
posted by martyb on Friday September 11 2020, @05:38PM
from the only-criminals-would-change-a-URL dept.

Legality of Security Research to be Decided in US Supreme Court Case:

A ruling that a police officer's personal use of a law enforcement database is "hacking" has security researchers worried for the future.

Independent security researchers, digital-rights groups, and technology companies have issued friend-of-the-court briefs in a US Supreme Court case that could determine whether violating the terms of service for software, hardware, or an online service equates to hacking under the law.

The case—Nathan Van Buren v. United States—stems from the appeal of Van Buren, a police sergeant in Cumming, Georgia, who was found guilty in May 2018 of honest services wire-fraud and a single charge of violating the Computer Fraud and Abuse Act (CFAA) for accessing state and government databases to look up a license plate in exchange for money. While Van Buren was authorized to use the Georgia Crime Information Center (GCIC) to access information, including license plates, federal prosecutors argued successfully that he exceeded that authorization by looking up information for a non-law enforcement purpose.

[...] With the appeal accepted by the US Supreme Court, security researchers and technology companies are concerned with the potential for the case to turn independent vulnerability research into unauthorized access and, thus, a prosecutable offense. If the US Supreme Court rules that Van Buren's actions are a violation of the CFAA, it will undermine software and cloud security, says Casey Ellis, chief technology officer and founder of crowdsourced bug bounty firm Bugcrowd.

"Unauthorized access is one of the main purposes of security research—by making it illegal, researchers will be unable to effectively do their jobs, the organization will not be able to close all vulnerabilities, and attackers will win," Ellis says, adding, "the purpose of the CFAA is to outlaw malicious cyberattacks, not grant organizations the ability to halt vulnerability reporting by holding ethical researchers legally accountable for their actions."

[...] Security researchers are not the only ones at risk, says Bugcrowd's Ellis. Anyone who uses a computer system in a way not intended by the manufacturer could find themselves the target of legal action and, perhaps, prosecution, he says.

"The law is so broadly written that it criminalizes acts that otherwise violate a website's terms of services, from lying about your name on a Web form to the socially beneficial security testing that ethical security researchers undertake," he says. "A broader interpretation of 'exceeds unauthorized access' in CFAA works directly against the goals of a safer and more resilient Internet."

A date for oral arguments in the case has not been set.


This discussion has been archived. No new comments can be posted.
  • (Score: 2, Insightful) by fustakrakich on Friday September 11 2020, @05:52PM (19 children)

    by fustakrakich (6150) on Friday September 11 2020, @05:52PM (#1049581) Journal

    Then the only solution is to do it anonymously. What other choice is there?

    --
    Politics and criminals are the same thing.
    • (Score: 2) by Runaway1956 on Friday September 11 2020, @05:57PM (5 children)

      by Runaway1956 (2926) Subscriber Badge on Friday September 11 2020, @05:57PM (#1049586) Journal

      Better access TOR through a VPN, then set up a long convoluted proxy chain that passes back through another VPN. And, hope that the NSA isn't sitting on a critical relay, such as the TOR node that you connect through.

      • (Score: 1, Insightful) by Anonymous Coward on Friday September 11 2020, @08:16PM (4 children)

        by Anonymous Coward on Friday September 11 2020, @08:16PM (#1049651)

        Covfefe, hamberders, grab em by the pussy, lies, theft, corruption.

        But ok, mock Biden for a mild turn of phrase. At least he overcame a legitimate stuttering proble., Trump dodged the draft and can't even read a teleprompter or prepare his speeches enoufg to not fuck up all the time.

        Biden is such a typical conservative, yet you still prefer the grifter in chief. But assholes of a turd muck in a herd!

