Senator Leahy Tries To Sneak Through Plans To Make Merely Talking About Computer Hacking A Serious Crime

from the that's-not-good dept

You may have heard about the recent high-profile, malicious hack of Target's point of sale systems, giving the attackers access to the details of at least 40 million credit cards. Senator Patrick Leahy is, incredibly cynically, using this news event to try to sneak through a change to the "anti-hacking" law, the CFAA, which was used to prosecute Aaron Swartz and many others. And it's not a change to improve that law, but to broaden it, extending massively how the DOJ can charge just about anyone they want with serious computer crimes. This is monumentally bad, and Senator Leahy is trying to hide it behind a major news event because he knows he couldn't get this kind of DOJ wishlist through without hiding it.

Officially, this is Leahy reintroducing his Personal Data Privacy and Security Act -- a bill he's tried to introduce a number of times before. The crux of that bill makes some sense: requiring companies that have had a security breach to inform those who were impacted. State laws (most notably, California's) already include some similar requirements, but this is an attempt to create a federal law on that front. There are some reasonable concerns about such a law, but the general idea of better protecting the public from data breaches, by at least letting them know about it, is an idea worth considering.

The problem is that Leahy has inserted a couple of other dangerous bits and pieces into the bill, including a couple of "reforms" to the parts of the CFAA that have raised significant concerns, and burying them deep within this bill. Section 105 of the bill, for example, simply repeats the same change that the House Judiciary tried to include last year in an attempt at bad CFAA reform. It's basically part of the DOJ's wishlist, changing the CFAA to make you guilty of violating the law if you merely "conspire or attempt to commit" the offense, rather than if you actually do commit the offense. It may be difficult to understand if you just read the proposed bill (this is on purpose), but the bill says it wants to include the term "for the completed offense" so that the CFAA now reads:
Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section.
Right now, the law does not include those four words. Why is that a big change? As we explained last year:
All they did was add the "for the completed offense," to that sentence. That may seem like a minor change at first, but it would now mean that they can claim that anyone who talked about doing something ("conspires to commit") that violates the CFAA shall now be punished the same as if they had "completed" the offense. And, considering just how broad the CFAA is, think about how ridiculous that might become.
While the proposed bill does include a further change that notes that merely violating a terms of service agreement does not make you subject to the CFAA, it's not just the TOS issue that concerns so many people about the CFAA.

The CFAA needs to be greatly scaled back, not expanded, no matter what the DOJ wants. It's ridiculous that Senator Leahy is not only proposing this, but then trying to hide it in this bill about security breach reporting, tying it to a news event.




Reader Comments (rss)

(Flattened / Threaded)

  1.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 1:19pm

    This is insane, this would make something as simple as reading the JavaScript on a page that has to do with login or auth or using a tool like Fiddler to look at your own web traffic potentially illegal actions. Not to mention completely killing white and grey hat security research completely. That's awesome, this is like taking all the guns away from law abiding folks, only the black hats will be able to research security holes and thus have the guns to exploit them.

     

    reply to this | link to this | view in thread ]

  2.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 1:26pm

    What a monumentally stupid idea introduced by a monumentally stupid Luddite.

    So if Joe User is clicking around on his banking website one day and discovers - inadvertently or otherwise - a security hole big enough to drive a truck through, just pointing that security hole out to the bank will be a criminal offense on par with actually exploiting it. I mean, obviously that's already happening in many cases, but to have such insanity codified into law means that there is no incentive whatsoever to inform the bank of the flaw.

     

    reply to this | link to this | view in thread ]

  3.  
    icon
    AC Unknown (profile), Jan 9th, 2014 @ 1:29pm

    This is an incredibly stupid move on behalf of Sen. Leahy. KI can foresee a lot more security holes going unpatched if this law passes.

     

    reply to this | link to this | view in thread ]

  4.  
    identicon
    jackn, Jan 9th, 2014 @ 1:31pm

    "Conspire or attempt to commit...." is not the same as 'Merely talking' about something

    lets not become businessidiots.com here

     

    reply to this | link to this | view in thread ]

  5.  
    icon
    btr1701 (profile), Jan 9th, 2014 @ 1:32pm

    Not really

    > but it would now mean that they can claim that anyone who talked about doing something ("conspires to commit") that violates the CFAA shall now be punished the same as if they had "completed" the offense

    That's a bit misleading. Merely talking about something isn't the same as conspiring to do it. First of all, a conspiracy requires two or more people, so someone merely writing a blog post about computer hacking, for example, wouldn't qualify. Second, conspiracy requires an "overt act in furtherance of the conspiracy" in order for it to be complete and prosecutable, so not only do you have to plan to commit the crime with other people, you also have to take an affirmative step toward implementing that plan. It's not merely "talking about it" as the article states.

     

    reply to this | link to this | view in thread ]

  6.  
    identicon
    jackn, Jan 9th, 2014 @ 1:32pm

    Re:

    How did you come to this conclusion?

     

    reply to this | link to this | view in thread ]

  7.  
    icon
    John Fenderson (profile), Jan 9th, 2014 @ 1:32pm

    All "conspiracy to commit" laws are questionable

    All such laws are highly questionable, and I strongly oppose any effort to add to them.

    For a real-world example from a number of years ago, it's a felony to get together with a few friends and plan a bank robbery -- even if we have no intention whatsoever of actually committing the robbery. The people who did this not only didn't commit a robbery, they very clearly engaged in the planning purely as an intellectual exercise.

    This seems to be blatantly unconstitutional on free speech grounds alone.

    I could (grudgingly) get behind "conspiracy to commit" charges as add-ons to a real crime that was actually committed, much like the hate speech laws, but that's as far as it should go.

     

    reply to this | link to this | view in thread ]

  8.  
    icon
    ECA (profile), Jan 9th, 2014 @ 1:33pm

    what IS NOT SAID.

    For a few reasons, target does not say HOW(wireless, networked, Internet,???) that there system was taken advantage of..
    THIS is important, and could tell us if Target was an IDIOT..

