US won't prosecute 'good faith' security researchers under CFAA

The US Justice Department has directed prosecutors not to charge "good-faith security researchers" with violating the Computer Fraud and Abuse Act (CFAA) if their reasons for hacking are ethical — things like bug hunting, responsible vulnerability disclosure, or above-board penetration testing. Good-faith, according to the …

  1. sreynolds Silver badge

If it's not in the Act then don't trust them.

Sorry, I haven't read the bill, so excuse my ignorance. Having said that, most US bills contain things that are unrelated to the actual law being enacted, so it is a time waster.

But, if they really mean it, then why not put it in the actual legislation itself? Is it too hard for the DoJ to do this? I wouldn't trust any agency.

    1. doublelayer Silver badge

Re: If it's not in the Act then don't trust them.

      It's not in it and the department does not have the authority to make any changes. There are people who could put this into the law, but they probably won't do it and it wouldn't help much. They wouldn't do it because it takes a lot of effort just to add a weak protection and some of them (all of them) don't really understand what security researchers do. If they did, it wouldn't necessarily help because it isn't clear. A lot of laws include such ambiguous terms, meaning that if a prosecutor wants to, they can easily spend months in court arguing whether something was "good faith" or not, decided by a judge who also doesn't know what security researchers do. We've already seen politicians attempt to get someone prosecuted for something that already doesn't come under the definitions in that law, so they're certainly not going to be stopped by a platitude. That's why the EFF wants stronger protections.

      1. sreynolds Silver badge

Re: If it's not in the Act then don't trust them.

Sorry, it seems that Americans digressed from the Westminster system sometime in the 1800s.

        "At one time, the attorney general gave legal advice to the U.S. Congress, as well as the president; however, in 1819, the attorney general began advising Congress alone to ensure a manageable workload"

The point is that if the crack lawyers advising the people drafting the bill can't decide how to word "good faith" and the other exceptions, then don't trust those policing the law with their arbitrariness.

1. Anonymous Coward

Re: If it's not in the Act then don't trust them.

          "The defendant was not authorized to access the protected computer under any circumstances by any person or entity with the authority to grant such authorization;"

          As we know, Oracle, Microsoft, Amazon, Disney, Apple et al., all have a history of supporting their devs unreservedly. Find a bug that costs them millions and watch the lawyers descend.

          1. badflorist

Re: If it's not in the Act then don't trust them.

            Cat Fishing All Addresses (CFAA)

    2. Throatwarbler Mangrove Silver badge

Re: If it's not in the Act then don't trust them.

      "Is it too hard for the DoJ to do this?"

      It is, technically speaking, impossible. The Executive Branch of the US government can propose laws to Congress, but it's up to Congress to write and pass legislation, which can then be ratified or vetoed by the President. The DoJ can make choices about how to enforce laws, within certain constraints, but it can't change them.

      This has been your US Civics 101 lesson for the day.

      1. BOFH in Training Bronze badge

Re: If it's not in the Act then don't trust them.

        In other words, this "won't prosecute" thing can change whenever the administration changes.

    3. B/Eads

Re: If it's not in the Act then don't trust them.

      Reads like any other DoJ policy statement - temporary. The DoJ has been down this path many times with many changes. No sense in trusting them with anything larger than an order from a sandwich shop now or in the future.

  2. Danny 2 Silver badge

    Fine line?

    "It's a fine line to demonstrate what a malicious actor could do...if I walked up to your home, saw it was unlocked, let myself in "

    No, no no, that is not a fine line, that is a red line. You don't walk into a home ever without permission. Hack their computers if you like but that is a sick analogy that indicates a sick mind. That is breaking and entering, doesn't matter if you never stole anything or phoned me.

    I don't have a house, but keep away from my house. Get off my lawn. Fuck yeah.

    1. An_Old_Dog Bronze badge

      "That's breaking and entering"

      Um, no ... it's not; it's simply "illegal entry". The door was unlocked, so you didn't break (in). But the plods will collar you for the illegal entry.

