
The Whitehouse’s New Executive Order on Cyber Crime Is (Unfortunately) No Joke - DiabloD3
https://www.eff.org/deeplinks/2015/04/whitehouses-new-executive-order-cyber-crime-unfortunately-no-joke
======
deciplex
Well, I can paraphrase my own comment from the thread about Australian
elections:

You can slander everyone who discovers vulnerabilities in your software, and
you can even lobby to make it illegal to disclose those vulnerabilities, and
throw people in prison over it, and so on... and your software will go right
on being vulnerable. You can put every security researcher and white hat in
the world in prison on trumped-up charges and throw away the keys, and it will
not make your software one bit more secure. It will probably make it a great
deal less secure.

Which is to say that this EO will accomplish exactly the opposite of its
supposed goal.

It's like, even if I convince every human being alive that I am not bound by
the laws of gravity, if I jump off a cliff I will die all the same. To think
otherwise is _insane_, but for some reason when it comes to software (and
hardware) security we give people a pass. (Not we in the tech community, but
we who vote.)

This is one of the Big Problems with human reasoning. Maybe the biggest. It
really does seem that most people, if you drill down, truly and fundamentally
believe that the laws that govern all of reality will respond to a popular
vote. That if we all _believe_ something hard enough, reality will take
notice. Thus we get policy which is totally divorced from the goals it is
purported to serve, and not held accountable to them at all. As though the
President of the United States can argue with mathematics or psychology and
win.

------
apsec112
Shame on the EFF, which I normally support, for jumping on this bandwagon of
terrible journalism.

The EFF insinuates, without saying outright (since they must know it is
false), that this is a _law enforcement_ policy like the Computer Fraud and
Abuse Act. A law enforcement policy is one where, if you're sitting at your
desk, and the government thinks you've hacked into someone's computer, the
government throws you in jail.

This executive order has _nothing_ to do with domestic law enforcement, like
Aaron Swartz or Kevin Mitnick or Dread Pirate Roberts or whatever. It is a
_foreign policy_ decision. The US maintains a public list, called the SDN
list, of _foreign_ entities that American citizens and companies aren't
allowed to do business with. These are normally agents of governments the US
doesn't like, e.g. Iran and North Korea. This order adds hacking to the list of
reasons why the President can put an entity on the SDN list. If, say, a
Chinese defense contractor started hacking into American computers, the
President can now prohibit American businesses from trading with them.

Under this order, the _only_ way you can go to jail (that you couldn't go to
jail for before) is if a) the President suspects some foreign person or
company (say, a Chinese defense contractor) of hacking; b) the President
decides to put that company on the SDN list; c) you _know_ that company is now
on the SDN list; and d) you buy things from, sell things to, or otherwise do
commercial business with that company.

I think it's a bad idea for the executive to have the power to add people to
the SDN list without judicial oversight. But they _already had_ that power;
this isn't really anything new. Claiming it is just confuses everybody.

~~~
lazaroclapp
Not a lawyer, but sounds to me like Dread Pirate Roberts could still find
himself on the wrong side of this sort of EO:

"Sec. 5. (a) Any transaction that evades or avoids, has the purpose of evading
or avoiding, causes a violation of, or attempts to violate any of the
prohibitions set forth in this order is prohibited"

Broadly interpreted, wouldn't that be used against crypto-currency developers
or secure communication tools developers that work on such tools with the
knowledge that they can be used by sanctioned individuals or organizations?
How about developers who write secure communication or security testing tools
and sell them online without the ability or interest to verify who the
purchaser is?

The Patriot Act was also supposed to be about targeting only a few hostile
foreign organizations, and yet it had massive implications for everyone living
in the U.S. and abroad. Now, I get that an EO and a law are different things,
but still, I can see potential implications of the general trend of the U.S.
government seeing cybersecurity as something you throw sanctions and laws and
deterrence at until it stops being an issue, without considering the potential
collateral damage or overreach.

~~~
mkohlmyr
Given he tried to have several people killed I imagine he finds himself on the
wrong side of multiple executive orders, laws and moral frameworks alike...

As for your second paragraph I would imagine you'd have to prove some form of
intent in order to throw someone in jail?

~~~
zimbatm
Do we know if he really did? I thought this was all speculation from the
prosecutor to shine a bad light on the character. He never was convicted of it
for sure.

------
tptacek
It shouldn't matter whether Section 1(ii)(B) restricts itself to foreign
actors, because the underlying law that animates this executive order, the
International Emergency Economic Powers Act (50 U.S.C. 1702) _is_ limited to
foreign transactions. In fact: it's kind of weird that they'd even raise the
question. Fundamentally, the President can't make new laws, and they know
that. He's exercising powers that Congress delegated to him, and he is limited
by the scope of that delegation.

------
xnull2guest
A few others have mentioned this. The EO is tailored towards those outside the
US and is a response to overwhelming cyber attacks. Sanctions are one of the
US's tried and true international political weapons. They aren't going to be
sanctioning US researchers, nor US-allied parties. The EFF seems to be
confusing what is an EO targeting Chinese and Russian hackers and their
funders with civil law? The EFF is normally very careful about these sorts of
distinctions - so I'm very confused.