    If they had a Fairly protected system, it would mean this is an INSIDE job.
    IF they were like home depot(wireless system)(STUPID) then they needed better protection then they HAD.
    If they allowed DIRECt access from an internet connection, then they are even more stupid.

    Encryption is OK, but giving anyone direct access to the file ITSELF? means only a few people should have access.

    for those that dont get it..LEts say you REALLY want to protect a file.
    1) you can make it NOT listed in the files(invisible)
    2) you have to know the NAME of the file.. as you cant see it.
    3)password the file, NOT TO HARD and it can be built into the EDITING program that WORKS with the file.
    4.)separate files..name file, Data files can be 2-3-4-5 parts, and you get 1, you dont get the others.

     

    reply to this | link to this | view in thread ]

  9.  
    identicon
    jackn, Jan 9th, 2014 @ 1:37pm

    I think this is a little bit beyond u.

    It wasn't said because it has nothing to do with anything.

     

    reply to this | link to this | view in thread ]

  10.  
    icon
    Watchit (profile), Jan 9th, 2014 @ 1:37pm

    "I'm going to hack Walmart!"

    Does that mean I actually hacked Walmart? Cool.

     

    reply to this | link to this | view in thread ]

  11.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 1:44pm

    These guys no nothing about computers. As an IT person I think I will write some laws the govern congress.

    Seems legit

     

    reply to this | link to this | view in thread ]

  12.  
    identicon
    Patrick, Jan 9th, 2014 @ 1:46pm

    Re: Not really

    After satisfying the first condition I would not be surprise if finding some dual use tools like nmap was sufficient to establish the overt act. That in conjunction with a clueless judge and DOJ FUD, it would probably do the trick.
    It's already happened with encryption software
    http://news.cnet.com/Minnesota-court-takes-dim-view-of-encryption/2100-1030_3-5718978.html

     

    reply to this | link to this | view in thread ]

  13.  
    icon
    John Fenderson (profile), Jan 9th, 2014 @ 1:46pm

    Re: Not really

    First of all, a conspiracy requires two or more people, so someone merely writing a blog post about computer hacking, for example, wouldn't qualify


    Are you sure? A blog post involves two people as soon as someone reads it. Commenting provides interaction, if that's a requirement.

    conspiracy requires an "overt act in furtherance of the conspiracy" in order for it to be complete


    Yes, but that's an incredibly low bar that is easily satisfied in most completely innocent circumstances. In the bank robbery planning incident I described in another comment here, that condition was satisfied by the fact that the "conspirators" had obtained the building plans for the bank.

    If, as often happens in my workplace (a software security company), two developers are discussing how a particular exploit works then example code will certainly be exchanged, and probably written. That would probably satisfy the requirement as well.

     

    reply to this | link to this | view in thread ]

  14.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 1:48pm

    Re: Re:

    By telling the bank "I could easily steal millions of dollars from you, so could anyone else. You've got this big security flaw on your website that anyone can exploit, please fix it before someone victimizes you. [insert description of flaw]"

    You've spoken about breaking into a website and stealing money from it. That's now a crime.

    (I'm not the same AC that posted the thing you're responding to BTW)

     

    reply to this | link to this | view in thread ]

  15.  
    icon
    ECA (profile), Jan 9th, 2014 @ 1:50pm

    Re:

    iT KINDA DOES..
    If you leave your door open, and a thief walks ina nd steals things..IS HE, breaking and entering?
    He may have entered, but you left it open..IS it hacking if they DONT protect themselves??

    AS WELL AS THE WORD hacking isnt used properly..DID they hack anything? If it was an ADMIN, it wasnt a HACK.

     

    reply to this | link to this | view in thread ]

  16.  
    identicon
    jackn, Jan 9th, 2014 @ 1:56pm

    Re: Re: Re:

    No, the bill above doesn't say 'Talking about it,' thats Mikes interpretation.

    Try again...

     

    reply to this | link to this | view in thread ]

  17.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 1:57pm

    Re:

    "Not to mention completely killing white and grey hat security research completely."

    That is likely his goal because in his tiny pea brain of a mind he likely thinks that if no one is looking for security holes then none will ever be found and exploited!

     

    reply to this | link to this | view in thread ]

  18.  
    identicon
    jackn, Jan 9th, 2014 @ 2:00pm

    Re: Re:

    No, sorry, nothing you have written has anything to do with security, hacking, computers, IT, and reality.

    I can tell you are uninformed because of this sentence

    password the file, NOT TO HARD and it can be built into the EDITING program that WORKS with the file

    and others...

     

    reply to this | link to this | view in thread ]

  19.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 2:01pm

    Re: what IS NOT SAID.

    you can make it NOT listed in the files(invisible)


    Because finding invisible/hidden files is such a hard thing to do?

    Hiding files is a trick to keep ignorant people from seeing stuff... but it won't even speed bump anyone good enough to hack a system.

     

    reply to this | link to this | view in thread ]

  20.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 2:02pm

    Re: Re: Re: Re:

    "Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section. "


    If one is looking for security vulnerabilities, that is attempting.
    If I find one by accident and report it that could easily be twisted into a conspiracy. "Your Honor this man wanted to embarrass the bank so he conspired to find security issues"

     

    reply to this | link to this | view in thread ]

  21.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 2:03pm

    Re: Re: Re: Re:

    look up how broadly the term 'conspires' is used in legal prosecution and you will find that merely talking about something illegal may be construed as 'conspiring'.

     

    reply to this | link to this | view in thread ]

  22.  
    identicon
    jackn2, Jan 9th, 2014 @ 2:03pm

    Re: Re: Not really

    even without a blog, conspiring does not require two people.
    One can conspire all on their own.

