So yesterday we broke the news about a proposed CFAA reform bill that, rather than fix the problems of the CFAA made the law much, much worse. It added computer crimes as a racketeering issue, increased sentences and made just talking about a potential CFAA violation the equivalent of having committed it. Bad stuff all around. There was one section, however, that we said was slightly good. We noted that they ever so slightly rolled back what would constitute a crime for "exceeding authorized access" listing out a few qualifications that needed to be met -- including that the information obtained was valued over $5,000, that you had to be targeting private information and that the access was done in furtherance of a crime. Based on the bill as written, I had assumed that all of those elements needed to be present to qualify.

However, after talking to two different people with knowledge of the bill in question, it has been suggested that this is not the case, and that the different elements are really meant to be "or" statements. They point out that if you look elsewhere in the existing CFAA, you see the same pattern -- with multiple sub-statements that don't have an "or" but which are interpreted as being "or" statements. For example, under section (a)(2)(A), there is no "or" between that and (B), but clearly the CFAA doesn't only apply to information that is obtained BOTH from a financial institution and a government computer at the same time. This pattern is repeated throughout the bill, such that it seems clear the bill's clauses are connected by "or" statements, rather than "and."

If this is true, then you could run afoul of "exceeding authorized access" for any one of those actions, rather than all three. This is bad for a variety of reasons. Beyond making it much easier to go after someone for exceeding authorized access, it actually acts as a de facto way of expanding, not contracting, that clause in the CFAA. That's because at least a few courts have recently rejected broad interpretations of the CFAA around "exceeding authorized access," such that the courts (in a few key circuits) have effectively cut back on broad interpretations of the bill. This new version of the CFAA would create new broad definitions for which prosecutors could use against people claiming "exceeds authorized access."

It seems like this bill really is all bad. On top of everything else, the one area where it "rolled back" something, it may have rolled it "back" to a place which allows for more ambiguity that existing case law.

So rather than stopping bogus prosecutions like the one against Aaron Swartz, this revision of the CFAA may encourage them and create more such activity.

Last week, we had talked about some concerns about how various cybersecurity provisions would allow those hit by malicious hackers to "hack back" or, as some call it, engage in an "active defense." There were significant concerns about this, but as Marvin Ammori briefly mentioned in last week's favorites post, Rep. Louis Gohmert seems to not only think hacking back is a good idea, but that it should be explicitly allowed under the CFAA (Computer Fraud and Abuse Act). You can see his explicit statements to this effect below during last week's House Judiciary Committee hearing on the CFAA. It appears he heard a story about someone installing some malware on a hacker's computer to get a photograph of them, and has decided "that's a good thing, that helps you get at the bad guys," without ever thinking of the very, very long list of dangerous consequences of allowing such things: In case the video embed is not working above, I created a short highlight that just covers the ~5 minute exchange involving Gohmert.

Here's the basic transcript. The really crazy part is where Gohmert says he doesn't care as long as the hack back is "destroying that hacker's computer."

Rep. Gohmert: It's my understanding that under 18 USC 1030 that it is a criminal violation of law to do anything that helps take control of another computer, even for a moment. Is that your understanding?

Orin Kerr: It depends exactly what you mean by "taking control." If "taking control" includes gaining access to the computer, assuming a network your not supposed to take control of, then yes, that would clearly be prohibited by the statute.

Rep. Gohmert: For example, my understanding is that there was a recent example where someone had inserted malware on their own computer, such that when their computer was hacked and the data downloaded, it took the malware into the hacker's computer, such that when it was activated, it allowed the person whose computer was hacked to get a picture of the person looking at the screen. So they had the person who did the hacking, and actually did damage to all the data in the computer. Now, some of us would think 'that's terrific, that helps you get at the bad guys.' But my understanding is that since that allowed the hackee to momentarily take over the computer and destroy information in that computer and to see who was using that computer, then actually that person would have been in violation of 18 USC 1030. So I'm wondering if one of the potential helps or solutions for us would be to amend 18 USC 1030 to make an exception such that if the malware or software that allows someone to take over a computer is taking over a hacker's computer, that it's not a violation. Perhaps it would be like for what we do for assaultive offenses, you have a self-defense. If this is a part of a self-defense protection system, then it would be a defense that you violated 1030. Anybody see any problems with helping people by amending our criminal code to allow such exceptions or have any suggestions along these lines?

