Senator Leahy Tries To Sneak Through Plans To Make Merely Talking About Computer Hacking A Serious Crime

from the that's-not-good dept

You may have heard about the recent high-profile, malicious hack of Target's point of sale systems, giving the attackers access to the details of at least 40 million credit cards. Senator Patrick Leahy is, incredibly cynically, using this news event to try to sneak through a change to the "anti-hacking" law, the CFAA, which was used to prosecute Aaron Swartz and many others. And it's not a change to improve that law, but to broaden it, extending massively how the DOJ can charge just about anyone they want with serious computer crimes. This is monumentally bad, and Senator Leahy is trying to hide it behind a major news event because he knows he couldn't get this kind of DOJ wishlist through without hiding it.

Officially, this is Leahy reintroducing his Personal Data Privacy and Security Act -- a bill he's tried to introduce a number of times before. The crux of that bill makes some sense: requiring companies that have had a security breach to inform those who were impacted. State laws (most notably, California's) already include some similar requirements, but this is an attempt to create a federal law on that front. There are some reasonable concerns about such a law, but the general idea of better protecting the public from data breaches, by at least letting them know about it, is an idea worth considering.

The problem is that Leahy has inserted a couple of other dangerous bits and pieces into the bill, including a couple of "reforms" to the parts of the CFAA that have raised significant concerns, and burying them deep within this bill. Section 105 of the bill, for example, simply repeats the same change that the House Judiciary tried to include last year in an attempt at bad CFAA reform. It's basically part of the DOJ's wishlist, changing the CFAA to make you guilty of violating the law if you merely "conspire or attempt to commit" the offense, rather than if you actually do commit the offense. It may be difficult to understand if you just read the proposed bill (this is on purpose), but the bill says it wants to include the term "for the completed offense" so that the CFAA now reads:

> Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section.

Right now, the law does not include those four words. Why is that a big change? As we explained last year:

> All they did was add the "for the completed offense," to that sentence. That may seem like a minor change at first, but it would now mean that they can claim that anyone who talked about doing something ("conspires to commit") that violates the CFAA shall now be punished the same as if they had "completed" the offense. And, considering just how broad the CFAA is, think about how ridiculous that might become.

While the proposed bill does include a further change that notes that merely violating a terms of service agreement does not make you subject to the CFAA, it's not just the TOS issue that concerns so many people about the CFAA.

The CFAA needs to be greatly scaled back, not expanded, no matter what the DOJ wants. It's ridiculous that Senator Leahy is not only proposing this, but then trying to hide it in this bill about security breach reporting, tying it to a news event.



Filed Under: aaron swartz, cfaa, conspiracy, criminal, data breach, patrick leahy
Companies: target


Reader Comments



    Anonymous Coward, 9 Jan 2014 @ 1:19pm

    This is insane, this would make something as simple as reading the JavaScript on a page that has to do with login or auth or using a tool like Fiddler to look at your own web traffic potentially illegal actions. Not to mention completely killing white and grey hat security research completely. That's awesome, this is like taking all the guns away from law abiding folks, only the black hats will be able to research security holes and thus have the guns to exploit them.

      Anonymous Coward, 9 Jan 2014 @ 1:57pm

      Re:

      "Not to mention completely killing white and grey hat security research completely."

      That is likely his goal because in his tiny pea brain of a mind he likely thinks that if no one is looking for security holes then none will ever be found and exploited!

      Avantare, 9 Jan 2014 @ 3:05pm

      Re:

      I'm guilty then. I use GreaseMonkey. Therefore I'm guilty for violating this on my home PC. Of course then he would be guilty as well. "Hey, You have a trojan on your gov't issued laptop!" Oops, forgot. You work for the gubbermint. You're innocent.

      Chilly8, 10 Jan 2014 @ 2:42am

      Re:

      This could also cause problems when TPP is implemented, as it would be impossible to comply with any SOPA-type law without violating the CFAA.

      When TPP comes in, I could see tech companies going to countries where they can comply with the new copyright laws, without risk of being prosecuted for hacking.

      A web site, in, say, Mexico, could not be prosecuted for CFAA violations in the U.S.

      Bergman (profile), 10 Jan 2014 @ 3:56am

      Re:

      If simply discussing hacking is the same as actually doing it, then the DOJ would be unable to hold briefings or meetings internally to discuss hacking countermeasures without running afoul of the law...not that they'd ever hold themselves to the standards they apply to everyone else.

    Anonymous Coward, 9 Jan 2014 @ 1:26pm

    What a monumentally stupid idea introduced by a monumentally stupid Luddite.

    So if Joe User is clicking around on his banking website one day and discovers - inadvertently or otherwise - a security hole big enough to drive a truck through, just pointing that security hole out to the bank will be a criminal offense on par with actually exploiting it. I mean, obviously that's already happening in many cases, but to have such insanity codified into law means that there is no incentive whatsoever to inform the bank of the flaw.

      jackn, 9 Jan 2014 @ 1:32pm

      Re:

      How did you come to this conclusion?

        Anonymous Coward, 9 Jan 2014 @ 1:48pm

        Re: Re:

        By telling the bank "I could easily steal millions of dollars from you, so could anyone else. You've got this big security flaw on your website that anyone can exploit, please fix it before someone victimizes you. [insert description of flaw]"

        You've spoken about breaking into a website and stealing money from it. That's now a crime.