     

    reply to this | link to this | view in thread ]

  23.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 2:05pm

    Re: Re: Re: Re:

    "The bill also includes the Obama administrationís proposal to update the Computer Fraud and Abuse Act, so that attempted computer hacking and conspiracy to commit computer hacking offenses are subject to the same criminal penalties, as the underlying offenses."
    -- Quote from the letter

    What that means is that informing them of the flaw could very well mean that the bank could accuse you of hacking. I.E. GeoHot was accused of hacking his Playstation 3, that he even bloody well owned, by Sony under CFAA.

     

    reply to this | link to this | view in thread ]

  24.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 2:07pm

    Hacking?

    If I hack my mother inlaw to bits would I be charged under CFAA? Certainly the sentence would be greater then murder.

     

    reply to this | link to this | view in thread ]

  25.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 2:08pm

    If Leahy can preemptively jail citizens can we as citizens preemptively impeach him?

     

    reply to this | link to this | view in thread ]

  26.  
    identicon
    jackn, Jan 9th, 2014 @ 2:09pm

    Re: Re: Re: Re: Re:

    Oh, I know it. -it can be a grey area. But the bill does not say TALKING, and I don't think it intends to. To me conspire is Talking with the intent to perform (or planning).

    I like sensational headlines, but not when they are untrue.
    I just hope mike avoids a yellow journalism approach here, that would cheapen the site and lower the effectivness.

     

    reply to this | link to this | view in thread ]

  27.  
    icon
    btr1701 (profile), Jan 9th, 2014 @ 2:11pm

    Re: Re: Not really

    > Are you sure? A blog post involves two people
    > as soon as someone reads it.

    Yes, all parties to a conspiracy have to know of each other and agree and intend to commit a criminal act. Reading what someone else wrote doesn't make you a co-conspirator.

     

    reply to this | link to this | view in thread ]

  28.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 2:11pm

    Re: Re:

    As others have said, the legal definition of "conspiring" is broad enough to encompass simply talking about an act, despite your apparent belief to the contrary. In addition, the fact that people are already being prosecuted for this very thing* makes me think that specifically beefing up that part of the Act is intending exactly this.

    *If you don't know what cases I'm talking about here you're not informed enough to even argue the point.

     

    reply to this | link to this | view in thread ]

  29.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 2:13pm

    Re: what IS NOT SAID.

    "(wireless system)(STUPID)"

    What makes wireless stupid?
    Data is transmitted from point A to point B.
    It is the job of point A and point B to:
    1. Validate they are communicating with the real endpoint
    2. Encrypt their communications to prevent eavesdropping

    If the communicating parties are doing those two things then it does not matter if you are using wired, wireless, snail mail, smoke signals or whatever.

    Fail at either of those things and you are vulnerable on a wired or wireless network.

     

    reply to this | link to this | view in thread ]

  30.  
    icon
    btr1701 (profile), Jan 9th, 2014 @ 2:20pm

    Re: Re: Re: Not really

    > even without a blog, conspiring does
    > not require two people. One can conspire
    > all on their own.

    Not legally one can't. The statute actually reads, "two or more people". A single person can't conspire with himself. Hell, the word 'conspire' itself means

    (1) to agree together, especially secretly, to do something wrong or illegal

    (2) to act or work together toward the same result or goal

     

    reply to this | link to this | view in thread ]

  31.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 2:25pm

    Re: what IS NOT SAID.

    "1) you can make it NOT listed in the files(invisible)
    2) you have to know the NAME of the file.. as you cant see it."

    You need smacked with a clue stick.

    Hidden files are simply not shown by default, it is trivial to actually get a listing of 'hidden' files on any operating system.

    http://windows.microsoft.com/en-us/windows/show-hidden-files#show-hidden-files=windows-vista
    h ttps://discussions.apple.com/thread/5483892?tstart=0
    http://en.wikipedia.org/wiki/Hidden_file_and_hid den_directory

     

    reply to this | link to this | view in thread ]

  32.  
    identicon
    Jerrymiah, Jan 9th, 2014 @ 2:27pm

    It's basically part of the DOJ's wishlist, changing the CFAA to make you guilty of violating the law if you merely "conspire or attempt to commit" the offense, rather than if you actually do commit the offense.

    It's about time to change the name of the DOJ to DOI. Since Eric the Nazi took over as AG, the DOJ has been acting more like the Department of Injustice than the former.

     

    reply to this | link to this | view in thread ]

  33.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 2:27pm

    "Whoever conspires to commit an offense shall be punished as provided for the completed offense"
    Consider committing a crime, be punished as if you'd actually done the crime.
    Just when you didn't think America could get any more dystopian, the Senate is now voting on whether to start having people arrested for thoughtcrime.

     

    reply to this | link to this | view in thread ]

  34.  
    identicon
    jackn, Jan 9th, 2014 @ 2:29pm

    Re: Re: Re:

    You present a nice logical fallacy

     

    reply to this | link to this | view in thread ]

  35.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 2:47pm

    Re: Not really

    I don't know if it changes the definition of the crime. The problem is that the punishment for the more active forms of intent is now exactly the same as actually hacking. It is a sad society to live in if punishment for conspiracy to commit murder is the same as a first degree murder...

    About the overt act, it seems that it can be ignored as a requirement in some cases like drug enforcement.

    From the SCOTUS judgement in US vs Shabani:
    The Court ruled: "...Congress intended to adopt the common law definition of conspiracy, which does not make the doing of any act other than the act of conspiring a condition of liability..."

     

    reply to this | link to this | view in thread ]

  36.  
    icon
    JMT (profile), Jan 9th, 2014 @ 2:51pm

    Re: Re: Re: Re: Re: Re:

    Security researchers do not operate in their own little bubble. If you find an exploitable weakness and discuss it with other researchers or knowledgeable people, and then later on do something to attract the DoJ's attention, their history would indicate your discussions could quite easily be turned into 'conspiring' in order to threaten you with serious charges.

    Remember, we're not talking about common-sense interpretations here, but about how the laws can be and have been twisted by the DoJ for their own purposes, like making heavy-handed threats as part of a plea bargain.

