DOJ Blurred Lines Between Terrorism & Crime To Expand NSA & FBI Warrantless Wiretapping Of 'Hackers'

from the whatever,-it's-all-the-same dept

This week, of course, the US government passed the USA Freedom Act, a modest step towards reform. As we've noted, it doesn't even touch on two of the more concerning surveillance authorities: Executive Order 12333 and Section 702 of the FISA Amendments Act, which includes the infamous "warrantless wiretapping" programs that allow the NSA to tap "upstream" fiber optic cables from AT&T and others to sniff all data traveling across those cables.

Pro Publica and the NY Times have teamed up to report on how the DOJ expanded the warrantless wiretapping regime to go after hackers. There's a lot to unpack in the story (which is well worth reading), but the short version is that, under pressure from the White House, NSA and others, officials appear to have deliberately blurred the lines between "crime" and "international terrorism" in order to get the DOJ to sign off on secret legal orders allowing the NSA and the FBI to use its "upstream" snooping capabilities to monitor certain "cybersecurity signatures" which include basically anything the feds want, to sniff out a hacker. From the revealed documents (which, yes, come from Ed Snowden's cache): If you can't see that, the key line is:

The Certification will also for the first time spell out the authorization for targeting cyber signatures such as IP addresses, strings of computer code, and similar non-email or phone number-based selectors.

In short: the government said, "okay, you can now sniff that upstream firehose for hackers based on whatever "code snippets" or "IP addresses" we give you."

Of course, this raises some questions about the split between domestic law enforcement and international anti-terrorism/foreign intelligence work. Remember, the 702 upstream program is pretty specific in that it's only to be used for non-domestic, non-criminal work. But, according to the White House, those distinctions no longer matter:

“Reliance on legal authorities that make theoretical distinctions between armed attacks, terrorism and criminal activity may prove impractical,” the White House National Security Council wrote in a classified annex to a policy report in May 2009, which was included in the NSA’s internal files.

Yes, apparently, it's "impractical" for the surveillance state to actually follow the law.

The documents also reveal that they really wanted access to that sweet, sweet upstream firehose, because much more limited programs like PRISM (which involve court orders to certain internet companies) didn't provide enough coverage: Then, to take things a step further, the government allowed the FBI direct access to the NSA's upstream collection, even though the FBI doesn't have the same limits against surveillance on Americans that the NSA has. Why? Basically, the argument appears to be "well, the NSA already has that data... so... let's give it to the FBI as well": The documents do contain and interesting slide presentation about how and when certain capabilities can be used, including a slide dedicated to repeating the 4th Amendment, and another with a note saying that the "worst thing" the NSA can do is to use its signals intelligence capabilities "to collect against a [US Person] hacker" because doing so is "basically doing surveillance for [law enforcement] purpose without a warrant." So, at the very least, they understand the law, but it's not at all clear that they follow it: And, in fact, later in that same presentation, it notes that the NSA's Threat Operations Center (NTOC) wants more power to target "foreign hackers outside the US" without having to prove as much: "Because attribution is hard, just having to prove foreigness and an FI purpose is especially useful to NTOC."

According to the Pro Publica / NY Times report, the NSA sought more and more permission here, though it's not clear what has actually been granted:

In May and July 2012, according to an internal timeline, the Justice Department granted its secret approval for the searches of cybersignatures and Internet addresses. The Justice Department tied that authority to a pre-existing approval by the secret surveillance court permitting the government to use the program to monitor foreign governments.

That limit meant the NSA had to have some evidence for believing that the hackers were working for a specific foreign power. That rule, the NSA soon complained, left a “huge collection gap against cyberthreats to the nation” because it is often hard to know exactly who is behind an intrusion, according to an agency newsletter. Different computer intruders can use the same piece of malware, take steps to hide their location or pretend to be someone else.

So the NSA, in 2012, began pressing to go back to the surveillance court and seek permission to use the program explicitly for cybersecurity purposes. That way, it could monitor international communications for any “malicious cyberactivity,” even if it did not yet know who was behind the attack.

The newsletter described the further expansion as one of “highest priorities” of the NSA director, Gen. Keith B. Alexander.

Remember all of this when you see the government asking for new "cybersecurity" laws -- which all too frequently are ways of granting the NSA and/or FBI greater powers to do surveillance via these upstream collections. As The Intercept points out, during the big debates on cybersecurity over the last few years, the NSA has insisted that it doesn't have access to this kind of information, and almost every debate on the power of upstream collection by the NSA and others has been based on claims by the intelligence community that they only use unique identifiers like email addresses -- and not very, very broad identifiers like an IP address or "computer code."

