SoylentNews is people

posted by martyb on Thursday April 30 2020, @03:36PM
from the is-"view-source"-a-crime? dept.

Possibly paywalled: There's finally a Supreme Court battle coming over the nation's main hacking law (Alternative URL)

The Supreme Court is finally considering whether to rein in the nation's sweeping anti-hacking law, which cybersecurity pros say is decades out of date and ill-suited to the modern Internet.

The justices agreed to hear a case this fall that argues law enforcement and prosecutors have routinely applied the law too broadly and used it to criminalize not just hacking into websites but also far more innocuous behavior – such as lying about your name or location while signing up on a website or otherwise violating the site's terms of service.
If the court agrees to narrow how prosecutors can use the law, it would be a huge victory for security researchers.

They routinely skirt websites' strict terms of service when they investigate them for bugs that cybercriminals could exploit.

It would also make the Internet far safer, they say. That's because current interpretations of the 1986 law, known as the Computer Fraud and Abuse Act (CFAA), have made researchers wary of revealing bugs they find because they fear getting in trouble with police or with companies, which can also sue under the law in civil courts.

"Computer researchers are constantly afraid that a security test they run is going to run them afoul of the law," Tor Ekeland, an attorney who specializes in defending people accused of violating the CFAA, told me. "This law makes the Internet less safe because it chills legitimate information security research and it's bad for the economy because it chills innovation."

The fight centers on whether the law should apply just to hacking or more broadly to breaking rules on a computer.

How many Soylentils read the entire terms of service of all the web sites they visit? In some cases, people have been convicted of crimes for violating them. It would be best to read the entire article before commenting as there are several nuances and historical precedents that it addresses.



 
This discussion has been archived. No new comments can be posted.
  • (Score: 4, Interesting) by VLM on Thursday April 30 2020, @04:03PM (13 children)

    by VLM (445) on Thursday April 30 2020, @04:03PM (#988614)

    > It would be best to read the entire article before commenting as there are several nuances and historical precedents that it addresses.

    Speaking of nuances:

    Hilariously it's paywalled and takes multiple clicking around to find the terms of service to find out if I can legally read the article without prosecution. You have to F around on the website for a while before you can figure out if it's legal to F around on the website, which is pretty funny.

    The URL for the TOS looks weird, maybe contains PII, so I won't copy and paste it here. I mean it doesn't look at first glance like they embedded my IP addrs in the URL but who knows with scummy companies out there.

    > The fight centers on whether the law should apply just to hacking or more broadly to breaking rules on a computer.

    The law shouldn't even exist. We already have fraud laws on the books. Filling out a fake mortgage application is already illegal on paper, we don't need extra laws to make it illegal solely because the criminal used a keyboard instead of an ink pen.

    It's the law analogy of taking an existing business model, put it on the internet, and go patent troll rent seeking. It's simply an unnecessary law, about as stupid as having a law with parallel consequences for counterfeiting $5 bills as opposed to $1 bills, or tax fraud when you use a black ink pen as opposed to a blue ink pen on your 1040.

  • (Score: 2) by hendrikboom on Thursday April 30 2020, @04:23PM (1 child)

    by hendrikboom (1125) on Thursday April 30 2020, @04:23PM (#988625)

    It's reasonable for the law to deal with damage caused but an attack. Not much more.

    • (Score: 3, Insightful) by VLM on Thursday April 30 2020, @04:37PM

      by VLM (445) on Thursday April 30 2020, @04:37PM (#988632)

      If this specific law disappeared, don't we already have a bazillion laws on the books to deal with "damage caused but (sic) an attack."

      I mean we don't specifically have a law to handle if I stole your paper files and shredded them. We have general laws about destruction and stealing that do just fine. Doing the same criminal behavior, but now online, doesn't need a new online law. It's already illegal to interfere with your business by stealing and destroying your stuff. Don't need an "e-law" to handle it.

      The other problem is it gets too specific. Some moron politician will likely write something dumb enough that e-criminality only happens if you're on a 1980s arcnet coaxial cable installation and some crook will beat the rap because he connected via wifi. We don't need moron politicians getting too specific. More realistic stupid politician trick would be writing SQL vs noSQL into law.

  • (Score: 2) by PiMuNu on Thursday April 30 2020, @04:24PM (10 children)

    by PiMuNu (3823) on Thursday April 30 2020, @04:24PM (#988628)

    > The law shouldn't even exist.

    Have you not seen War Games? That sort of thinking can start World War III

    • (Score: 3, Funny) by VLM on Thursday April 30 2020, @04:42PM (4 children)

      by VLM (445) on Thursday April 30 2020, @04:42PM (#988635)

      > Have you not seen War Games?

      Have you? I don't think the plot of the movie was "Well, this kid did break every law in the book, but it's on a computer so we'll just have to let him do it and ignore his actions".

      • (Score: 2) by PiMuNu on Thursday April 30 2020, @05:38PM

        by PiMuNu (3823) on Thursday April 30 2020, @05:38PM (#988660)

        > Have you?

        Yes, but it was a long time ago. I had to check on Wikipedia that it was the film I was thinking about! I'll put down "Last Starfighter" next [checks Wikipedia again]

      • (Score: 0) by Anonymous Coward on Thursday April 30 2020, @10:42PM (2 children)

        by Anonymous Coward on Thursday April 30 2020, @10:42PM (#988741)

        No, that is pretty much the plot. He unwittingly breaks into the computer and starts the countdown to Armageddon. They catch him and bring him to the vault in Colorado and Dabney Coleman locks him in an office. Then when the shit is about to hit the fan, they let him decide how to interact with the computer with the hopes that he can get it to stop. And then they all walk away happy in the end.