Orin Kerr: Mr. Gohmert, that's a great question that is very much debated in computer security circles. Because, from what I hear there is a lot of this "hacking back" as they refer to it. But at least under current law, it is mostly illegal to do that.... The real difficulty is in the details. In what circumstances do you allow someone to counterhack, how broadly are they allowed to counterhack, how far can they go? The difficulty, I think, is that once you open that door as a matter of law, it's something that can be difficult to cabin. So I think if there is such an exception, it should be quite a narrow one to avoid it from becoming the sort of exception that swallows the rule.

Rep. Gohmert: Well, I'm not sure that I would care if it destroyed a hacker's computer completely. As long as it was confined to that hacker. Are you saying we need to afford the hacker protection so we don't hurt him too bad?

Orin Kerr: (brief confounded look on his face) Uh... no. The difficulty is that you don't know who the hacker is. So it might be that you think the hacker is one person, but their routing communications... Let's say, you think you're being hacked by a French company, or even a company in the United States...

Rep. Gohmert: Oh and it might be the United States Government! And we don't want to hurt them if they're snooping on our people. Is that...?

Orin Kerr: No.

Rep. Gohmert: I don't understand why you're wanting to be protective of the hacker.

Orin Kerr: The difficulty is first, identifying who is the hacker. You don't know when someone's intruding into your network who's behind it. So all you'll know is that there's an IP address that seems to go back to a specific computer. But you won't know who it is who's behind the attack. That's the difficulty.

First off, kudos to Orin Kerr for keeping a (mostly) straight face through that exchange. There are many amazing things about this particular exchange, but the fact that Rep. Gohmert is one of the people in charge of how the CFAA gets reformed, and doesn't understand these very basic concepts, is immensely troubling. Among the headsmackers in that exchange: the idea that hackers are bad -- and not just partially bad, but apparently obviously and totally bad, like out of a movie. Also: that they're somehow easy to identify and that a freebie on hackbacks wouldn't be abused in amazing ways. Further, as Kerr pretty clearly points out that you can't automatically track back and (without saying so directly, but clearly implying) that hackers likely would shield their identity or fake someone else's identity, Gohmert still doesn't get it and somehow thinks that Kerr is saying we don't want to allow hackbacks on US government snooping (which, again, Gohmert seems to have no problem with). Yikes. Please do not let people like this near laws that have anything to do with computers. To me, this level of misunderstanding is worse than the whole "series of tubes" garbage from a few years back by Senator Stevens.

I'm sorry, but it seems that if you can't understand that there isn't some magic list that says "these hackers are bad, and therefore we should destroy their computers," I don't think you should have any role in making laws around this topic.

We've written a few times about the case of Andrew Auernheimer, perhaps better known as weev. While he has a bit of a reputation as an online troll, and self-admitted jerk, his case is yet another example of how ridiculously broken the CFAA (Computer Fraud and Abuse Act) remains. In this case, what he did was expose a pretty blatant security hole in AT&T's servers, that allowed anyone to go in and find the emails of any AT&T iPad owner, merely by incrementing the user ID. This isn't a malicious "hack." It's barely a "hack" at all. This isn't "breaking in." This is just exploring a totally broken system. To call attention to this, weev collected information on a bunch of famous folks who had iPads and alerted the press. This is what security folks do all the time. And for his troubles in helping AT&T discover and close a pretty bad security hole, he's been sentenced to 41 months in prison plus he has to pay $73,000 to AT&T. One hopes AT&T will use it to hire half a decent security person or something.

The sentencing, by the way, was near the top of the "guidelines" the judge had, for those who insisted that the courts in other CFAA cases, such as Aaron Swartz's might be lenient.