~~~
Cyther606
It has a clear purpose the public can get behind, but it will almost certainly
be abused for persecuting domestic political rivals, software developers among
them.

Here are some entertaining thought exercises:

A cyber 9/11 is linked to Bitcoin. Can Bitcoin developers be sanctioned?

A cyber 9/11 is linked to Tor. Can Tor developers be sanctioned?

You donate to Wikileaks, which is linked to a national security threat. Can
you be sanctioned?

Section 1(ii)(B) applies to _any_ individual or entity, domestic or abroad,
developing or facilitating development of pentesting or related software
employed against vague and faceless "national security interests". But don't
you worry, because this is only applicable to the "Chinese" threat which may
actually be true for the first couple of years to build political support for
the eventual, predictable abuses of power.

~~~
tptacek
No, "Section 1(ii)(B)" does not work that way.

------
nyar
Discouraging hacking domestically will widen the skill gap between foreign
hackers and domestic white hats.

~~~
atmosx
Why? You can set up a LAN on your VM and hack all you want. Do you really have to
attack your neighbor?

------
kissickas
It's hard to take an article seriously when they use the spelling "Whitehouse"
in the title, and harder yet when they alternate between that and the
(correct) White House within a single paragraph. I see there were two authors
for the piece - wasn't there an editor?

I would very much like to see a separation between the high-quality
investigative journalism from the EFF and their opinion pieces, which I
wouldn't mind if they were under that heading.

------
fla
If you can't practice defense / train on your grounds, isn't it giving your
enemy an advantage?

------
DanielBMarkham
It may be time for a constitutional amendment forbidding the United States
government from any action that would impact the Internet -- save those
maintaining free and unencumbered flow.

It'd be better for each of us to fight off APTs and other problems by
ourselves than to head too far down the road of good intentions and unintended
consequences.

------
pdkl95
A lot of you seem to be _assuming_ the EO applies only to people outside the
US. It would be a good idea to actually read the EO, which is NOT restricted
to people outside the US.

From the EO[1], reformatted to show clause structure:

    
    
        Section 1
            (a) All property and interests 
                ... of the following persons
                ... are blocked
                (i) any person determined by the Secretary of the Treasury
                    ... to have engaged in
                    ... directly or indirectly,
                    ... any activity originating from,
                                     or directed by
                                     ... persons located outside the United States
                    that are reasonably likely to result in
                    ...a significant threat to national security
                                               ...or economic health
                    ...of the united states.
    

This language targets "any person" that meets some shockingly vague
criteria[2] by few government officials[3]. The clause with "outside the
United States" is not describing the person being targeted by the EO; that
language is a detail about the type of activity that the targeted person is
doing.

If the attack is directed by someone outside the US, and you are determined to
be indirectly "engaged in" or "complicit with" that activity, you are
targeted by this clause. Neither you nor the attack itself need to be outside
the US, as long as it is directed by someone that is outside the US.

What kinds of activities? In a previous thread I mentioned[4] how the EO
doesn't prohibit harming "critical infrastructure", but instead prohibits:

    
    
        Section 1 (a) (i)
            (A) harming, or otherwise significantly compromising
                a computer or network of computers that support
                ... the provision of service
                ... in a critical infrastructure sector
    
            (C) causing a significant disruption to the availability
                of a computer or network of computers
    

Note that section (C) does _not_ limit itself to a "critical infrastructure
sector".

There are so many vague and undefined terms in this EO, I wouldn't be
surprised if this EO could be used against some kid that is "indirectly"
engaging in a DDOS[5] being run by some *chan troll outside the US.

Also note: the EO doesn't mention the SDN list at all.

--

[1]
[https://s3.amazonaws.com/s3.documentcloud.org/documents/1699240/executive-order-obama-establishes-sanctions.pdf](https://s3.amazonaws.com/s3.documentcloud.org/documents/1699240/executive-order-obama-establishes-sanctions.pdf)

[2] "reasonably likely to result in"? seriously?

[3] those officials, by the way, can delegate the power according to Sec 8 of
the EO

[4]
[https://news.ycombinator.com/item?id=9320343](https://news.ycombinator.com/item?id=9320343)

[5] does github-attack style injected javascript count?

~~~
tptacek
This analysis makes sense only if you believe the President can do whatever he
wants in an executive order. Of course, he can't. Executive orders have only
the flexibility allowed by Congress. You've read the text of the order, but
not the laws it's based on, and those laws contradict your analysis.