     

    reply to this | link to this | view in thread ]

  37.  
    icon
    JMT (profile), Jan 9th, 2014 @ 2:58pm

    Re: Re: Re: Not really

    You don't necessarily need to be found guilty of such an act of conspiracy, you merely have to be threatened by these serious charges in order to make to take a plea deal. Techdirt and others have covered this tactic quite extensively. A law like this would give the DoJ the ability to make even scarier threats, and increase the chances of innocent people pleading guilty to a lesser offence to avoid the possibility, however unlikely, of being found guilty of a much more serious crime.

     

    reply to this | link to this | view in thread ]

  38.  
    identicon
    Avantare, Jan 9th, 2014 @ 3:05pm

    Re:

    I'm guilty then. I use GreaseMonkey. Therefore I'm guilty for violating this on my home pc. Of course then he would be guilty as well. "Hey, You have a trojan on your gov't issued laptop!" Opps, forgot. You work for the gubbermint. You're innocent.

     

    reply to this | link to this | view in thread ]

  39.  
    icon
    btr1701 (profile), Jan 9th, 2014 @ 3:07pm

    Re: Re: Not really

    > The Court ruled: "...Congress intended to
    > adopt the common law definition of conspiracy,
    > which does not make the doing of any act other
    > than the act of conspiring a condition of
    > liability..."

    That is asinine and flies in the face of reality. The federal conspiracy statute (18 USC 371) reads:

    If two or more persons conspire either to commit any offense against the United States, or to defraud the United States, or any agency thereof in any manner or for any purpose, and one or more of such persons do any act to effect the object of the conspiracy, each shall be fined under this title or imprisoned not more than five years, or both.

    Since the statute ACTUALLY SAYS that an overt act is required, it beggars the imagination how the Court can claim that Congress didn't intend to include that in the law.

    This is just another example of the Court making shit up based on its own agenda and claiming words don't mean what they say, or mean the opposite of what they say, or whatever it takes to justify the result the Court wants, rather than what the law requires.

     

    reply to this | link to this | view in thread ]

  40.  
    icon
    btr1701 (profile), Jan 9th, 2014 @ 3:09pm

    Re:

    > If Leahy can preemptively jail citizens
    > can we as citizens preemptively impeach him?

    No. Members of Congress cannot be impeached, preemptively or otherwise.

     

    reply to this | link to this | view in thread ]

  41.  
    icon
    btr1701 (profile), Jan 9th, 2014 @ 3:14pm

    Conspiracy

    > Consider committing a crime, be punished
    > as if you'd actually done the crime. Just
    > when you didn't think America could get any
    > more dystopian, the Senate is now voting
    > on whether to start having people arrested
    > for thoughtcrime.

    So many people in this thread are acting like this is something new. The conspiracy offense has been a part of federal law for a century or more. Just because it's now being applied to computer/tech offenses doesn't make it some novel attempt to create a dystopian nightmare.

     

    reply to this | link to this | view in thread ]

  42.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 3:39pm

    Re:

    But do you have the funds to fight it if someone decides to use the law in that manner?

    The laws in the US have 2 faces now. One that is easy for the average person to see and understand, and another distorted face that serves a purpose that the people who wrote the law really wanted in their toolbelt.

     

    reply to this | link to this | view in thread ]

  43.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 3:41pm

    You know what I find insanely stupid in all this? There is no requirement that if the federal government gets hacked they have to tell anyone anything. Nor if you look does it include the federal government in this bill. This bill is about states.

    Given the reports about ACA (Obamacare) having never been built with security in mind, this becomes seriously important. In order to sell ACA this particular topic has been sidelined into silence. And what about the NSA gathering up all this data and then turning it over to other agencies with the admonishment they can't be used as the source? Given their tools, that is hacking; dishing out malware at targeted computers/individuals.

    Senator Leahy once again shows his real colors in all this. It's about covering the governments ass not about security. When you can't find another charge, claim conspiracy to hack as a catch all dealing with computers. This makes me very uneasy. I use element Q to get rid of annoying javascript and other undesirable items on web pages I view. It does nothing to the original site, as all changes are temporary and on my computer only. Removing blocks to view the public site until you activate javascript doesn't float. Yet it is likely under prosecutor expansion it could one day be illegal with this vague law.

     

    reply to this | link to this | view in thread ]

  44.  
    icon
    Chronno S. Trigger (profile), Jan 9th, 2014 @ 4:03pm

    Re: Re: Re:

    Jackn, you have no clue what you're talking about. Reading this comment and the ones before makes it quite clear that you don't know anything about security or computers.

    You can password protect individual files and have the editing software support the encryption. Adobe Acrobat does that, Microsoft Office does that, good database software can do that. Hell, Windows (pro and up) itself supports that.

     

    reply to this | link to this | view in thread ]

  45.  
    identicon
    Anonymous Hero, Jan 9th, 2014 @ 4:06pm

    Re: Re:

    The laws in the US have 2 faces now. One that is easy for the average person to see and understand, and another distorted face that serves a purpose that the people who wrote the law really wanted in their toolbelt.

    Yes

     

    reply to this | link to this | view in thread ]

  46.  
    identicon
    jackn, Jan 9th, 2014 @ 4:11pm

    Re: Re: Re: Re:

    Hello Mister user,

    The fact that you are mentioning acrobat, office, windows pro is f&8^%^4 stupid.

    Don't even bother me with you home software achievements.

    the end

     

    reply to this | link to this | view in thread ]

  47.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 4:34pm

    Sen. Leahy is also the one introducing the USA FREEDOM Act, in order to scale back unconstitutional spying. Yet, he introduces dangerous changes to the CFAA that allows people to be charged with a crime they have yet to commit.

    This just goes to show you can never trust a politician, because the vast majority of them are two faced deceivers. The most "transparent" administration ever, the Obama administration, is proof of how two faces politicians are.

    Never trust them, or you'll wake up with a dagger in your back.