There's a lot more in the full article and in the released documents which you can see below.

Filed Under: 702, cybersecurity, fbi, fisa, hacking, nsa, surveillance, upstream, upstream collection, warrantless wiretapping

Hacker Informs Starbucks Of Gift Card Exploit; Starbucks Accuses Hacker Of Fraud And Maliciousness

from the hackaccino dept

In a period of a couple of weeks we have already seen some rather strange stories about companies failing to make the best use of free security advice and information, and instead going on the attack. Here we go again, I guess. What this latest example lacks in terrifying flight maneuvers or disgusting internet grossness, it makes up for in pure pettiness. This is the story about how Starbucks was informed by a hacker that he'd discovered and proof-tested an exploit on the company's gift card systems that allowed people to load twice as much money on a card as they were supposed to.

Egor Homakov found a flaw that let him duplicate funds on a gift card, which he spent in a store to test his theory. Mr Homakov worked out that making two web browsers transfer money between the same cards, at the same time, sometimes duplicated the transfer and added funds to a gift card that had not been paid for. After buying some drinks and a sandwich in a store to test if the process had worked, Mr Homakov topped up the card to repay the $1.70 (£1.10) he owed to the company.

Pretty solid, honest move, especially given that Homakov then informed Starbucks of the issue after reloading his card so as not to be costing the company even the meager couple-o-dollars it took to test his theory out in practice. As far as altruistic hackers, Homakov's story is about as good as it gets. So of course Starbucks went on the attack.

He told Starbucks so they could fix the flaw, but said that the company had then called his actions "malicious".

"The unpleasant part is a guy from Starbucks calling me with nothing like "thanks" but mentioning "fraud" and "malicious actions" instead," he wrote.

A spokeswoman for Starbucks told BBC News: "After this individual reported he was able to commit fraudulent activity against Starbucks, we put safeguards in place to prevent replication."

I have to say, even when most of these stories leave me thinking that the attacking companies would be better off taking the free security advice of people like Homakov, I can at least stretch myself to understand why they might let emotions get in the way of logical behavior. Maybe, like with airflight exploits, the danger is so great that the company just wants everyone to shut up while it gets its house in order. Or maybe, like when goatse ends up on your billboards, embarrassment takes over. But Starbucks' actions are without explanation. Far from going on the attack, the coffee company should be praising and thanking Homakov and it should be counting itself lucky that the exploit was discovered by such a benevolent force rather than one with more mischievous intentions.

Hell, many companies pay for this kind of information. Resting on the fact that the hacker tested his theory before bringing the information to the company as an excuse to throw around legal threats is stupid. Maybe they need to put down the latte to calm the jitters or something.

Filed Under: egor homakov, hacking, responsible disclosure
Companies: starbucks

The Price Of Ignoring Free Internet Security Advice: Billboards Of Goatse

from the gaping-security-holes dept

Normally, when we talk about companies and institutions looking to silence security researchers and their ilk who have tried to expose potential threats, the story ends without tragedy. United Airlines, for instance, went on the attack on Chris Roberts, who may well be an idiot, for exposing in-flight WiFi security concerns. CyberLock decides to go legal on a researcher who had been trying desperately to contact them about a security flaw in a number of its electronic locks. Johns Hopkins, meanwhile, ordered the disappearing of a blog post detailing how its own servers might be compromised by the NSA (or used with permission) to defeat encryption schemes.

But in all of those cases, even if some shenanigans were had, there was no real damage done as a result of ignoring the security advice that those organizations subsequently attempted to silence. So, what is the consequence of ignoring that device? Well, as it turns out, the consequence is anus. Very, very, tragically, unfortunately infamous anus.

The affluent denizens of Atlanta’s Buckhead neighborhood received a fun treat this week when they looked up at the corner of Peachtree and East Paces Ferry: a famous internet man’s giant, ruddy, gaping spread asshole, displayed on an enormous digital billboard.

The billboard above [Techdirt editor: which I'm not posting, because obviously I'm not] is one of the thousands of YESCO digital billboards installed across the country. Naturally, it comes with an internet connection. The setup is exactly as insecure as you’d imagine: many of these electronic billboards are completely unprotected, dangling on the public internet without a password or any kind of firewall. This means it’s pretty simple to change the image displayed from a new AT&T offer to, say, Goatse.

