US won’t prosecute ‘good faith’ security researchers under CFAA

The US Justice Department has directed prosecutors not to charge "good-faith security researchers" with violating the Computer Fraud and Abuse Act (CFAA) if their reasons for hacking are ethical — things like bug hunting, responsible vulnerability disclosure, or above-board penetration testing. Good-faith, according to the …

  1. sreynolds

If it's not in the Act then don't trust them.

Sorry, I haven't read the bill, so excuse my ignorance. Having said that, most US bills contain things that are unrelated to the actual law being enacted, so it is a time waster.

    But, if they really mean it, then why not put it in the actual legislation itself. Is it too hard for the DoJ to do this? I wouldn't trust any agency.

    1. doublelayer Silver badge

Re: If it's not in the Act then don't trust them.

      It's not in it and the department does not have the authority to make any changes. There are people who could put this into the law, but they probably won't do it and it wouldn't help much. They wouldn't do it because it takes a lot of effort just to add a weak protection and some of them (all of them) don't really understand what security researchers do. If they did, it wouldn't necessarily help because it isn't clear. A lot of laws include such ambiguous terms, meaning that if a prosecutor wants to, they can easily spend months in court arguing whether something was "good faith" or not, decided by a judge who also doesn't know what security researchers do. We've already seen politicians attempt to get someone prosecuted for something that already doesn't come under the definitions in that law, so they're certainly not going to be stopped by a platitude. That's why the EFF wants stronger protections.

      1. sreynolds

Re: If it's not in the Act then don't trust them.

Sorry, it seems that Americans digressed from the Westminster system sometime in the 1800s.

        "At one time, the attorney general gave legal advice to the U.S. Congress, as well as the president; however, in 1819, the attorney general began advising Congress alone to ensure a manageable workload"

        The point is the crack lawyers advising the people drafting the bill can't decide how to work "good faith" and other exceptions then don't trust those policing the law that their arbitrariness.

        1. Anonymous Coward
          Anonymous Coward

Re: If it's not in the Act then don't trust them.

          "The defendant was not authorized to access the protected computer under any circumstances by any person or entity with the authority to grant such authorization;"

          As we know, Oracle, Microsoft, Amazon, Disney, Apple et al., all have a history of supporting their devs unreservedly. Find a bug that costs them millions and watch the lawyers descend.

          1. Anonymous Coward
            Anonymous Coward

Re: If it's not in the Act then don't trust them.

            Cat Fishing All Addresses (CFAA)

    2. Throatwarbler Mangrove Silver badge
      Headmaster

Re: If it's not in the Act then don't trust them.

      "Is it too hard for the DoJ to do this?"

      It is, technically speaking, impossible. The Executive Branch of the US government can propose laws to Congress, but it's up to Congress to write and pass legislation, which can then be ratified or vetoed by the President. The DoJ can make choices about how to enforce laws, within certain constraints, but it can't change them.

      This has been your US Civics 101 lesson for the day.

      1. BOFH in Training

Re: If it's not in the Act then don't trust them.

        In other words, this "won't prosecute" thing can change whenever the administration changes.

    3. B/Eads

Re: If it's not in the Act then don't trust them.

      Reads like any other DoJ policy statement - temporary. The DoJ has been down this path many times with many changes. No sense in trusting them with anything larger than an order from a sandwich shop now or in the future.

  2. Danny 2

    Fine line?

    "It's a fine line to demonstrate what a malicious actor could do...if I walked up to your home, saw it was unlocked, let myself in "

    No, no no, that is not a fine line, that is a red line. You don't walk into a home ever without permission. Hack their computers if you like but that is a sick analogy that indicates a sick mind. That is breaking and entering, doesn't matter if you never stole anything or phoned me.

    I don't have a house, but keep away from my house. Get off my lawn. Fuck yeah.

    1. An_Old_Dog Silver badge
      Headmaster

      "That's breaking and entering"

      Um, no ... it's not; it's simply "illegal entry". The door was unlocked, so you didn't break (in). But the plods will collar you for the illegal entry.