      1. chuckufarley

        Re: "That's breaking and entering"

In some US states, the home owner can shoot and kill you if you are in their house without prior permission. I am not saying that this is right or wrong. I am just saying that this *is*.

        1. An_Old_Dog Bronze badge

          Re: "That's breaking and entering"

I'd expect there to be a significantly smaller proportion of people's houses being illegally entered in those states. If there is not a significantly smaller proportion of illegal home entries in those states, then it would appear the perpetrators are not thinking carefully, if at all.

          People not thinking carefully is a continuing societal problem.

        2. OldSod

          Re: "That's breaking and entering"

          In virtually all US states, shooting someone who has only entered your home and is not presenting a threat of imminent gross bodily harm to people in the home will probably net the shooter a criminal trial and jail time.

          Some states have a "castle doctrine" law that makes it clear that one is allowed to use deadly force inside one's home without a duty to retreat from the home, but reasonable fear (not bare fear) of gross bodily harm is still required to justify the use of deadly force.

I.e., if your neighbor walks in through your garage and is looking around for you, it is not OK to shoot them. On the other hand, a stranger throwing a brick through your patio door and continuing to advance towards you after you warn them you are armed and that they need to leave your home might be fair game, but law enforcement and possibly an attorney general will need to be convinced that your fear of them was reasonable.

        3. Negative Charlie

          Re: "That's breaking and entering"

          "In some US states, the home owner can shoot and kill you if you are in their house without prior permission."

          That's true in *all* US states. The difference is that in some states the homeowner might be prosecuted afterwards, but the result from the intruder's point of view is exactly the same.

      2. Robert Helpmann??

        Re: "That's breaking and entering"

        Um, no ... it's not; it's simply "illegal entry".

        I looked this one up because IANAL and wanted to check... Short answer is that if you have to open the door, you are applying force and this constitutes "breaking", at least in some jurisdictions. Obviously, practical definitions vary by jurisdiction within the US. I am not even going to try to address other countries' legal intricacies.


  3. Clausewitz4.0

    Who cares about the US DOJ?

    If you are not in the US DOJ jurisdiction, why bother? Just comply with local laws...

    1. doublelayer Silver badge

      Re: Who cares about the US DOJ?

      Er ... yeah, that's how laws work. This law is important to you if a) you're in the U.S., b) the thing you're testing is in the U.S., or c) the thing you're testing is owned by someone in the U.S. If none of those applies, you can ignore it all you like. Your point was?

      1. Clausewitz4.0

        Re: Who cares about the US DOJ?

        My point being explained as a response from TPB:

        The response to Warner Brothers: We are well aware of the fact that The Pirate Bay falls outside the scope of the DMCA – after all, the DMCA is a US-specific legislation and TPB is hosted in the land of Vikings, reindeers, Aurora Borealis and cute blonde girls.

        US Judiciary really thinks US local laws can be applied worldwide. Not.

        1. doublelayer Silver badge

          Re: Who cares about the US DOJ?

          I'm not here to defend copyright or an entirely different law to the one the article's talking about, but you'll note on my list of times where it counts that "owned by someone in the U.S." is a factor. Consider why that applies and draw your own parallels to the DMCA. I'll stick to the topic under discussion.

      2. Yet Another Anonymous coward Silver badge

        Re: Who cares about the US DOJ?

        But if you aren't in the USA you are a terrorist anyway

    2. chuckufarley

      Re: Who cares about the US DOJ?

      I apologize for the down vote, but I have to say that this post is endemic of some attitudes within the US. Some folks think that local laws should "Trump" the needs of a global civilization.

      Personally, I'd like to welcome you to the 20th Century. I'm sorry that you are a bit late.

    3. Kabukiwookie Silver badge

      Re: Who cares about the US DOJ?

      Because the US will ask for extradition if you fart the wrong way.

      Assange is meant to be an example to anyone foolish enough to expose inconvenient truths.