        • (Score: 0) by Anonymous Coward on Friday September 11 2020, @09:31PM

          by Anonymous Coward on Friday September 11 2020, @09:31PM (#1049676)

          Covfefe, hamberders... enoufg

        • (Score: -1, Flamebait) by Anonymous Coward on Friday September 11 2020, @10:19PM (2 children)

          by Anonymous Coward on Friday September 11 2020, @10:19PM (#1049691)

          When do you realize that Biden is the Manchurian candidate? The senile fuck is just a distraction. Harris will be president, not Biden. And, Harris track record as a fascist prosecutor should scare you . . .

          • (Score: 2, Insightful) by Anonymous Coward on Friday September 11 2020, @11:41PM

            by Anonymous Coward on Friday September 11 2020, @11:41PM (#1049734)

            Can't speak for anyone else but Trump's fascism, corruption, and criminality are already beyond the pale. Harris would be massively preferable to the orange anus. Sheeit, that turd has already brought us close to WW3 with Iran and has openly stoked race wars in the US. Get it yet?

          • (Score: 0) by Anonymous Coward on Saturday September 12 2020, @04:34PM

            by Anonymous Coward on Saturday September 12 2020, @04:34PM (#1049988)

            I don't know anything about her record, but the way she acts during speeches is fucking disgusting. Anyone voting for Biden and this dumb Negress needs to be banished, at the very least.

    • (Score: 3, Touché) by barbara hudson on Friday September 11 2020, @06:51PM (12 children)

      by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Friday September 11 2020, @06:51PM (#1049611) Journal

      Or just get consent from the owner.

      Like legitimate researchers in other fields.

      --
      SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
      • (Score: 1) by fustakrakich on Friday September 11 2020, @07:20PM (5 children)

        by fustakrakich (6150) on Friday September 11 2020, @07:20PM (#1049627) Journal

        Doesn't always work if the owner is complicit, but then you need a warrant, right?

        "going through channels" is not always the best way to conduct research, especially in something like security where nobody can be trusted. Best to just do it and get the info out.

        --
        Politics and criminals are the same thing.
        • (Score: 4, Interesting) by bzipitidoo on Friday September 11 2020, @07:57PM

          by bzipitidoo (4388) on Friday September 11 2020, @07:57PM (#1049645) Journal

          Don't do it at all. When database owners come crying because some mean hacker encrypted all their data and is holding the key for ransom, tell them it could have been prevented, and maybe would have been, if the law wasn't exerting a chilling effect on security research. The thing that sucks the most about being a white hat is the constant suspicion and distrust, and the over-the-top threats of legal action and prison time the normies like to hold over researchers' heads, as if hackers are more dangerous than serial murderers. They're afraid. One of the things notably lacking from their gut feelings is, well, guts.

          I've been falsely accused. I've also been kicked out, supposedly for incompetence. You know, the demeaning escort to the exit that employers like to do because they're afraid you might sabotage them on the way out. So they still wanted me to step away from the computer just in case I could use mad hacking skills to shut down every computer and network on the base or some such. Should I feel better that they still apparently believe in my competence in such matters, even though I'm being dismissed for incompetence?

          How about a medical analogy? Do we want researchers to work on a cure for coronavirus, or not? Make it illegal to have samples of viruses, or conduct tests on them, and we'll never get a cure, not through legal channels.

        • (Score: 2) by barbara hudson on Friday September 11 2020, @10:10PM (3 children)

          by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Friday September 11 2020, @10:10PM (#1049687) Journal

          Get permission and get paid for your work. What do people have against an honest day's pay for an honest day's work?

          Or does this go against "everything should be free?"

          --
          SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
          • (Score: 1) by fustakrakich on Friday September 11 2020, @10:57PM

            by fustakrakich (6150) on Friday September 11 2020, @10:57PM (#1049708) Journal

            *sigh* I guess you didn't read what I wrote. It has nothing to do with your crazed rant against anything "free".

            --
            Politics and criminals are the same thing.
          • (Score: 2) by barbara hudson on Saturday September 12 2020, @01:17AM (1 child)

            by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Saturday September 12 2020, @01:17AM (#1049762) Journal

            It actually applies to you and your constant whining about how everything should be free, rather than actually working for it, or stupid testers who think that everything should be open so why should they bother obtaining permission.