      1. chuckufarley Silver badge
        Boffin

        Re: "That's breaking and entering"

In some US states, the home owner can shoot and kill you if you are in their house without prior permission. I am not saying that this is right or wrong. I am just saying that this *is*.

        1. An_Old_Dog Silver badge
          Alert

          Re: "That's breaking and entering"

          I'd expect there to be a significantly-less proportion of peoples' houses being illegally-entered in those states. If there is not a significantly-less proportion of illegal home entries in those states, then it would appear the perpetrators are not thinking carefully, if at all.

          People not thinking carefully is a continuing societal problem.

        2. OldSod

          Re: "That's breaking and entering"

          In virtually all US states, shooting someone who has only entered your home and is not presenting a threat of imminent gross bodily harm to people in the home will probably net the shooter a criminal trial and jail time.

          Some states have a "castle doctrine" law that makes it clear that one is allowed to use deadly force inside one's home without a duty to retreat from the home, but reasonable fear (not bare fear) of gross bodily harm is still required to justify the use of deadly force.

I.e., if your neighbor walks in through your garage and is looking around for you, it is not OK to shoot them. On the other hand, a stranger throwing a brick through your patio door and continuing to advance towards you after you warn them you are armed and that they need to leave your home might be fair game, but law enforcement and possibly an attorney general will need to be convinced that your fear of them was reasonable.

        3. This post has been deleted by its author

      2. Robert Helpmann??
        Childcatcher

        Re: "That's breaking and entering"

        Um, no ... it's not; it's simply "illegal entry".

        I looked this one up because IANAL and wanted to check... Short answer is that if you have to open the door, you are applying force and this constitutes "breaking", at least in some jurisdictions. Obviously, practical definitions vary by jurisdiction within the US. I am not even going to try to address other countries' legal intricacies.

        REF:

        https://www.law.cornell.edu/wex/breaking_and_entering

  3. Clausewitz4.0 Bronze badge
    Devil

    Who cares about the US DOJ?

    If you are not in the US DOJ jurisdiction, why bother? Just comply with local laws...

    1. doublelayer Silver badge

      Re: Who cares about the US DOJ?

      Er ... yeah, that's how laws work. This law is important to you if a) you're in the U.S., b) the thing you're testing is in the U.S., or c) the thing you're testing is owned by someone in the U.S. If none of those applies, you can ignore it all you like. Your point was?

      1. Clausewitz4.0 Bronze badge
        Devil

        Re: Who cares about the US DOJ?

        My point being explained as a response from TPB:

        The response to Warner Brothers: We are well aware of the fact that The Pirate Bay falls outside the scope of the DMCA – after all, the DMCA is a US-specific legislation and TPB is hosted in the land of Vikings, reindeers, Aurora Borealis and cute blonde girls.

        US Judiciary really thinks US local laws can be applied worldwide. Not.

        1. doublelayer Silver badge

          Re: Who cares about the US DOJ?

          I'm not here to defend copyright or an entirely different law to the one the article's talking about, but you'll note on my list of times where it counts that "owned by someone in the U.S." is a factor. Consider why that applies and draw your own parallels to the DMCA. I'll stick to the topic under discussion.

      2. Yet Another Anonymous coward Silver badge

        Re: Who cares about the US DOJ?

        But if you aren't in the USA you are a terrorist anyway

    2. chuckufarley Silver badge

      Re: Who cares about the US DOJ?

      I apologize for the down vote, but I have to say that this post is endemic of some attitudes within the US. Some folks think that local laws should "Trump" the needs of a global civilization.

      Personally, I'd like to welcome you to the 20th Century. I'm sorry that you are a bit late.

    3. Kabukiwookie

      Re: Who cares about the US DOJ?

      Because the US will ask for extradition if you fart the wrong way.

      Assange is meant to be an example to anyone foolish enough to expose inconvenient truths.

      Sadly the only places where you're free to do these things (expose US inconvenient info) is in Russia and China... how's that for irony.

      Though the other way around it's the same, Russia and China don't proclaim to be fighting for Democracy and Freedom(tm).

