Search the Community
Showing results for tags 'law'.
-
In primul rind salut la toti , stiu sant nou pe aici nu vreau sa-mi sariti in cap toti ca vin si eu cu o intrebare mai simpla pentru unii , complicata pentru altii Niste fete cochete , foste colege de clasa de fapt mau rugat sa le ajut sa stearga pozele si video de pe saituri gen - http://camgirl.gallery , webcamrecordings.com . Fetele au plecat in strainatate si doresc sa si gaseasca un alt loc de munca decat cel de videochat dar au frica sa nu fie si acolo vazute si descoperite ce au facut in trecut . Am incercat cu DMCA de la saiturile respective dar nici un folos , apoi am apelat la google suport la fel nimic , de o luna caut solutii si nimic , poate voi imi puteti da un sfat . Am inteles ca saiturile respective sunt hostate in panama , ucraina sau rusia si nu tin cont de legile UE in felul asta nu se cam poate de facut nimic ?
-
Deleting your browser history could land you up in prison for 20 years in United States Clearing your browsing history is a crime in United States according to the Sarbanes-Oxley Act of 2002 In a recent article published in The Nation, it revealed the improper use of a law meant for completely different purposes by by federal prosecutors. The Sarbanes-Oxley Act of 2002 was meant to provide authorities with tools to prevent criminal behavior by corporations. It was put into practice after the Enron meltdown when it was found out that executives or their servants following orders torn into shreds every document they could think of which may prove them guilty. The legislation’s goal was to stop companies from committing large fraud and then damaging the evidence of their conspiratorial criminality while investigations were under way. The appropriate section of Sarbanes-Oxley reads as follows: Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both. Khairullozhon Matanov, a friend of the Tsarnaev brothers, the Boston Marathon bombers was interviewed by the Federal authorities about his association with them. However, the federal authorities never accused him for any activity linked to the bombing nor have they said that he was having knowledge of their plans or felt for them. During the interviews, he did however perpetrate a few small lies, of which none had any actual relation to the case. For instance, he lied that he had last time prayed with Tamerlan Tsarnaev together. On that grounds, … they charged him with four counts of obstruction of justice. There were three counts for making false statements based on the aforementioned lies and—remarkably—one count for destroying “any record, document or tangible object” with intent to obstruct a federal investigation. This last charge was for deleting videos on his computer that may have demonstrated his own terrorist sympathies and for clearing his browser history. Based on the records section of Sarbanes-Oxley mentioned above, the last charge was applied. The law meant to stop and punish corporate wrongdoing is instead used as a hammer against a private citizen to a great extent. Some people may feel that any possible application of a law is tolerable, especially in the continual war on terror. However, if that law is ever used against them, they might end up feeling differently about it. The most unpleasant or offensive part of this is that it is being used to punish “pre-crimes.” When Matanov deleted his browser history, he had not been accused of anything and was not aware that he was under a formal inquiry. His crime was not predictable that federal agents may someday make a decision to examine him and thus failing to maintain any self-incriminating potential evidence. As Hanni Fakhoury of the Electronic Frontiers Foundation put it, the government is saying: “Don’t even think about deleting anything that may be harmful to you, because we may come after you at some point in the future for some unforeseen reason and we want to be able to have access to that data. And if we don’t have access to that data, we’re going to slap an obstruction charge that has as 20-year maximum on you.” The article in The Nation shows that this is not an remote and unfair use of Sarbanes-Oxley, discussing many other similar cases. Traders and bankers danced away with multi-million dollar bonuses after their criminally reckless maneuvering almost put an end to the global economy. Their companies paid fines that are not worth to be considered for market manipulations and criminal money laundering. Until now, none of them have go to jail and none of them have been sued under Sarbanes-Oxley. However, it is a different rule of law for an undistinguished or average citizen. As more and more data are stored online, the government wants and believes it has the rights to access that data for policing purposes. But Fakhoury disagrees. “The idea that you have to create a record of where you’ve gone or open all your cupboards all the time and leave your front door unlocked and available for law enforcement inspection at any time is not the country we have established for ourselves more than 200 years ago.” This law has been in the books for thirteen years now. It has not managed to control the corporate wrongdoing, but it is proving to be having a negative effect on citizens who have never swindled a shareholder in their lives. Combined with federal investigations through our online communications and their efforts to break secure encryption in our data storage, they want us to completely give up our personal freedom of thought and privacy. Sursa: Deleting your browser history could land you up in prison for 20 years in United States