Plenty of people -- especially in the security community, are realizing what a ridiculous ruling this is and how dangerous it is. As people are starting to point out, while he may be a jerk, that doesn't mean he's a criminal. The prosecution used chat logs in which Auernheimer and a friend, Daniel Spitler, discussed the effort, and the fact that they talked about harming AT&T's reputation and promoting themselves as security experts. I don't see how that leads to any criminal activity though. AT&T's reputation should be tarnished for having crap security. And why wouldn't some researchers talk about using the discovery of a really bad privacy hole by a major corporation to boost their own credentials. Pretty much anyone in their shoes would reasonably think the same thing.

Prosecutors, of course, played up Auernheimer's history of being a jerk, but that alone has little to do with his actions here:

"His entire adult life has been dedicated to taking advantage of others, using his computer expertise to violate others' privacy, to embarrass others, to build his reputation on the backs of those less skilled than he," wrote U.S. Attorney Paul Fishman, who went on to note the "atypical recalcitrance by the defendant to conform to the laws regarding unauthorized computer access."

While that may be true, none of that, by itself, is illegal. And the actions that exposed a glaring hole put in place by bad programmers at AT&T shouldn't be either.

It seems that everyone is giving EA and Maxis quite a bit of grief over the SimCity debacle. The game's launch was, um, not great. The backlash against the game's producers was worse, all the more so once the lying began. But late last week, new evidence was uncovered that suggests perhaps we've all been a little bit unfair to EA and Maxis. What if I told you that the always-online game architecture enabled you to be what all of us have secretly wanted to be since we were very, very little children?

Well, hello, childhood fantasy o' mine. I didn't see you standing there.
Image source: CC BY 2.0

Yes, as Kionae alerts us, one (unplanned?) consequence of requiring online saves for your SimCity games is that anyone with a bit of hacking skill can visit your city, put some Blue Oyster Cult on in the background, and wreak the kind of havoc normally reserved for Japanese nuclear monsters. See, you can, were you so inclined, enter the save game city of another person, and then completely edit or destroy their loving creation like some kind of digital psuedo-god.

Pictured: Omnipotence

Just so we're clear, this is only possible because of the EA always-online requirement.

It's still awesome because this hack is only as destructive as it is because of EA's decision to make the game always-on. If the game hadn't had always-on DRM then this hack wouldn't be half as devastating as it is. Having EA delete these kind of topics from their forums is great damage control but don't be surprised if there's another furor when people start raging on the forums when some hacker decides to go through and Godzilla everyone's town. Enjoy.

Enjoy indeed, as long as that enjoyment happens outside of EA's forums. As noted above, the company is enforcing their TOS rules on their forums and deleting all topics relating to these kinds of hacks. Why? Well, because when a dingo is chewing on your arm, the best defense is to place your noggin lovingly into some sand to make it all just disappear. Or, if that doesn't work, you could always just apologize for what is becoming the greatest video game debacle this side of a Duke Nukem game, but I'm not holding my breath.

Brian Krebs is a phenomenal online security reporter who's been deeply involved in many stories concerning underground hacking issues, from spam to credit carding and many other such issues. As someone who explores that world, he's been subject to various attacks, including regular DDoS attacks on his website (he now works with a company that helps protect against such attacks). However, things got taken to another level yesterday. First, that anti-DDoS company, Prolexic, received a forged letter, pretending to come from the FBI, asking it to stop hosting the site. Then, something much bigger happened. As Krebs was getting ready for a small dinner party at his house, he walked out his front door and discovered a bunch of police officers with guns pointed at him. He'd been "swatted," -- the term for tricking a SWAT team into raiding a house based on bogus info.

"As soon as I open the front door, I hear this guy yelling at me, behind a squad car, pointing a pistol at me saying: 'Don't move. Put your hands up,'" Krebs, who is a long-time friend and colleague, told me. "The first thing I said was: 'You've got to be kidding me.'"