Great, so because whoever is in charge of managing that electronic billboard couldn't be bothered to take the advice any competent technology person who came across the setup, of which there must have been at least one, the great people of Atlanta were treated to one of the most disgusting images in human existence. I'm generally loathe to blame the victim, but the owner of a public-facing billboard must have some culpability when it comes to securing their display. And I say that there was at least one person who warned them about this, because at least one has come forward publicly.

Not only was this a case of incompetence, but gross negligence: security researcher Dan Tentler tweeted yesterday that he’d tried to warn this very same sign company that their software is easily penetrable by anyone with a computer and net connection and was told they were “not interested.” Even after the billboard was defaced, Tentler said the company still hadn’t secured its software.

Probably best to just sick the lawyers on Dan. After all, this all must be his fault, somehow.

Filed Under: billboards, goatse, hacking, security, warnings

EFF Asks Court To Reconsider Ruling That Would Make Violating Work Computer Policies A Criminal Act

from the surfing-on-the-clock?-that's-a-jailing dept

The EFF is asking the Oregon Supreme Court to take a look at a disturbing opinion issued by the state's appeals court -- one that could see employees face fines and prison time simply for violating company policies.

The case prompting the filing of an amicus brief on behalf of the defendant does contain an element of criminality, but the court's decision should have been limited to the end result of the defendant's actions, rather than the actions taken to reach that point.

Caryn Nascimento worked as a cashier at the deli counter of a convenience store. As part of her job, she was authorized to access a lottery terminal in the store to sell and validate lottery tickets for paying customers. Store policy prohibited employees from purchasing lottery tickets for themselves or validating their own lottery tickets while on duty. After a store manager noticed a discrepancy in the receipts from the lottery terminal, it was discovered that Nascimento had printed lottery tickets for herself without paying for them. She was ultimately convicted not only of first-degree theft, but also of computer crime on the ground that she accessed the lottery terminal “without authorization.”

Nascimento appealed the computer crime conviction. She argued that because she had permission to access the lottery terminal as part of her work duties, she did not access the terminal without authorization—as required under the Oregon's computer crime statute. Unfortunately, the Oregon Court of Appeals affirmed Nascimento’s conviction, finding she had only “limited authorization” to access the lottery terminal for purposes of printing and validating lottery tickets for paying customers, and acted without authorization when she printed them for herself.

At first glance, it almost seems like a reasonable application of the law simply because the end result was theft. But it's the specifics that make it troublesome. "Without authorization" is far too broad a term to be used in this context. With this reading of Oregon's law, the appeals court has basically criminalized a wide variety of corporate computer-related policy violations. Actions that would normally be met (in a corporate setting) with warnings and reprimands could now be viewed as criminal acts.

[T]he Court of Appeals’ decision transforms millions of unsuspecting individuals into criminals on the basis of innocuous, everyday behavior—such as checking personal email or playing solitaire on a work computer. Such restrictions, frequently included in employers’ computer policies, are no different than the restriction imposed on Nascimento. They're ultimately all computer use, not access, restrictions. Upholding Nascimento’s conviction on the basis of a violation of a computer use restriction expands Oregon’s computer crime statute to criminalize violations of any computer use restriction.

The broad reading of Oregon's criminal statute also poses potential problems outside of the work environment.

The court’s holding that a person acts “without authorization” if she violates a policy regarding the use of a computer that she is otherwise authorized to access could be extended to an Internet user who accesses a website in violation of a written terms of service. For example, Facebook’s terms of use provide that “[y]ou will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.” But as the Ninth Circuit noted en banc, “[l]ying on social media websites is common: People shave years off their age, add inches to their height and drop pounds from their weight.” Under the Court of Appeals’ expansive reading of ORS 164.377, if a user shaves a few years off her age in her profile information, asserts that she is single when she is in fact married, or seeks to obfuscate her current physical location, hometown or educational history for any number of legitimate reasons, she violates the computer crime law. The court’s decision thus opens the door to turning millions of individual Internet users—not just millions of individual employees—into criminals for typical and routine Internet activity.

The EFF points out that rolling back this "unconstitutionally vague" reading of Oregon's computer crime law doesn't leave the state without options to punish Nascimento for her actions. She still faces one count of aggravated first-degree theft -- a charge the EFF is not disputing. Pointing to previous decisions by the Fourth and Ninth Circuit courts, the EFF states that similarly broad readings of the rightfully-maligned CFAA (Computer Fraud and Abuse Act) have been rejected for potentially criminalizing violations of workplace computer use policies.