            Same mentality. "I have a right to free access."

            --
            SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
            • (Score: 1) by fustakrakich on Saturday September 12 2020, @01:57AM

              by fustakrakich (6150) on Saturday September 12 2020, @01:57AM (#1049775) Journal

              No, your silly hysterical rants have nothing to do with what I wrote or what I think. You're just deflecting and fantasizing. Seems to be SOP with you.

              --
              Politics and criminals are the same thing.
      • (Score: 0) by Anonymous Coward on Friday September 11 2020, @10:20PM (3 children)

        by Anonymous Coward on Friday September 11 2020, @10:20PM (#1049692)

        Said "owners" don't ask permission to run code on my machine, I don't think I need to ask permission to look at their code.

        • (Score: 2) by barbara hudson on Saturday September 12 2020, @01:23AM (2 children)

          by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Saturday September 12 2020, @01:23AM (#1049765) Journal

          When you download their code onto your machine that is your choice. Doesn't give you the right to run code on their machine. Don't like it, avoid shit like JavaScript. Or most of the other crap out there.

          Store your email on Google? Don't cry when they sell your data. That was the deal - free email in return for selling your data. You have alternatives, but they will cost you money instead of data. Your choice. Get your own paid email account or get an iPhone and iMail. Because TANSTAAFL.

          --
          SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
          • (Score: 0) by Anonymous Coward on Saturday September 12 2020, @05:11AM (1 child)

            by Anonymous Coward on Saturday September 12 2020, @05:11AM (#1049836)

            You don't have alternatives. If you take the time to read the terms of service they're all the same, even the paid companies (and I do pay for some of my email accounts). They all share the data you give them with 3rd parties who help them operate their primary business. What is considered part of their primary business is completely up to them and not disclosed to you nor is a list of those 3rd parties (and the 3rd parties of those 3rd parties and onward).

            Your only choice to opt-out is encryption outside of the email client from both the sender and receiver but that still doesn't protect the metadata. At least the post office doesn't seem to sell your mail's metadata (except when you move) though it does data mine everything (since the anthrax attacks). Though perhaps 3rd parties do get access to your mail now that you can sign up for daily mail notifications and get scans of your mail envelopes.

            • (Score: 2) by barbara hudson on Saturday September 12 2020, @04:19PM

              by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Saturday September 12 2020, @04:19PM (#1049980) Journal

              That is not true. Pay for your own email server, they don't have the right to sell your email account's data. Ditto for paid email services outside the USA where you do not consent to information sharing.

              The problem is that the US has almost no privacy protections from government or commercial abuse.

              Of course if you're stupid enough to use Gmail, they will simply roll over on you without a warrant - all they require is "a reasonable expectation that the requesting party can obtain a warrant", so any Gmail accounts are open to both government and commercial rape. But you would have known that if you had actually read the ToS, which it seems nobody does, then cries afterwards about their privacy. Same as Facebook users posting photos and then complaining when a travel company pays Facebook $5 for the right to use your vacation pics in an ad - should have read the TOS, sucker. You explicitly consented to them being allowed to license your pics to anyone.

              --
              SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
      • (Score: 0) by Anonymous Coward on Saturday September 12 2020, @04:23PM (1 child)

        by Anonymous Coward on Saturday September 12 2020, @04:23PM (#1049982)

        Yes, consent from the owner.

        "Hi, I'd like to test your system for security problems"

        "What does that get me?"

        "Well, you'll lose plausible deniability against break-ins, you'll have to do work to fix your problems, you'll have to explain to your boss why you didn't find these problems yourself, and your managers will be embarrassed. On the other hand, everyone else in the world other than you will benefit."

        "... We'll get back to you"

        • (Score: 2) by barbara hudson on Saturday September 12 2020, @08:26PM

          by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Saturday September 12 2020, @08:26PM (#1050081) Journal

          On the other hand, don't get consent, and have your ass sued out of existence for any losses - or don't disclose anything you found because any disclosure will be evidence against you. And saying "we'll give you x number of days before we disclose," while widespread, is blackmail.