        (I'm not the same AC that posted the thing you're responding to BTW)

          jackn, 9 Jan 2014 @ 1:56pm

          Re: Re: Re:

          No, the bill above doesn't say 'Talking about it,' that's Mike's interpretation.

          Try again...

            Anonymous Coward, 9 Jan 2014 @ 2:02pm

            Re: Re: Re: Re:

            "Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section. "


            If one is looking for security vulnerabilities, that is attempting.
            If I find one by accident and report it that could easily be twisted into a conspiracy. "Your Honor this man wanted to embarrass the bank so he conspired to find security issues"

            Anonymous Coward, 9 Jan 2014 @ 2:03pm

            Re: Re: Re: Re:

            Look up how broadly the term 'conspires' is used in legal prosecution and you will find that merely talking about something illegal may be construed as 'conspiring'.

              jackn, 9 Jan 2014 @ 2:09pm

              Re: Re: Re: Re: Re:

              Oh, I know it - it can be a grey area. But the bill does not say TALKING, and I don't think it intends to. To me, conspire is talking with the intent to perform (or planning).

              I like sensational headlines, but not when they are untrue.
              I just hope Mike avoids a yellow journalism approach here; that would cheapen the site and lower the effectiveness.

                JMT (profile), 9 Jan 2014 @ 2:51pm

                Re: Re: Re: Re: Re: Re:

                Security researchers do not operate in their own little bubble. If you find an exploitable weakness and discuss it with other researchers or knowledgeable people, and then later on do something to attract the DoJ's attention, their history would indicate your discussions could quite easily be turned into 'conspiring' in order to threaten you with serious charges.

                Remember, we're not talking about common-sense interpretations here, but about how the laws can be and have been twisted by the DoJ for their own purposes, like making heavy-handed threats as part of a plea bargain.

                Catskul, 9 Jan 2014 @ 8:26pm

                Sensational Headlines

                This headline just knocked Tech Dirt down a few pegs in my opinion. It's ridiculously misleading. Whoever wrote this should be ashamed, and Tech Dirt Editors should retract the headline.

            Anonymous Coward, 9 Jan 2014 @ 2:05pm

            Re: Re: Re: Re:

            "The bill also includes the Obama administration's proposal to update the Computer Fraud and Abuse Act, so that attempted computer hacking and conspiracy to commit computer hacking offenses are subject to the same criminal penalties, as the underlying offenses."
            -- Quote from the letter

            What that means is that informing them of the flaw could very well mean that the bank could accuse you of hacking. I.E. GeoHot was accused of hacking his Playstation 3, that he even bloody well owned, by Sony under CFAA.

            Pragmatic, 10 Jan 2014 @ 5:16am

            Re: Re: Re: Re:

            http://www.wired.com/opinion/2013/07/dont-hate-the-crime-hate-the-person-how-weevs-appeal-affects-all-of-us/

            Read it and weep, jackn. Weep for all of us. Seriously, this is a bad law NOW.

            We are all Weev.

          OhBrian, 10 Jan 2014 @ 11:02am

          Re: Re: Re:

          No. Telling the bank you could steal is not a crime.

          The whole point of Leahy's proposal is that crimes committed over the Internet are often carried out by organized groups of individuals. Each individual is contributing to the crime. When caught, some individuals are able to make the case that even though their actions contributed to or facilitated the crime, they did not commit the charged top act.

          For example someone could claim "I broke a window." Another person climbed through that window and robbed the premises. Both parties contributed to the crime.

        Anonymous Coward, 9 Jan 2014 @ 2:11pm

        Re: Re:

        As others have said, the legal definition of "conspiring" is broad enough to encompass simply talking about an act, despite your apparent belief to the contrary. In addition, the fact that people are already being prosecuted for this very thing* makes me think that specifically beefing up that part of the Act is intending exactly this.

        *If you don't know what cases I'm talking about here you're not informed enough to even argue the point.

          jackn, 9 Jan 2014 @ 2:29pm

          Re: Re: Re:

          You present a nice logical fallacy

            Brandon Rinebold (profile), 9 Jan 2014 @ 6:32pm

            Re: Re: Re: Re:

            I think you're misunderstanding what he's saying.

            You don't need to agree with the conclusion he draws but if you don't even know the cases generally used as relevant legal precedent in these situations then you're not informed enough to argue legal matters.

    AC Unknown (profile), 9 Jan 2014 @ 1:29pm

    This is an incredibly stupid move on behalf of Sen. Leahy. I can foresee a lot more security holes going unpatched if this law passes.

    jackn, 9 Jan 2014 @ 1:31pm

    "Conspire or attempt to commit...." is not the same as 'Merely talking' about something

    Let's not become businessidiots.com here

      Anonymous Coward, 9 Jan 2014 @ 3:39pm

      Re:

      But do you have the funds to fight it if someone decides to use the law in that manner?

      The laws in the US have 2 faces now. One that is easy for the average person to see and understand, and another distorted face that serves a purpose that the people who wrote the law really wanted in their toolbelt.