      1. Clausewitz4.0 Bronze badge
        Devil

        Re: Who cares about the US DOJ?

        We know they try extradition a lot, but fail a lot also.

        Yes, Russia and China are good places to work in certain fields.

        1. chuckufarley Silver badge

          Re: Who cares about the US DOJ?

          You mean like posting on IT forums hosted in the Western Hemisphere just to stir up trouble? Tell me, how much do you get paid for this? Does it increase the odds of humanity leaving our Pale Blue Dot or does it just put food in your belly while you watch friends and family starve?

          1. Kabukiwookie

            Re: Who cares about the US DOJ?

            Yup. Everyone who's critical of what happens in 'the west' is a Putin bot...

            There, there... get some dried frog pills and a tinfoil hat..

      2. Cederic Silver badge

        Re: Who cares about the US DOJ?

        Free Dmitry Sklyarov.

        (Ok, that's a tad out of date now)

  4. Kabukiwookie

    The one line that essentially means they'll do whatever they want, to whomever they want, whenever they want it:

    "Prosecution would serve the Department's goals for CFAA enforcement."

    This will be enforced if the enforcer doesn't like you and you'll be let off the hook if you're doing things on behalf of someone powerful.

    This is banana republic level legislation.

    1. genghis_uk
      FAIL

      Have you been watching the US legal system ... I was going to say lately but Judge Dredd was a parody of the US 'justice' system in the '70's and nothing has really improved since...

      1. Yet Another Anonymous coward Silver badge

        Judge Dredd dispensed 'justice' without favouritism, politics or racism - he is an idealised dream of the US justice system.

  5. OhForF' Silver badge

    Does the US Department of Justice really get to decide which part of federal law does not fit their agenda and thus can be ignored or is that neglect of duty?

Security researchers should not be prosecuted for doing their job responsibly, but relying on the current agenda of the DoJ to protect them seems to be wrong on multiple levels.

    1. doublelayer Silver badge

      "Does the US Department of Justice really get to decide which part of federal law does not fit their agenda and thus can be ignored or is that neglect of duty?"

      No, they just get to do that. They have to use the laws to decide who can be prosecuted, but they have the authority to focus their efforts at any subset of those people they want. This is the case so they can optimize the use of their resources (they don't spend all their time on small-scale criminals and run out of employees when bigger criminals come along), but it can lead to abuse and neglect.

"Security researchers should not be prosecuted for doing their job responsibly, but relying on the current agenda of the DoJ to protect them seems to be wrong on multiple levels."

      It definitely is. It's just that it's the only thing they can do. They are not allowed to put this into the law, so it's just a direction about who deserves their attention. It can be reversed at any time.

      1. Yet Another Anonymous coward Silver badge

        > (they don't spend all their time on small-scale criminals and run out of employees when bigger criminals come along)

        And so by concentrating on large scale fraud rather than panhandlers reselling out-of-state cigarettes they were able to prevent a major economy destroying financial breakdown.

        1. doublelayer Silver badge

          I didn't say they were perfect, and in fact I pointed out that they can have major imperfections. They have the authority to selectively prosecute and they lack the resources to prosecute everyone in existence, so whatever your view on how well they use those things, it's useful to know they have this. This is not just the U.S., by the way. It's typical of all investigation and prosecution systems everywhere. Describing how financial crimes are judged and investigated, when something counts as a financial crime, and how you can legally do something that causes financial problems is not relevant to the security research situation, so I'll spare you that essay.

  6. Anonymous Coward
    Anonymous Coward

    Misdirection, Hypocrisy.......Window Dressing........Why am I not surprised??????

    Quote: "...The US Justice Department has directed prosecutors not to charge "good-faith security researchers" with violating the Computer Fraud and Abuse Act (CFAA) if their reasons for hacking are ethical..."

    So....immediately......prosecutors need to charge everyone in Fort Meade under the CFAA.............................

    .............no "good faith"..............

    .............unethical..............

    .............undermining EVERYONE ELSE'S security..............