          --
          SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
  • (Score: 1, Interesting) by Anonymous Coward on Friday September 11 2020, @05:57PM

    by Anonymous Coward on Friday September 11 2020, @05:57PM (#1049585)

    This should be considered a violation of the DPPA, not the CFAA. The Driver's Privacy Protection Act prohibits this use of a driver's license database. A "terms of use" document is not a law, and not even a legal contract (unless signed), and should be considered to have no legal meaning.

  • (Score: 0, Informative) by Anonymous Coward on Friday September 11 2020, @06:14PM (1 child)

    by Anonymous Coward on Friday September 11 2020, @06:14PM (#1049594)

    It appears that every auto repair shop has access to owner information by license plate. Don't need to bribe a policeman here.

    • (Score: 0) by Anonymous Coward on Saturday September 12 2020, @05:24PM

      by Anonymous Coward on Saturday September 12 2020, @05:24PM (#1050020)

      I found this out when I got new brakes for my Honda. "What is your license plate?" - "RTFM" - "A Mercedes?" - I look on his screen and I see name, address and car type info for whoever owned RTFN.

  • (Score: -1, Troll) by Anonymous Coward on Friday September 11 2020, @07:51PM

    by Anonymous Coward on Friday September 11 2020, @07:51PM (#1049642)

    There are some women in a certain business in flyover country who will need to eat humble pie if SCOTUS rules the CFAA applies to licensing agreements. Of course it won't change their pseudo-feminist bigotry, just make it more apparent.

    According to them, having a magic vagina means that you can violate licensing agreements at will and reverse engineer software. If only we had menstrual programmers the CFAA and DMCA wouldn't apply! Though looking at Title IX (the language says one thing, but that is not how it is used), for all I fucking know having a magic vagina and being a wombyn programmer does actually make you immune to criminal charges and lawsuits when you violate a licensing agreement.

  • (Score: 4, Interesting) by Mojibake Tengu on Friday September 11 2020, @08:00PM (8 children)

    by Mojibake Tengu (8598) on Friday September 11 2020, @08:00PM (#1049646) Journal

    One fragment of distorted reality is calling intrusive hacking a security research.

    It is quite a similar situation to if killing people just to see if they are killable were renamed survivability research.

    Of course all of your cheesy computers are hackable. Of course anyone with valid authorization to use a machine can misuse it for some mischief, be it an excavator or computer.

    Better contemplate what could be done about it in the domain of engineering. Funny laws without technical merit are useless.

    From the technical point of view, any and all such laws are only reactive, they cannot prevent a shit happening.

    --
    Respect Authorities. Know your social status. Woke responsibly.
    • (Score: 1, Interesting) by Anonymous Coward on Friday September 11 2020, @08:52PM (7 children)

      by Anonymous Coward on Friday September 11 2020, @08:52PM (#1049663)

      When does this actually happen?

      Instead I remember the pen testers hired by a city or county government (can't be arsed to find it, but soylent covered it) that got thrown in jail for attempting to complete the work they were paid to do.

      Patriarchy (and right-wing feminism) loves to thump around dorks and geeks, with whom it associates gender non-conformance. What makes this case unique is that it's one of the uniformed, state-funded bullies who gets caught up in hacking hysteria. That's probably the only reason it got to SCOTUS. Pigs are supposed to do the thumping, not get thumped like some incel dork.

      • (Score: 1, Offtopic) by barbara hudson on Friday September 11 2020, @10:15PM (6 children)

        by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Friday September 11 2020, @10:15PM (#1049689) Journal

        They were hired to do penetration testing. That did NOT include taking a pry bar and hammer and committing a break and enter.