The Supreme Court should have no problem rolling back this broad reading and the attendant charge brought against Nascimento. The theft may have been facilitated by improper access that violated company policy, but this access doesn't rise to the level of a criminal act -- even if it ultimately resulted in a criminal action.

Filed Under: caryn nascimento, cfaa, company policies, computer access, computers, hacking, oregon

FBI Investigating Chris Roberts For Hacking Flight WiFi, Taking Control Of Engines

from the how-is-this-possible? dept

I'll be honest: when I wrote about Chris Roberts being detained by the FBI for tweeting about hacking his flight's WiFi, I reacted with a great big eyeroll. On the one hand, security researchers like Roberts look for these vulnerabilities all the time and it's quite helpful when law enforcement and airlines learn about potential avenues for threats. On the other hand, Chris Roberts is quite obviously not Al Qaeda. The whole thing appeared to be a reaction to embarrassment that the vulnerability had been allowed to exist, rather than any belief that Roberts was in any way a threat.

But if Roberts is to be believed, he did something really stupid on previous flights: he used his WiFi hack to manipulate the plane's engines.

During two interviews with F.B.I. agents in February and March of this year, Roberts said he hacked the inflight entertainment systems of Boeing and Airbus aircraft, during flights, about 15 to 20 times between 2011 and 2014. In one instance, Roberts told the federal agents he hacked into an airplane’s thrust management computer and momentarily took control of an engine, according to an affidavit attached to the application for a search warrant.

“He stated that he successfully commanded the system he had accessed to issue the ‘CLB’ or climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights,” said the affidavit, signed by F.B.I. agent Mike Hurley.

If true, that would go way beyond identifying exploits, mentioning that you could drop the oxygen masks, or really anything else that deals with in-flight wireless hacks. If the affidavit is to be believed, Roberts dangerously manipulated the flight's equipment, potentially putting everyone aboard at risk. We have only the FBI's word for all of this, of course, but the feds are certainly behaving as though Roberts both said all of this and that he's not simply making fictional claims.

Roberts, who has been interviewed at least three times by the F.B.I. this year, is under investigation for allegedly hacking into the electronic entertainment systems of airplanes, according to an application for a search warrant to probe seized electronic equipment. The document shows F.B.I. agents investigating Roberts believe he has the ability to do what he claims: take over flight control systems by hacking the inflight entertainment computer.

“We believe Roberts had the ability and the willingness to use the equipment then with him to access or attempt to access the (inflight entertainment system) and possibly the flight control systems on any aircraft equipped with an (inflight entertainment system) and it would endanger the public safety to allow him to leave the Syracuse airport that evening with that equipment,” sates the warrant application.

Roberts, for his part, has at least suggested to a Wired reporter that the FBI is twisting his words:

“That paragraph that’s in there is one paragraph out of a lot of discussions, so there is context that is obviously missing which obviously I can’t say anything about,” he said. “It would appear from what I’ve seen that the federal guys took one paragraph out of a lot of discussions and a lot of meetings and notes and just chose that one as opposed to plenty of others.”

That still doesn't say he didn't do it, though.

As with too many of these stories, the end result is that we have absolutely nobody to root for. To be fair, Roberts has been warning the airlines and the feds about these exploits for years, without any of it generating much attention. His purported stunt has suddenly brought a little light to what is obviously an untenable security risk, which doesn't in any way excuse manipulating an engine mid-flight. That, plainly, is insane, and I don't think it can be argued that it's an action that deserves punishment. On the other hand, Roberts still isn't Al Qaeda and the end result of all of this may be that planes are safer. Intentions matter, after all.

As for the federal government and the airlines: are you kidding me? You're telling me that not only was all of this possible, which is crazy at the outset, but they had been warned about it and had done nothing? Crazy as it sounds, everyone should be thanking the universe that Chris Roberts was the one manning the keyboard on these flights instead of someone with more nefarious intentions. The feds and the airlines should have simply hired Roberts to battle these vulnerabilities rather than letting it get to this point. Instead, we learn this way that it may indeed be possible to get control of a flight through a plane's WiFi. And we learn that law enforcement and the airline's chief strategy to deal with that fact was to pretend it didn't exist.

