Tuesday, November 20, 2012

You are committing a crime right now


Are you reading this blog? If so, you are committing a crime under 18 USC 1030(a) (better known as the “Computer Fraud & Abuse Act” or “CFAA”). That’s because I did not explicitly authorize you to access this site, but you accessed it anyway. Your screen has a resolution of . I know this, because (with malice aforethought) I clearly violated 18 USC 1030(a)(5)(A) by knowingly causing the transmission of JavaScript code to your browser to discover this information.

So we are all going to jail together.

That's silly, you say, because that’s not what the law means. Well, how do you know what the law means? The law is so vague that it’s impossible to tell.

The CFAA was written in 1986. Back then, to access a computer, you had to have an explicit user account and password. It was therefore easy to tell whether access was authorized or not. But then the web happened, and we started accessing computers all over the world without explicit authorization.

So, without user accounts or other form of explicit authorization, how do we tell if access to a website is “authorized” or not?

Well, we could come up with a theory of “implicit” authorization. Obviously I intend people to read this blog, and therefore, I’ve implicitly authorized you to do so. Likewise, your browser makes your screen size available to JavaScript so that websites can render better, so it’s implicit that you’ve authorized me to grab this information.

But what are the limits of implicit authorization? Let’s say you are reading a website that has “articleId=31337” at the end. You wonder what the next article is, so you go to the URL and change it “articleId=31338” and hit return. Have you “exceeded authorized access”? It’s hard to say. If article “31337” is public, why not “31338”?

But in our scenario, let’s say that article “31338” is a press release that is not intended to be published until tomorrow announcing the quarterly corporate earnings. While the article itself is online, a link to it won’t be posted to the home page until tomorrow, so not even Google spiders can find it. Because you’ve gotten early access, you can make a huge profit buying/selling stocks.

Is it your fault for accessing the pre-posted financial results? Or their fault for making them accessible? What does the Computer Fraud and Abuse Act say on this matter?
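The press-release scenario above, as an added example that is not code from the original post: a server-side lookup in which a guessable, sequential id is the only thing standing between a reader and an embargoed article, beside the hardened form where the server enforces the publish time itself, plus an audit check and a log scan for the "add one to the URL" pattern. The catalogue, clock, log format and client addresses are all constructed for the example.

```python
"""Embargoed-article lookup: an added example, not code from the original post."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed catalogue. Ids are sequential and therefore guessable; article
# 31338 is the press release whose publish time is "tomorrow" in the post.
# The clock is assumed to be noon UTC on the day of the post.
NOW = datetime(2012, 11, 20, 12, 0, tzinfo=timezone.utc)
ARTICLES = {
    31337: {"title": "Public article",
            "publish_at": datetime(2012, 11, 19, 9, 0, tzinfo=timezone.utc)},
    31338: {"title": "Quarterly earnings (embargoed)",
            "publish_at": datetime(2012, 11, 21, 9, 0, tzinfo=timezone.utc)},
}


def fetch_article_unsafe(article_id):
    """Serves whatever id is asked for. The unpublished article is protected
    only by the absence of a link to it, which is the failure mode in the post."""
    article = ARTICLES.get(article_id)
    return (200, article) if article else (404, None)


def fetch_article(article_id, now=NOW):
    """Hardened lookup: the server enforces the embargo itself. An embargoed id
    and a nonexistent id get the same 404, so the response does not even
    confirm that a future article exists."""
    article = ARTICLES.get(article_id)
    if article is None or article["publish_at"] > now:
        return (404, None)
    return (200, article)


def find_embargo_leaks(now=NOW):
    """Audit: ids the unsafe path would serve before their publish time."""
    return sorted(i for i, a in ARTICLES.items() if a["publish_at"] > now)


def flag_sequential_walkers(log_lines, min_run=3):
    """Detection: clients whose consecutive requests step through adjacent ids,
    the 'add one to the URL' pattern the post describes. Log line format is
    constructed for this example: '<client> GET /article?articleId=<id>'."""
    ids_by_client = defaultdict(list)
    for line in log_lines:
        client, _method, path = line.split()
        ids_by_client[client].append(int(path.rsplit("=", 1)[1]))
    flagged = []
    for client, ids in ids_by_client.items():
        run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= min_run:
                flagged.append(client)
                break
    return flagged


# Constructed access log: one ordinary reader, one client walking the id space.
SAMPLE_LOG = [
    "10.0.0.5 GET /article?articleId=31337",
    "10.0.0.7 GET /article?articleId=31336",
    "10.0.0.7 GET /article?articleId=31337",
    "10.0.0.5 GET /article?articleId=31300",
    "10.0.0.7 GET /article?articleId=31338",
]

if __name__ == "__main__":
    print("unsafe 31338:", fetch_article_unsafe(31338)[0])   # 200: the leak
    print("hardened 31338:", fetch_article(31338)[0])        # 404: embargo enforced
    print("embargo leaks:", find_embargo_leaks())
    print("walkers:", flag_sequential_walkers(SAMPLE_LOG))
```

The point of returning the same 404 for "not yet published" and "does not exist" is that the unlinked id stops being a secret the server has to keep; whether a visitor types 31338 by curiosity or by script, the server decides on publish time, not on how the request arrived.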

A well-known legal phrase is “ignorance of the law is no defense”. But that doesn’t really apply here. You know the law exists. You may have read it in detail. You may have even consulted your lawyer. It’s just that nobody can tell precisely whether this act has crossed the line between “authorized” and “unauthorized” access. We won’t know unless and until somebody tries to prosecute you.

Let’s say that instead of trying to profit from your accidental discovery, you simply post it to your blog, saying “look at what these idiots have done”. Because the company is a Fortune 500, the FBI takes notice, searches your home, confiscates all your computers, arrests you, and successfully convicts you under the CFAA.

This is selective enforcement. The FBI doesn’t go after everyone who adds one to a URL, only those who embarrass the Fortune 500. They don’t go after any cow in the herd, only those who stick their heads up. This violates the concept of “rule of law”. Not everyone is treated equally under the law; some are treated more equally than others.

For cybersecurity researchers like me, this creates a chilling effect. In order to fix security we have to point out when it’s broken. When we see this broken press release, what do we do? Do we keep our heads down, or do we speak up? Even if we'll probably be found innocent, why take the risk? Better to keep quiet.

This is the issue behind the recent conviction of Andrew Auernheimer for “hacking” AT&T. The guy isn’t a criminal. He wasn’t trying to profit. He simply noticed that AT&T had made user accounts publicly available, and published proof. He believed that since the information was publicly available he was not exceeding authorization. He stuck his head up above the herd. For that, he was convicted today under the CFAA and is on his way to jail (well, currently still out on bail awaiting sentencing).

By the way, this post is based on the legal concept “void for vagueness”. It’s good reading.



Update: A funny take on this blogpost by J4vv4d: Watching this video is a crime: http://www.youtube.com/watch?v=SqkqpW6EvnM

88 comments:

  1. Very well stated. I shared this on Reddit where several people seemed to think they only got in trouble due to how Auernheimer/Spitler disclosed the issue.

    Also, https://www.youtube.com/watch?v=rs1b0lr3ptg

  2. sidris 10:46 PM

    Man ... Fortunately, for us, you don't have any feeling about law ... You think you know what law is (not), but actually you just don't know anything about it. It's an almost formal language, very well defined, from a human point of view. So, sure, it's definitely not epistemic logic, but it's far from the vagueness you pretend it is. You just don't know ... It's hard to admit, for some IT guy who knows everything better than everyone because of his incredible analytics capabilities (and blah, blah, blah), I know that ... But you should know better.

    1. No, the meaning IS ambiguous due to the inherent ambiguity of our language. That's why legalese has gotten so convoluted. What he's saying is technically true. It's all about technicality.

    2. Anonymous 8:09 AM

      As a law student who is currently completing his masters degree in cyber law, I do not agree with your statement. Most (I say most, but what I mean is a few laws that have a major impact on society) laws are written to be purposefully ambiguous, as to allow selective interpretation. It isn't as obvious to the man on the street, but to people who work with these sorts of things every day, it becomes quite apparent. Unfortunately, the CFAA is, in fact, outdated and in need of a serious restructuring.

    3. Sidris, you are a clown.

    4. Anonymous 1:03 PM

      Anonymous Law student: you sir, are a fag. Just go ahead and kill yourself, do the world a favor, and just die

    5. Anonymous 4:06 AM

      The "letter of the law" is a myth. http://faculty.msb.edu/hasnasj/GTWebSite/MythWeb.htm

    6. Anonymous 7:56 PM

      The "law" is whatever a judge or jury says it is.

  3. I enjoyed the article, especially the first couple of paragraphs. It paints a picture of what could happen if the law was stretched (as in the case in some courts).

    Just like to add that for certain countries, whenever there is vagueness in the law and a case that is presented requires the judge to sort through it, they often refer back to the intention of the executive branch of government - the folks that implemented it in the first place. In some countries such as the UK, this can be inferred from Hansard. Some may even argue (such as myself) that judges/juries have wide discretion when it comes to interpreting the law... but that's another topic altogether.

    Unfortunately, I understand where you are coming from, and it is sad that nowadays judges and juries get caught up in the confusion that lawyers tend to create in order to overwhelm them and prevent them from making sound judgements.

    Having formal education in both computer science and law, I strongly believe that many times we as computer scientists misinterpret the legal system, but at the same time (and more worryingly) the legal system just doesn't get IT and technology in general.

  4. sidris: Well, sometimes it's well defined, sometimes not. Sometimes the legal meaning of a term is clearer than the common one: 'fair use', for example, doesn't simply mean intuitively fair use--there are lists of examples and non-examples that judges have worked out. Other times it's not clear because the deeper meaning of the language or principle is debatable and no court has resolved it yet; anything that you see come in front of the Supreme Court soon is probably in that latter category.

    Incidentally, in First Amendment law, overbreadth is one of the few reasons someone can challenge a law that isn't actively being used against them. One reason offered is the chilling effect that the post mentioned; laws can silence protected speech even without being actively enforced against speakers. It's a rare exception to the usual rules of standing and it shows just how seriously courts take vagueness when it undermines Constitutional rights.

  5. The problem with this post is that it isn't going to convince anyone that doesn't already agree with you. I swear to god that I am on your side. I'm a nerd. I'm pretty confident that what's being done to Weev is awful. You & I probably have mutual colleagues.

    But this post made me less supportive of your cause not more.

    You won't improve the standing of your argument in this manner. You'll only make regular people think you're crazy.

  6. It's really hard to convey rules in written language. Sure, it can be ambiguous and vague. Fortunately, we have a complex and expensive process by which we get a bunch of people together to figure out what in the world the law really meant -- a legal trial.

    So I could sit here and speculate that this legal document doesn't apply here, because you're using Blogger, a service that provides for public access to things publicly published by their users. So, in effect, you have given me authorization. And that you have not broken any law by running JavaScript code on my computer, since I run a web browser that has that feature enabled (I've permitted it), and it furthermore did no harm to my computer by running it.

    Then again, I'm not a lawyer, so I'm wasting my time even more than real lawyers who sit in a court room to pore over such poorly written documents. One of us would have to feel really strongly about this to bother suing the other, and then we'd eventually be at the mercy of a dozen people that would rather be elsewhere.

  7. Anonymous 1:14 AM

    But you have agreed to blogger terms and conditions, and blogger let us see this site.

  8. Anonymous 2:16 AM

    my resolution is not 1920x2400 -- it is 3840x2400 on my T221. This is unacceptable ;-)

  9. Anonymous 4:52 AM

    The same issue has happened in Israel. A blogger accessed restricted content of the website of the courts, and allegedly had access to all evidence and proof that was hidden from the defendant, but submitted to the court.

    http://www.haaretz.co.il/news/law/1.1821124

    The access he did was the kind of changing a number.

    The question in this article is now on trial.

  10. Chris Monk 5:24 AM

    My screen resolution is set to 1920x1080 right now (says so in my System Prefs and on my TV), yet the article says 1900x1600.

  11. You have to selectively enforce the law and prioritize the more severe cases, because there is not enough manpower in the world to enforce every law fully. Laws against jaywalking are intended to keep street traffic safe and orderly, but cops do not wait around pedestrian crossings and ticket people who jaywalk. This is selective enforcement and it's not a bad thing.

    The problem is not selective enforcement, the problem is outdated laws. The solution, of course, is fixing the legislation.

  12. My screen resolution is 2880x1800. Yet because my browser is scaling it, it thinks it is 1440x900. Lift your game.

  13. Chris Monk is getting the wrong resolution because of overscan correction on his TV.

    I am also getting the wrong resolution because I have a retina display - the logical resolution is displayed, not the physical resolution.

    Good article though.

  14. Anonymous 7:10 AM

    Here are some effective techniques to protect you against these issues:

    http://www.scribd.com/doc/113758768/Black-Ops-Internet-Privacy

  15. Anonymous 7:45 AM

    You realize you either have no idea how the law works, or you have done an excellent job of starting a conversation. Either way, most people reading this are taking it at face value when it's completely false. You posted this site on a public web server, on the public web, without any sort of access control and restriction. You have no password sign in, no encryption scheme, no user control at all. Therefore by the nature of the web, and the way it is designed, there is implied permission to view this site. No one is in violation of CFAA by reading your site. You are flat out wrong.

  16. After having clicked god knows how many "I agree" check boxes without ever reading the content of the agreement, I often thought that it would be nice to build a site with a few-pages-long agreement where you could ask to agree to all sorts of things. Like relinquishing your house, all your money and possessions, have sex with your wife...the mind boggles as to what you could make people agree to. It would be fun to take one to court and test the stupid law.

  17. Karellen 7:53 AM

    You - or at least your web server, which you control - did authorise me to access this site when it returned a "200 OK" HTTP response.

    If you did not mean to authorise me to access this site, you should have configured your web server to return a "401 Unauthorized" response.

    Duh.

  18. Anonymous 8:12 AM

    In my country if you do not protect your wireless router properly with encryption you have the liability if someone is using your internet connection to commit a crime.

    Similarly if you want your article to be protected you should have some form of authentication besides security through obscurity.

    It should not be illegal for a server to use information about the clients for authentication, security and to gather statistics. That's how the internet works.

    The main problem of course is how the internet does not work, as it technically does not provide the basics for proper authentication as I understand.

  19. This seems so sad to me ...

  20. bobkat 8:32 AM

    I don't mean to be facetious but how is this different than, say, someone opening an unlocked door to a person's (stranger's) house without knocking or being invited in, and then posting information about the house they entered (address, contents, etc.) on the Internet? That's usually considered illegal or at least inappropriate (depending on country, region, etc.). Why would similar behavior be deemed acceptable on the Internet?

  21. The law is very lenient towards the incompetent. They don't lock the door and then cry foul "he broke in". Credit cards for example have had laughable security until recently, yet they are protected by law. I think this is WRONG.

    If you care about security, especially if you have a public responsibility, you should demonstrate so. Work with the state of the art. Or hire a third party, just like you use a bank to keep your money safe, and just like the government requires a business to demonstrate its financial administration!

    So FALSE security, by companies that have lots of customers, should be a crime, in extreme cases punishable with imprisonment. The knife should cut at both sides. Hackers could free themselves demonstrating bad practices.

    There is a lot of incompetence out there protected by law. It leads to a culture of bad practices. The law should step it up, and hackers aren't the enemy. It's lazy organizations that treat customer data like dirt!

    But, you see, the law is made to protect them: they are trusted and made out to be the "good side". Whereas in reality bad practices should be outlawed. Then suddenly the trusted ones aren't innocent at all, but guilty of using laws to defend their private interests. Which is a crime against democracy itself. The law ends up protecting criminals at "the good side".

    For some life is easy, just band together and crush the opposition. For others it is hard.

    I do not work in the security industry.

  22. It looks like a thrill.

  23. Although I mostly agree with you here, I have a brief statement and a couple real questions.

    As I understood it in this case (and I have not followed it as closely as some) the problem is a matter not so much of raw "did he access unpublished documents" but instead did he act within the spirit of the law and good faith. The analogy that swayed me from full support of weev & company to mere resignation that he's unfairly being punished for Apple's error goes as such:

    Let's say you find an unlocked safe in a public building and within are piles of documents with personal identifying information. You have many choices from quietly alerting the owner of the safe to making a Xerox of every sheet and then returning them to the safe while laughing madly about how incompetent the owner is. My understanding is weev did the latter, or at least, made a YouTube video with a virtual treasure map to access these documents for anyone who would want. I have also been told there are chats where he and/or his co-conspirator attempt to sell this data.

    So the question is: did he violate the spirit of the law? It's quite clear to any lay person and even more clear to even IT amateurs that these documents were never intended for public access. While it would be one thing to have simply alerted Apple and perhaps the tech press that there was A way to access this info, it is an entirely different sort of action to publish this data or to encourage and enable others to access this data.

    I personally believe this whole thing should be marked up to "Apple's mistake" but I can't in good faith believe weev did what was right or reasonable given the situation. Just because the door isn't locked doesn't give me a right to walk in and start copying your documents, and I have trouble believing it would be any less of a crime to wander in, see valuable info, and then share the knowledge that the door is unlocked and there are valuable documents inside with the general public.

    I am no lawyer, but as a citizen of the United States I would prefer the law was weighted towards protecting my sensitive data even if I forget to lock it up tight. If I accidentally enable a web server on my computer and my private files are shared, I'd like to believe anyone who accesses them is in the wrong, especially if they do it in a systematized manner in an attempt to retrieve all documents.


    Further can anyone confirm or deny the existence of chat logs indicating he wished to sell the data?

  24. Anonymous 8:54 AM

    This is why I love this country, people are free to post whatever "perspective" they have, no matter how educated they are on the subject matter.

    Try reading this:

    http://www.law.cornell.edu/uscode/text/18/1030?quicktabs_8=1#quicktabs-8

    And I am sure that weev had just accidentally left his window open on his house, where someone then (because it is now ok for them to enter his house) climbed in the window and placed all the cocaine, xtc, lsd, etc... there for safe storage, right? Right.....

  25. Anonymous 8:58 AM

    First: 18 USC 1030(a) (better known as the “Computer Fraud & Abuse Act” or “CFAA”) does not apply to me as I am outside of the U.S.A. and its law code doesn't have any legal binding outside its borders.

    Second: the JavaScript code you (-r server) transmitted to my browser is clearly broken as it doesn't recognize my dual monitor setup.

    Third: a similar law as the CFAA is in place here, enacted in 1993 AFAIC remember. And the "unauthorized access" section expressly states "where adequate relevant protective measures are in place", which clearly doesn't apply to a webserver front-facing the Internet.

    Summing it up: we're talking about a non-issue here.
    Have a nice day.

  26. Reddit has brought me here and I'm very happy about that. The law is idiotic. Some great comments here as well.

    great post!!

  27. Anonymous 9:03 AM

    This reminds me of that guy who had the secret service raid his home after he did that photography project where he rigged computers at the Apple store to take pictures of people using them.

  29. Anonymous 9:20 AM

    I think you are misreading the statute. All the violations in that statute appear to require some malicious intent. Could you please explain by the terms of the statute how you are violating (a)(5)? I am a law student and the terms of the statute aren't that ambiguous at all compared to other statutes I have had to read.

  30. Anonymous 9:31 AM

    Heh. 31337.

  31. Anonymous 10:04 AM

    I think what you are saying applies to the entire legal world, not just United States law, or even just Internet law. And I agree that the legal system, any of them, can never keep up with technological and cultural changes when 1) it is written in such a rigid fashion, 2) is subject to interpretation by humans who are notorious for changing their mind, have different educational/economic/political/emotional/spiritual beliefs, and, probably most importantly, 3) the meanings of words change over time and when you put those words into sentences, WOW!, those changes can be monumental.

    Personally, my belief is that the simplest laws are the most effective. They stand the test of time (don't kill except in self-defense, don't take shit that isn't yours, etc.) Complicate these with short-term abstractions and your law becomes obsolete before the ink dries or your IP connection is released.

    But humans have a propensity for making the simple complex. In no other arena is that more obvious than law. Well, maybe in accounting and taxation also, but you get the idea.

    And no law has ever been written to give you more rights than you were born with. Wild animals have more Rights than you do. Every single law ever written was written to take away something. Every...single...one. And who pays the price? Not the criminals, not the "terrorists". Taken a flight through an American airport lately? Yeah, you're looking at the people that the laws are written to oppress. In the name of SECURITY? No, in the name of order and compliance and submission. Just because you are told you are free does not mean you are Free.

  32. I've personally lived thru the stupidity of this law. Just google me 'Brian K. West' and laugh your asses off. It was the most retarded thing I've ever gone thru in my entire life.

    /b

  33. Anonymous 10:12 AM

    Simple strategy used for the last thousand or more years. You write a vague law, and use it selectively to persecute your enemies under the guise of something else.

    This is how you ensure that everyone is thinking "correct" thoughts and speaking "correct" words.

    Correct, in this case, is what keeps you in power.

    What's astounding is how people have been duped by this same game, over and over and over.

  34. Anonymous 11:03 AM

    I don't think this law is as broad as you say it is, because when an employer fired a CEO employee and stole her LinkedIn account, a federal court decided that was not criminal under the CFAA. And that's way worse than one of the examples you gave, which was changing URLs.

    Source: http://arstechnica.com/tech-policy/2012/10/court-taking-over-employees-social-media-account-a-ok-under-cfaa/

    I am a lawyer.

  35. In response to those fools that make the analogy with a house: a house exists in a neighbourhood and a city and a country. In addition anyone visiting is seen.

    On the internet everybody is your neighbour and it is dark all the time. Anyone can get to your house and be anonymous. In such circumstances you don't leave your keys in the car.

    If you have something of value and you can't risk it being stolen, YOU have the responsibility to guard it, or be negligent when you suffer its loss. That loss is definitely a pity, but you certainly didn't value it enough to protect it.

    Now, when the interests of others are involved, that same lack of protection is downright criminal, yet you have the nerve to come whining about those "mean hackers". You need to be kicked to the curb.

    In addition, what is stealing digital goods? Since copying leaves your files intact, one only loses exclusivity to the information held in these files. Hackers however have the obligation to copy files, because it allows them to "see" where it is otherwise "dark".

    The point however is that laws also take away the exclusivity/authenticity of my life. They judge me if I was just another stupid ignorant guy breaking into computers. Those laws rob me, of my authenticity, of my integrity, and if they can condemn someone, they should be condemned also. For they steal our lives in the same way documents are "stolen"... with their imposition of an utter lack of love, just like the criminal hacker does.

    Such law enforcement is just like a bookkeeper running a company: until it is lifeless.

  36. The word Fraud implies an act of deception - it means you are lying about who you are in order to steal something. You commit "Computer Fraud" when you log into a system using someone else's access credential - you are claiming to be someone else.

    In this case there was no act of "Fraud" (at least as far as I know). This person asked the web server for the information, and the server provided the answer. The information wasn't locked in an account that only certain people had access to - it was out in the open, so no act of deception was needed to access it. Without an act of deception you can't get to fraud.

  37. There are rules which Judges follow when they are figuring out what a law means, and they are not the same everywhere. They are one of the things laymen don't consider.

    In this case I think it matters a lot that the data was not specially protected, and just typing a different number in a URL could reveal it. But US courts do seem to have strange views on computer security.

    I wonder how a court would view the matter if they were dealing with a paper document, that had been left in the open before being pinned to a noticeboard. But there are a lot of other differences between a paper document and an HTML file.

    I reckon the law is filled with some rather strained analogies and there are few people out there, lawyers or legislators, in a position to change that.

  38. Anonymous 12:29 PM

    I don't think you are reading it right

    a(1) only applies to things made secret by the government.

    a(2) requires that you obtain financial information, government information, or information from a protected computer, defined as pretty much financial or governmental computers.

    a(3) is only for government computers.

    a(4) requires an intent to defraud.

    a(5) is again only for protected computers and requires damage.

    a(6) requires an intent to defraud.

    a(7) requires an intent to extort.

    So accessing websites would not run afoul of this nor would transmitting code to someone's computer in the manner you described.

    Plus while you brush it off as 'implied', the very nature of a website makes it abundantly clear that access is authorized.

  39. Luckily I'm Canadian.

  40. After some consideration and reading I think there might be more of a grey area here than the framing of this post lets on. However, I am not fully aware of all of the technical details in this case, so if I am misrepresenting how this actually worked, by all means, please correct me.

    I agree that changing a value like "articleId=31337" in order to access data is not fraud, because the numbers are sequential and not personally identifying, so they don't constitute an access control, and changing them is not an act of deception.

    On the other hand, imagine a website with a value in the URL like "password=31337". Your personal password is "31337" and when you access this page it provides you with your personal data. Other people have other passwords on the system and when the value of the password field is changed to someone else's value, you get to see their data. Otherwise you get an error message. The password values are not sequential, but if you tried a large number of them you would successfully guess many active passwords.

    Although this would be a stupid way to design a website, I think we'd agree that writing a program to brute force guess many of these passwords and running that program on the live site would be a crime (an act of fraud), because the passwords identify the individual requesting data, so presenting someone else's password is an act of deception.

    Now, let's imagine a third scenario - a website with a value like "SSN=078-05-1120". If you put someone else's Social Security Number in that field, you get access to their personal data. Social Security numbers aren't sequential, but if you tried to guess them you would easily get lots of successful hits. Nevertheless, they are personally identifying.

    I think writing a program to brute force guess Social Security numbers in such a website would be more akin to the password guessing scenario than the articleId guessing scenario - it would be fraud.

    Furthermore, as best I understand it, the SSN scenario is similar to what happened in this case. The values guessed were subscriber ID numbers. Again, I'm not 100% clear on the facts of this case, so please correct me if you think that I'm mischaracterizing this or if there are important technical details that lead to a different interpretation.

    Having said all of that, I think there is another ingredient here, which is "intent to defraud." I don't see any evidence of that here. Wired magazine published some IRC chat logs where people were joking about committing a crime, but joking about committing a crime is not the same thing as actually committing a crime.

    As a security researcher, it's obvious that my SSN website example is a bad design, but it might be hard to convince people at AT&T of that fact. They might argue that it would be hard to guess valid numbers or that their systems would detect any attempt to do so. It may have been impossible to demonstrate that this was a real vulnerability without actually performing the attack and going to the press with it.

    I think, ultimately, it should be illegal to commit actual attacks without authorization in order to demonstrate that a computer security vulnerability is real. However, sometimes there is no alternative. There is such a thing as prosecutorial discretion, and shooting the messenger in a case like this sets a bad precedent in my view.


  41. Anonymous 1:15 PM

    Do you really think that the government wants laws to be observed?
    They want laws to be broken.
    You'd better get it straight that it's not a bunch of boy scouts you're up against.
    This is not the age for beautiful gestures.
    The politicians are after power and they mean it.
    They know the real trick, and you'd better get wise to it.
    There is no way to rule innocent men.
    The only power any government has is the power to crack down on criminals.
    Well, when there aren't enough criminals, one makes them.
    One declares so many things to be a crime that it becomes impossible for men to live without breaking laws.
    Who wants a nation of law-abiding citizens?
    What's there in that for anyone?
    But just pass the kind of laws that can neither be observed nor enforced nor objectively interpreted!
    Then you create a nation of law-breakers and you can cash in on their guilt.
    Now, that's the system, that's the game, and once you understand it, you'll be much more independent and free.

    (With apologies to Ayn Rand)

  42. Anonymous 2:16 PM

    "The rules dictate that you must be precise as the law is a precise endeavor" - Suits

  43. Anonymous 2:24 PM

    A 17 year old was arrested in England for a similar thing: http://www.bbc.co.uk/news/uk-england-norfolk-17780084

  44. Anonymous 3:17 PM

    Also, one could apply Gödel's incompleteness theorems to law. And of course law is written by idiots who have no idea what Gödel's incompleteness theorems are, nor do they have any idea what they are actually legislating ... blahhh666@wp.pl

  45. This is a relevant article from 2006 by Jennifer Granick -

    http://www.wired.com/politics/law/commentary/circuitcourt/2006/05/70857?currentPage=all

    The bottom line is that law needs to differentiate between unauthorized access for profit and unauthorized access that doesn't have criminal intent, as in this case.

  46. I'd agree with harryh, were it not for the example of Andrew Auernheimer. It's hard to argue that you're wrong when something like this JUST happened and someone is on his way to jail.

    So, what can we do about it?

  47. When you left your web service running on port 80 connected to the internet you opened your front door. When you responded to a figurative knock on your open door by responding to the http request, you invited us in.

  48. You actually placed the right stuff on the table. I hope more users will get the information that I receive from you.
    I can't wait to read much more, keep me coming!

  49. @ ttj

    Court transcript of weev on the stand:

    https://www.documentcloud.org/documents/522213-auren.html

  50. sophie 6:24 PM

    College football cheerleaders. In violation of USC 1030(a)(5)(A)?
    http://bit.ly/SU7cHX

  51. Thanks for your great information. We all appreciate your information. Keep posting these kinds of nice blogs.
    Conveyancing freshwater

  52. so many comments, so little wisdom.

  53. I only want to say... great post.

  54. Good post. I only wanted to add, those vague laws that have been passed where it was said "we will never use this law in a wrong or immoral way" have ALWAYS without fail been used that way. The Patriot Act is one of the most recent that has been abused in this fashion. It was stated that it would never be used against a citizen of the US but it has never been used for anything but suppressing citizens. There are infinite examples of laws that have been written just vague enough so that some entity with a team of lawyers can use them against those without the resources to defend themselves.

  55. Whatever happened to the idea of scienter?

    If a company posts it, but doesn't want it known, isn't that the cyber equivalent of an attractive nuisance? Not the kid's fault he fell into the pool . . .

  56. Anonymous 9:43 PM

    THE MULTI-MILLIONAIRE is Kim Dotcom of Megaupload. YOU HAVE COMMITTED A CRIME and your IP address is logged. Expect a summons.
    Read, the book THREE THOUSAND FELONIES A DAY.... wrong! - Three Felonies a Day.
    THE LAW IS SET UP TO BE VAGUE, so that political insiders can prosecute anyone they want. FBI HOOVER is NOT gay and NOT allegedly strange and did NOT commit blackmail against political leaders. repeat NOT.
    HERE ARE THE RULES: 1.)KILL THE MESSENGER. 2.)when in doubt, KILL THE MESSENGER's FAMILY and even those in the same software company.
    3.)the EMPEROR HAS NO CLOTHES. THE INTERNET IS COMPLETELY SECURE. remember, "IGNORANCE is STRENGTH." 1984 is too old and nobody in USA remembers history. What in the heck is history???
    4.)those who do not remember history - WILL REMAIN HAPPY - maybe condemned to repeat it.
    5.)MANY USA POLITICIANS are GREAT ACTORS. For example, President Reagan. Some say he was only a B grade. I think he is an A PLUS PLUS PLUS.
    It appears he is a COMPLETE GENIUS IN PHYSICS, MATH AND COMPUTER SCIENCE. NOT JUST A GENIUS BUT A COMPLETE one for there is 1.)no such thing as global warming 2.)DUST BOWL, ecological disaster and the BP Oil spill in the Gulf of Mexico never caused any MAJOR CROP FAILURE in the food system.
    3.)the USA infrastructure uses only a few computers and WINDOWS is very STRONG in security. That includes NUCLEAR POWER PLANTS near you, made by the same company that made the FUKUSHIMA Japan nuclear power plant.
    4.)Telling the BIG BANKSTERS how to improve their operations is generally a somewhat allegedly questionable idea; just like talking friendly with the STATE POLICE TROOPER WHO IS LOOKING FOR DRUGS can sometimes lead to trouble.
    So, you have long hair and look like a hippie? You got nothing to hide, right? Let me sniff around. Oh, so very sorry. We have to dismantle your car, but don't worry, you get it back in pieces. We KNOW YOU ALWAYS WANT TO COOPERATE, YOU CRIMINAL according to the law.
    reddit.com/politics

  57. Anonymous 9:53 PM

    The history of YOU HAVE NOT BEEN AUTHORIZED by the centralized power
    started with The First emperor of China named Chin.
    He is still hated as being too strict with 'vague laws.'
    http://history.cultural-china.com/en/183History5107.html
    Marquis Chao of Han got drunk and fell asleep. The keeper of
    the royal hat, seeing that the marquis was cold, laid a robe over him.
    When the marquis awoke, he was pleased and asked his attendants,
    "Who covered me with a robe?" "The keeper of the hat," they replied.
    The marquis thereupon punished both the keeper of the royal hat
    and the keeper of the royal robe. He punished the keeper of the robe
    for failing to do his duty, and the keeper of the hat for
    overstepping his office. Emperor Chin was even more strict and believed
    in bureaucracy and 'centralized planning.'

  58. Cyber laws, especially those concerning IP and security, tend to be poorly written by people that don't fully understand the technical aspects of the laws they put on the books. It's a shame but there really isn't much we can expect.

  59. The security courses are very useful nowadays, this is the edge of competition no one can achieve a successful career without being a skilled individual many institutes are offering PTLLS Course in reasonable expenses....

  60. @ Marc Kushin
    Thanks for that, paints a pretty awful picture.... Jesus I wonder why he wanted to get on the stand, probably his ego biting him again. I think a big thing people are missing here is while the crime itself is debatable, weev has been cruising for a bruising for years. Besides threatening synagogues, the collection of drugs and his smarter, better AND holier than thou attitude (cf. his ipope venture) he just isn't easy to like, and honestly easy to despise.

    I still think what he did, what he actually did, not what he thought of doing or said, should be legal, but it's clearly not, and it's clear from his testimony and the chat logs he knew it was illegal.

    He literally refers to the retrieval of the data as "theft".

    Jesus Christ way to nail yourself to the cross weev.

  61. You should stop playing armchair lawyer, Rob, because you're dead wrong here. By virtue of using a Google service, you have granted people the right to view your publication (http://www.google.com/intl/en/policies/terms/). In general, sites like this fall under "publication" rules where there is a well-defined set of case law around implied consent. This site exists to be seen and read, and thus even under CFAA it's considered authorized access. If you did not intend for people to access it, you would minimally put prohibitions on it, but more explicitly you'd have to implement some form of access control.

    All that said, CFAA (among many other laws) is desperately in need of overhaul. And, in fact, CFAA itself was updated in 1994 to add support for "networked abuses." However, what we do *not* need is things like the Cybersecurity Act of 2012, which do not update the "fraud and abuse" laws, but instead focus on micro-managing businesses. The last thing we need is micro-management of private industry by aging Boomers who don't grok technology.

    Lastly, for a decent historical perspective (if I do say so myself), please check out my piece from a couple months ago:
    http://www.secureconsulting.net/2012/10/a-little-historical-perspective.html

    You'll see that there's a lot changing, a lot underway, and a lot more left to be done.

    cheers,

    -ben

  62. Anonymous 9:59 AM

    Riemann lover said...
    I cannot agree on this point of view. As a grey hacker I know I have no authorization to enter, however I might just check if the door is open. Mr. Auernheimer went way too far, exposing sensitive data of users and putting a company at risk. I'm sorry but there is no excuse and innocence on that

  63. Following-up on your request for a more detailed response...

    First... from the Google TOS (http://www.google.com/intl/en/policies/terms/):
    "Using our Services does not give you ownership of any intellectual property rights in our Services or the content you access. You may not use content from our Services unless you obtain permission from its owner or are otherwise permitted by law."

    This is interesting, because it seems to suggest that people don't have permission to access their services or content (bad on Google for such poor wording). However, if you go into your Blogger Settings, under Basic>Permissions, you have the option to restrict access (choices are "Anybody," "Only blog authors," "Only these readers"). By virtue of the site being accessible without clearing any access controls, there is clearly implied consent to access the service.

    More importantly, if there was a CFAA case to be made, it would have to be by Google, since it's their site and service. How is this? Because you've agreed to a contract that affords them a wide range of permissions (essentially everything but conference of copyright ownership):

    "When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services (for example, for a business listing you have added to Google Maps). Some Services may offer you ways to access and remove content that has been provided to that Service. Also, in some of our Services, there are terms or settings that narrow the scope of our use of the content submitted in those Services. Make sure you have the necessary rights to grant us this license for any content that you submit to our Services."

    Incidentally, we don't have to "come up with a theory of 'implicit' authorization" because that theory is already well established.

    Also, while the original CFAA was authored in 1986, it has been amended several times (http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act), including the major update in 1996 that added support for networked abuses. While it is still generally considered to be in dire need of revision, it has not stood completely still since its original version.

    Lastly, to your 31337/31338 example, I'll have to defer to the lawyers for specific examples, but suffice to say that I think this sort of enumeration is at best/worst a grey area. Moreover, I'm fairly certain there have been explicit examples tried in court... but I can't recall the specifics or the outcome...

  64. Thanks Ben.

    My point is that under the original meaning of the CFAA when "authorization" was always explicit, people intentionally clicked on links knowing they were authorized. So under the original 1986 reading of the law, we are all criminals.

    Of course, it doesn't work that way today, and we've got "implicit" authorization, so you aren't committing a crime according to the 2012 interpretation of "authorization".

    But "implicit" authorization is impossible to define. You say "defer to a lawyer" about articleId=31338, but here's the thing: your lawyer doesn't know either. Nobody does. Moreover, editing a URL isn't a rare occurrence that nobody does, it's a common thing that people do every day. It's led to the state where it's impossible to know when you are breaking the law.

  65. CFAA has been revised about a half-dozen times since 1986... going off the "original reading" isn't appropriate or useful... for example, networked abuses were added in 1996... so, really, your original reading is absurd since CFAA didn't account for networked communication like this blog or its comments until the later revision...

  66. "Everyone isn’t treated equally under law, some are treated more equally than others."
    You can say that again ...
    The ugly reality for consumers dealing with the eBafia/PreyPal complex ...
    “Shill Bidding Fraud on eBay: Case Study #5” ...
    http://bit.ly/N1nTlc

  67. Ben,

    The CFAA provides no definition for the terms access or authorization, leaving the courts to come up with their own theories. I'm aware of at least two different theories on what unauthorized means.

    The one that makes the most sense is similar to what you've suggested, that access controls are used to separate what the owner intended to be available to the public or not. Orin Kerr proposed this theory in his paper "Vagueness Challenges to the Computer Fraud and Abuse Act", but I'm not aware of any courts using it.

    A competing theory is the agency theory that basically says that employees owe their employers a duty of loyalty and if they ever perform a disloyal act using a computer the employee has violated their implicit authorization to use the employer's computer.

    This theory was used to convict Richard Wolf of violating a state CFAA analog for visiting Adult Friend Finder from his work computer (additionally worrisome in this case is that he was never given any written computer use policy).

    http://www.wired.com/threatlevel/2009/05/court-upholds-hacking-conviction-of-man-for-uploading-porn-pics-from-work-computer/

    In other cases, the court doesn't really articulate a complete theory to explain its decision. David Ritz was found to have violated a state CFAA analog by conducting a zone transfer from a spammer's DNS server. This was considered unauthorized because the only legitimate use for a zone transfer was to back up zone files and because Microsoft said that such transfers are generally unauthorized if not done by an administrator.

    http://www.circleid.com/posts/811611_david_ritz_court_spam/

  68. hahaha this is very interesting
    guess i lost this round xD

  69. You're wrong. The FBI doesn't just pursue things on behalf of just the Fortune 500. They pursue things on behalf of pretty much any "legitimate" U.S. based business. But if you are a U.S. individual or a multi-national with headquarters elsewhere, as far as the FBI is concerned, you can go pound sand.

    P.S. I have a little trouble understanding why, at this late date, so many people are shocked (Shocked!) to learn that we live in a corporatocracy. I guess that most of you young whippersnappers were not alive to see the theatrical release of the movie "Network" way back in 1976. (Free hint: Things have not gotten better since then. Quite the opposite in fact.)

    P.P.S. Somebody please tell me if the guy who thinks that the law in these United States is "almost formal language" is a troll or just an imbecile. I have trouble telling the difference.

  70. Free Bollywood hot News, Bollywood Top Hot Actress and Hot Desi Girls Beautiful hot Pictures.
    hotentertainnews.blogspot.com

  71. I'm planning on hiring a security company from Calgary to install some new monitors in my mother's house. She really needs medical watch.

  72. PlagueHush 10:35 PM

    ...followed J4vv4D over here from: http://www.youtube.com/watch?v=SqkqpW6EvnM

    Excellent article, especially the point about the chilling effect on security researchers. What's more interesting is to see how it translates into chilling peer pressure in some of the comments.

    Also, those complaining about the wrong resolution... wrong answer. What it should read is "XXX" because you haven't approved the JavaScript to run in the first place! ;)

  73. Anonymous 2:42 AM

    weev and pals on irc were logged discussing how best to use this flaw to promote themselves, and how best to use it to damage AT&T. This shows intent. A different intent to that implied in the article.

    He wasn't trying to help anyone. He willingly caused damage. The nature of the flaw he used to access the data is hardly relevant. I know it sucks to be busted for the crime of incrementing a digit in a URL, but that's not all he did... to make that argument is disingenuous.

  74. Interesting story. So I should prepare myself for a jail.:)

  75. P.D. Rocket 5:37 AM

    There's a good law review article on point- Paul Ohm's 'The Myth of the Super-User'.

    the CFAA was written broadly to prevent 'leet computer criminals from finding legal loopholes and escaping prosecution. Unfortunately, that also picks up a lot of activities that we might not see as malicious.

    Claiming 'it's on the public internets' or 'your server let me see it' means authorized access is not how the law sees it. It'd be possible to restrict authorized access in a TOS document while permitting actual access, even without a password.


    And it's possible to be a criminal without any malicious or fraudulent intent- look to 1030(a)(2)-

    (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—
    ...
    (C) information from any protected computer;

    And 'Protected Computer' is a broad term nowadays- look to 1030(e)(2)-

    (2) the term “protected computer” means a computer—
    ...
    (B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

    Anything with an IP address fits this definition.

    The CFAA was written with good intentions, in 1986.

  76. Anonymous 4:30 PM

    Weev had malicious intent.

    Nazis.

  77. Anonymous 5:13 PM

    I expect all laws / legal systems are ambiguous to some degree. Our legal system, i.e. our courts, judges, prosecutors, jury, etc., in each instance has the latitude of being just or subservient to some corrupt but powerful influence. That is inevitable.
    I doubt that it is possible for laws to be written so completely unambiguously as to ensure a single consistent interpretation. This implies that we have no option but to trust the system. After all, we (the people) built it. When it does not do what we intend it to do we can and should fix it.
    I think the real question is: Do we, the majority of the public, trust the government?
    That is a much harder question to deal with and it brings us into a domain that does not lend itself to computational precision. Too many variables, too many measurements, subjectivity is inevitable.
    Given that caveat: My sense is that, generally speaking, the public is happy or at least has accepted the government as it is. At least they are unwilling to expend the effort necessary to make any changes they may want. Sure there is a minority (significant perhaps, vocal certainly, better informed –they would have you believe) that is dissenting. But that too is inevitable. There will never be universal agreement on such complex matters.
    In short, although I personally worry about the possibility of court malfunction because of technical ignorance, or corporate influence, I've recognized this as the will of the majority. The people are the government. They are the courts. After all the government and the courts aren't aliens who have imposed themselves on us. They are us. It’s not ideal. Just the best deal out there.

  78. So I'm committing a crime. Interesting.

  79. My spouse's company was embroiled in a civil lawsuit where a user had entered arbitrary URLs and managed to insert bids into a purchasing system.

    Of course, he wasn't arrested or charged with hacking - it was a small company. Instead, he was suing to retain the purchases that he did outside of the bidding system!

    He violated both the letter of the law, the spirit of the law, the letter of the contract to purchase, and the spirit of the contract to purchase, and yet my spouse's company was stuck in the lawsuit for several years.