-
In a House Appropriations subcommittee hearing this morning on the FBI budget for the upcoming fiscal year, FBI Director James Comey was again critical of new encryption features from Apple and Google that he claims would make it impossible for law enforcement to access the contents of mobile device communications. This is not the first time the U.S. law enforcement and intelligence-gathering community has aired this complaint. Last month, NSA director Mike Rogers hit similar talking points at a New America Foundation event in D.C., calling on Congress to draft legislation providing a legal framework accessing encrypted communications. Comey claimed encryption was leading us to “a very, very dark place” in October of last year. The concerns follow announcements from Apple and Google that they deployed encryption for which not even they had the keys back in October. Today though, Congress got involved. “The new iPhone 6’s have an encryption in it that you can’t get in to and there is no backdoor key,” said Rep. Robert Aderholt (R-AL) as he reached into his pocket and pulled out his iPhone. “This is different from their predecessors. Their other phones you were able to get into. What is the FBI’s position on Google and Apple’s decision to encrypt these smart phones?” Comey replied that this reality was a huge problem for law enforcement because these new encryption implementations would make it impossible for law enforcement to execute court ordered warrants where phones were locked and communications data encrypted. “We’re drifting toward a place where a whole lot of people are going to be looking at us with tears in their eyes,” Comey argued, “and say ‘What do you mean you can’t? My daughter is missing. You have her phone. What do you mean you can’t tell me who she was texting with before she disappeared?” Comey went on to assure the attending members of Congress that he wasn’t seeking backdoors. He said he wants a way to access the content and communications data belonging to the subjects of criminal investigations after obtaining a warrant. Comey claims that local law enforcement officials around the country are very concerned, because, they claim, mobile communications content play an integral various investigations. While Comey was unable to quantify the effect of encryption technologies on FBI investigatory work, he did claim that it has become an obstacle in a massive amount of cases, saying it would only become more of a problem moving forward. “I’ve heard tech executives say privacy should be the paramount virtue,” Comey said. “When I hear that, I close my eyes and say, ‘Try to imagine what that world looks like where pedophiles can’t be seen, kidnappers can’t be seen, drug dealers can’t be seen.'” Rep. Aderholt then asked Comey what he needs from Congress in order to address the problem. Comey acknowledged that the issue is a complex one, but ultimately that the only reasonable fix would be a legislative one and not a financial one. “If you want to do business in this country,” Comey warned, “then you’re not going to be allowed to create spaces that are beyond the reach of the law.” Rep. John Carter (R-TX) wondered how companies are able to encrypt phones in such a way that their contents cannot be accessed while also getting compromised by attacks. “Cyber is just pounding me from every direction, and every time I hear something or something pops into my head, because I don’t know anything about this stuff, [but] if they can do that to a cell phone then why can’t they do that to a computer so no one can get into it,” Carter reasoned. “If that’s the case, then isn’t that a solution to the invaders from around the world trying to get in here?” Somehow Carter reigned in his stream of thought and brought it back to the point at hand, suggesting to his colleagues that encrypted smartphones were the perfect tool for lawlessness and in fact a violation of the Fourth Amendment, which allows for lawful search and seizure under warrant. In an attempt to make sense of the issue, the Representatives explained to one another that no safe in the world is unbreakable, so how is it legal that there could be encryption that is not accessible. They seemed to agree that the analogy was a valid one, though it some would argue that a safe and a cell phone are in reality nothing alike. On that note, Rep. Michael Honda (D-CA) suggested that potential legislation seeking access to phone data may be more akin to laws governing access to the content of a suspect’s own mind than to laws dealing with physical access. He contended that some sort of force of law compelling suspects to testify or disclose the information to access their phone under threat of contempt could be another way to work around encryption. Source
