You can slander everyone who discovers vulnerabilities in your software, and you can even lobby to make it illegal to disclose those vulnerabilities, and throw people in prison over it, and so on... and your software will go right on being vulnerable. You can put every security researcher and white hat in the world in prison on trumped-up charges and throw away the keys, and it will not make your software one bit more secure. It will probably make it a great deal less secure.
Which is to say that this EO will accomplish exactly the opposite of its supposed goal.
It's like, even if I convince every human being alive that I am not bound by the laws of gravity, if I jump off a cliff I will die all the same. To think otherwise is insane, but for some reason when it comes to software (and hardware) security we give people a pass. (Not we in the tech community, but we who vote.)
This is one of the Big Problems with human reasoning. Maybe the biggest. It really does seem that most people, if you drill down, truly and fundamentally believe that the laws that govern all of reality, will respond to a popular vote. That if we all believe something hard enough, reality will take notice. Thus we get policy which is totally divorced from the goals it is purported to serve, and not held accountable to them at all. As though the President of the United States can argue with mathematics or psychology and win.
The EFF insinuates, without saying outright (since they must know it is false), that this is a law enforcement policy like the Computer Fraud and Abuse Act. A law enforcement policy is one where, if you're sitting at your desk, and the government thinks you've hacked into someone's computer, the government throws you in jail.
This executive order has nothing to do with domestic law enforcement, like Aaron Swartz or Kevin Mitnick or Dread Pirate Roberts or whatever. It is a foreign policy decision. The US maintains a public list, called the SDN list, of foreign entities that American citizens and companies aren't allowed to do business with. These are normally agents of governments the US doesn't like, eg. Iran and North Korea. This order adds hacking to the list of reasons why the President can put an entity on the SDN list. If, say, a Chinese defense contractor started hacking into American computers, the President can now prohibit American businesses from trading with them.
Under this order, the only way you can go to jail (that you couldn't go to jail for before) is if a) the President suspects some foreign person or company (say, a Chinese defense contractor) of hacking; b) the President decides to put that company on the SDN list; c) you know that company is now on the SDN list; and d) you buy things from, sell things to, or otherwise do commercial business with that company.
I think it's a bad idea for the executive to have the power to add people to the SDN list without judicial oversight. But they already had that power; this isn't really anything new. Claiming it is just confuses everybody.
"Sec. 5. (a) Any transaction that evades or avoids, has the purpose of evading or avoiding, causes a violation of, or attempts to violate any of the prohibitions set forth in this order is prohibited"
Broadly interpreted, wouldn't that be used against crypto-currency developers or secure communication tools developers that work on such tools with the knowledge that they can be used by sanctioned individuals or organizations? How about developers who write secure communication or security testing tools and sell them online without the ability or interest to verify who the purchaser is?
The Patriot Act was also supposed to be about targeting only a few hostile foreign organizations, and yet it had massive implications for everyone living in the U.S. and abroad. Now, I get that an EO and a law are different things, but still, I can see potential implications of the general trend of the U.S. government seeing cybersecurity as something you throw sanctions and laws and deterrence at until it stops being an issue, without considering the potential collateral damage or overreach.
As for your second paragraph I would imagine you'd have to prove some form of intent in order to throw someone in jail?
Sure, not saying he is a moral person, or not a criminal, or that he is likely to be even in the smallest measure a good person. But he clearly is not a hostile foreign power in and of himself, though I am sure he would love to be considered one ;)
My only argument regarding DPR is that this sort of EO might end up applying to targets other than agents of hostile governments or terrorists or whatever the current boogieman is.
> As for your second paragraph I would imagine you'd have to prove some form of intent in order to throw someone in jail?
I would hope so, and that things like "intent to sell/export tools to find and exploit security vulnerabilities" would not be enough, even when interpreted by non-expert police, prosecutors, juries and judges.
This is just not true.
As the article points out, Section 1(ii)(B) has absolutely no provision requiring activity to be outside of the United States. Read it through:
Section 1. (a) All property and interests in property that are in the United States, that hereafter come within the United States, or that are or hereafter come within the possession or control of any United States person of the following persons are blocked and may not be transferred, paid, exported, withdrawn, or otherwise dealt in:
(ii) any person determined by the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State:
(B) to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any activity described in subsections (a)(i) or (a)(ii)(A) of this section or any person whose property and interests in property are blocked pursuant to this order;
Look closely at this part of (B):
to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any activity described in subsections (a)(i) or (a)(ii)(A) of this section
The requirement is only to assist, sponsor, or provide support to someone described in (a)(i) or (a)(ii)(A), which describe people who are "in whole or in substantial part, outside the United States."