     

    reply to this | link to this | view in thread ]

  48.  
    identicon
    Automatic Grammatizator, Jan 9th, 2014 @ 5:19pm

    Re: Conspiracy

    There's some truth to this. It's like in Men In Black, where Agent J was shocked to learn that a spaceship was getting ready to destroy Earth, and Agent K told him that there's ALWAYS something out there preparing to destroy Earth.

    But that doesn't mean you shouldn't get angry and mobilize when you happen to hear about these things, or even stop talking about what could happen if you don't remind the government who's actually supposed to be running this country.

     

    reply to this | link to this | view in thread ]

  49.  
    icon
    Brandon Rinebold (profile), Jan 9th, 2014 @ 6:32pm

    Re: Re: Re: Re:

    I think you're misunderstanding what he's saying.

    You don't need to agree with the conclusion he draws but if you don't even know the cases generally used as relevant legal precedent in these situations then you're not informed enough to argue legal matters.

     

    reply to this | link to this | view in thread ]

  50.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 6:35pm

    Leahy is a fake. Always been.

    This simply proves, he don't even looks at papers shoved down his throat.

     

    reply to this | link to this | view in thread ]

  51.  
    identicon
    Just Sayin', Jan 9th, 2014 @ 6:36pm

    Re:

    "Yet, he introduces dangerous changes to the CFAA that allows people to be charged with a crime they have yet to commit."

    Actually, conspiracy to commit a crime is often a crime in and of itself. It's why you can arrest someone for hiring a hitman before the target gets killed, because it's a conspiracy to commit murder (I know, a big example, but there ya go).

    Conspiring with others to hack into a network to obtain material illegally should be a crime. It wouldn't harm white hat hackers trying to show a problem, but it would sure screw up black hatters planning their next break in.

     

    reply to this | link to this | view in thread ]

  52.  
    icon
    dfed (profile), Jan 9th, 2014 @ 8:18pm

    All I read was "Old man yells at cloud" and see a picture in my mind of Grandpa Simpson talking about how in his day he was hacked by three different nonconsecutive presidents.

     

    reply to this | link to this | view in thread ]

  53.  
    identicon
    Catskul, Jan 9th, 2014 @ 8:26pm

    Sensational Headlines

    This headline just knocked Tech Dirt down a few pegs in my opinion. It's ridiculously misleading. Whoever wrote this should be ashamed, and Tech Dirt Editors should retract the headline.

     

    reply to this | link to this | view in thread ]

  54.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 9:37pm

    Re: Not really

    It's all fun and games until you get sixty years for visiting http://www.hackthissite.org/ and putting your Hello World hacking skills to use.

     

    reply to this | link to this | view in thread ]

  55.  
    icon
    ECA (profile), Jan 9th, 2014 @ 10:44pm

    Re: Re: Re: Re: Re:

    Dear Jack..
    Giving wireless access or internet Access to ROOT, BASe commands is a REAL sec. threat.
    Giving Full control for any remote access should be forbidden..
    How stupid do these people seem.

    Any commercial business wishes to see Every transaction and Action done in the store. its the only way to protect themselves, and see WHO DID WHAT..and WHOM to blame.
    If they did, even BASIC, security and tricks, the ONLY way to have full access to this file, is to KNOW the name of it and have the password to open it.
    thats why information is important..HOW did they get the files.
    IF they had basic sec. then it had to be someone with access.

    ALSO, there are many ways to hide files. 1 uses control characters in the name, which will list the DIR, but the name is blank. it erases itself, and unless you have a HEX dump of the DIR you will NEVER see the name.
    The OLD ways still work..HOw do you think we hacked int he OLD days..HEX editors RULE..

     

    reply to this | link to this | view in thread ]

  56.  
    identicon
    Anonymous Coward, Jan 9th, 2014 @ 11:35pm

    Mike, you seem to be misunderstanding what the bill says, or what current law says. Or both. Those words don't change what acts are criminal at all. They don't make things into crimes that aren't criminal as the law now stands. They just change the maximum possible punishment, from 5 years (the punishment for conpiracy ) to 5 or 10 or 15 years or more under the CFAA. I'm sure you think that's a bad idea too , but it is a completely different bad idea from the one your post seems to have invented based on some misreading of the statute.

     

    reply to this | link to this | view in thread ]

  57.  
    identicon
    Anonymous Coward, Jan 10th, 2014 @ 2:16am

    Re: Not really

    I am afriad they have the legal precdent for merely making talking about comething without doing it illetgal When Hal Turner was prosecuted for "threatening" federal judges, it shld be noted that he did not say he was going to kill those judges, nor did he tell anyone to. He just merely offered an opinion.

    Under this CFAA change, making saying that someone deserves to have their computer hacked, without actually doing it, or telling someone to dot it, would also be a a criminal offence.

     

    reply to this | link to this | view in thread ]

  58.  
    identicon
    Chilly8, Jan 10th, 2014 @ 2:28am

    They way I see this, this could put ISPs in a damned-if-you-do, damned if you don't sitaution once TPP is implemeneted. They could be in violation of the CFAA if they do monitor users for copyright violations, and violations of copyright laws of theuy dont.

    Between this and TPP, it could force nearly every internet company out of business, if you cannot obey the laws that will result from TPP, without violating the CFAA.

     

    reply to this | link to this | view in thread ]

  59.  
    identicon
    Chilly8, Jan 10th, 2014 @ 2:42am

    Re:

    This could also cause problems with TPP is implemented, as it would be impossible to comply with any SOPA-type law without violating the CFAA.

    When TPP comes in, I could see tech companies going to countries where they can comply with the new copyright laws, without risk of being prosecuted for hacking.

    A web site, in, say, Mexico, could not be prosecuted for CFAA violations in the U.S.

     

    reply to this | link to this | view in thread ]

  60.  
    identicon
    Chilly8, Jan 10th, 2014 @ 2:42am

    Re:

    This could also cause problems with TPP is implemented, as it would be impossible to comply with any SOPA-type law without violating the CFAA.