-
SACRAMENTO, Calif.—A California state bill that would require a warrant to access all kinds of digital data passed its first hurdle after being approved by the Senate Public Safety Committee on Tuesday. Among other sweeping new requirements to enhance digital privacy, the bill notably imposes a warrant requirement before police can access nearly any type of digital data produced by or contained within a device or service. In other words, that would include any use of a stingray, also known as a cell-site simulator, which can not only used to determine a phone’s location, but can also intercept calls and text messages. During the act of locating a phone, stingrays also sweep up information about nearby phones—not just the target phone. According to the bill's summary: If the California Electronic Communications Privacy Act (CalECPA) passes the California State Senate and the State Assembly, and is signed by the governor, it would mark a notable change for law enforcement in America’s most populous state. However, passage is not a sure thing. Previous versions of the bill were vetoed by the governor twice in 2012 and again in 2013. The bill was introduced in February 2015 by State Senator Mark Leno (D-San Francisco). Texas and other states already have similar laws on the books, while revision to the federal Electronic Communications Privacy Act (ECPA) has stalled for years. California law enforcement agencies, like others nationwide, have been cagey as to how stingray use is requested and carried out. Last week, the Anaheim Police Department published a version of a letter that had been prewritten by the FBI in a poor attempt to provide further disclosure about how they use the surveillance devices. Only one opposed In June 2014, the Supreme Court of the United States ruled unanimously in a case known as Riley v. California that law enforcement officials must obtain a warrant before searching the contents of an arrestee’s phone. Among other changes, the new bill would put the Golden State in compliance with that decision. The Senate Committee on Public Safety approved Senate Bill 178 (SB 178) by a vote of 6-1, with little discussion from the assembled senators. It faced just a modicum of opposition at this stage. "California residents use technology every day to connect, communicate, work and learn," Nicole Ozer, an attorney with the American Civil Liberties Union of California, testified from a prepared statement in favor of the bill. "Our state’s leading technology companies rely on consumer confidence in these services to help power the California economy. "But consumers are increasingly concerned about warrantless government access to their digital information, and for good reason. While technology has advanced exponentially, California privacy law has remained largely unchanged. Law enforcement is increasingly taking advantage of outdated privacy laws to turn mobile phones into tracking devices and to access e-mails, digital documents, and text messages without proper judicial oversight." In the pre-cellphone era, a "pen register and trap and trace order" allowed law enforcement to obtain someone's calling metadata in near real-time from the telephone company. Now, that same data can also be gathered directly by the cops themselves through the use of a stingray. In some cases, police have gone to judges asking for such a device or have falsely claimed the existence of a confidential informant while in fact deploying this particularly sweeping and invasive surveillance tool. Most judges are likely to sign off on a pen register application not fully understanding that police are actually asking for permission to use a stingray. Under federal law, pen registers are granted under a very low standard: authorities must simply show that the information obtained from the pen register is "relevant to an ongoing criminal investigation." That is a far lower standard than being forced to show probable cause for a search warrant or wiretap order. A wiretap requires law enforcement to not only specifically describe the alleged crimes but also to demonstrate that all other means of investigation had been exhausted or would fail if they were attempted. California doesn’t actually have a specific pen register statute—a pen/trap application template that Ars recently obtained from the Oakland Police Department under a public records request cites the federal statute. However, that practice goes against a 2003 opinion from the California Attorney General. The AG concluded that because California affords its citizens more privacy under the state constitution than does federal law, a state law enforcement officer cannot use a federal statute for a pen/trap order. Cops don’t like it After more testimony, the committee members heard from Marty Vranicar of the California District Attorneys Association (CDAA) and Aaron McGuire, a lobbyist for the California Sheriff's Association (CSA). Vranicar told the committee that the bill would "undermine efforts to find child exploitation," specifically child pornography. "SB 178 threatens law enforcement’s ability to conduct undercover child porn investigation. the so-called peer-to-peer investigations," he said. "Officers, after creating online profiles—these e-mails provide metadata that is the key to providing information. This would effectively end online undercover investigations in California." Ars was unable to obtain the letters filed by Vranicar and McGuire to the committee that more fully outlined their opposition. However, no other members of the public nor other groups spoke up in favor of the law enforcement position. By contrast, SB 178 has notable support from a number of established organizations and tech companies, including the Council on American Islamic Relations, the California Newspaper Publishers Association, Twitter, Facebook, Microsoft, and Google, among others. After Vranicar and McGuire spoke, they faced just one question from Sen. Joel Anderson (R-San Diego County), who said that he wanted to see revision suggested by the law enforcement establishment. "One of the issues that I have is that people's cellphones are being abused," he said, holding up his iPhone. "It's clear that that's happening. I think you need to figure out how to be part of that solution. "While you want to stop criminal behavior, it can't be at the price of liberty. If you have the right to break into my house, with a warrant and take my computer, that should be the standard for phones as well." The committee seemed unmoved by law enforcement concerns, and passed the bill handily. It now moves to the Senate Appropriations Committee before eventually going on to the entire state Senate. Source
-
- bill
- california
-
(and 3 more)
Tagged with:
-
The federal government is seeking more legal power to step in and shut down botnets through an amendment to the existing criminal law, which would allow the Department of Justice to obtain injunctions to disrupt these malicious networks. The Obama administration has proposed an amendment to existing United Stated federal law that would give it a more powerful tool to go after botnets such as GameOver Zeus, Asprox and others. In recent years, Justice, along with private security firms and law enforcement agencies in Europe, have taken down various incarnations of a number of major botnets, including GameOver Zeus and Coreflood. These actions have had varying levels of success, with the GOZ takedown being perhaps the most effective, as it also had the effect of disrupting the infrastructure used by the CryptoLocker ransomware. As part of those takedown operations, the Department of Justice files civil lawsuits against alleged operators of the botnets, and sometimes their hosting providers, and also obtains injunctions that enable the government to sinkhole C2 servers or take physical control of those machines. Now, the administration would like to expand those powers. “One powerful tool that the department has used to disrupt botnets and free victim computers from criminal malware is the civil injunction process. Current law gives federal courts the authority to issue injunctions to stop the ongoing commission of specified fraud crimes or illegal wiretapping, by authorizing actions that prevent a continuing and substantial injury. This authority played a crucial role in the department’s successful disruption of the Coreflood botnet in 2011 and the Gameover Zeus botnet in 2014,” Leslie R. Caldwell, assistant attorney general in the criminal division at the Department of Justice, wrote in a blog post explaining the administration’s position. “The problem is that current law only permits courts to consider injunctions for limited crimes, including certain frauds and illegal wiretapping. Botnets, however, can be used for many different types of illegal activity. They can be used to steal sensitive corporate information, to harvest email account addresses, to hack other computers, or to execute DDoS attacks against web sites or other computers. Yet — depending on the facts of any given case — these crimes may not constitute fraud or illegal wiretapping. In those cases, courts may lack the statutory authority to consider an application by prosecutors for an injunction to disrupt the botnets in the same way that injunctions were successfully used to incapacitate the Coreflood and Gameover Zeus botnets.” In order to obtain an injunction in these cases, the government would need to sue the defendants in civil court and show that its suit is likely to succeed on its merits. “The Administration’s proposed amendment would add activities like the operation of a botnet to the list of offenses eligible for injunctive relief. Specifically, the amendment would permit the department to seek an injunction to prevent ongoing hacking violations in cases where 100 or more victim computers have been hacked. This numerical threshold focuses the injunctive