        Anonymous Hero, 9 Jan 2014 @ 4:06pm

        Re: Re:

        > The laws in the US have 2 faces now. One that is easy for the average person to see and understand, and another distorted face that serves a purpose that the people who wrote the law really wanted in their toolbelt.

        Yes

    btr1701 (profile), 9 Jan 2014 @ 1:32pm

    Not really

    > but it would now mean that they can claim that anyone who talked about doing something ("conspires to commit") that violates the CFAA shall now be punished the same as if they had "completed" the offense

    That's a bit misleading. Merely talking about something isn't the same as conspiring to do it. First of all, a conspiracy requires two or more people, so someone merely writing a blog post about computer hacking, for example, wouldn't qualify. Second, conspiracy requires an "overt act in furtherance of the conspiracy" in order for it to be complete and prosecutable, so not only do you have to plan to commit the crime with other people, you also have to take an affirmative step toward implementing that plan. It's not merely "talking about it" as the article states.

      Patrick, 9 Jan 2014 @ 1:46pm

      Re: Not really

      After satisfying the first condition I would not be surprised if finding some dual use tools like nmap was sufficient to establish the overt act. That in conjunction with a clueless judge and DOJ FUD, it would probably do the trick.
      It's already happened with encryption software
      http://news.cnet.com/Minnesota-court-takes-dim-view-of-encryption/2100-1030_3-5718978.html

      John Fenderson (profile), 9 Jan 2014 @ 1:46pm

      Re: Not really

      > First of all, a conspiracy requires two or more people, so someone merely writing a blog post about computer hacking, for example, wouldn't qualify

      Are you sure? A blog post involves two people as soon as someone reads it. Commenting provides interaction, if that's a requirement.

      > conspiracy requires an "overt act in furtherance of the conspiracy" in order for it to be complete

      Yes, but that's an incredibly low bar that is easily satisfied in most completely innocent circumstances. In the bank robbery planning incident I described in another comment here, that condition was satisfied by the fact that the "conspirators" had obtained the building plans for the bank.

      If, as often happens in my workplace (a software security company), two developers are discussing how a particular exploit works then example code will certainly be exchanged, and probably written. That would probably satisfy the requirement as well.

        jackn2, 9 Jan 2014 @ 2:03pm

        Re: Re: Not really

        Even without a blog, conspiring does not require two people.
        One can conspire all on their own.

          btr1701 (profile), 9 Jan 2014 @ 2:20pm

          Re: Re: Re: Not really

          > even without a blog, conspiring does
          > not require two people. One can conspire
          > all on their own.

          Not legally one can't. The statute actually reads, "two or more people". A single person can't conspire with himself. Hell, the word 'conspire' itself means

          (1) to agree together, especially secretly, to do something wrong or illegal

          (2) to act or work together toward the same result or goal

        btr1701 (profile), 9 Jan 2014 @ 2:11pm

        Re: Re: Not really

        > Are you sure? A blog post involves two people
        > as soon as someone reads it.

        Yes, all parties to a conspiracy have to know of each other and agree and intend to commit a criminal act. Reading what someone else wrote doesn't make you a co-conspirator.

          JMT (profile), 9 Jan 2014 @ 2:58pm

          Re: Re: Re: Not really

          You don't necessarily need to be found guilty of such an act of conspiracy, you merely have to be threatened by these serious charges in order to make you take a plea deal. Techdirt and others have covered this tactic quite extensively. A law like this would give the DoJ the ability to make even scarier threats, and increase the chances of innocent people pleading guilty to a lesser offence to avoid the possibility, however unlikely, of being found guilty of a much more serious crime.

        Anonymous Coward, 10 Jan 2014 @ 2:44am

        Re: Re: Not really

        If they start prosecuting blogs for this, I could see bloggers leaving the country. A blogger, for example, in Mexico, is not subject to U.S. laws.

        OhBrian, 10 Jan 2014 @ 10:48am

        Re: Re: Not really

        When you said:

        "If, as often happens in my workplace (a software security company), two developers are discussing how a particular exploit works then example code will certainly be exchanged, and probably written. That would probably satisfy the requirement as well."

        No. It does not satisfy that requirement. People discussing something in the workplace related to their legal employment would not qualify as conspirators to an illegal activity.

      Anonymous Coward, 9 Jan 2014 @ 2:47pm

      Re: Not really

      I don't know if it changes the definition of the crime. The problem is that the punishment for the more active forms of intent is now exactly the same as actually hacking. It is a sad society to live in if punishment for conspiracy to commit murder is the same as a first degree murder...

      About the overt act, it seems that it can be ignored as a requirement in some cases like drug enforcement.

      From the SCOTUS judgement in US vs Shabani:
      The Court ruled: "...Congress intended to adopt the common law definition of conspiracy, which does not make the doing of any act other than the act of conspiring a condition of liability..."

        btr1701 (profile), 9 Jan 2014 @ 3:07pm

        Re: Re: Not really

        > The Court ruled: "...Congress intended to
        > adopt the common law definition of conspiracy,
        > which does not make the doing of any act other
        > than the act of conspiring a condition of
        > liability..."