Filed Under: chris roberts, fbi, flights, hacking, wifi

FBI And United Airlines Shoot The Messenger After Security Researcher Discovers Vulnerabilities In Airplane Computer System

from the that-doesn't-make-me-feel-safer dept

At some point, the corporations and authorities in America are going to have to get over this knee-jerk reaction complex they have in going after citizens kindly pointing out technology and security flaws for them. You see this over and over and over again: someone notices a flaw in a system, points it out publicly instead of exploiting the flaw, and is thoroughly punished for his or her efforts. Often times there is a mealy-mouthed explanation for these punishments, which, chiefly, have to do with security risks in publicizing the flaw even though the ultimate goal should be fixing the exploit to begin with.

The latest version of this has gotten the EFF involved in defending a security intelligence expert who tweeted from aboard a United Airlines flight about his ability to hack into the flight's WiFi and access some level of the flight's communications.

Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? :) — Chris Roberts (@Sidragon1) April 15, 2015

It may not mean much to you, but he's talking about getting access to communications systems and even some level of controls within the plane itself. And if that doesn't scare you, it should. It scared the feds, too, but it didn't scare them into actually, you know, addressing the security concerns. But it did scare them enough that upon the plane landing Roberts was scooped up by the FBI, questioned for several hours, and had his encrypted computer, tablet, and drives snatched from him. No warrant for any of this, mind you, at least not at the time of this writing. As you can imagine, he's not pleased. Mostly, though, he's confused as to why the feds are picking on him at all.

Roberts told FORBES he was disconcerted by the actions of US law enforcement. “Feds have known about issues in planes for years, why are they hot now? I’m a researcher, that’s what I do, I don’t go out to harm or hurt, why pick on researchers? If not us then who will find flaws?”

Which is the entire point. The government should be thanking its lucky stars that a benevolent force such as Chris Roberts was the one who found this exploit, rather than someone who might actually wish to do harm. Tweeting about it may alert more nefarious folks that such an exploit exists, sure, but it also got the attention of the federal government who had damned well better be fixing this tout de suite. As far as anyone interested in actually fixing this exploit should be concerned, mission freaking accomplished. And yet Roberts is targeted, not because he's an actual threat, but merely for doing what people in his profession do.

And not just at the conclusion of that flight, either, I should add. The harassment continued afterwards.

Roberts was back at the airport on Saturday evening, headed to San Francisco to attend two high-profile security conferences, the RSA Conference, where he is scheduled to present on Thursday, and BSides SF. After Roberts retrieved his boarding pass, made his way through the TSA checkpoint and reached the gate, United corporate security personnel stopped him from boarding the plane. Roberts was told to expect a letter explaining the reasons for not being allowed to travel on United. Thankfully, Roberts was able to book a last-minute flight on another airline and has now landed safely in San Francisco.

Nevertheless, United’s refusal to allow Roberts to fly is both disappointing and confusing. As a member of the security research community, his job is to identify vulnerabilities in networks so that they can be fixed. Indeed, he was headed to RSA speak about security vulnerabilities in a talk called “Security Hopscotch” when attempting to board the United flight.

This should be seen as useful for the public, which now knows somewhat certainly that United Airlines would much rather attempt to achieve security through obscurity rather than seeing experts like Roberts as a boon to their own safety product. Should you need to fly anytime soon, do you really want to board a flight run by a company that has now demonstrated that it tolerates vulnerabilities aboard its flights and also would rather try to put its head in the sand than deal with those vulnerabilities? I sure wouldn't. Keep in mind, by the way, that United is getting this important information into its own security for free. But rather than be grateful, out come the cross hairs.

It's enough with this crap already. No amount of embarrassment is justification for harassing a security researcher who happens to be fault-testing technology on high-profile targets. And doing it free of charge, I might add. In the realm of security, Roberts is a helpful force, not a harmful one. It'd be nice if the Feds and United Airlines would behave gratefully, rather than targeting the man.

Filed Under: chris roberts, hacking, in-flight computers, in-flight wifi, obscurity, research, security, shooting the messenger
Companies: united airlines

Senators Introduce Anti-Aaron's Law To Increase Jail Terms For 'Unauthorized Access' To Computers

from the someone-buy-these-senators-a-clue dept

Yesterday, we wrote about an important new bill, Aaron's Law, from Senators Ron Wyden and Rand Paul and Rep. Zoe Lofgren. It's a fix to many of the problematic aspects of the Computer Fraud and Abuse Act (CFAA). If you're unaware, the CFAA is supposed to be a law to be used against people doing malicious hacking, but the wording is so broad and problematic, it has been used against people for merely violating the terms of service on a website, or someone using a work computer for non-work-related items -- which could lead to excessively long jail terms. The reason Aaron's Law is named that is because of Aaron Swartz, the guy that Federal Prosecutors publicly announced was facing 30 years in jail under the CFAA because he downloaded too many academic journal articles from JSTOR -- despite the fact that he did so on the MIT campus where the campus had a site license that allowed anyone on their network to download all the JSTOR papers.