authority on enjoining the creation, maintenance, operation, or use of a botnet, as well as other widespread attacks on computers using malicious software (such as “ransomware” ),” Caldwell wrote. One hundred machines is a low number for a botnet, and indeed would barely even qualify as a botnet in today’s environment, which includes many networks comprising hundreds of thousands or millions of compromised PCs. Mark Jaycox, a legislative analyst for the EFF, said that the proposal from the Obama administration may be overreaching. “The blog post posits that IP/trade secret concerns are reasons that are not already covered to take down botnets. That’s a civil/private context and we’ve seen private companies use the Lanham Act to handle that angle. Seems like the DOJ is pushing for a more expansive law. As of now, we’ve seen DOJ been able to handle takedowns with the resources and laws that are already provided to them,” Jaycox said. “We’d like to see a particular use case where they couldn’t use their already aggressive interpretation of the current law to take down botnets. If anything, we should be narrowing the current anti-hacking statute and computer laws because of their excessive breadth.” Source
-
On May 30, 2014, law enforcement officials from the FBI and Europol seized a series of servers that were being used to help operate the GameOver Zeus botnet, an especially pernicious and troublesome piece of malware. The authorities also began an international manhunt for a Russian man they said was connected to operating the botnet, but the most significant piece of the operation was a side effect: the disruption of the infrastructure used to distribute the CryptoLocker ransomware. The takedown was the result of months of investigation by law enforcement and security researchers, many of whom were collaborating as part of a working group that had come together to dig into CryptoLocker’s inner workings. The cadre of researchers included reverse engineers, mathematicians and botnet experts, and the group quickly discovered that the gang behind CryptoLocker, which emerged in 2013, knew what it was doing. Not only was the crew piggybacking on the GameOver Zeus infections to reach a broader audience, but it also was using a sophisticated domain-generation algorithm to generate fresh command-and-control domains quickly. That kept the CryptoLocker crew ahead of researchers and law enforcement for a time. “The interesting thing is all the opsec involved in this. The architecture thought out with this was really clear. The people working on this really sat down and architected and then engineered something,” said Lance James of Deloitte & Touche, who spoke about the takedown effort at Black Hat last year. “It took a lot more people on our side to hit it harder.” CryptoLocker has become the poster child for a new wave of threats that are designed to relieve victims of their money through the threat of losing all of their files. The malware, like its descendants Cryptowall, Critroni, Crowti and many others, encrypt the contents of victims’ PCs and demands a payment, usually in Bitcoin, in order to get the decryption key. Millions of victims have been hit by these threats in the last couple of years, but putting a number on infections and a dollar value on how much money the crews are making is difficult. However, with ransom payments ranging from less than $100 to as much as $300 or more, the criminals behind these ransomware families are building multimillion dollar businesses on the fear and desperation of their victims. Despite the sudden appearance of CryptoLocker and the other more recent kinds of ransomware, the concept itself is not new. As far back as the late 1980s, early versions of crypto ransomware were showing up and security researchers began looking at the problem by the mid-1990s. By the mid-2000s, more and more crypto ransomware variants were popping up, but it wasn’t until CryptoLocker reared its head in 2013 that the scope and potential damage of the threat came into sharp focus. Victims, researchers and law enforcement soon realized that the game had changed. “Just imagine the scale of how many people are being held for ransom with these threats. It’s mind-boggling,” said Anup Ghosh, CEO of security vendor Invincea, which has done research on ransomware threats. “It’s someone else’s problem until your own personal information gets encrypted and you can’t access your work data and photos. The personal pain is so much more dramatic than any other intrusion.” For all the attention that CryptoLocker and Cryptowall and the other variants have gotten from the media and security researchers, enterprises haven’t yet totally caught on to the severity of the threat. Much of the infection activity by crypto ransomware has targeted consumers thus far, as they’re more likely to pay the ransom to get their data back. But Ghosh said that’s likely to change soon. “It’s not even on their radar. It’s similar to banking Trojans in terms of what IT guys think of it,” Ghosh said. “They treat it as an individual problem