        That is asinine and flies in the face of reality. The federal conspiracy statute (18 USC 371) reads:

        If two or more persons conspire either to commit any offense against the United States, or to defraud the United States, or any agency thereof in any manner or for any purpose, and one or more of such persons do any act to effect the object of the conspiracy, each shall be fined under this title or imprisoned not more than five years, or both.

        Since the statute ACTUALLY SAYS that an overt act is required, it beggars the imagination how the Court can claim that Congress didn't intend to include that in the law.

        This is just another example of the Court making shit up based on its own agenda and claiming words don't mean what they say, or mean the opposite of what they say, or whatever it takes to justify the result the Court wants, rather than what the law requires.

          jraymond (profile), 10 Jan 2014 @ 8:54am

          Re: Re: Re: Not really

          This is one definition from one section of one law. "Conspiracy" does not have a monolithic definition. And as far as the overt act goes, simply buying a notebook at a dollar store to keep track of the plan is an act toward effecting the object of the conspiracy, so neither adds nor subtracts substantially from the original view.

            btr1701 (profile), 10 Jan 2014 @ 11:28am

            Re: Re: Re: Re: Not really

            > This is one definition from one section of
            > one law. "Conspiracy" does not have a
            > monolithic definition.

            Actually, it does. In the definitional section of all new laws involving conspiracy, they refer back to 18 USC 371.

      Anonymous Coward, 9 Jan 2014 @ 9:37pm

      Re: Not really

      It's all fun and games until you get sixty years for visiting http://www.hackthissite.org/ and putting your Hello World hacking skills to use.

      Anonymous Coward, 10 Jan 2014 @ 2:16am

      Re: Not really

      I am afraid they have the legal precedent for merely making talking about something without doing it illegal. When Hal Turner was prosecuted for "threatening" federal judges, it should be noted that he did not say he was going to kill those judges, nor did he tell anyone to. He just merely offered an opinion.

      Under this CFAA change, saying that someone deserves to have their computer hacked, without actually doing it, or telling someone to do it, would also be a criminal offence.

    John Fenderson (profile), 9 Jan 2014 @ 1:32pm

    All "conspiracy to commit" laws are questionable

    All such laws are highly questionable, and I strongly oppose any effort to add to them.

    For a real-world example from a number of years ago, it's a felony to get together with a few friends and plan a bank robbery -- even if we have no intention whatsoever of actually committing the robbery. The people who did this not only didn't commit a robbery, they very clearly engaged in the planning purely as an intellectual exercise.

    This seems to be blatantly unconstitutional on free speech grounds alone.

    I could (grudgingly) get behind "conspiracy to commit" charges as add-ons to a real crime that was actually committed, much like the hate speech laws, but that's as far as it should go.

    ECA (profile), 9 Jan 2014 @ 1:33pm

    what IS NOT SAID.

    For a few reasons, Target does not say HOW (wireless, networked, Internet, ???) that their system was taken advantage of..
    THIS is important, and could tell us if Target was an IDIOT..

    If they had a Fairly protected system, it would mean this is an INSIDE job.
    IF they were like Home Depot (wireless system)(STUPID) then they needed better protection than they HAD.
    If they allowed DIRECT access from an internet connection, then they are even more stupid.

    Encryption is OK, but giving anyone direct access to the file ITSELF? means only a few people should have access.

    For those that don't get it.. Let's say you REALLY want to protect a file.
    1) you can make it NOT listed in the files (invisible)
    2) you have to know the NAME of the file.. as you can't see it.
    3) password the file, NOT TOO HARD and it can be built into the EDITING program that WORKS with the file.
    4) separate files.. name file, Data files can be 2-3-4-5 parts, and you get 1, you don't get the others.

      Anonymous Coward, 9 Jan 2014 @ 2:01pm

      Re: what IS NOT SAID.

      > you can make it NOT listed in the files(invisible)

      Because finding invisible/hidden files is such a hard thing to do?

      Hiding files is a trick to keep ignorant people from seeing stuff... but it won't even speed bump anyone good enough to hack a system.

      Anonymous Coward, 9 Jan 2014 @ 2:13pm

      Re: what IS NOT SAID.

      "(wireless system)(STUPID)"

      What makes wireless stupid?
      Data is transmitted from point A to point B.
      It is the job of point A and point B to:
      1. Validate they are communicating with the real endpoint
      2. Encrypt their communications to prevent eavesdropping

      If the communicating parties are doing those two things then it does not matter if you are using wired, wireless, snail mail, smoke signals or whatever.

      Fail at either of those things and you are vulnerable on a wired or wireless network.

        John Fenderson (profile), 10 Jan 2014 @ 8:53am

        Re: Re: what IS NOT SAID.

        Wireless in general is not stupid, however it presents security problems that are not solved if you just use off-the-shelf consumer equipment without adding additional precautions (such as a VPN).

        Wireless broadcasts all of your communications over radio, where it is easily listened to by anybody within range. Also, it's like placing a network port on the outside of your house -- anyone can plug into it.

        The built-in, standard security measures (WPA) are insufficient against anybody of more skill than a script kiddie (and, these days not even against them).

        It's not stupid to use such equipment. It is naive and dangerous to use such equipment while believing that it is secure, unless you've taken additional steps to harden everything.