In all, there were at least a dozen officers with pistols, shotguns, and assault rifles pointed at him. They had police dogs circling his house and cruisers had sealed off a nearby street. Krebs, who was dressed in just gym shorts and a T-shirt, complied. Wisely.

"Two different guys were barking orders at me," he continued. "I finally said: 'Which way should I go?'" One officer told Krebs to lie on the ground, but before he could comply the other cop ordered Krebs to walk backwards. Eventually, "they put the cuffs on me and took me up the street. I was freezing the whole time."

Someone had made a call to the police, pretending to be Krebs, and claiming that "he was hiding in a closet after Russian thieves had broken into his home and shot his wife." And the police sent the SWAT team.

Why? Krebs suspects it was a response to a an article he had just posted, which highlighted a Russian website that was used to get easy and cheap access to credit reports (one interesting tidbit, is that he suggests that people are abusing the federally mandated free AnnualCreditReport.com site, which was supposed to reduce identify fraud, but may actually be enabling much more of it). Krebs figures that the people behind that site weren't too happy about the exposure, and tried to send him a message.

Of course, if law enforcement officials weren't so eager to rush in with a SWAT team, such issues might have been avoided as well. In fact, Krebs notes that he warned his local police agency of the possibility of such a thing happening about six months ago, but apparently no one bothered to check on that bit of info until later.

After about five minutes in custody, Krebs explained that he was the victim of a monstrous crime known as swatting. One of the officers asked if Krebs was the person who had filed a report a few months earlier. When Krebs replied yes, the officers did a quick search of his home. With preparations for a dinner party clearly on display, it quickly became apparent that Krebs' home was not a crime scene and that the call was part of a fiendish plot. An officer told him later that they had tried calling him before he opened his front door but no one had answered the phone.

As Krebs notes, these are situations where it makes little sense for local law enforcement to rush into these things where they may not understand what's going on.

Often local police are left to investigate, even when the perpetrators may be half a world away. He wants that to change. "Your local police department, the ones that are responding to these distress calls, they don't have the bandwidth," he said. "This is an area where federal law enforcement needs to be coordinating investigations. I'd like to see some sort of recognition or statement from federal law enforcement that this is something they're actively investigating."

Of course, I'm not sure how well that would have worked in this case, since the caller suggested it was a local crime issue. Still, hopefully Krebs' situation raises some questions about the eagerness to send in the SWAT team, though given just how common bogus SWAT team raids have become, it seems doubtful that yet another example of a bogus raid will lead to any real change.

In what seems like a pretty cut and dry case, Reuters editor Matthew Keys has been indicted for letting some hackers into the content management system of his former employer, Tribune, after he was fired. Barring a case of mistaken identity (and if that defence were raised, things would get interesting) it doesn't look good for Keys, as the indictment includes some damning IRC chat logs:

According to a federal indictment first obtained by the Huffington Post, Keys used a chat site to pass information to Anonymous. Using the name AESCracked, Keys handed over the login credentials and told hackers to "go fuck some shit up", the indictment says.

The hacker accessed at least one Los Angeles Times story and altered it, the charges say.

On the one hand, when compared what happened with Aaron Swartz, this is a step in the right direction. We're not talking about someone with positive intentions who walked the line between hacking and innovation, but someone who acted with obvious malice. But on the other hand, this highlights the big problem with federal hacking laws. The damage amounted to little more than inconvenience for a system administrator, making this essentially a case of small-scale vandalism—but because it involves computers, it's elevated to a federal crime. This really makes no sense. Computers and the internet are present in every part of life today, and computer crime can happen at every scale. In this case, it was the sort of reckless but small act of spite that would result in a much less serious punishment if it didn't happen online, and if it didn't allow the government to place Anonymous in the villain role of another story.

The case against Keys looks strong, and I'm guessing it will end with some sort of deal for a lesser punishment—possibly in exchange for information about other hackers. The real penalty will be the damage done to his career by this breach of trust (which further highlights the pointlessness of trying to put him in jail), but the biggest takeaway is that federal computer crime laws are in serious need of reform. Elevating the severity of simple crimes because they involve what is now one of the most common tools in the world is a senseless imbalance of justice, and makes it much harder to identify and combat serious crime online.