        --
        SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
        • (Score: 0) by Anonymous Coward on Saturday September 12 2020, @12:02AM (5 children)

          by Anonymous Coward on Saturday September 12 2020, @12:02AM (#1049738)

          > > Instead I remember the pen testers hired by a city or county government (can't be arsed to find it, but soylent covered it) that got thrown in jail for attempting to complete the work they were paid to do.
          >
          > They were hired to do penetration testing. That did NOT include taking a pry bar and hammer and committing a break and enter.

          They were hired to also test physical security. They didn't use a "prybar" and "break" anything; they did slip a thin piece of notched plastic through to unlatch the door. It was at least the fourth facility so tested on the contract; at three previous facilities one of the test findings was that the alarm system was properly hooked up to alert law enforcement to the alarm. They were hired by the state and the initial officers on the scene verified their credentials and let them go, but then the county sheriff arrested them because he was mad about the state stepping on his toes on his turf. Eventually the state came down on the county officials and all the charges were dropped.

          • (Score: 0) by Anonymous Coward on Saturday September 12 2020, @12:05AM (4 children)

            by Anonymous Coward on Saturday September 12 2020, @12:05AM (#1049740)

            crap! one of the test findings was that the alarm system was *NOT* properly hooked up to alert law enforcement to the alarm

            • (Score: 3, Insightful) by barbara hudson on Saturday September 12 2020, @01:06AM (3 children)

              by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Saturday September 12 2020, @01:06AM (#1049755) Journal

              And that could have been determined without breaking and entering and causing physical damage.

              --
              SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
              • (Score: 0) by Anonymous Coward on Saturday September 12 2020, @02:43AM (2 children)

                by Anonymous Coward on Saturday September 12 2020, @02:43AM (#1049791)

                They didn't cause damage. They did what they were hired to do.

                • (Score: 2) by barbara hudson on Saturday September 12 2020, @03:20AM (1 child)

                  by barbara hudson (6443) <barbara.Jane.hudson@icloud.com> on Saturday September 12 2020, @03:20AM (#1049805) Journal

                  Forcing the lock is causing damage. Lock, door, door frame. There are ways to get past a door lock without causing damage, but these dimbulbs thought they had found a "loophole" to meet the conditions without actually doing any real penetration testing on the systems. I would have charged them with grand larceny since it's obvious they had no intention to actually do the work that was expected - testing the computer systems. A door lock is not a computer system.

                  --
                  SoylentNews is social media. Says so right in the slogan. Soylentnews is people, not tech.
                  • (Score: 1) by fustakrakich on Saturday September 12 2020, @03:34AM

                    by fustakrakich (6150) on Saturday September 12 2020, @03:34AM (#1049811) Journal

                    Wow! You don't read at all! The lock wasn't "forced", he said it was unlatched, without causing any damage.

                    --
                    Politics and criminals are the same thing.
  • (Score: 2, Interesting) by Anonymous Coward on Friday September 11 2020, @09:01PM (2 children)

    by Anonymous Coward on Friday September 11 2020, @09:01PM (#1049665)

    Part of me is afraid this court will somehow manage to let the cop off, while also preventing security research.

    • (Score: 0) by Anonymous Coward on Saturday September 12 2020, @04:32PM

      by Anonymous Coward on Saturday September 12 2020, @04:32PM (#1049986)

      The Supreme Court prefers to issue no meaningful rulings at all if they can avoid it. The Supreme Court is always like this, but right now they're much worse than usual. On top of that, John Roberts has no discernable ideology or legal philosophy; his only goal appears to be to avoid taking a position on anything.

      They will inevitably rule that this guy either violated the law or didn't, but probably in such a way that no other court can construe any guidance from it, so that nothing will have been accomplished.

    • (Score: 0) by Anonymous Coward on Saturday September 12 2020, @04:37PM

      by Anonymous Coward on Saturday September 12 2020, @04:37PM (#1049989)

      no shit.

  • (Score: 4, Interesting) by takyon on Friday September 11 2020, @10:16PM

    by takyon (881) <takyonNO@SPAMsoylentnews.org> on Friday September 11 2020, @10:16PM (#1049690) Journal