      Anonymous Coward, 9 Jan 2014 @ 2:25pm

      Re: what IS NOT SAID.

      "1) you can make it NOT listed in the files(invisible)
      2) you have to know the NAME of the file.. as you cant see it."

      You need smacked with a clue stick.

      Hidden files are simply not shown by default, it is trivial to actually get a listing of 'hidden' files on any operating system.

      http://windows.microsoft.com/en-us/windows/show-hidden-files#show-hidden-files=windows-vista
      https://discussions.apple.com/thread/5483892?tstart=0
      http://en.wikipedia.org/wiki/Hidden_file_and_hidden_directory

        Arrest that AC!, 13 Jan 2014 @ 9:01pm

        Re: Re: what IS NOT SAID.

        By discussing how to find a 'hidden file' you have knowingly conspired to hack the super secret security system. Also having circumvented this 'hidden file' security device you have violated the DMCA.

        Off to the MPAA re-education camp for you!

      jraymond (profile), 10 Jan 2014 @ 9:03am

      Re: what IS NOT SAID.

      Only a few people should have access to the file? What use would the file have if no one could use it for sales, the reason it exists in the first place? EVERYONE needs access to the file by some method. When you lock people out too tightly, you also lock yourself in.

      And as far as wired/wireless, it makes no difference whatever. It's surprising that you actually think that it would. But then your suggested methods of supposedly hiding files are all well-known, sophomoric, and as easy to get around as turnstiles to jump over. You really need better security than something a 4th-grader could come up with.

    jackn, 9 Jan 2014 @ 1:37pm

    I think this is a little bit beyond u.

    It wasn't said because it has nothing to do with anything.

      ECA (profile), 9 Jan 2014 @ 1:50pm

      Re:

      It KINDA DOES..
      If you leave your door open, and a thief walks in and steals things.. IS HE breaking and entering?
      He may have entered, but you left it open.. IS it hacking if they DON'T protect themselves??

      AS WELL AS THE WORD hacking isn't used properly.. DID they hack anything? If it was an ADMIN, it wasn't a HACK.

        jackn, 9 Jan 2014 @ 2:00pm

        Re: Re:

        No, sorry, nothing you have written has anything to do with security, hacking, computers, IT, and reality.

        I can tell you are uninformed because of this sentence

        > password the file, NOT TO HARD and it can be built into the EDITING program that WORKS with the file

        and others...

          Chronno S. Trigger (profile), 9 Jan 2014 @ 4:03pm

          Re: Re: Re:

          Jackn, you have no clue what you're talking about. Reading this comment and the ones before makes it quite clear that you don't know anything about security or computers.

          You can password protect individual files and have the editing software support the encryption. Adobe Acrobat does that, Microsoft Office does that, good database software can do that. Hell, Windows (pro and up) itself supports that.

          link to this | view in chronology ]

          • identicon
            jackn, 9 Jan 2014 @ 4:11pm

            Re: Re: Re: Re:

            Hello Mister user,

            The fact that you are mentioning acrobat, office, windows pro is f&8^%^4 stupid.

            Don't even bother me with your home software achievements.

            the end

            link to this | view in chronology ]

            • icon
              ECA (profile), 9 Jan 2014 @ 10:44pm

              Re: Re: Re: Re: Re:

              Dear Jack..
              Giving wireless access or internet Access to ROOT, BASe commands is a REAL sec. threat.
              Giving Full control for any remote access should be forbidden..
              How stupid do these people seem.

              Any commercial business wishes to see Every transaction and Action done in the store. It's the only way to protect themselves, and see WHO DID WHAT..and WHOM to blame.
              If they did, even BASIC, security and tricks, the ONLY way to have full access to this file, is to KNOW the name of it and have the password to open it.
              That's why information is important..HOW did they get the files.
              IF they had basic sec. then it had to be someone with access.

              ALSO, there are many ways to hide files. 1 uses control characters in the name, which will list the DIR, but the name is blank. it erases itself, and unless you have a HEX dump of the DIR you will NEVER see the name.
              The OLD ways still work..How do you think we hacked in the OLD days..HEX editors RULE..

              link to this | view in chronology ]

              • identicon
                jackn, 10 Jan 2014 @ 7:47am

                Re: Re: Re: Re: Re: Re:

                What if the hacker just used dir /ah or ls -a.

                Wait a minute, I'm getting it. We could use a hex editor, masm or debug to disable those parameters.

                They should probably also use a SECURE font! You could use a hEX EDitor to change the font and make it unreadable.

                link to this | view in chronology ]

              • icon
                John Fenderson (profile), 10 Jan 2014 @ 8:58am

                Re: Re: Re: Re: Re: Re:

                > unless you have a HEX dump of the DIR you will NEVER see the name.

                Or unless you boot the system from a Linux boot disk or USB stick, in which case you'll see everything without having to resort to hex dumps.

                link to this | view in chronology ]

                • icon
                  BeeAitch (profile), 10 Jan 2014 @ 5:59pm

                  Re: Re: Re: Re: Re: Re: Re:

                  But if the BIOS is password protected and first boot is hard drive...

                  link to this | view in chronology ]

                  • icon
                    BeeAitch (profile), 10 Jan 2014 @ 6:05pm

                    Re: Re: Re: Re: Re: Re: Re: Re:

                    hint: I know the answers.