      Sadly the only places where you're free to do these things (expose US inconvenient info) is in Russia and China... how's that for irony.

      Though the other way around it's the same, Russia and China don't proclaim to be fighting for Democracy and Freedom(tm).

      1. Clausewitz4.0

        Re: Who cares about the US DOJ?

        We know they try extradition a lot, but fail a lot also.

        Yes, Russia and China are good places to work in certain fields.

        1. chuckufarley

          Re: Who cares about the US DOJ?

          You mean like posting on IT forums hosted in the Western Hemisphere just to stir up trouble? Tell me, how much do you get paid for this? Does it increase the odds of humanity leaving our Pale Blue Dot or does it just put food in your belly while you watch friends and family starve?

          1. Kabukiwookie Silver badge

            Re: Who cares about the US DOJ?

            Yup. Everyone who's critical of what happens in 'the west' is a Putin bot...

            There, there... get some dried frog pills and a tinfoil hat..

      2. Cederic Silver badge

        Re: Who cares about the US DOJ?

        Free Dmitry Sklyarov.

        (Ok, that's a tad out of date now)

  4. Kabukiwookie Silver badge

    The one line that essentially means they'll do whatever they want, to whomever they want, whenever they want it:

    "Prosecution would serve the Department's goals for CFAA enforcement."

    This will be enforced if the enforcer doesn't like you and you'll be let off the hook if you're doing things on behalf of someone powerful.

    This is banana republic level legislation.

    1. genghis_uk

      Have you been watching the US legal system ... I was going to say lately but Judge Dredd was a parody of the US 'justice' system in the '70's and nothing has really improved since...

      1. Yet Another Anonymous coward Silver badge

        Judge Dredd dispensed 'justice' without favouritism, politics or racism - he is an idealised dream of the US justice system.

  5. OhForF'

    Does the US Department of Justice really get to decide which part of federal law does not fit their agenda and thus can be ignored or is that neglect of duty?

Security researchers should not be prosecuted for doing their job responsibly, but relying on the current agenda of the DoJ to protect them seems to be wrong on multiple levels.

    1. doublelayer Silver badge

      "Does the US Department of Justice really get to decide which part of federal law does not fit their agenda and thus can be ignored or is that neglect of duty?"

      No, they just get to do that. They have to use the laws to decide who can be prosecuted, but they have the authority to focus their efforts at any subset of those people they want. This is the case so they can optimize the use of their resources (they don't spend all their time on small-scale criminals and run out of employees when bigger criminals come along), but it can lead to abuse and neglect.

"Security researchers should not be prosecuted for doing their job responsibly, but relying on the current agenda of the DoJ to protect them seems to be wrong on multiple levels."

      It definitely is. It's just that it's the only thing they can do. They are not allowed to put this into the law, so it's just a direction about who deserves their attention. It can be reversed at any time.

      1. Yet Another Anonymous coward Silver badge

        > (they don't spend all their time on small-scale criminals and run out of employees when bigger criminals come along)

        And so by concentrating on large scale fraud rather than panhandlers reselling out-of-state cigarettes they were able to prevent a major economy destroying financial breakdown.

        1. doublelayer Silver badge

          I didn't say they were perfect, and in fact I pointed out that they can have major imperfections. They have the authority to selectively prosecute and they lack the resources to prosecute everyone in existence, so whatever your view on how well they use those things, it's useful to know they have this. This is not just the U.S., by the way. It's typical of all investigation and prosecution systems everywhere. Describing how financial crimes are judged and investigated, when something counts as a financial crime, and how you can legally do something that causes financial problems is not relevant to the security research situation, so I'll spare you that essay.

6. Anonymous Coward

    Misdirection, Hypocrisy.......Window Dressing........Why am I not surprised??????

    Quote: "...The US Justice Department has directed prosecutors not to charge "good-faith security researchers" with violating the Computer Fraud and Abuse Act (CFAA) if their reasons for hacking are ethical..."

    So....immediately......prosecutors need to charge everyone in Fort Meade under the CFAA............................. "good faith"..............