What it does NOT say is that the person providing that support must also be outside of the United States. That's what the EFF article is talking about.
Executive orders are part of the federal rulemaking process. Rulemaking fills in the blanks left deliberately by Congress. Whether or not the President can use a national emergency to interfere with domestic financial transactions is not a blank Congress appears to have left in the IEEPA.
50 U.S. Code § 1702 - Presidential Authorities :
(1) At the times and to the extent specified in section 1701 of this title, the President may, under such regulations as he may prescribe, by means of instructions, licenses, or otherwise—
(B) investigate, block during the pendency of an investigation, regulate, direct and compel, nullify, void, prevent or prohibit, any acquisition, holding, withholding, use, transfer, withdrawal, transportation, importation or exportation of, or dealing in, or exercising any right, power, or privilege with respect to, or transactions involving, any property in which any foreign country or a national thereof has any interest by any person, or with respect to any property, subject to the jurisdiction of the United States;
to have materially assisted, sponsored, or provided financial, material, or technological support for, or goods or services in support of, any activity described in subsections (a)(i) or (a)(ii)(A)
According to the EO, you only need to "provide technological support." And what does that entail? Whatever the Secretary of Treasury and AG decide it does.
This has come up before in US law --- executive orders w/r/t IEEPA --- by the way.
The article doesn't give any more detail on the "national emergency". But I worry that it could be a "get out of jail free" card for the president to do more than Congress authorized in the IEEPA.
Does anyone know enough to shed some light here?
The history of the IEEPA was that before it was passed in the 1970s, Congress felt like there were not enough controls on the President's emergency powers. So we're discussing a delegation of power designed for exactly the circumstance you're talking about.
The concern that the President could claim extralegal powers in an "emergency" is legitimate, but you can't reasonably point to a case where he's working within the narrow guidelines established by Congress specifically to avoid that outcome as evidence that that's happening.
I'm not sure if that was extended in 2014 but after some googling I also found that we have multiple ongoing national emergencies http://www.usatoday.com/story/news/politics/2014/10/22/presi...
So it's not as if the President can say "oh noez hackers national emergency!", suspend habeas, and imprison Michal Zalewski†. Instead: Congress gave the President the authority to recognize arbitrary foreign powers as "threats" and, pursuant to the declaration of a "national emergency", to interfere with their financial transactions. That's what Obama has done here, presumably with China as the subtext.
In the wake of KindHearts, if these powers are executed against American citizens or organizations, they can be challenged and overturned on 4th Amendment grounds. (Note the powers we're talking about are, again, only meaningful in the context of foreign transactions, or assets whose beneficiaries are foreign threat actors).
† I'm not saying you said this.
If you are a part of a cryptocurrency network, you are materially assisting and providing technological support for services potentially in use by foreign entities that are potentially targeted by United States enforcement of this EO.
Of course it doesn't, just like kidnapping people, or murdering with drones doesn't. It's just something your president does on the side, for fun.
Here are some entertaining thought exercises:
A cyber 9/11 is linked to Bitcoin. Can Bitcoin developers be sanctioned?
A cyber 9/11 is linked to Tor. Can Tor developers be sanctioned?
You donate to Wikileaks, which is linked to a national security threat. Can you be sanctioned?
Section 1(ii)(B) applies to _any_ individual or entity, domestic or abroad, developing or facilitating development of pentesting or related software employed against vague and faceless "national security interests". But don't you worry, because this is only applicable to the "Chinese" threat which may actually be true for the first couple of years to build political support for the eventual, predictable abuses of power.
I would very much like to see a separation between the high-quality investigative journalism from the EFF and their opinion pieces, which I wouldn't mind if they were under that heading.
It'd be better for each of us to fight off APTs and other problems by ourselves than to head too far down the road of good intentions and unintended consequences.
From the EO, reformatted to show clause structure:
(a) All property and interests
... of the following persons
... are blocked
(i) any person determined by the Secretary of the Treasury
... to have engaged in
... directly or indirectly,
... any activity originating from,
or directed by
... persons located outside the United States
that are reasonably likely to result in
...a significant threat to national security
...or economic health
...of the United States.
If the attack is directed by someone outside the US, and you are determined to be indirectly "engaged in" or "complicit with" that activity, you are targeted by this clause. Neither you nor the attack itself need to be outside the US, as long as it is directed by someone that is outside the US.