As we noted in our post, there are still some who are pushing in the other direction -- and they didn't waste much time. The very same day that Aaron's Law was introduced, Senators Mark Kirk and Kirsten Gillibrand introduced a competing law that appears to be a "We Should Have Threatened Aaron With More Years In Jail" Act. Okay, technically it's called the Data Breach Notification and Punishing Cyber Criminals Act -- and as I type this, no one seems willing to release the text. Both Senators have press releases out about the bill, but neither link to it, and Congress's website has a placeholder saying that it hasn't received the actual text yet either. Hopefully that will change soon.*

It's bizarre that they're lumping together data breach notifications and CFAA expansion in a single bill. These are two separate issues. And yet, from the press release quotes and the few small articles about these bills, it appears that everyone's focusing on the data breach notification stuff (which has its own problems) and thus we should be worried that the CFAA expansion could get included as something of a "throw in." The quotes, however, on this part of the bill are ridiculous. Here's Senator Kirk's press release:

This bipartisan legislation increases the maximum allowable fines and imprisonment for many of the most common cyber-crimes, including identity theft and theft of personal information. Current law does not sufficiently punish cyber criminals, and incidences like these recent devastating breaches of confidential information must be punished more aggressively. By modernizing these punishments, as many prosecutors have requested, we will better align punishments to the degree of harm that these crimes may inflict on victims.

And Senator Gillibrand's:

The bill raises the maximum allowable fines and imprisonment for many of the statutes which cyber criminals are charged: identity theft, conspiracy to commit access device fraud, obtaining information from a protected computer without authorization and computer hacking with intent to defraud.

It's the whole "obtaining information from a protected computer without authorization" that is a serious concern here, as that's part of what's been widely abused. Both Kirk and Gillibrand use a lot of populist rhetoric about protecting people from all these scary data breaches out there, but it demonstrates a serious ignorance of how widely the CFAA (with insanely large existing punishments) has been used repeatedly for activities no one legitimately thinks of as malicious hacking. Furthermore, it suggests a pretty serious cluelessness about the incentives and motivations of those who commit many of those breaches. Increasing the number of years they could spend in time from crazily high to insanely high isn't going to change a damn thing. And if these two Senators can't understand that, they shouldn't be touching the CFAA at all.

* As an aside, it's plainly ridiculous for anyone to announce a new bill without releasing the actual text. Even more ridiculous: in searching for the text of the actual bill on both Senators websites, I note that the very first item highlighted on Senator Gillibrand's website is "Transparency" where it says "Senator Gillibrand believes that more openness and transparency in government leads to more accountability and better results." Well, you know what might helps with that transparency? If you actually release the text of the bills you're introducing when you introduce them so that people can take a look at them.

Filed Under: aaron swartz, cfaa, cfaa reform, hacking, kirsten gillibrand, mark kirk

Teen Changes Wallpaper On Teacher's Computer; Gets Charged With A Felony By Sheriff's Office

from the CFAA:-Teen-Edition dept

Change a teacher's desktop wallpaper? That's a felony.

The Pasco County Sheriff's Office has charged Domanik Green, an eighth-grader at Paul R. Smith Middle School, with an offense against a computer system and unauthorized access, a felony. Sheriff Chris Nocco said Thursday that Green logged onto the school's network on March 31 using an administrative-level password without permission. He then changed the background image on a teacher's computer to one showing two men kissing.

Seemingly everyone at every level of government wants to talk about cybersecurity. Most of what's discussed is delivered in the breathless cadence of a lifetime paranoiac. (Won't someone think of the poor multimillion-dollar studios?!!?) This school is one level of government. So is the sheriff's office. Both felt the 14-year-old's actions were severe enough to warrant felony charges. Why? Because somebody hacked something. If you can even call it "hacking…"

Green had previously received a three-day suspension for accessing the system inappropriately. Other students also got in trouble at the time, he said. It was a well-known trick, Green said, because the password was easy to remember: a teacher's last name. He said he discovered it by watching the teacher type it in.

The teen changed a computer's wallpaper and was able to do so because the most basic of security precautions weren't taken. Multiple students took advantage of this lax security to access computers with webcams so they could chat "face-to-face" while utilizing the school's network.