        I remember the movie fairly well, I think, but it was also my first real date with the girl I wanted to be my girlfriend and I did spend a lot of the movie wondering if I should touch her or maybe try to steal a kiss after it was over, so I might be a little fuzzy on some of the parts.

        • (Score: 2) by janrinok on Friday May 01 2020, @08:26AM

          by janrinok (52) on Friday May 01 2020, @08:26AM (#988842)

          You can't finish there! Inquiring minds need answers.

          Did you kiss her? Did you get a second date?

        • (Score: 2) by VLM on Monday May 04 2020, @09:45PM

          by VLM (445) on Monday May 04 2020, @09:45PM (#990452)

          Should have watched the movie more closely; the secret is to change her grade in class to an "A". Either that or prevent WWIII. Girls are unpredictable that way.

    • (Score: 4, Funny) by DannyB on Thursday April 30 2020, @05:27PM (4 children)

      by DannyB (5839) on Thursday April 30 2020, @05:27PM (#988656)

      Recently on SN I pointed out that CFAA [wikipedia.org] (computer fraud and abuse act) was inspired by the movie War Games.

      Yes, really. Lawmakers asked about how well military computers were protected. Naturally making hacking illegal would prevent it from happening. Just as laws against murder have eliminated all murders.

      Gone are the days where you would dial in to Soylent News, to have your terminal emulator spit out a banner of rules and a notice about the CFAA and howww09909n;ln; n2;l0dd0a#(SuG9G)s32]

      NO CARRIER

      --
      To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
      • (Score: 3, Insightful) by meustrus on Thursday April 30 2020, @10:15PM (3 children)

        by meustrus (4961) on Thursday April 30 2020, @10:15PM (#988727)

        > Naturally making hacking illegal would prevent it from happening.

        Most important sentence on this page.

        Computation and cryptography together represent a fundamentally new means of enforcing reality. Because you can mathematically prove that a law is broken and immediately prevent it, there's no reason to design punishments for breaking that law.

        Take Bitcoin as an example. We don't need laws against forging Bitcoin. Bitcoin as a technology is designed so that forging it is mathematically impossible (within certain highly visible restrictions).

        Businesses take far too much for granted from the government. Sure, if you have a brick and mortar store, the police are there to respond to break-ins and track down the burglar.

        That doesn't work with computers, though. There are simply too many would-be burglars for human cops to chase after them.

        What does work with computers is designing an interface that is cryptographically impossible to access fraudulently. Which is admittedly very difficult, to the point that possibly nobody has done it correctly.

        If anybody has, though, it would be the military. And here's the kicker: they could share that knowledge with the rest of society. We could have military-grade secure communication.

        We don't have military-grade secure communication, though, ultimately because they like having the best toys. See export of cryptography from the United States [wikipedia.org].

        Maybe the CFAA helped placate civilian needs for military-grade security. Maybe that was the plan all along. Maybe law enforcement prefers playing an unwinnable game of cat-and-mouse to being effectively locked out from snooping along with everybody else.

        Then again, maybe it's not realistic to think private enterprise would ever invest all that much in their own digital security. Maybe the explosion of economic activity on the internet depends on web site operators being able to avoid the expense of real security.

        At that point, though, it's all actuarial. Does it really matter to customers that the perpetrator of a data breach is classified as a criminal? No. Does it matter to their insurance underwriters? Probably.

        --
        If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
        • (Score: 2) by DannyB on Friday May 01 2020, @02:02PM (1 child)

          by DannyB (5839) on Friday May 01 2020, @02:02PM (#988951)

          > Maybe the CFAA helped placate civilian needs for military-grade security.

          Maybe, but the CFAA (1986) was a long time before the crypto wars of the early 1990s. Maybe there was demand for military grade crypto in 86, but I wasn't aware of it.

          One interesting thing about the crypto wars was a hack workaround. What if I published source code and detailed knowledge in a textbook (Applied Cryptography) and then traveled out of the US with that textbook. Was the US prepared to ban books? Or burn them? Or censor them? Or confiscate academic textbooks? Apparently they were not quite ready, at that time, to go that far. Yet.

          --
          To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
          • (Score: 2) by meustrus on Friday May 01 2020, @06:35PM

            by meustrus (4961) on Friday May 01 2020, @06:35PM (#989095)

            "Placate" is probably the wrong word. "Preempt" would be a better fit. Because yeah, the private sector didn't think they needed it. Even though Bell had been getting phreaked for years, they still thought they could get away with security-by-obscurity forever.

            In a more perfect world, the US government would have predicted the influence that networked computing would have and launched a program to provide free military-grade security consulting to US tech companies.

            There's no way that ever could have happened, though. It would have required government to simultaneously be pro-private-sector and pro-big-government, not to mention incredibly prophetic.

            It's the kind of thing that could only happen in a centrally-managed economy. Most of those were too anti-private-sector to ever consider such a scheme. All but one.

            Which raises the question: is it possible that China is running such a program? They fit all the requirements. The CCP might be too paranoid, though. But if we start to discover that Chinese tech is much more secure than anyone else's, maybe this is the reason why.

            Funny how cyberpunk in the 80s predicted the wrong east Asian country would come to dominate the world through superior technology.

            --
            If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
        • (Score: 2) by Pino P on Saturday May 02 2020, @06:29PM

          by Pino P (4721) on Saturday May 02 2020, @06:29PM (#989548)

          > What does work with computers is designing an interface that is cryptographically impossible to access fraudulently. Which is admittedly very difficult, to the point that possibly nobody has done it correctly.

          Have engineers been able to implement a computer system in which a user is authorized to access a document but not to disclose its contents to a third party? The only thing backing that up right now is national implementations of the 1996 WIPO treaty.