                    1) [REDACTED]

                    2) Legally force the owner to provide password(s). (My favorite definition of 'brute force'.)

                    link to this | view in chronology ]

          • icon
            John Fenderson (profile), 10 Jan 2014 @ 8:56am

            Re: Re: Re: Re:

            I possess programs that will crack the password locks on zip files, PDF files, Office files, and more in less than a second. Relying on those mechanisms to protect your data is as useful as locking your screen door.

            link to this | view in chronology ]

            • identicon
              jackn, 10 Jan 2014 @ 9:27am

              Re: Re: Re: Re: Re:

              I wonder how target stored their detailed transaction data. Probably PDF or excel. I think that could handle 70 million records. Indexing is probably really slow though. Maybe they store their trans data in a zipped pdf. No wonder it takes so long for a credit card purchase to go through!

              You guys are eye openers. Here I am in my CISSP world making things really difficult when all we need is a hex editor. I wonder if the PCI specs recognize these methods as appropriate?

              link to this | view in chronology ]

              • icon
                jraymond (profile), 10 Jan 2014 @ 9:47am

                Re: Re: Re: Re: Re: Re:

                PDF? Excel? Are you kidding me? I think I'm getting dizzy. And the DMV, too? And do you think that retrieving that data requires a search or something and that is why you mention the time?

                There is a thing called a "database". It is often huge. Like the Windows registry. Access is immediate and direct to each piece of data - no search, no following some path to get to it, no change in access time regardless of size. Databases have been around quite a long time.

                link to this | view in chronology ]

                • identicon
                  jackn, 10 Jan 2014 @ 10:46am

                  Re: Re: Re: Re: Re: Re: Re:

                  Wow, no search. How does that work? How does it know what I'm looking for? I should check into these 'databases' like the windows registry. I didn't know the registry could hold 70 million records.

                  One question, for 'databases,' do I still need to put a control character in the filename? What about hiding the file, is this still required?

                  Thanks again for the 411

                  link to this | view in chronology ]

                  • identicon
                    Anonymous Coward, 10 Jan 2014 @ 11:26am

                    Re: Re: Re: Re: Re: Re: Re: Re:

                    Ok, jack, We can see you know more about this than some random window's guys on the internet.

                    It was funny, but it's getting old.

                    link to this | view in chronology ]

              • icon
                John Fenderson (profile), 10 Jan 2014 @ 1:06pm

                Re: Re: Re: Re: Re: Re:

                Target, like anybody else that has a huge database they need to access quickly, stores their data in a DBMS, such as Access, MySQL, etc. Anything else wouldn't be searchable in a useful way, would take forever to do transactions on, and couldn't be used by thousands of users simultaneously.

                link to this | view in chronology ]

                • identicon
                  jackn, 10 Jan 2014 @ 1:32pm

                  Re: Re: Re: Re: Re: Re: Re:

                  A winner.

                  But it's probably DB2, MSSQL, or Oracle. Probably also involves some sort of queue like mq or the like.

                  All of those could have millions of records and the correct indexes would make them plenty fast. I've worked with 14 million in db2.

                  so
                  Not applicable to Target CC breach

                  Password protect the file
                  Hide the file
                  Office, Adobe, Access, windows pro
                  Windows registry
                  ZIP Files
                  Zip Password crackers
                  Hex editors

                  Applicable to the Target breach

                  Industrial Database
                  Authentication
                  Authorization
                  Encryption
                  Transport
                  Business Logic
                  Presentation Layer

                  link to this | view in chronology ]

  • icon
    Watchit (profile), 9 Jan 2014 @ 1:37pm

    "I'm going to hack Walmart!"

    Does that mean I actually hacked Walmart? Cool.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jan 2014 @ 1:44pm

    These guys know nothing about computers. As an IT person I think I will write some laws that govern Congress.

    Seems legit

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jan 2014 @ 2:07pm

    Hacking?

    If I hack my mother-in-law to bits would I be charged under CFAA? Certainly the sentence would be greater than murder.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jan 2014 @ 2:08pm

    If Leahy can preemptively jail citizens can we as citizens preemptively impeach him?

    link to this | view in chronology ]

    • icon
      btr1701 (profile), 9 Jan 2014 @ 3:09pm

      Re:

      > If Leahy can preemptively jail citizens
      > can we as citizens preemptively impeach him?

      No. Members of Congress cannot be impeached, preemptively or otherwise.

      link to this | view in chronology ]

      • icon
        jraymond (profile), 10 Jan 2014 @ 9:55am

        Re: Re:

        Anyone can be impeached, including members of congress. The hard part is showing that he is guilty and needs a possible sentence. Impeaching is easy.

        link to this | view in chronology ]

        • icon
          btr1701 (profile), 10 Jan 2014 @ 11:30am

          Re: Re: Re:

          > Anyone can be impeached, including members
          > of congress.