The school got all bent out of shape because some of the computers accessed contained encrypted test questions. It turned the student over to law enforcement because it deemed his "breach" of its system too "serious" to be handled by just a 10-day suspension. It had him arrested because of things he could have done, rather than the thing he actually did.

One of the computers Green, 14, accessed also had encrypted 2014 FCAT questions stored on it, though the sheriff and Pasco County School District officials said Green did not view or tamper with those files.

And yet, Sheriff Chris Nocco is still looking to prosecute a 14-year-old for attempting to annoy one of his teachers. Here's the student's description of what he did.

"So I logged out of that computer [because that computer didn't have a webcam] and logged into a different one and I logged into a teacher's computer who I didn't like and tried putting inappropriate pictures onto his computer to annoy him," Green said.

Here's Sheriff Nocco's statement:

"Even though some might say this is just a teenage prank, who knows what this teenager might have done," Nocco said.

Well... you do know what "he might have done," Sheriff Nocco. And yet, your response to this situation is to hand out felony charges to a teen for something he might have done? Is that the way law enforcement is really supposed to work? [The FBI has issued the following statement: "That's the way it works for us. Almost exclusively."]

He told you exactly what he did and why he did it. Your own investigative efforts confirmed he never accessed the oh-so-untouchable FCAT questions. Incredibly, Sheriff Nocco wants to not only punish this student for something he might have done, but any other teens who might do stuff.

The sheriff said Green's case should be a warning to other students: "If information comes back to us and we get evidence (that other kids have done it), they're going to face the same consequences," Nocco said.

Sheriff Nocco: I will arrest and charge teens with felonies for annoying educators and/or exposing their inability to make even the most minimal effort to keep their computers secure. If I lived in this county, I'd be very concerned that law enforcement officials are keen on the idea of arresting and prosecuting teens for stuff they didn't do (access test questions) or things they might have done (TBD as needed for maximum damage to teens' futures).

Filed Under: arrest, chris nocco, computers, domanik green, hacking, pasco county, pasco county sheriff, students, teachers

Judicial Committee Gives FBI The First OK It Needs To Hack Any Computer, Anywhere On The Planet

from the the-world-is-yours dept

The FBI and DOJ are one step closer to having one of their "keeping up with the digital Joneses" requests granted. While the default phone encryption offered by Apple (and at some point in the future by Google) still remains free of law enforcement/intelligence "Golden Backdoors," the agencies are one step closer to being legally permitted to hack nearly any computer in the world.

A judicial advisory panel Monday quietly approved a rule change that will broaden the FBI's hacking authority despite fears raised by Google that the amended language represents a "monumental" constitutional concern.

The Judicial Conference Advisory Committee on Criminal Rules voted 11-1 to modify an arcane federal rule to allow judges more flexibility in how they approve search warrants for electronic data, according to a Justice Department spokesman.

No longer bound by physical jurisdictions, the FBI will be able to perform remote searches all over the globe. This is its "21st century" fix -- a permission slip to implant malicious software in any computer, located anywhere, in order to track suspected criminals. That performing these actions may strain international relationships or break local laws is just the acceptable collateral damage inherent to modern-day crimefighting.

There's still plenty of time left before it goes into effect, and several chances that this rule change might be found to be just as potentially damaging -- both to the Fourth Amendment and rights of citizens in other nations -- as tech companies and privacy advocates are portraying it.

The judicial advisory committee's vote is only the first of several stamps of approval required within the federal judicial branch before the the rule change can formally take place—a process that will likely take over a year. The proposal is now subject to review by the Standing Committee on Rules of Practice and Procedure, which normally can approve amendments at its June meeting. The Judicial Conference is next in line to approve the rule, a move that would likely occur in September.

The Supreme Court would have until May 1, 2016 to review and accept the amendment, which Congress would then have seven months to reject, modify or defer. Absent any congressional action, the rule would take place on Dec. 1, 2016.

While the fight against the rule change will continue, its procession through the next couple of steps will likely be as quiet as its passage by the judicial advisory panel. Those in the position to shut this down are going to find it hard to argue against law enforcement and national security talking points.

Any light shed on "arcane" federal rules and laws should throw a bit on other outdated pieces of legislation, like the CFAA or the Stored Communications Act, which are more in need of an update than Rule 41. Of course, the DOJ likes those the way they are, what with their broad language and deference to law enforcement. Rather than bring American citizens "up to date" with fixes to those bad laws, we'll likely instead receive expanded government power with no corresponding bump for the governed. And as for the rest of the world -- it will be playing by our rules, whether it wants to or not.