What kinds of activities? In a previous thread I mentioned how the EO doesn't prohibit harming "critical infrastructure", but instead prohibits:
Section 1 (a) (i)
(A) harming, or otherwise significantly compromising
a computer or network of computers that support
... the provision of service
... in a critical infrastructure sector
(C) causing a significant disruption to the availability
of a computer or network of computers
There are so many vague and undefined terms in this EO, I wouldn't be surprised if this EO could be used against some kid that is "indirectly" engaging in a DDOS being run by some *chan troll outside the US.
Also note: the EO doesn't mention the SDN list at all.
"reasonably likely to result in"? seriously?
those officials, by the way, can delegate the power according to Sec 8 of the EO
I wonder if there is any data out there to show how long executive orders typically take from conception to execution.
Basically the internet changes the paradigm of law enforcement. I get the impression this is a step toward allowing US to "penalize" people who actively seek to disrupt computers / networks in the US from abroad.
If you spend too much time trying to figure out all the tiny details and put them into the eo this is where (a) you can waste time nitpicking instead of spending that time enforcing, (b) cases get thrown out of court on technicalities just because "this is what the law / eo says". Instead I prefer a system where executive / judicial branches of government can spend all their time analyzing a case based on the merits alone and not on the technical jargon that may or may not be included in the law / eo.
I prefer the approach of "give the elected representatives a leash, but a short one". Spend less time agonizing over exactly what the law should say, and more time analyzing whether or not the law / eo is being enforced in good faith.
The one exception to this rule is if you have (a) an overly broad law / executive order, and (b) an executive branch who is not transparent about how they enforce those laws / executive orders.
There is no "enforce[ment] in good faith", and the evidence is everywhere. The Patriot Act is used domestically for any and every type of law enforcement investigation, far beyond what it was supposedly intended to be. We've seen civil forfeiture become essentially a license to steal for LE agencies. The government has stretched the meaning of the "exceeds authorization" component of the CFAA to the point of being almost meaningless.
The point is this: the natural tendency of government is to stretch any power it is granted to the absolute max. We have reached a point that an assumption that government will exercise enforcement in "good faith" is simply naive. I assert that there is little evidence to the contrary.
Another perspective is, "Law enforcement isn't doing anything that it shouldn't be doing, therefore they aren't acting in bad faith". Whether they're going after terrorists or drug dealers or money launderers, it's all the same to many (if not most) people. As long as there's no evidence that government officials are abusing the provisions of the PATRIOT Act to settle personal scores or persecute those with unpopular beliefs, most people will see them as acting in good faith. This assumes that actions taken are within a reasonable interpretation of the letter of the law, of course.
I get where you're coming from, or at least I think I do. I just don't think that the issue is so black and white. This may be a case of "The current government isn't doing what I want it to do" as opposed to "We should change the way that the laws are written". And the solution to that is pretty simple: Vote.
As if the holocaust wasn't already proof enough 70 years ago.
But when you have sufficiently capable and competent actors in government I would lean on the side of trusting and giving the leash.
EDIT: And come to think of it, the enormous weight of huge bills / laws, I imagine, could become a hindrance to a government's ability to do its job. Think about it. What if you inherited a highly complex legacy application that you were not allowed to rewrite from scratch or even refactor, but were stuck maintaining? And all that you ever get to do is add more code on top of the old (a lot of times bad) code. It seems a cycle of futility. Instead, given the limited resources of a government, I want a lean system where people are allowed to use their judgment and intuition.
The elected and appointed members of government change. Their terms expire, they retire, they're voted out.
The law doesn't suddenly change when a bad actor is elected or appointed.
And laws don't generally have expiry dates. The now nearly 100 year old Espionage Act of 1917 is being applied to Edward Snowden, imagine how out of touch laws will become, and how misapplied they will be?
tl;dr: the government changes and the length of the leash doesn't adapt to suit it.
The Patriot Act wasn't being enforced in good faith. In fact, the Patriot Act was being used for drug investigations, not terrorism.
303 points on HN: https://news.ycombinator.com/item?id=8536292
The more I think about it the more I feel governments should be a lot more nimble than they have been historically. A lot more like an agile development team.
There needs to be just as often "amendments to" or "repealing of" laws that aren't working as originally intended as there are signings of new laws.
Instead we have in government the equivalent of a team of developers working on a project for months or maybe years nitpicking all the details before launching only to find that no one wants the product they spent all that time working on, or that it's out-dated, or impossible to maintain given all the complexity, or that it doesn't work on half the computers people try to run it on.
Transparency and good faith are ideals that are rare in powerful bureaucracies. Expecting those with the most power in the world to act in good faith is a scorpion and frog tale.
Non-story, it's not targeted so I don't see why anyone would be against this unless maybe they are racist or love terrorism or something.