    When TPP comes in, I could see tech companies going to countries where they can comply with the new copyright laws, without risk of being prosecuted for hacking.

    A web site, in, say, Mexico, could not be prosecuted for CFAA violations in the U.S.

     

    reply to this | link to this | view in thread ]

  61.  
    identicon
    Anonymous Coward, Jan 10th, 2014 @ 2:44am

    Re: Re: Not really

    If they start prosecuting blogs for this, I could bloggers leaving the country. A blogger, for example, in Mexico, is not subject to U.S. laws.

     

    reply to this | link to this | view in thread ]

  62.  
    identicon
    Anonymous Coward, Jan 10th, 2014 @ 2:47am

    The way this law is written, half the student body where I went to community college in the late 1980s would have been felons, if this had been law them, because of a few things we did to circumvent disk quotas.

     

    reply to this | link to this | view in thread ]

  63.  
    identicon
    Anonymous Coward, Jan 10th, 2014 @ 3:17am

    Courtroom Hillarity

    So wouldn't that mean that under that utterly idiotic law it is ironically nearly impossible to convict someone for hacking? I mean in order to prosecute you they'd need to talk about computer hacking. Therefore you can attempt to have the prosecutor prosecuted for violating the law when he attempts to prosecute you.

     

    reply to this | link to this | view in thread ]

  64.  
    identicon
    Anonymous Coward, Jan 10th, 2014 @ 3:23am

    With this expansion of the CFAA, I would suggest buying stock in the makers of programs like Evidence Eliminator or KillDisk, as these programs will start selling like hotcakes if it goes through.

    If they cannot get any evidence off your hard disk, they will have no case against you.

     

    reply to this | link to this | view in thread ]

  65.  
    icon
    Bergman (profile), Jan 10th, 2014 @ 3:56am

    Re:

    If simply discussing hacking is the same as actually doing it, then the DOJ would be unable to hold briefings or meetings internally to discuss hacking countermeasures without running afoul of the law...not that they'd ever hold themselves to the standards they apply to everyone else.

     

    reply to this | link to this | view in thread ]

  66.  
    identicon
    Pragmatic, Jan 10th, 2014 @ 5:16am

    Re: Re: Re: Re:

    http://www.wired.com/opinion/2013/07/dont-hate-the-crime-hate-the-person-how-weevs-appeal-affects-al l-of-us/

    Read it and weep, jackn. Weep for all of us. Seriously, this is a bad law NOW.

    We are all Weev.

     

    reply to this | link to this | view in thread ]

  67.  
    identicon
    Anonymous Coward, Jan 10th, 2014 @ 6:00am

    "conspire or attempt to commit"
    So would the NSA be found guilty ..hacks up a lugie

     

    reply to this | link to this | view in thread ]

  68.  
    identicon
    Anonymous Coward, Jan 10th, 2014 @ 6:11am

    "Senator Leahy Tries To Sneak Through Plans To Make Merely Talking About Computer Hacking A Serious Crime"

    But, then, wouldnt that, like, seriously cripple governments "cyber security" departments, or is this just, like, another law for the "peasants" only.......again

     

    reply to this | link to this | view in thread ]

  69.  
    identicon
    Anonymous Coward, Jan 10th, 2014 @ 6:14am

    Re:

    Hell, would this law not implicate spy agency methods as illegal, or is this, like, another, "do as i say, not as i do" kinda, situation........again

     

    reply to this | link to this | view in thread ]

  70.  
    identicon
    Anonymous Cow, Jan 10th, 2014 @ 7:23am

    Leahy also voted for the Patriot Act. That sorry sack of sh^t needs to be voted out.

     

    reply to this | link to this | view in thread ]

  71.  
    identicon
    jackn, Jan 10th, 2014 @ 7:47am

    Re: Re: Re: Re: Re: Re:

    What if the hacker just used dir /ah or ls -a.

    Wait a minute, Im getting it. We could a hex editor, masm or debug to disable those parameters.

    The should probably also use a SECURE font! You could use a hEX EDitor to change the font and make it unreadible.

     

    reply to this | link to this | view in thread ]

  72.  
    icon
    jraymond (profile), Jan 10th, 2014 @ 8:25am

    Conspiracy means.....

    Though I am totally against anything that would tend to restrict our freedoms in any way more than they have already been post-9/11, I have to question the interpretation of this law. Leahy has always been a strong advocate of personal rights and his insidious planning as limned here is something that would be completely out of character, if it were true. But the word "conspiracy" makes it all quite different from the knee-jerk interpretation. Talking about or discussing something is not conspiracy. Even discussing ways of circumventing security without the intention of actually doing it is not conspiracy, either. Conspiracy has always been a difficult thing to prove in court, as it should be, and I have no doubt, will continue to be.

     

    reply to this | link to this | view in thread ]

  73.  
    icon
    jraymond (profile), Jan 10th, 2014 @ 8:31am

    Re:

    Who didn't vote for the Patriot Act? If you remember the time well, you would most likely have accused him of treason if he had not voted for it at the time. Everyone was gung-ho, and even then I had the feeling that it was too much, too fast.

     

    reply to this | link to this | view in thread ]

  74.  
    icon
    jraymond (profile), Jan 10th, 2014 @ 8:36am

    Re: Conspiracy

    Agreed. It is an effort to have the tools to actually prevent the breeches before they happen instead of just trying to clean up the mess afterward. "Conspiracy" is something always difficult to prove and involves a lot more than just "talking about" the security in question.

     

    reply to this | link to this | view in thread ]

  75.  
    icon
    John Fenderson (profile), Jan 10th, 2014 @ 8:53am

    Re: Re: what IS NOT SAID.

    Wireless in general is not stupid, however it presents security problems that are not solved if you just use off-the-shelf consumer equipment without adding additional precautions (such as a VPN).