Filed Under: doj, fbi, hacking, judicial conference, judicial conference advisory committee, overseas computers, rule 41
Companies: apple, google

Australian Government Prosecuting Anonymous Member Who Allegedly Exposed The Major Flaw In Its Data Retention Demands

from the prison-is-for-useful-people dept

Find a security flaw, go to jail. That's the general attitude of government entities around the world. Over in Australia, an Anonymous member and fundraising manager for a cancer support group is facing an ever-shifting number of charges for finding and testing security holes.

Adam John Bennett is a rather un-anonymous member of Anonymous. He also acts as an unofficial mouthpiece for Anonymous via his LoraxLive online radio show. His supposed participation in a large-scale hack saw him raided by Australian Federal Police in May of 2014. Since then, he's been awaiting prosecution for a variety of charges -- charges government prosecutors seem unable to pin down.

The data breach leading to Bennett's arrest involved a target of Australia's controversial data retention law, which requires ISPs to hold onto subscribers' internet activity (including social network use and emails) for two years and grant extensive access to a variety of government agencies.

AAPT confirmed it was breached in July 2012, following claims by an Australian sect of Anonymous that it snatched 40GB of data from the major Australian internet service provider (ISP).

After stripping out personally identifiable information from the data (which included members of the Australian government), Anonymous released the data to raise awareness around expectations of data security: To demonstrate that if an ISP as large and trusted as AAPT can't keep its own data secure, it will be unable to keep Australians' data safe under the proposed laws.

Rather than consider this a point well taken, the government went after Bennett. As for the prosecution itself, it's been a complete shambles.

On March 11, Adam Bennett -- known by most as the radio voice of Anonymous, LoraxLive, who was arrested last year for alleged computer crimes -- will finally learn what he's being charged with.

This had been expected to happen this week. Instead, at the last minute, Australian Commonwealth prosecutors -- for the third time since the case began 10 months ago -- requested another delay to change its lineup of accusations against him.

Maddeningly, the prosecution also indicated it will be dropping its initial charges against Bennett, and adding a slew of new ones.

Not only can't the government decide what to charge Bennett with, but it's also been instrumental in hamstringing his defense counsel. It's hard enough to structure a defense when charges remain largely unknown. It's even harder when the prosecution shows up late on the Friday before the next court date and dumps 20 GB of "evidence" into the defense's lap.

Even more irritating is the fact that the prosecution apparently hopes to add Bennett's vulnerability testing of his own employer to list of charges.

One of the charges Bennett's counsel expect to be in the final lineup is "Heartbleed Vulnerability Testing for Cancer Support W.A. 2014." This is in regard to a Heartbleed vulnerability test created by Bennett to test his employer's servers (Cancer Support W.A.) for Heartbleed vulns, which would have put the CRM that Bennett was involved in building for the organization at significant risk.

This addition of complete BS suggests the prosecution can't find much about the Anonymous ISP hack it can wrap charges around. Instead, it seems to be operating purely on bluster. Constant delays followed by last-minute data dumps aren't the sort of actions that indicate prosecutorial confidence. Instead, it gives the impression that the government hopes to obfuscate its way into a guilty verdict.

Meanwhile, Bennett is still living under restrictive bail conditions that prevent him from using the internet for anything other than banking, employment (he lost his job at the cancer support group after his arrest) or legal advice.

While the government may be right to complain about the unauthorized use of an ISP's data, it seems to be more concerned with making an example out of someone who may have had something to do with providing a practical demonstration of the stupidity of data retention laws. The fact that it's going after him for testing his own employer's defense against vulnerabilities suggests there will be some prosecutorial "piling on" when it finally gets around to enumerating its criminal charges -- presumably in hopes of deterring future exposures of flaws in its lawmaking logic.

This is what happens when governments try to "protect" citizens with little more than expansions of surveillance and law enforcement powers. Retained data is just as apt to be misused by cybercriminals as it is by law enforcement/security agencies. Any time you ask a third party to hold onto data it normally doesn't, it increases the risk of serious breaches involving plenty of normally private information. There are no exceptions. Anonymous exposed the short-sightedness of data retention laws. In response, the government has decided to shoot as many messengers as it can get its hands on.

Filed Under: adam bennett, adam john bennett, anonymous, australia, data retention, hacking, loraxlive
Companies: aapt