          No, the Constitution only allows for impeachment of Executive and Judicial Branch officials. Members of Congress cannot be impeached.

          link to this | view in chronology ]

    • identicon
      Anonymous Coward, 11 Jan 2014 @ 5:52am

      Re:

      There is nothing that prevents The People from voting for someone else.

      link to this | view in chronology ]

  • identicon
    Jerrymiah, 9 Jan 2014 @ 2:27pm

    > It's basically part of the DOJ's wishlist, changing the CFAA to make you guilty of violating the law if you merely "conspire or attempt to commit" the offense, rather than if you actually do commit the offense.

    It's about time to change the name of the DOJ to DOI. Since Eric the Nazi took over as AG, the DOJ has been acting more like the Department of Injustice than the former.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jan 2014 @ 2:27pm

    "Whoever conspires to commit an offense shall be punished as provided for the completed offense"
    Consider committing a crime, be punished as if you'd actually done the crime.
    Just when you didn't think America could get any more dystopian, the Senate is now voting on whether to start having people arrested for thoughtcrime.

    link to this | view in chronology ]

  • icon
    btr1701 (profile), 9 Jan 2014 @ 3:14pm

    Conspiracy

    > Consider committing a crime, be punished
    > as if you'd actually done the crime. Just
    > when you didn't think America could get any
    > more dystopian, the Senate is now voting
    > on whether to start having people arrested
    > for thoughtcrime.

    So many people in this thread are acting like this is something new. The conspiracy offense has been a part of federal law for a century or more. Just because it's now being applied to computer/tech offenses doesn't make it some novel attempt to create a dystopian nightmare.

    link to this | view in chronology ]

    • identicon
      Automatic Grammatizator, 9 Jan 2014 @ 5:19pm

      Re: Conspiracy

      There's some truth to this. It's like in Men In Black, where Agent J was shocked to learn that a spaceship was getting ready to destroy Earth, and Agent K told him that there's ALWAYS something out there preparing to destroy Earth.

      But that doesn't mean you shouldn't get angry and mobilize when you happen to hear about these things, or even stop talking about what could happen if you don't remind the government who's actually supposed to be running this country.

      link to this | view in chronology ]

    • icon
      jraymond (profile), 10 Jan 2014 @ 8:36am

      Re: Conspiracy

      Agreed. It is an effort to have the tools to actually prevent the breaches before they happen instead of just trying to clean up the mess afterward. "Conspiracy" is something always difficult to prove and involves a lot more than just "talking about" the security in question.

      link to this | view in chronology ]

    • icon
      John Fenderson (profile), 10 Jan 2014 @ 9:01am

      Re: Conspiracy

      > Just because it's now being applied to computer/tech offenses doesn't make it some novel attempt to create a dystopian nightmare.

      You're right, conspiracy laws are nothing new. However, the CFAA is already a dystopian nightmare. I think the reaction is that adding the ability to bring conspiracy charges on top of it will just make everything that much worse.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jan 2014 @ 3:41pm

    You know what I find insanely stupid in all this? There is no requirement that if the federal government gets hacked they have to tell anyone anything. Nor if you look does it include the federal government in this bill. This bill is about states.

    Given the reports about ACA (Obamacare) having never been built with security in mind, this becomes seriously important. In order to sell ACA this particular topic has been sidelined into silence. And what about the NSA gathering up all this data and then turning it over to other agencies with the admonishment they can't be used as the source? Given their tools, that is hacking; dishing out malware at targeted computers/individuals.

    Senator Leahy once again shows his real colors in all this. It's about covering the government's ass not about security. When you can't find another charge, claim conspiracy to hack as a catch all dealing with computers. This makes me very uneasy. I use element Q to get rid of annoying javascript and other undesirable items on web pages I view. It does nothing to the original site, as all changes are temporary and on my computer only. Removing blocks to view the public site until you activate javascript doesn't float. Yet it is likely under prosecutor expansion it could one day be illegal with this vague law.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jan 2014 @ 4:34pm

    Sen. Leahy is also the one introducing the USA FREEDOM Act, in order to scale back unconstitutional spying. Yet, he introduces dangerous changes to the CFAA that allows people to be charged with a crime they have yet to commit.

    This just goes to show you can never trust a politician, because the vast majority of them are two-faced deceivers. The most "transparent" administration ever, the Obama administration, is proof of how two-faced politicians are.

    Never trust them, or you'll wake up with a dagger in your back.

    link to this | view in chronology ]

    • identicon
      Just Sayin', 9 Jan 2014 @ 6:36pm

      Re:

      "Yet, he introduces dangerous changes to the CFAA that allows people to be charged with a crime they have yet to commit."

      Actually, conspiracy to commit a crime is often a crime in and of itself. It's why you can arrest someone for hiring a hitman before the target gets killed, because it's a conspiracy to commit murder (I know, a big example, but there ya go).

      Conspiring with others to hack into a network to obtain material illegally should be a crime. It wouldn't harm white hat hackers trying to show a problem, but it would sure screw up black hatters planning their next break in.

      link to this | view in chronology ]

      • icon
        Watchit (profile), 10 Jan 2014 @ 3:44pm

        Re: Re:

        The conspiracy to hack already was a crime, but that's not the problem. The problem is that with the 4 words added to the law, the conspiracy to hack would be treated the same as if you had actually committed the crime.

        link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jan 2014 @ 6:35pm

    Leahy is a fake. Always been.

