Wednesday, September 16, 2020

You may be guilty of hacking

I've been working in computer and network security for literally decades.  During this career I've been at companies that did security research.  We did a lot to help improve the sorry state of Internet Security and you are better off for it.  Now that may about to become illegal, depending on how the Supreme Court rules on an upcoming case:

A US Supreme Court case that could expand the Computer Fraud and Abuse Act (CFAA) to include prosecuting "improper" uses of technology not specifically allowed by software makers will chill security research and could be used to punish other fair uses of technology, a group of nearly 70 vulnerability researchers and security firms said in a letter published on September 14. 

The Computer Fraud and Abuse Act is a 1980s era statute passed right around when I got into computer security.  It was passed to criminalize computer hacking - you know, breaking into someone's computer.  Simples, amirite?


Except nothing is simple, at least when the Legislature is in session.  Or when a District Attorney is prosecuting a case:

The original case that ended up at the US Supreme Court seemingly has little to do with election systems or even hacking. The case originates in the prosecution of Nathan Van Buren, a police sergeant in Cumming, Georgia, who had accessed the state records system to get information on a license plate in exchange for money. In addition to being found guilty of honest services wire-fraud in May 2018, the court also found him guilty of a single charge of violating the CFAA for accessing state and government databases for an improper use.

Now there's no doubt that Mr. Van Buren is a scumbag and a dirty cop.  But it's hard to see him as a computer hacker - he had a legitimate account on the computer system and he accessed it with his legitimate username and password.  Sure, he abused it once he was logged in, but this isn't at all what we think of when someone mentions the word "hacker".  Fraud, sure.  Probably other charges but hacking seems to be a category error.

But here's where Internet Security could be fatally crippled - legitimate security research by legitimate organizations could be made a criminal offense if the Supremes uphold the hacking charge:

A US Supreme Court case that could expand the Computer Fraud and Abuse Act (CFAA) to include prosecuting "improper" uses of technology not specifically allowed by software makers will chill security research and could be used to punish other fair uses of technology, a group of nearly 70 vulnerability researchers and security firms said in a letter published on September 14. 

This letter didn't come out of the blue.  It came in response to an Amicus brief filed to the court by Voatz, a manufacturer of voting machines and software.  Voatz has a, ahem, checkered reputation when it comes to security:

The letter — signed by computer scientists from the University of Michigan and Johns Hopkins University, as well as security firms Bugcrowd, HackerOne, and Trail of Bits, among others — is a response to a legal filing by e-voting firm Voatz in a case that could expand the definition of "exceeds authorized access" under the CFAA to include violations of user agreements and software licenses. While Voatz has participated in bug bounty programs granting participants legal protections, the firm also has reported a student researcher to state officials, dismissed serious vulnerabilities found by three researchers from the Massachusetts Institute of Technology, and even downplayed a third-party audit of their entire systems by security firm Trail of Bits that both confirmed the MIT findings and also found even more critical vulnerabilities. 

It's like a car company threatening criminal prosecution of Consumer Reports for publishing repair statistics they collected.  Sure, it may be embarrassing to the company, but is it criminal?  According to Voatz, the answer is "yes:

The letter took shape following a September 3 legal filing, known as an amicus or friend-of-the-court brief, in which Voatz argued that testing laboratories, security reviews, and bug bounties are all authorized forms of security testing and should be enough to guarantee security. Independent code reviews and penetration tests, the company claims, are not authorized and the CFAA's language "exceeds authorized access" should apply.

So this is the point that you should start wondering if you yourself are guilty of hacking*.  After all, you just merrily click "I Accept" without reading any of those boring old License Agreement notices, don't you?  That agreement specifies what is permissible use according to the software maker.  If you go beyond that, does that make you a criminal?  According to Voatz, the answer is "yes".  Especially if you publish security information that embarrass the company.

Know your place, peon.  Or do the time.

I've posted often about "Regulatory Capture", where large companies try to use government regulations to stymie dangerous competitive startups.  I've written at length about how this is very damaging to the economy, although it is financially advantageous to the company.  This is worse.  Not only will it stifle legitimate security research that makes companies (sometimes reluctantly or unwillingly) improve their security, but it will stifle security improvement in an area that is critically important for the health of the Republic - voting.

And besides, it might make you guilty of hacking.  I wish I had more faith in the intelligence and wisdom of the SCOTUS.

* Yes, yes - you only use your Powers for good.  I know that, but does the District Attorney?

2 comments:

Jonathan H said...

As you mention, companies are looking for ways to use laws to their advantage.
In this case, they only want scrutiny from 'friendly' sources they have control over... If they win this case, it will hurt computer security, which already needs all the help it can get.

Jonathan H said...

The District Attorney doesn't care about right and wrong - he cares about whether he can get a conviction or not (in most places, and definitely in liberal cities and states).