One thing we've talked about for years is that lawmakers are notoriously bad at thinking through the unintended consequences of legislation they put forth. They seem to think that whatever they set the law to be will work perfectly, and that there won't be any other consequences. This is one reason why we're so wary of simple "fixes" even when the idea or purpose sound good up front. "Protecting artists" sounds good... unless it destroys the kinds of services artists need. Cybersecurity sounds good, unless it actually makes it easier to violate your privacy. And, now, people are realizing that not only may cybersecurity rules like CISPA be awful for privacy, but they could potentially lead to more "cyber" attacks, as companies look to "hack back" against those who attack them. As Politico describes:

The idea is known as "active defense" to some, "strike-back" capability to others and "counter measures" to still more experts in the burgeoning cybersecurity field. Whatever the name, the idea is this: Don't just erect walls to prevent cyberattacks, make it more difficult for hackers to climb into your systems — and pursue aggressively those who do.

So, how would cybersecurity rules create more hacking? Well, possibly by encouraging this kind of behavior by providing some amount of cover for it. The Cybersecurity bill in the Senate last year included an undefined allowance for "counter measures." CISPA doesn't explicitly mention that, but some in the security field are interpreting the bill to provide some amount of cover for such "counter measures" in which they could "perform hacks against threats." But, if you're trying to discourage online attacks, that seems like a problem. The likelihood of someone attacking the wrong target is quite high, and it could create quite a mess.

Thankfully, the folks behind CISPA suggest that they're willing to change the bill to make it more explicit that such countermeasures are not allowed, but until that's in place, it's a serious concern:

Some of those fears have reached Rep. Mike Rogers (R-Mich.), chairman of the chamber's Intelligence Committee and one of CISPA's lead authors. In fact, panel aides told POLITICO they're open to revising the relevant definitions in the bill. And Rogers himself this year has railed on the idea of an aggressive active defense, describing it as a "disaster for us" at a time when the country's digital defenses remain subpar.

Even if they fix this particular hole, it's these kinds of things that should worry all of us about broad laws that provide things like blanket immunity over ill-defined concepts like "cybersecurity" and "cyberattacks." The likelihood of it being abused is quite high, especially in an ever changing technology world. Just look at computer laws like the CFAA and ECPA, which cover various computer crimes and privacy today. Both are ridiculously outdated, with concepts that are laughable by any rational view today. And thus, there are massive unintended consequences associated with both laws. Before we rush into creating new laws with big broad vague terms, perhaps we should focus on fixing the old laws and proceeding with caution on any new ones.

The good folks over at the EFF have posted a letter from a group of startups and innovators to Congress seeking reform of the CFAA (Computer Fraud and Abuse Act), which has been abused for years, most notably and recently, in the case against Aaron Swartz (full disclosure: I helped review the initial letter and helped the EFF get some of the signatures on the letter). This is important, because, as we have noted, plenty of innovators and entrepreneurs could have been charged under this law for some of their random hacking experiments, some of which directly led them to create amazing innovations.

Many people have thought that the tech industry isn't as interested in CFAA reform, since it supposedly protects them in cases where they have been hacked, but that's not the case. Through out the startup community, I've heard many people who were horrified to learn about the charges against Aaron Swartz, as they quickly realized how easy it would be for a Justice Department official to spin what they themselves were doing into something nefarious sounding. That does not help innovation.

No one is in favor of having no rules at all, but clearly the CFAA is outdated, broken and widely abused. Fixing the law to focus on actual malicious and nefarious attacks would be a huge step forward, not just for the public, but for innovators and entrepreneurs who often build great things by starting with a simple hack.