    Wireless broadcasts all of your communications over radio, where it is easily listened to by anybody within range. Also, it's like placing a network port on the outside of your house -- anyone can plug into it.

    The built-in, standard security measures (WPA) are insufficient against anybody of more skill than a script kiddie (and, these days not even against them).

    It's not stupid to use such equipment. It is naive and dangerous to use such equipment while believing that it is secure, unless you've taken additional steps to harden everything.

     

    reply to this | link to this | view in thread ]

  76.  
    icon
    jraymond (profile), Jan 10th, 2014 @ 8:54am

    Re: Re: Re: Not really

    This is one definition from one section of one law. "Conspiracy" does not have a monolithic definition. And as far as the overt act goes, simply buying a notebook at a dollar store to keep track of the plan is and act toward effecting the object of the conspiracy, so neither adds nor subtracts substantially from the original view.

     

    reply to this | link to this | view in thread ]

  77.  
    icon
    John Fenderson (profile), Jan 10th, 2014 @ 8:56am

    Re: Re: Re: Re:

    I possess programs that will crack the password locks on zip files, PDF files, Office files, and more in less than a second. Relying on those mechanisms to protect your data is as useful as locking your screen door.

     

    reply to this | link to this | view in thread ]

  78.  
    icon
    John Fenderson (profile), Jan 10th, 2014 @ 8:58am

    Re: Re: Re: Re: Re: Re:

    unless you have a HEX dump of the DIR you will NEVER see the name.


    Or unless you boot the system from a Linux boot disk or USB stick, in which case you'll see everything without having to resort to hex dumps.

     

    reply to this | link to this | view in thread ]

  79.  
    icon
    John Fenderson (profile), Jan 10th, 2014 @ 9:01am

    Re: Conspiracy

    Just because it's now being applied to computer/tech offenses doesn't make it some novel attempt to create a dystopian nightmare.


    You're right, conspiracy laws are nothing new. However, the CFAA is already a dystopian nightmare. I think the reaction is that adding the ability to bring conspiracy charges on top of it will just make everything that much worse.

     

    reply to this | link to this | view in thread ]

  80.  
    icon
    jraymond (profile), Jan 10th, 2014 @ 9:03am

    Re: what IS NOT SAID.

    Only a few people should have access to the file? What use would the file have if no one could use it for sales, the reason it exists in the first place? EVERYONE needs access to the file by some method. When you lock people out too tightly, you also lock yourself in.

    And as far as wired/wireless, it makes no difference whatever. It's surprising that you actually think that it would. But then your suggested methods of supposedly hiding files are all well-known, sophomoric, and as easy to get around as turnstyles to jump over. You really need better security than something a 4th-grader could come up with.

     

    reply to this | link to this | view in thread ]

  81.  
    identicon
    jackn, Jan 10th, 2014 @ 9:27am

    Re: Re: Re: Re: Re:

    I wonder how target stored their detailed transaction data. Probably PDF or excel. I think that could handle 70 million records. Indexing is probably really slow though. Maybe they store their trans data in a zipped pdf. No wonder it takes so long for a credit card purchase to go through!

    You guys are eye openers. Here i am in my CISSP world making things really difficult when all we need is a hex editior. I wonder if the PCI specs recoginze these methods as appropriate?

     

    reply to this | link to this | view in thread ]

  82.  
    icon
    jraymond (profile), Jan 10th, 2014 @ 9:47am

    Re: Re: Re: Re: Re: Re:

    PDF? Excel? Are you kidding me? I think I'm getting dizzy. And the DMV, too? And do you think that retrieving that data requires a search or something and that is why you mention the time?

    There is a thing called a "database". It is ofetn huge. Like the Windows registry. Access is immediate and direct to each piece of data - no search, no following some path to get to it, no change in access time regardless of size. Databases have been around quite a long time.

     

    reply to this | link to this | view in thread ]

  83.  
    icon
    jraymond (profile), Jan 10th, 2014 @ 9:55am

    Re: Re:

    Anyone can be impeached, including members of congress. The hard part is showing that he is guilty and needs a possible sentence. Impeaching is easy.

     

    reply to this | link to this | view in thread ]

  84.  
    identicon
    jackn, Jan 10th, 2014 @ 10:46am

    Re: Re: Re: Re: Re: Re: Re:

    Wow, no search. How does that work? How does it know what Im looking for? I should check into these 'databases' like the windows registry. I didn't know the registry could hold 70 million records.

    One question, for 'databases,' do I still need to put a control charactor in the filename? What about hiding the file, is this still required?

    Thanks again for the 411

     

    reply to this | link to this | view in thread ]

  85.  
    identicon
    OhBrian, Jan 10th, 2014 @ 10:48am

    Re: Re: Not really

    When you said:

    "If, as often happens in my workplace (a software security company), two developers are discussing how a particular exploit works then example code will certainly be exchanged, and probably written. That would probably satisfy the requirement as well."

    No. It does not satisfy that requirement. People discussing something in the workplace related to their legal employment would not qualify as conspirators to an illegal activity.

     

    reply to this | link to this | view in thread ]

  86.  
    identicon
    OhBrian, Jan 10th, 2014 @ 11:02am

    Re: Re: Re:

    No. By telling the bank you could steal is not a crime.

    The whole point of Leahy's proposal is that crimes committed over the Internet are often carried about by organized groups of individuals. Each individual is contributing to the crime. When caught some individuals are able to make the case that even though their actions contributed or facilitated the crime; they not commit the charged top act.

    For example someone could claim "I broke a window.". Another person climbed through that window and robbed the premises. Both parties contributed to the crime.

     

    reply to this | link to this | view in thread ]

  87.  
    identicon
    Anonymous Coward, Jan 10th, 2014 @ 11:26am

    Re: Re: Re: Re: Re: Re: Re: Re:

    Ok, jack, We can see you know more about this than some random window's guys on the internet.

    It was funny, but its getting old.