    Yup.....I didn't think so............facing both ways at once!!!

    P.S. And while they are at it, they could charge all the Brits working at Fort Meade to hack Americans...you know....that bilateral treaty where Brits hack Americans and Americans hack Brits. (See the Anne Sacoolas affair. Link https://www.dailymail.co.uk/news/article-7548519/American-spys-wife-fled-UK-crash-conviction-poor-driving-Virginia.html)

  7. Anonymous Coward
    Anonymous Coward

    I am struggling to understand why self-proclaimed "researchers" can't ask nicely for permission before trying to hack other people's systems.

    Surely that is the acid test of acting in good faith?

    Just try tunneling into a bank vault and telling the cops that you were doing research in good faith to help banks improve their security.

    1. doublelayer Silver badge

      Because sometimes, your actions are either legal without permission or unplanned, and in both cases, being denied permission could be a problem. I'll use an example for each one.

      Legal without permission: I've bought a device, and I'm going to run security tests on it. This device is mine, and I have that right. I do not require the manufacturer's permission to try gaining extra control of the software running on it. If I find a vulnerability in this one, I'll inform the manufacturer in the hope that they will fix it for all users of the device. If I asked them for permission to test something that I own and they declined, it would have no effect on my rights but they might think that it allows them to come after me. Manufacturers that don't want their vulnerabilities disclosed and don't want to fix them have frequently taken this approach to attempt to silence researchers who discover real problems.

Discovery is unplanned: I'm using a service legitimately and find a problem. This may be entirely accidental (I mistyped a URL, for example), basic (oh, look, this form reacts wrongly when an SQL query is put in it), or more active (look, they've got private information in the HTML of this page which they're sending to me without authorization), but in all cases, it's something that is made available for my use. Even in the SQL example, I'm putting text in a box where I'm supposed to do so, and if my message actually contains a valid SQL query, it's valid input. Having found this, I inform the company that there is a possible issue. Again, I haven't done something invasive to discover they have a problem, but if they're annoyed or don't understand what I've done, they may react badly. I shouldn't need their permission to do that.

      There are many cases where you do need permission to do a test, and where failing to get it makes your activities criminal. A penetration test without permission is nearly always an obvious crime. These are pretty clear. Unfortunately, when the activity is clearly acceptable, researchers are not always treated well when they disclose it to the owner, which is why more protections are needed.

    2. Throatwarbler Mangrove Silver badge
      Facepalm

      Since you seem to be hard of thinking, let me help you out. Applying your analogy, you buy a model of safe (or lock) that is used by one or more banks and discover that by knocking on it with "Shave and a Haircut" you can cause it to unlock. Being a responsible researcher, you report this to the safe company, which then turns around and has you charged with a criminal offense.

      Alternately, you happen to notice that the supposedly secure bank vault has a second entrance marked "employees only" which is easily accessible with a skeleton key. You notify the bank and are charged with a criminal offense.

      Etc.

  8. cd

    Reporting system from another industry

    I've worked in the US railroad industry in various ways, and have come close to being extinguished. In 2003, FRA (Federal Railroad Admin) began to work on a reporting system that separated blame and reporting, so that more safety incidents would be reported. They based it on a system that NASA had been using (guessing since the Morton-Thiokol incident), and NASA handles the data from their center in Sunnyvale.

    Here's the background reasoning of the process.

    The current page for the program.

The idea is that when an employee witnesses or participates in something that would be punishable, and so they would not report it, they can submit a report online or by mail. The data is then anonymised and a summary is given to the employer. NASA holds and protects all of the data to prevent obvious employer reactive behaviors. When I first read about this I was very interested and tried to apply myself. Likely my Aspie-rations got in the way.

    "C3RS provides a safe environment for employees to report unsafe events and conditions and employees receive protection from discipline and FRA enforcement. In addition, railroads receive protection from FRA enforcement for events reported within C3RS."

    It seems to me that the kinds of reporting where bounties are given which could remain much as they are.

    The above system could be used for potential security threats where there is potential for legal retribution by the connected.