In a conversation with some folks in the tech industry recently, someone pointed out that nearly every super famous entrepreneur likely could have, at some point, been legitimately accused of violating the Computer Fraud and Abuse Act (CFAA), which is the law that prosecutors used against Aaron Swartz, and is in desperate need of an overhaul. Over at the EFF, Trevor Timm has a great post exploring how Steve Jobs, Bill Gates and Mark Zuckerberg all might have faced charges under the CFAA. You should read the whole thing, but here are a few snippets:

On Zuckerberg:

In 2006, while a sophomore at Harvard, Zuckerberg created a website called “Facemash” which compared photographs of Harvard’s entire population, asking users to compare two photos and vote on who looked better. Zuckerberg allegedly got access to these photos by “hacking” into each of Harvard’s nine House websites and then collecting them all on one site. It’s not clear what this “hacking” was, but since the charges against him included “breaching security,” it may have fun afoul of the law.

On Jobs:

Columbia Law Professor Tim Wu notes in the New Yorker that Apple co-founders Steve Jobs and Steve Wozniak, did acts that were “more economically damaging than, Swartz’s.” The two college roommates made what were called “blue boxes,” cheap devices that mimicked a certain frequency that allowed them to trick AT&T’s telephone system into making free long-distance calls. They also sold blue boxes before moving onto bigger and better ideas.

On Gates:

In his autobiography, Allen told the story of when the two future billionaires “got hold of” an administrator password at the company they worked at before starting Microsoft. The company had timeshared computers and Allen and Gates were getting charged for using them for their personal work.

The two men used the password to access the company's accounts and set about trying to find a free runtime account so that they could carry on programming without having to pay for the time. They also copied the account database for later perusal. However, management got wise to the plan.

"We hoped we'd get let off with a slap on the wrist, considering we hadn't done anything yet. But then the stern man said it could be 'criminal' to manipulate a commercial account. Bill and I were almost quivering."

Of course, defenders of the existing law will argue that these episodes are entirely unrelated to the later greatness that all three of these folks were eventually involved in. But that's not actually supported by the facts. Facesmash almost certainly directly led Zuckerberg to Facebook. And, in the case of Steve Jobs, he specifically told an interviewer:

“Experiences like that taught us the power of ideas…And if we hadn’t have made blue boxes, there would’ve been no Apple.”

Innovators innovate because they hack away at stuff. They push boundaries and they try new things to explore uncharted worlds. Do we really want to be punishing people like that with threats of 35 years in jail? (And, yes, the government absolutely did threaten him with 35 years.)

A few folks sent over this story of Dutch Member of Parliament (MP) Henk Krol being fined about $1,000 for "hacking." He claims that he was just exposing poor security on the part of a Dutch medical laboratory called "Diagnostics for You," which he felt was especially important since there are stricter privacy rules for medical info. Of course, "hacking" is used loosely here: basically, a patient overheard an employee at Diagnostics for You reveal the system password while he was in the lobby, and that patient passed the password along to Krol. So, the "flaw" could be as simple as a stupid employee revealing their password out loud (though, you could argue that a system like that should require two-factor authentication or some other more advanced security than a simple password).

Either way, the court recognized that Krol's intentions may have been in the right place, but faulted him for viewing and printing "more files than necessary" to make his point -- and also for going to the press with his findings at around the same time he notified the laboratory. The court said simply finding the flaw and even downloading some records to prove it to the lab would have been fine, but that he went too far (even if he carefully redacted personal info). And then going to the press immediately when the problem seemed to be more a case of a bad employee revealing their password, just seemed like too much. As the court noted: "the problem was not so acute that immediate use of media was necessary."

Of course, this kind of thing is often a struggle when it comes to security hacking. Different people have different opinions on whether or not it's appropriate to go to the press, and also how much information to access. But it seems to be handled on a case by case basis, rather than with clear rules. There are some norms among security researchers -- and that tends to include giving a company some period of time to fix things -- but this remains an area of the law that is sometimes a bit fuzzy. You want companies to respond quickly to security flaws, and sometimes going to the press ensures getting a real response faster. But, it also seems less likely to cause significant damage if you contact them first.

Perhaps MP Krol can now try to pass some legislation with standards on how to handle security breaches found without having them turn into legal cases against the researchers.