    .............undermining EVERYONE ELSE'S security..............

    Yup.....I didn't think so............facing both ways at once!!!

    P.S. And while they are at it, they could charge all the Brits working at Fort Meade to hack know....that bilateral treaty where Brits hack Americans and Americans hack Brits. (See the Anne Sacoolas affair. Link

7. Anonymous Coward

    I am struggling to understand why self-proclaimed "researchers" can't ask nicely for permission before trying to hack other people's systems.

    Surely that is the acid test of acting in good faith?

    Just try tunneling into a bank vault and telling the cops that you were doing research in good faith to help banks improve their security.

    1. doublelayer Silver badge

      Because sometimes, your actions are either legal without permission or unplanned, and in both cases, being denied permission could be a problem. I'll use an example for each one.

      Legal without permission: I've bought a device, and I'm going to run security tests on it. This device is mine, and I have that right. I do not require the manufacturer's permission to try gaining extra control of the software running on it. If I find a vulnerability in this one, I'll inform the manufacturer in the hope that they will fix it for all users of the device. If I asked them for permission to test something that I own and they declined, it would have no effect on my rights but they might think that it allows them to come after me. Manufacturers that don't want their vulnerabilities disclosed and don't want to fix them have frequently taken this approach to attempt to silence researchers who discover real problems.

Discovery is unplanned: I'm using a service legitimately and find a problem. This may be entirely accidental (I mistyped a URL, for example), basic (oh, look, this form reacts wrongly when an SQL query is put in it), or more active (look, they've got private information in the HTML of this page which they're sending to me without authorization), but in all cases, it's something that is made available for my use. Even in the SQL example, I'm putting text in a box where I'm supposed to do so, and if my message actually contains a valid SQL query, it's valid input. Having found this, I inform the company that there is a possible issue. Again, I haven't done something invasive to discover they have a problem, but if they're annoyed or don't understand what I've done, they may react badly. I shouldn't need their permission to do that.

      There are many cases where you do need permission to do a test, and where failing to get it makes your activities criminal. A penetration test without permission is nearly always an obvious crime. These are pretty clear. Unfortunately, when the activity is clearly acceptable, researchers are not always treated well when they disclose it to the owner, which is why more protections are needed.

    2. Throatwarbler Mangrove Silver badge

      Since you seem to be hard of thinking, let me help you out. Applying your analogy, you buy a model of safe (or lock) that is used by one or more banks and discover that by knocking on it with "Shave and a Haircut" you can cause it to unlock. Being a responsible researcher, you report this to the safe company, which then turns around and has you charged with a criminal offense.

      Alternately, you happen to notice that the supposedly secure bank vault has a second entrance marked "employees only" which is easily accessible with a skeleton key. You notify the bank and are charged with a criminal offense.


  8. cd

    Reporting system from another industry

    I've worked in the US railroad industry in various ways, and have come close to being extinguished. In 2003, FRA (Federal Railroad Admin) began to work on a reporting system that separated blame and reporting, so that more safety incidents would be reported. They based it on a system that NASA had been using (guessing since the Morton-Thiokol incident), and NASA handles the data from their center in Sunnyvale.

    Here's the background reasoning of the process.

    The current page for the program.

The idea is that when an employee witnesses or participates in something that would be punishable, and so would not normally report it, they can submit a report online or by mail. The data is then anonymised and a summary is given to the employer. NASA holds and protects all of the data to prevent obvious employer reactive behaviors. When I first read about this I was very interested and tried to apply myself. Likely my Aspie-rations got in the way.

    "C3RS provides a safe environment for employees to report unsafe events and conditions and employees receive protection from discipline and FRA enforcement. In addition, railroads receive protection from FRA enforcement for events reported within C3RS."

It seems to me that the kinds of reporting where bounties are given could remain much as they are.

    The above system could be used for potential security threats where there is potential for legal retribution by the connected.



Biting the hand that feeds IT © 1998–2022