~~~
pdkl95
This is a good point, and may account for some of the vagueness I'm concerned
about. I will have to do more reading.

------
chubs
Is this related to China DDOS'ing the NY Times and Github a few days ago?

~~~
DiabloD3
Probably, and I hate knee-jerk reactions like this.

~~~
raquo
I don't think it's a knee-jerk reaction. For me it's easier to believe that
this EO was signed deliberately to make every important security researcher
guilty by default. It's hard to go against a government that can always punish
you for what you have already done.

------
jkot
Prisons are getting empty, it is time to start "war on hackers and pirates"
:-(

------
datashovel
When I read the executive order it appears to explicitly target people
"outside the US".

Basically the internet changes the paradigm of law enforcement. I get the
impression this is a step toward allowing US to "penalize" people who actively
seek to disrupt computers / networks in the US from abroad.

If you spend too much time trying to figure out all the tiny details and put
them into the eo this is where (a) you can waste time nitpicking instead of
spending that time enforcing, (b) cases get thrown out of court on
technicalities just because "this is what the law / eo says". Instead I prefer
a system where executive / judicial branches of government can spend all their
time analyzing a case based on the merits alone and not on the technical
jargon that may or may not be included in the law / eo.

I prefer the approach of "give the elected representatives a leash, but a
short one". Spend less time agonizing over exactly what the law should say,
and more time analyzing whether or not the law / eo is being enforced in good
faith.

The one exception to this rule is if you have (a) an overly broad law /
executive order, and (b) an executive branch who is not transparent about how
they enforce those laws / executive orders.

~~~
valar_m
I could not disagree more. The only way to keep the "leash" short is with a
great amount of precision in writing laws.

There is no "enforce[ment] in good faith", and the evidence is everywhere. The
Patriot Act is used domestically for any and every type of law enforcement
investigation, far beyond what it was supposedly intended to be.[0] We've seen
civil forfeiture become essentially a license to steal for LE agencies.[1] The
government has stretched the meaning of the "exceeds authorization" component
of the CFAA to the point of being almost meaningless.[2]

The point is this: the natural tendency of government is to stretch any power
it is granted to the absolute max. We have reached a point that an assumption
that government will exercise enforcement in "good faith" is simply naive. I
assert that there is little evidence to the contrary.

[0]
[http://www.washingtonpost.com/blogs/worldviews/post/patriot-act-used-to-fight-more-drug-dealers-than-terrorists/2011/09/07/gIQAcmEBAK_blog.html](http://www.washingtonpost.com/blogs/worldviews/post/patriot-act-used-to-fight-more-drug-dealers-than-terrorists/2011/09/07/gIQAcmEBAK_blog.html)

[1]
[http://www.newyorker.com/magazine/2013/08/12/taken](http://www.newyorker.com/magazine/2013/08/12/taken)

[2]
[http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf](http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf)

~~~
karmacondon
I think there might be different definitions of "enforcement in good faith"
here. Your perspective, if I understand it correctly, is "The purpose of this
law was presented as fighting terrorism and now it's being used for other
purposes, which constitutes bad faith enforcement".

Another perspective is, "Law enforcement isn't doing anything that it
shouldn't be doing, therefore they aren't acting in bad faith". Whether
they're going after terrorists or drug dealers or money launderers, it's all
the same to many (if not most) people. As long as there's no evidence that
government officials are abusing the provisions of the PATRIOT Act to settle
personal scores or persecute those with unpopular beliefs, most people will
see them as acting in good faith. This assumes that actions taken are within a
reasonable interpretation of the letter of the law, of course.

I get where you're coming from, or at least I think I do. I just don't think
that the issue is so black and white. This may be a case of "The current
government isn't doing what I want it to do" as opposed to "We should change
the way that the laws are written". And the solution to that is pretty simple:
Vote.

~~~
u23KDd23
The fact is it is being used to persecute people with unpopular beliefs. The
evidence is taken out of context or completely false. You just hear very
little about its misuse because poor, defenseless, innocent people are
targeted. They are not obligated to present the court with information that is
true.

------
shard972
> this executive order [does not] target the legitimate cybersecurity research
> community or professionals who help companies improve their cybersecurity

Non-story, it's not targeted so I don't see why anyone would be against this
unless maybe they are racist or love terrorism or something.

~~~
shiggerino
If there was any genuine interest in making US systems more secure they would
be more worried about making sure those systems don't succumb so easily to
arbitrary strings of bytes sent over the network. The EO is completely
pointless and toothless for any purpose BUT gaining an upper hand on
legitimate security researchers.

