ironic sense is flabbergasting.

~~~
presto8
> > _You can hardly expect politicians to understand the ramifications of the
> > legislation they're proposing._
>
> _That anyone would ever say this in a non-ironic sense is flabbergasting._

Legislators write the laws and then courts figure out the ramifications. Laws
get written because of some catalyst, but I wouldn't expect anybody to be able
to understand the full ramifications until the law is in place for a while and
people have started testing it in the legal system.

------
smokeyj
A company's servers are a company's problem, that's all there is to it. No one
forced Sony to store sensitive customer information, but they chose to -- and
they also chose to neglect the security ramifications around it.

Imagine your bank decided to store your money in an unprotected vault, no
security, and then it goes missing one day. Yes, a criminal stole it, but it
was only possible because the bank deceived the customers into thinking their
money was secure. As far as I'm concerned, there are two criminals in this
equation.

------
kefs
> _Wikileaks was indeed a serious problem..._

Would you mind elaborating...?

------
unreal37
I had never really thought about it before, but there is such a fuzzy line
between so-called white-hat hackers, grey-hat hackers and black-hat hackers.
In fact the only difference between them is what you do with the information
AFTER hacking into a system.

Even if you deduce that there might be a flaw in some web site design, you
actually need to illegally hack the site in order to prove such flaw exists.
In the article, the author noticed he could associate himself with any company
that works with the US government and change their info. To prove that, he
broke the law. And is lucky he is not in jail for doing so.

I can see from the company's point of view, from the FBI, from the government,
from senators and congressmen writing the laws - trying to find flaws in a
system is by definition hacking, illegal entry, unauthorized use. You don't
have to be stealing credit card numbers for it to be a crime. Logging in to a
computer system you are not authorized to is a crime. Period.

So the moral of the story is, if you want to stay out of jail, don't try to
find flaws in web sites. Just don't. Or if you do, have a theory and report it
to the company, but don't test your theory.

But I do agree companies should have a way to be contacted about security
flaws, and be held criminally liable if a flaw was reported and not fixed in a
timely manner. But even white-hat hackers are breaking the law and only by
their actions after (reporting it to the company) are they not getting
arrested or sued for it.

------
thinkcomp
I just updated the post with a point I forgot to include when I wrote it last
night:

The one thing new legislation should do is require companies, and especially
banks, government agencies, and health care organizations, to have a defined
channel for reporting security flaws anonymously and in detail. By reporting
the GSA eOffer flaw to the agency's Inspector General, I followed proper
procedure (and was punished), but most of the time, there is no proper
procedure. I reported the PayMaxx flaw to the only people who would listen--my
sales representative and customer service representatives--and unsurprisingly,
the critical information went nowhere. I reported the Facebook flaw to Mark
Zuckerberg, and unsurprisingly, he placed the blame on someone else, telling
me that he hadn't written the code in question. Responses like these aren't
good enough. On the FaceCash payment system web site, this is why we've put a
link to our security response form on the bottom of every single page. (If you
run a web site, you should do the same.)

~~~
ataggart
> _The one thing new legislation should do is..._

This puzzles me. You correctly note how absolutely abysmal the political arena
is for crafting well-defined rules regarding technical issues, and yet you
immediately start agitating for _more_ regulation. Do you really want to be
compelled to conform to whatever (likely flawed) procedural policy the
politicians and bureaucrats would come up with? A policy which would require
further legislation to fix (much to the joy of lawyers and lobbyists)?

How about this instead: repeal some legislation. Repeal the laws that
prosecute Good Samaritans who, after reporting a security flaw to a firm,
release it to the public who might be harmed by the flaw. If the firm has no
procedures in place to deal with the reports, then too bad for them; they
don't get to use the state as a club against others.

I'm fully aware that none of that will happen. The police power of the state
confers no wisdom on those willing to wield it. Nor do they have any incentive
to write good laws, but on the contrary are encouraged by interested parties
to write bad laws (intentionally or not). So please, stop agitating for new
laws in the vain hope that finally, this time, they won't create a plethora of
unintended consequences and injured innocents.

~~~
thinkcomp
We're all entitled to our political views. Mine are that regulation and
deregulation are both potentially dangerous, but that if we all assume the
worst--that no regulation can ever be effective, so we shouldn't have any--
we'll get nowhere fast. So I advocate for regulations that make sense, despite
being aware that politics isn't always so logical or straightforward.

------
cheez
Bait-y title requires bait-y response:

There's no way to rule innocent men. The only power government has is the
power to crack down on criminals. When there aren't enough criminals, one
makes them. One declares so many things to be a crime that it becomes
impossible for men to live without breaking laws.

------
jparicka
Sick of seeing Quora on Ycombinator.........

------
spartanfan10
Yup, title is absurd, but the article is great.

------
lotusleaf1987
This is absolutely the type of stuff that should be flagged--linkbait,
politics, off-topic.

How can anyone take an article seriously when the title is so intellectually
dishonest, hyperbolic, and factually untrue? Please keep this stuff on Reddit.

~~~
natural219
Completely disagree. It's a great article. I'd agree you should change the
title, it sounds a little too ridiculous.

~~~
thinkcomp
I'm glad you and others seem to like the article, but I'm perplexed by the
weight everyone is giving the title. I have a 2006 letter from the U.S.
Attorney's office saying that (as of that time) they are considering opening a
criminal investigation into my actions under a statute that requires automatic
jail time. The President wants to make this kind of letter more common, or
skip the letter step altogether.

Not every piece of literature ever written has a title that perfectly
summarizes the contents. I like my title, but regardless, the issues discussed
in the piece are what's important.

