Computer Crime laws are already insanely disproportionate.
They were created during a moral panic when only a few individuals, large multinationals, and large governments had computers, and the government was worried that "hackers" could break into the electricity grid or the communications system and shut it down.
So right now you could literally break into someone's home, knock them unconscious, and then steal their laptop, but still get more jail time for "hacking" into their laptop than for any of the previous crimes.
It only gets more insane when someone "hacks" across state lines. The federal laws are absolutely insane, and the only thing more disproportionate are some of the drug laws (many of which were also created during times of moral panic).
In particular are comic cases of when companies fail to secure things at all (e.g. leave data exposed to the public via hidden URLs) and then someone gets prosecuted because they "hacked" that company and "stole" that data.
> In particular are comic cases of when companies fail to secure things at all (e.g. leave data exposed to the public via hidden URLs) and then someone gets prosecuted because they "hacked" that company and "stole" that data.
Which is my main concern with all the attention and push for change (or rather more laws and less privacy) in relation to the Sony hack (among others). Would Congress and the media be calling for equitable action if someone had physically broken into the Sony Films offices and stolen the data, due to lax (physical) security policies? Doubtful; they'd probably be told to buy better locks...
>In particular are comic cases of when companies fail to secure things at all and then someone gets prosecuted because they "hacked" that company and "stole" that data.
<devil's advocate>If I leave my garage open, and somebody takes my golf clubs, is that not theft?
Yes, the potential punishments are disproportionately harsh.
Yes, the company is silly for leaving data exposed.
No, it's not ok to take data because it's unprotected.
Yes, stealing something is a crime whether the item is locked or not. However, cases like that of the Weev guy (http://en.wikipedia.org/wiki/Weev) are very different from someone coming into an unlocked garage and stealing your stuff.
His case is more like going into a store that is open and invites you in (this was a public website he went to). You are browsing around, looking at stuff for sale. You then see an unmarked door in the middle of the store. It isn't locked, and doesn't say "Employees Only", so you walk in.
The store can't then turn around and have criminal charges brought against you just because you weren't supposed to go through the door. There were no locks or signs, and you were in a place you were supposed to be. Now, if there was any sort of lock at all (even a crappy, broken one that was easy to bypass) you could argue that it is a crime.
If I send a standard request to a website, with no special forged auth or anything, and that website gives me back data, you can't blame the person who made the request. It is up to the website to tell me "no, you are not allowed to access that."
If I accidentally leave my front door unlocked, it's still a crime for you to waltz into my house and peek around. I wouldn't describe what weev did as just walking through an unlocked door, either. It's more like he walked through an unmarked door, looked into a filing cabinet and saw some private business records, then thought "Cool. There's more in this cabinet. I'll just go ahead and make copies of them all for myself."
> If I send a standard request to a website, with no special forged auth or anything, and that website gives me back data, you can't blame the person who made the request. It is up to the website to tell me "no, you are not allowed to access that."
Many remote exploits are going to fit this description. Sometimes it's just magic parameters or misconfigured URL routes.
Your concept of computer crime requires a bit more depth than that. Intent matters, as does what you do with data on their end and on your end.
The room analogy may be reasonable. Except weev realized the room contained private company records. He proceeded to copy everything, then went home and published it in the newspaper. He wasn't really prosecuted for the entering of the room, it was that second part that did it.
If your garage says "Come on in" and, when the person takes your golf clubs, you say, "OK!" then yes, it's OK.
And that's exactly what publicly accessible URLs and a status code 200 are.
You had a chance to issue a 403 (i.e., "You can't take my clubs") but instead you said "OK."
I think it's egregious that anybody anywhere can be held criminally liable for accessing information available as the result of a 200, with no former contractual arrangements in place.
If you're a robot that's true, but you're probably not a robot.
The law leans on the word "reasonable" all the time, simply because there are plenty of situations where humans can make an obvious judgement call.
If a publicly accessible URL contains obviously privileged information, as an adult you know that it is a "door that has been left open accidentally". That doesn't mean you're free to walk in and take what you want. If you're neighbourly, you may want to let them know their door is open. People should feel safe from litigation if they do that, but I don't see why you should feel like you can do whatever you want just because there's a 200.
> The law leans on the word "reasonable" all the time
Far too often in my estimation, and in the wrong places.
> If you're neighbourly, you may want to let them know their door is open.
Agreed. But failing to be neighbourly is not a reasonable criminal offence.
> but I don't see why you should feel like you can do whatever you want just because there's a 200.
To turn things around: Why not hold AT&T liable? Why not issue a 403?
I agree that weev was "un-neighbourly," but at the end of the day, the protocol was the only contractual arrangement in place at that moment. It's just maddening to me to imagine that this can be regarded as criminal conduct.
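The "publicly accessible URL plus a 200" point above, and the "why not issue a 403?" question in the same comment, come down to one design decision on the server side: does the application check who is asking before it answers, or does it rely on the path being hard to guess? The following is an added example, not code from this thread or from any company mentioned in it; the paths, account ids and bearer tokens are constructed for illustration.

```python
"""Added example (not from the thread): a toy request handler in two versions.
The first answers 200 to anyone who guesses an identifier in the URL (security by
obscurity); the second checks the caller's credential and answers 403 explicitly.
All paths, ids and tokens below are constructed for this illustration."""
import hmac
from dataclasses import dataclass

# Constructed sample data: per-account records reachable by an id in the URL.
RECORDS = {"1001": "alice@example.com", "1002": "bob@example.com"}
# Constructed bearer tokens mapping to the account each one may read.
TOKENS = {"tok-alice": "1001", "tok-bob": "1002"}

@dataclass
class Response:
    status: int
    body: str

def obscurity_handler(path: str, headers: dict) -> Response:
    """Weak design: the only 'protection' is that the id has to be guessed."""
    if not path.startswith("/account/"):
        return Response(404, "")
    account = path.removeprefix("/account/")
    if account not in RECORDS:
        return Response(404, "")
    return Response(200, RECORDS[account])  # any guessed id gets a 200 and the data

def authorized_handler(path: str, headers: dict) -> Response:
    """Corrected design: identify the caller first, then decide; a missing or
    mismatched credential gets a 403 rather than the record."""
    if not path.startswith("/account/"):
        return Response(404, "")
    account = path.removeprefix("/account/")
    token = headers.get("Authorization", "").removeprefix("Bearer ").strip()
    # Constant-time comparison so token checking does not leak via timing.
    owner = next((acct for tok, acct in TOKENS.items()
                  if hmac.compare_digest(tok, token)), None)
    if owner is None or owner != account:
        # Authorization is checked before existence, so a 403 never reveals
        # whether the guessed id is real.
        return Response(403, "forbidden")
    if account not in RECORDS:
        return Response(404, "")
    return Response(200, RECORDS[account])
```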
If the Goatse security guys had discovered the exploit, shrugged and ignored it then absolutely nothing would have happened.
They chose to write scripts, pull all the data, send it to Gawker, etc. There's no question that they knew what they were doing was wrong (because of the IRC logs), so you don't even need a judge to decide what was reasonable.
What if you leave your door unlocked, someone walks into your bedroom, and looks at the sex photos you and your wife took. Or rifles through your personal letters, bank statements, etc. Still okay just because they took a copy?
> So right now you could literally break into someone's home, knock them unconscious, and then steal their laptop, but yet still get more jail time for "hacking" into their laptop than any of the previous crimes.
Can you provide some examples? And not sentencing guidelines or what the prosecutors asked for; actual sentence lengths that were actually served by people convicted solely of computer crimes vs. time served for breaking and entering and assault and battery and theft.
I don't understand how the Sony hack relates to the proposed changes to the CFAA. If the attacker was North Korea--as suggested by the administration (which I don't believe)--then how would increasing penalties for "hacking" or developing (or even sharing) "hacking tools" make a difference? As if we had any jurisdiction whatsoever over there or that the laws of the United States would somehow deter foreign attackers.
If they want to increase penalties for anything it should be for companies failing to secure their systems. Attackers can often use very sophisticated methods to make their way into internal networks but once they're in it's run-of-the-mill, patched-three-years-ago vulnerabilities that let them do the most damage.
There's a lot of negligence going on inside corporate networks in regards to information security and one of the justifications I often hear is that they can't justify increased spending (or spending any money whatsoever) on IT security when the costs of an attack are unknown. If we apply significant punitive damages then the costs would be much easier to calculate and justify.
> I don't understand how the Sony hack relates to the proposed changes to the CFAA.
I'm guessing that the lobbyists behind SOPA, PIPA, CISPA, etc. have been trying to push something like this for a while, but now think that the Sony hack has scared enough people that the bill can appear like it has popular support.
> If the attacker was North Korea--as suggested by the administration (which I don't believe)--then how would increasing penalties for "hacking" or developing (or even sharing) "hacking tools" make a difference?
This might be a bit off-topic, but there's potentially a distinction between North Korea being responsible for the hack of Sony, and whoever the people are who actually penetrated Sony's network and extracted/deleted the data. By analogy: if you pay an assassin to kill someone, the law holds both you and the assassin responsible.
I think this is what the government means when they say North Korea was responsible--not necessarily that every participant in the attack was a North Korean in North Korea.
It is well known that NKorea and China are partners in a cyberwar against the west. NKorea's elite hacker team are stationed in China. This has all been documented by various groups and reporters.
I think a lot of the skepticism here and the general praise of autocratic states on HN are mostly from a lot of people with an anti-US bone to pick or other political agenda. So to them, the US is always wrong, so they hold up NKorea, China, Russia, and Iran as bastions of liberty, honesty, and utopia. It's incredible how delusional these people are.
I also think a lot of people, especially right/libertarian leaning kids, lean toward autocracy and want a "decisive toughguy" leader for their own political and emotional reasons. Democracy, secular enlightenment, separation of powers, etc. is seen as weak. Of course, they think the autocrats will be on their side, the same way many think eugenics is a fine idea because, of course, "my people" will be allowed to procreate. There's a Fox News anchor who famously praised Putin and wished he had a Putin-like president during Russia's taking of Crimea. Of course, western sanctions have all but crippled Russia and the ruble today. I wonder if this anchor is still praising Russia's leadership.
I laughed hard at this one! The Hamptons is basically a vacation destination in eastern New York state for very very wealthy people, who don't want any riff-raff cluttering up their picturesque vacation views. 'The Wicker Man' is a film (+ a remake) about a police officer who goes to investigate a crime in a remote idyll where everyone knows everyone else and runs into...problems. Translation: let's ensure that the 'wrong' people stay away.
Really? And you think they won't assume you're some nasty hacker trying to angle for weak laws so you can just get away with more of this demonic evil hateful hacking thing that you do? Hoodlum! The incompetency here is not striking in the fact there's apparently been no change since 1984.
I think there's a valid concern that we would be seen this way if we contacted our reps.
This is why I think it's important that you present and carry yourself well, be prepared about what you want to talk about, and anticipate questions by having well-thought-out answers ready. These people consider themselves professionals, so despite our views of them, we will better communicate our points if we demonstrate professionalism and respect.
I don't need any "protections", I need to be left alone. That's how I actually can speak free, feel free and don't worry about my privacy too much (well, as long as I don't use skype, gmail, mobile phone… well, everything is relative, ok?). And honestly I think that only fools believe in stuff like "free speech protections", although I usually don't try to persuade anybody about all these abstract matters. So, yeah, I'm just fine in Europe without all these "free speech protections" and stuff. I guess it could be better, but I don't feel like leaving for Siberia or some desert island yet.
I don't understand the distinction you are making between free speech and being able to speak freely. I'm not talking about an abstract concept, I mean posting certain things on your blog is actually illegal. And being spied on by the government is the opposite of being left alone, so I think you should be against that too.
Making the CFAA apply more broadly and criminalizing hacking behaviors that are currently misdemeanors will have the following effects imo:
1. As stated in the article, restrict legitimate security work and creation of useful tools.
2. Glamorize becoming a hacker for the misfits of the world. (It's a criminal behavior; you'll get underground respect for doing it...)
3. Drive hacking further underground (this is like suddenly making weed illegal again in places where it is currently legal). More crime will result.
4. Cause me to release code I write under an alias through multiple proxies in combination with Tor.