Senator Leahy Tries To Sneak Through Plans To Make Merely Talking About Computer Hacking A Serious Crime
from the that's-not-good dept
You may have heard about the recent high-profile, malicious hack of Target's point of sale systems, giving the attackers access to the details of at least 40 million credit cards. Senator Patrick Leahy is, incredibly cynically, using this news event to try to sneak through a change to the "anti-hacking" law, the CFAA, which was used to prosecute Aaron Swartz and many others. And it's not a change to improve that law, but to broaden it, extending massively how the DOJ can charge just about anyone they want with serious computer crimes. This is monumentally bad, and Senator Leahy is trying to hide it behind a major news event because he knows he couldn't get this kind of DOJ wishlist through without hiding it.
Officially, this is Leahy reintroducing his Personal Data Privacy and Security Act -- a bill he's tried to introduce a number of times before. The crux of that bill makes some sense: requiring companies that have had a security breach to inform those who were impacted. State laws (most notably, California's) already include some similar requirements, but this is an attempt to create a federal law on that front. There are some reasonable concerns about such a law, but the general idea of better protecting the public from data breaches, by at least letting them know about it, is an idea worth considering.
The problem is that Leahy has inserted a couple of other dangerous bits and pieces into the bill, including a couple of "reforms" to the parts of the CFAA that have raised significant concerns, burying them deep within the bill. Section 105 of the bill, for example, simply repeats the same change that the House Judiciary tried to include last year in an attempt at bad CFAA reform. It's basically part of the DOJ's wishlist, changing the CFAA to make you guilty of violating the law if you merely "conspire or attempt to commit" the offense, rather than if you actually do commit the offense. It may be difficult to understand if you just read the proposed bill (this is on purpose), but the bill says it wants to include the term "for the completed offense" so that the CFAA now reads:
Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided for the completed offense in subsection (c) of this section.
Right now, the law does not include those four words. Why is that a big change? As we explained last year:
All they did was add the "for the completed offense," to that sentence. That may seem like a minor change at first, but it would now mean that they can claim that anyone who talked about doing something ("conspires to commit") that violates the CFAA shall now be punished the same as if they had "completed" the offense. And, considering just how broad the CFAA is, think about how ridiculous that might become.
While the proposed bill does include a further change that notes that merely violating a terms of service agreement does not make you subject to the CFAA, it's not just the TOS issue that concerns so many people about the CFAA.
The CFAA needs to be greatly scaled back, not expanded, no matter what the DOJ wants. It's ridiculous that Senator Leahy is not only proposing this, but then trying to hide it in this bill about security breach reporting, tying it to a news event.
Filed Under: aaron swartz, cfaa, conspiracy, criminal, data breach, patrick leahy
Companies: target
Reader Comments
Re:
That is likely his goal because in his tiny pea brain of a mind he likely thinks that if no one is looking for security holes then none will ever be found and exploited!
Re:
When TPP comes in, I could see tech companies going to countries where they can comply with the new copyright laws, without risk of being prosecuted for hacking.
A web site, in, say, Mexico, could not be prosecuted for CFAA violations in the U.S.
So if Joe User is clicking around on his banking website one day and discovers - inadvertently or otherwise - a security hole big enough to drive a truck through, just pointing that security hole out to the bank will be a criminal offense on par with actually exploiting it. I mean, obviously that's already happening in many cases, but to have such insanity codified into law means that there is no incentive whatsoever to inform the bank of the flaw.
Re: Re:
You've spoken about breaking into a website and stealing money from it. That's now a crime.
(I'm not the same AC that posted the thing you're responding to BTW)
Re: Re: Re:
Try again...
Re: Re: Re: Re:
If one is looking for security vulnerabilities, that is attempting.
If I find one by accident and report it that could easily be twisted into a conspiracy. "Your Honor this man wanted to embarrass the bank so he conspired to find security issues"
Re: Re: Re: Re: Re:
I like sensational headlines, but not when they are untrue.
I just hope Mike avoids a yellow journalism approach here, that would cheapen the site and lower the effectiveness.
Re: Re: Re: Re: Re: Re:
Remember, we're not talking about common-sense interpretations here, but about how the laws can be and have been twisted by the DoJ for their own purposes, like making heavy-handed threats as part of a plea bargain.
Re: Re: Re: Re:
-- Quote from the letter
What that means is that informing them of the flaw could very well mean that the bank could accuse you of hacking. I.E. GeoHot was accused of hacking his Playstation 3, that he even bloody well owned, by Sony under CFAA.
Re: Re: Re: Re:
Read it and weep, jackn. Weep for all of us. Seriously, this is a bad law NOW.
We are all Weev.
Re: Re: Re:
The whole point of Leahy's proposal is that crimes committed over the Internet are often carried out by organized groups of individuals. Each individual is contributing to the crime. When caught, some individuals are able to make the case that even though their actions contributed to or facilitated the crime, they did not commit the charged top act.
For example someone could claim "I broke a window.". Another person climbed through that window and robbed the premises. Both parties contributed to the crime.
Re: Re:
*If you don't know what cases I'm talking about here you're not informed enough to even argue the point.
Re: Re: Re: Re:
You don't need to agree with the conclusion he draws but if you don't even know the cases generally used as relevant legal precedent in these situations then you're not informed enough to argue legal matters.
let's not become businessidiots.com here
Re:
The laws in the US have 2 faces now. One that is easy for the average person to see and understand, and another distorted face that serves a purpose that the people who wrote the law really wanted in their toolbelt.
Re: Re:
Yes
Not really
That's a bit misleading. Merely talking about something isn't the same as conspiring to do it. First of all, a conspiracy requires two or more people, so someone merely writing a blog post about computer hacking, for example, wouldn't qualify. Second, conspiracy requires an "overt act in furtherance of the conspiracy" in order for it to be complete and prosecutable, so not only do you have to plan to commit the crime with other people, you also have to take an affirmative step toward implementing that plan. It's not merely "talking about it" as the article states.
Re: Not really
It's already happened with encryption software
http://news.cnet.com/Minnesota-court-takes-dim-view-of-encryption/2100-1030_3-5718978.html
Re: Not really
Are you sure? A blog post involves two people as soon as someone reads it. Commenting provides interaction, if that's a requirement.
Yes, but that's an incredibly low bar that is easily satisfied in most completely innocent circumstances. In the bank robbery planning incident I described in another comment here, that condition was satisfied by the fact that the "conspirators" had obtained the building plans for the bank.
If, as often happens in my workplace (a software security company), two developers are discussing how a particular exploit works then example code will certainly be exchanged, and probably written. That would probably satisfy the requirement as well.
Re: Re: Not really
One can conspire all on their own.
Re: Re: Re: Not really
> not require two people. One can conspire
> all on their own.
Not legally one can't. The statute actually reads, "two or more people". A single person can't conspire with himself. Hell, the word 'conspire' itself means
(1) to agree together, especially secretly, to do something wrong or illegal
(2) to act or work together toward the same result or goal
Re: Re: Not really
> as soon as someone reads it.
Yes, all parties to a conspiracy have to know of each other and agree and intend to commit a criminal act. Reading what someone else wrote doesn't make you a co-conspirator.
Re: Re: Not really
"If, as often happens in my workplace (a software security company), two developers are discussing how a particular exploit works then example code will certainly be exchanged, and probably written. That would probably satisfy the requirement as well."
No. It does not satisfy that requirement. People discussing something in the workplace related to their legal employment would not qualify as conspirators to an illegal activity.
Re: Not really
About the overt act, it seems that it can be ignored as a requirement in some cases like drug enforcement.
From the SCOTUS judgement in US vs Shabani:
The Court ruled: "...Congress intended to adopt the common law definition of conspiracy, which does not make the doing of any act other than the act of conspiring a condition of liability..."
Re: Re: Not really
> adopt the common law definition of conspiracy,
> which does not make the doing of any act other
> than the act of conspiring a condition of
> liability..."
That is asinine and flies in the face of reality. The federal conspiracy statute (18 USC 371) reads:
If two or more persons conspire either to commit any offense against the United States, or to defraud the United States, or any agency thereof in any manner or for any purpose, and one or more of such persons do any act to effect the object of the conspiracy, each shall be fined under this title or imprisoned not more than five years, or both.
Since the statute ACTUALLY SAYS that an overt act is required, it beggars the imagination how the Court can claim that Congress didn't intend to include that in the law.
This is just another example of the Court making shit up based on its own agenda and claiming words don't mean what they say, or mean the opposite of what they say, or whatever it takes to justify the result the Court wants, rather than what the law requires.
Re: Re: Re: Re: Not really
> one law. "Conspiracy" does not have a
> monolithic definition.
Actually, it does. In the definitional section of all new laws involving conspiracy, they refer back to 18 USC 371.
Re: Not really
Under this CFAA change, saying that someone deserves to have their computer hacked, without actually doing it, or telling someone to do it, would also be a criminal offence.
All "conspiracy to commit" laws are questionable
For a real-world example from a number of years ago, it's a felony to get together with a few friends and plan a bank robbery -- even if we have no intention whatsoever of actually committing the robbery. The people who did this not only didn't commit a robbery, they very clearly engaged in the planning purely as an intellectual exercise.
This seems to be blatantly unconstitutional on free speech grounds alone.
I could (grudgingly) get behind "conspiracy to commit" charges as add-ons to a real crime that was actually committed, much like the hate speech laws, but that's as far as it should go.
what IS NOT SAID.
THIS is important, and could tell us if Target was an IDIOT..
If they had a Fairly protected system, it would mean this is an INSIDE job.
IF they were like home depot(wireless system)(STUPID) then they needed better protection than they HAD.
If they allowed DIRECT access from an internet connection, then they are even more stupid.
Encryption is OK, but giving anyone direct access to the file ITSELF? means only a few people should have access.
for those that don't get it..Let's say you REALLY want to protect a file.
1) you can make it NOT listed in the files(invisible)
2) you have to know the NAME of the file.. as you can't see it.
3)password the file, NOT TOO HARD and it can be built into the EDITING program that WORKS with the file.
4.)separate files..name file, Data files can be 2-3-4-5 parts, and you get 1, you don't get the others.
Re: what IS NOT SAID.
Because finding invisible/hidden files is such a hard thing to do?
Hiding files is a trick to keep ignorant people from seeing stuff... but it won't even speed bump anyone good enough to hack a system.
Re: what IS NOT SAID.
What makes wireless stupid?
Data is transmitted from point A to point B.
It is the job of point A and point B to:
1. Validate they are communicating with the real endpoint
2. Encrypt their communications to prevent eavesdropping
If the communicating parties are doing those two things then it does not matter if you are using wired, wireless, snail mail, smoke signals or whatever.
Fail at either of those things and you are vulnerable on a wired or wireless network.
Re: Re: what IS NOT SAID.
Wireless broadcasts all of your communications over radio, where it is easily listened to by anybody within range. Also, it's like placing a network port on the outside of your house -- anyone can plug into it.
The built-in, standard security measures (WPA) are insufficient against anybody of more skill than a script kiddie (and, these days not even against them).
It's not stupid to use such equipment. It is naive and dangerous to use such equipment while believing that it is secure, unless you've taken additional steps to harden everything.
Re: what IS NOT SAID.
"2) you have to know the NAME of the file.. as you can't see it."
You need smacked with a clue stick.
Hidden files are simply not shown by default, it is trivial to actually get a listing of 'hidden' files on any operating system.
http://windows.microsoft.com/en-us/windows/show-hidden-files#show-hidden-files=windows-vista
https://discussions.apple.com/thread/5483892?tstart=0
http://en.wikipedia.org/wiki/Hidden_file_and_hidden_directory
Re: Re: what IS NOT SAID.
Off to the MPAA re-education camp for you!
Re: what IS NOT SAID.
And as far as wired/wireless, it makes no difference whatever. It's surprising that you actually think that it would. But then your suggested methods of supposedly hiding files are all well-known, sophomoric, and as easy to get around as turnstiles to jump over. You really need better security than something a 4th-grader could come up with.
It wasn't said because it has nothing to do with anything.
Re:
If you leave your door open, and a thief walks in and steals things..IS HE, breaking and entering?
He may have entered, but you left it open..IS it hacking if they DON'T protect themselves??
AS WELL AS THE WORD hacking isn't used properly..DID they hack anything? If it was an ADMIN, it wasn't a HACK.
Re: Re:
I can tell you are uninformed because of this sentence
password the file, NOT TO HARD and it can be built into the EDITING program that WORKS with the file
and others...
Re: Re: Re:
You can password protect individual files and have the editing software support the encryption. Adobe Acrobat does that, Microsoft Office does that, good database software can do that. Hell, Windows (pro and up) itself supports that.
Re: Re: Re: Re:
The fact that you are mentioning acrobat, office, windows pro is f&8^%^4 stupid.
Don't even bother me with your home software achievements.
the end
Re: Re: Re: Re: Re:
Giving wireless access or internet Access to ROOT, BASE commands is a REAL sec. threat.
Giving Full control for any remote access should be forbidden..
How stupid do these people seem.
Any commercial business wishes to see Every transaction and Action done in the store. It's the only way to protect themselves, and see WHO DID WHAT..and WHOM to blame.
If they did, even BASIC, security and tricks, the ONLY way to have full access to this file, is to KNOW the name of it and have the password to open it.
That's why information is important..HOW did they get the files.
IF they had basic sec. then it had to be someone with access.
ALSO, there are many ways to hide files. 1 uses control characters in the name, which will list the DIR, but the name is blank. it erases itself, and unless you have a HEX dump of the DIR you will NEVER see the name.
The OLD ways still work..HOw do you think we hacked in the OLD days..HEX editors RULE..
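The comment above describes hiding a file by putting control characters in its name so that a directory listing shows a blank entry, and an earlier reply in this thread points out that "hidden" files are trivially listed on any operating system. The Python script below is an added example, not the commenter's code and unrelated to Target's actual systems: it builds a constructed sample directory and shows the defender's side, a scan that lists every entry (dotfiles included) and flags names containing control or zero-width characters or stray whitespace, reporting each name in escaped form so the invisible characters become visible. The sample file names are constructed for the demo, and the script assumes a POSIX filesystem, which permits control characters in names.

```python
import os
import shutil
import tempfile
import unicodedata
from typing import Dict, List


def has_invisible_chars(name: str) -> bool:
    """True if the name contains characters a plain listing will not show:
    ASCII control characters (0x00-0x1F, 0x7F) or any code point in the
    Unicode 'Cc' (control) or 'Cf' (format, e.g. zero-width space) categories."""
    return any(
        ord(ch) < 0x20 or ord(ch) == 0x7F or unicodedata.category(ch) in ("Cc", "Cf")
        for ch in name
    )


def is_dotfile(name: str) -> bool:
    """Dotfiles are only omitted by a default 'ls'; 'ls -a' prints them."""
    return name.startswith(".") and name not in (".", "..")


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk root and report every entry that relies on a naming trick to stay
    out of sight, with the reasons and an escaped form of the name (repr())
    so the hidden characters show up in the report."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            reasons = []
            if is_dotfile(name):
                reasons.append("dotfile")
            if has_invisible_chars(name):
                reasons.append("invisible-chars")
            if name != name.strip():
                reasons.append("leading/trailing-whitespace")
            if reasons:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append({"path": rel, "escaped": repr(rel), "reasons": reasons})
    # Sort for a deterministic report; os.walk order is filesystem dependent.
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> str:
    """Constructed sample directory (hypothetical names, not from any real
    incident); assumes a POSIX filesystem, which allows any byte except '/'
    and NUL in a file name."""
    root = tempfile.mkdtemp(prefix="hidden-demo-")
    samples = [
        "report.txt",          # ordinary file, should not be flagged
        ".bash_history",       # dotfile: hidden only from a default 'ls'
        "notes\x1b.txt",       # ESC (0x1B) embedded in the name
        "in\u200bvoice.csv",   # zero-width space (U+200B, category Cf)
        "budget.xlsx ",        # trailing space, easy to overlook in a listing
    ]
    for name in samples:
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write("constructed sample content\n")
    return root


def demo() -> List[Dict[str, object]]:
    """Create the sample tree, scan it, remove it, and return the findings."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['escaped']:<30} {', '.join(finding['reasons'])}")
```

The same visibility comes straight from the shell: `ls -a` prints dotfiles and `ls -b` prints non-graphic characters as C-style escapes, which is why name tricks only defeat a casual glance at a default listing; any file-integrity or inventory tool that walks the filesystem sees the entries regardless of how they are named.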
Re: Re: Re: Re: Re: Re:
Wait a minute, I'm getting it. We could use a hex editor, masm or debug to disable those parameters.
They should probably also use a SECURE font! You could use a hEX EDitor to change the font and make it unreadable.
Re: Re: Re: Re: Re: Re:
Or unless you boot the system from a Linux boot disk or USB stick, in which case you'll see everything without having to resort to hex dumps.
Re: Re: Re: Re: Re: Re: Re: Re:
1) [REDACTED]
2) Legally force the owner to provide password(s). (My favorite definition of 'brute force'.)
Re: Re: Re: Re: Re:
You guys are eye openers. Here I am in my CISSP world making things really difficult when all we need is a hex editor. I wonder if the PCI specs recognize these methods as appropriate?
Re: Re: Re: Re: Re: Re:
There is a thing called a "database". It is often huge. Like the Windows registry. Access is immediate and direct to each piece of data - no search, no following some path to get to it, no change in access time regardless of size. Databases have been around quite a long time.
Re: Re: Re: Re: Re: Re: Re:
One question, for 'databases,' do I still need to put a control character in the filename? What about hiding the file, is this still required?
Thanks again for the 411
Re: Re: Re: Re: Re: Re: Re: Re:
It was funny, but it's getting old.
Re: Re: Re: Re: Re: Re: Re:
But its probably DB2, MSSQL, or Oracle. Probably also involves some sort of queue like mq or the like.
All of those could have millions of records and the correct indexes would make them plenty fast. I've worked with 14 million in DB2.
so
Not applicable to Target CC breach
Password protect the file
Hide the file
Office, Adobe, Access, windows pro
Windows registry
ZIP Files
Zip Password crackers
Hex editors
Applicable to the Target breach
Industrial Database
Authentication
Authorization
Encryption
Transport
Business Logic
Presentation Layer
Does that mean I actually hacked Walmart? Cool.
Seems legit
Re:
> can we as citizens preemptively impeach him?
No. Members of Congress cannot be impeached, preemptively or otherwise.
Re: Re: Re:
> of congress.
No, the Constitution only allows for impeachment of Executive and Judicial Branch officials. Members of Congress cannot be impeached.
It's basically part of the DOJ's wishlist, changing the CFAA to make you guilty of violating the law if you merely "conspire or attempt to commit" the offense, rather than if you actually do commit the offense.
Just when you didn't think America could get any more dystopian, the Senate is now voting on whether to start having people arrested for thoughtcrime.
Conspiracy
> as if you'd actually done the crime. Just
> when you didn't think America could get any
> more dystopian, the Senate is now voting
> on whether to start having people arrested
> for thoughtcrime.
So many people in this thread are acting like this is something new. The conspiracy offense has been a part of federal law for a century or more. Just because it's now being applied to computer/tech offenses doesn't make it some novel attempt to create a dystopian nightmare.
Re: Conspiracy
But that doesn't mean you shouldn't get angry and mobilize when you happen to hear about these things, or even stop talking about what could happen if you don't remind the government who's actually supposed to be running this country.
Re: Conspiracy
You're right, conspiracy laws are nothing new. However, the CFAA is already a dystopian nightmare. I think the reaction is that adding the ability to bring conspiracy charges on top of it will just make everything that much worse.
Given the reports about ACA (Obamacare) having never been built with security in mind, this becomes seriously important. In order to sell ACA this particular topic has been sidelined into silence. And what about the NSA gathering up all this data and then turning it over to other agencies with the admonishment they can't be used as the source? Given their tools, that is hacking; dishing out malware at targeted computers/individuals.
Senator Leahy once again shows his real colors in all this. It's about covering the government's ass, not about security. When you can't find another charge, claim conspiracy to hack as a catch all dealing with computers. This makes me very uneasy. I use element Q to get rid of annoying javascript and other undesirable items on web pages I view. It does nothing to the original site, as all changes are temporary and on my computer only. Removing blocks to view the public site until you activate javascript doesn't float. Yet it is likely under prosecutor expansion it could one day be illegal with this vague law.
This just goes to show you can never trust a politician, because the vast majority of them are two-faced deceivers. The most "transparent" administration ever, the Obama administration, is proof of how two-faced politicians are.
Never trust them, or you'll wake up with a dagger in your back.
Re:
Actually, conspiracy to commit a crime is often a crime in and of itself. It's why you can arrest someone for hiring a hitman before the target gets killed, because it's a conspiracy to commit murder (I know, a big example, but there ya go).
Conspiring with others to hack into a network to obtain material illegally should be a crime. It wouldn't harm white hat hackers trying to show a problem, but it would sure screw up black hatters planning their next break in.
This simply proves he doesn't even look at papers shoved down his throat.
Between this and TPP, it could force nearly every internet company out of business, if you cannot obey the laws that will result from TPP, without violating the CFAA.
If they cannot get any evidence off your hard disk, they will have no case against you.
So would the NSA be found guilty ..hacks up a lugie
But, then, wouldn't that, like, seriously cripple the government's "cyber security" departments, or is this just, like, another law for the "peasants" only.......again
Re: Re:
I thought that every single person who voted for it then (and the renewals since then) shouldn't be trusted to be in government due to either extremely poor judgement or too much of a totalitarian bent.
It is possible, on many phones, to circumvent that by logging in to a VPN. I know when I moved, and did not have normal Internet for a while, I had to do this to get the Internet.
Bypassing anti-tethering features on your cell phone, by using a VPN, could be construed as attempted hacking, the way I see it.