    This simply proves, he doesn't even look at papers shoved down his throat.

    link to this | view in chronology ]

  • icon
    dfed (profile), 9 Jan 2014 @ 8:18pm

    All I read was "Old man yells at cloud" and see a picture in my mind of Grandpa Simpson talking about how in his day he was hacked by three different nonconsecutive presidents.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 9 Jan 2014 @ 11:35pm

    Mike, you seem to be misunderstanding what the bill says, or what current law says. Or both. Those words don't change what acts are criminal at all. They don't make things into crimes that aren't criminal as the law now stands. They just change the maximum possible punishment, from 5 years (the punishment for conspiracy) to 5 or 10 or 15 years or more under the CFAA. I'm sure you think that's a bad idea too, but it is a completely different bad idea from the one your post seems to have invented based on some misreading of the statute.

    link to this | view in chronology ]

  • identicon
    Chilly8, 10 Jan 2014 @ 2:28am

    The way I see this, this could put ISPs in a damned-if-you-do, damned-if-you-don't situation once TPP is implemented. They could be in violation of the CFAA if they do monitor users for copyright violations, and in violation of copyright laws if they don't.

    Between this and TPP, it could force nearly every internet company out of business, if you cannot obey the laws that will result from TPP, without violating the CFAA.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Jan 2014 @ 2:47am

    The way this law is written, half the student body where I went to community college in the late 1980s would have been felons, if this had been law then, because of a few things we did to circumvent disk quotas.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Jan 2014 @ 3:17am

    Courtroom Hilarity

    So wouldn't that mean that under that utterly idiotic law it is ironically nearly impossible to convict someone for hacking? I mean in order to prosecute you they'd need to talk about computer hacking. Therefore you can attempt to have the prosecutor prosecuted for violating the law when he attempts to prosecute you.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Jan 2014 @ 3:23am

    With this expansion of the CFAA, I would suggest buying stock in the makers of programs like Evidence Eliminator or KillDisk, as these programs will start selling like hotcakes if it goes through.

    If they cannot get any evidence off your hard disk, they will have no case against you.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Jan 2014 @ 6:00am

    "conspire or attempt to commit"
    So would the NSA be found guilty ..hacks up a lugie

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 10 Jan 2014 @ 6:11am

    "Senator Leahy Tries To Sneak Through Plans To Make Merely Talking About Computer Hacking A Serious Crime"

    But, then, wouldn't that, like, seriously cripple government's "cyber security" departments, or is this just, like, another law for the "peasants" only.......again

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 10 Jan 2014 @ 6:14am

      Re:

      Hell, would this law not implicate spy agency methods as illegal, or is this, like, another, "do as i say, not as i do" kinda, situation........again

      link to this | view in chronology ]

  • identicon
    Anonymous Cow, 10 Jan 2014 @ 7:23am

    Leahy also voted for the Patriot Act. That sorry sack of sh^t needs to be voted out.

    link to this | view in chronology ]

    • icon
      jraymond (profile), 10 Jan 2014 @ 8:31am

      Re:

      Who didn't vote for the Patriot Act? If you remember the time well, you would most likely have accused him of treason if he had not voted for it at the time. Everyone was gung-ho, and even then I had the feeling that it was too much, too fast.

      link to this | view in chronology ]

      • icon
        John Fenderson (profile), 10 Jan 2014 @ 2:57pm

        Re: Re:

        No, not everyone was gung-ho at the time. The Patriot Act was incredibly unpopular in my circles. Not everyone lost their minds.

        I thought that every single person who voted for it then (and the renewals since then) shouldn't be trusted to be in government due to either extremely poor judgement or too much of a totalitarian bent.

        link to this | view in chronology ]

  • icon
    jraymond (profile), 10 Jan 2014 @ 8:25am

    Conspiracy means.....

    Though I am totally against anything that would tend to restrict our freedoms in any way more than they have already been post-9/11, I have to question the interpretation of this law. Leahy has always been a strong advocate of personal rights and his insidious planning as limned here is something that would be completely out of character, if it were true. But the word "conspiracy" makes it all quite different from the knee-jerk interpretation. Talking about or discussing something is not conspiracy. Even discussing ways of circumventing security without the intention of actually doing it is not conspiracy, either. Conspiracy has always been a difficult thing to prove in court, as it should be, and I have no doubt, will continue to be.

    link to this | view in chronology ]

    • icon
      John Fenderson (profile), 10 Jan 2014 @ 3:00pm

      Re: Conspiracy means.....

      The problem is the nexus with the CFAA, which is infamous for being interpreted way beyond reason to imprison people who, at worst, engaged in misdemeanor offenses. Bringing conspiracy into that mix is a pretty clear indicator that "conspiracy" will be used in an overly-broad fashion as well.

      link to this | view in chronology ]

  • identicon
    Chilly8, 11 Jan 2014 @ 4:54am

    One other thing that I think could become a criminal offence is bypassing the anti-tethering features on your cell phone.

    It is possible, on many phones, to circumvent that by logging in to a VPN. I know when I moved, and did not have normal Internet for a while, I had to do this to get the Internet.

    Bypassing anti-tethering features on your cell phone, by using a VPN, could be construed as attempted hacking, the way I see it.

    link to this | view in chronology ]