     

    reply to this | link to this | view in thread ]

  88.  
    icon
    btr1701 (profile), Jan 10th, 2014 @ 11:28am

    Re: Re: Re: Re: Not really

    > This is one definition from one section of
    > one law. "Conspiracy" does not have a
    > monolithic definition.

    Actually, it does. In the definitional section of all new laws involving conspiracy, they refer back to 18 USC 371.

     

    reply to this | link to this | view in thread ]

  89.  
    icon
    btr1701 (profile), Jan 10th, 2014 @ 11:30am

    Re: Re: Re:

    > Anyone can be impeached, including members
    > of congress.

    No, the Constitution only allows for impeachment of Executive and Judicial Branch officials. Members of Congress cannot be impeached.

     

    reply to this | link to this | view in thread ]

  90.  
    icon
    John Fenderson (profile), Jan 10th, 2014 @ 1:02pm

    Re: Re: Re: Not really

    What about when I engage in similar conversations with friends?

     

    reply to this | link to this | view in thread ]

  91.  
    icon
    John Fenderson (profile), Jan 10th, 2014 @ 1:06pm

    Re: Re: Re: Re: Re: Re:

    Target, like anybody else that has a huge database they need to access quickly, stores their data in a DBMS, such as Access, MySQL, etc. Anything else wouldn't be searchable in a useful way, would take forever to do transactions on, and couldn't be used by thousands of users simultaneously.

     

    reply to this | link to this | view in thread ]

  92.  
    identicon
    jackn, Jan 10th, 2014 @ 1:32pm

    Re: Re: Re: Re: Re: Re: Re:

    A winner.

    But its probably DB2, MSSQL, or Oracle. Probably also involves some sort of queue like mq or the like.

    All of those could have million of records and the correct indexs would make them plenty fast. Ive worked with 14 million in db2.

    so
    Not applicable to Target CC breach

    Password protect the file
    Hide the file
    Office, Adobe, Access, windows pro
    Windows registry
    ZIP Files
    Zip Password crackers
    Hex editors

    Applicable to the Target breech

    Industrial Database
    Authentication
    Authorization
    Encryption
    Transport
    Business Logic
    Presentation Layer

     

    reply to this | link to this | view in thread ]

  93.  
    icon
    John Fenderson (profile), Jan 10th, 2014 @ 2:57pm

    Re: Re:

    No, not everyone was gung-ho at the time. The Patriot Act was incredibly unpopular in my circles. Not everyone lost their minds.

    I thought that every single person who voted for it then (and the renewals since then) shouldn't be trusted to be in government due to either extremely poor judgement or too much of a totalitarian bent.

     

    reply to this | link to this | view in thread ]

  94.  
    icon
    John Fenderson (profile), Jan 10th, 2014 @ 3:00pm

    Re: Conspiracy means.....

    The problem is the nexus with the CFAA, which is infamous for being interpreted way beyond reason to imprison people who, at worst, engaged in misdemeanor offenses. Bringing conspiracy into that mix is a pretty clear indicator that "conspiracy" will be used in an overly-broad fashion as well.

     

    reply to this | link to this | view in thread ]

  95.  
    icon
    Watchit (profile), Jan 10th, 2014 @ 3:44pm

    Re: Re:

    The conspiracy to hack already was a crime, but that's not the problem. The problem is that with the 4 words added to the law, the conspiracy to hack would be treated the same as if you had actually committed the crime.

     

    reply to this | link to this | view in thread ]

  96.  
    icon
    BeeAitch (profile), Jan 10th, 2014 @ 5:59pm

    Re: Re: Re: Re: Re: Re: Re:

    But if the BIOS is password protected and first boot is hard drive...

     

    reply to this | link to this | view in thread ]

  97.  
    icon
    BeeAitch (profile), Jan 10th, 2014 @ 6:05pm

    Re: Re: Re: Re: Re: Re: Re: Re:

    hint: I know the answers.

    1) [REDACTED]

    2) Legally force the owner to provide password(s). (My favorite definition of 'brute force'.)

     

    reply to this | link to this | view in thread ]

  98.  
    identicon
    Chilly8, Jan 11th, 2014 @ 4:54am

    One other thing that I think could become a criminal offence is bypasssing the anti-tethering features on your cell phone.

    It is possible, on many phones, circumvent that by logging in to a VPN. I know when I moved, and did not have normal Intrenet for a while, I had to do this to get the Internet.

    Nypassing anti-tethering features on your cell phone, by using a VPN, could be construed at attempted hacking, the way I see it.

     

    reply to this | link to this | view in thread ]

  99.  
    identicon
    Chilly8, Jan 11th, 2014 @ 4:54am

    One other thing that I think could become a criminal offence is bypasssing the anti-tethering features on your cell phone.

    It is possible, on many phones, circumvent that by logging in to a VPN. I know when I moved, and did not have normal Intrenet for a while, I had to do this to get the Internet.

    Nypassing anti-tethering features on your cell phone, by using a VPN, could be construed at attempted hacking, the way I see it.

     

    reply to this | link to this | view in thread ]

  100.  
    identicon
    Anonymous Coward, Jan 11th, 2014 @ 5:52am

    Re:

    There is nothing that prevents The People from voting for someone else.

     

    reply to this | link to this | view in thread ]

  101.  
    icon
    John Fenderson (profile), Jan 12th, 2014 @ 11:53am

    Re: Re: Re: Re:

    They can be kicked out, though.

     

    reply to this | link to this | view in thread ]

  102.  
    identicon
    Arrest that AC!, Jan 13th, 2014 @ 9:01pm

    Re: Re: what IS NOT SAID.

    By discussing how to find a 'hidden file' you have knowingly conspired to hack the super secret security system. Also having circumvented this 'hidden file' security device you have violated the DMCA.

    Off to the MPAA re-education camp for you!

     

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
A word from our sponsors...
Essential Reading
Techdirt Reading List
Techdirt Insider Chat
A word from our sponsors...
Recent Stories
A word from our sponsors...

Close

Email This