and as a reason to slap people on the wrist. ‘Oh, you must have done something bad’.” Ransomware gangs use a variety of methods to infect new victims, including riding shotgun on other malware infections and through drive-by downloads. But perhaps the most common infection method is through spam messages carrying infected attachments. These often look like FedEx shipping notifications or fake invoices. When a user opens the attachment, the malware infects the machine and encrypts the files. But the crypto ransomware gangs don’t operate on their own. They have support systems, developers and other systems in place to help them create their malware and cash out the profits. “CryptoLocker and GameOver Zeus were often installed alongside each other, and now you see these groups improving from there and specializing,” said John Miller, manager, ThreatScape cyber crime, at iSIGHT Partners. “There’s so much momentum behind ransomware operations and the black markets that support it, we expect it to be a problem for the foreseeable future. There are people selling ransomware, customization services for countries and distribution services for getting it onto machines or phones.” How much money is involved? Millions and millions of dollars. In just the first six months of operation, the Cryptowall malware generated more than a million dollars in revenue for its creators, according to research from Dell SecureWorks. That’s one group using one variant of crypto ransomware. And there are dozens, if not hundreds, of other groups running similar operations. Where CryptoLocker innovated with the use of strong encryption and demand for Bitcoin as ransom, other groups have taken the concept and run with it. The Critroni, or CTB-Locker, ransomware not only accepts Bitcoin, but it also uses elliptic curve cryptography and employs the Tor network for command-and-control. The group behind Cryptowall also goes to some lengths to ensure that the ransomware is on the right kind of machine before it runs. “They went through a lot of work to hide the executable in encryption, to check if it’s running in a virtual machine, and the ability to exploit multiple environments,” said Cisco Talos security research engineer Earl Carter. “So much was put into Cryptowall 2.0. Someone went to a lot of work on the front end to avoid detection.” The piles of money and growing complaints from victims has begun to draw the attention of law enforcement, as evidenced by the GameOver Zeus-CryptoLocker takedown and actions against the Reveton ransomware operation. Researchers expect the level of law enforcement interest to grow, especially as ransomware infects more enterprises and the profits for attackers continue to grow. “Now that it’s become apparent how much damage ransomware is causing, law enforcement is paying attention,” Miller said. “It’s gotten their attention in a big way. It’s in their scope. But it hasn’t been targeted very much by takedown activity. A lot of the criminals operating this feel that because what they’re doing is stealing virtual currency from individuals it’s less likely to see law enforcement attention. “The biggest reason this environment will change is sustained law enforcement action.” Source
-
- cryptolocker
- enforcement
-
(and 3 more)
Tagged with:
-
Breach Notification refers to the notification that businesses, government agencies and other entities are required by law in most states to do when certain personally identifiable information is obtained or believed to have been obtained by an unauthorized party. The breach can occur when a system is hacked or when a device containing sensitive information is lost, stolen or inadvertently sold. Personally identifiable information, also known as PII, is information that on its own or in conjunction with other information can be used to identify a person—the latter can include, for example, a name combined with a Social Security number, driver’s license number, bank account or credit card number. The first state breach notification law was passed in California in 2002 and went into effect the following year. Among the first breaches reported under the new law occurred in 2004 when a bank card processing company CardSystems Solutions was hacked. CardSystems Solutions processed purchasing transactions for its retailer customers by sending the card account data to the correct bank or issuer for authorization. Some 263,000 card numbers were verified stolen in the hack, but nearly 40 million card numbers were exposed to the hackers. The data involved card transactions that CardSystems had retained on its system long after the transactions were completed and that had been stored in an unencrypted format. The breach began in September 2004 but wasn’t discovered until May 2005. It was the first major breach disclosed under the new California law. Also among the first companies disclosing a breach under the new law was Choicepoint. The data broker sent letters to 145,000 people in February 2005 notifying them that it had mistakenly sold personal data about them to identity thieves. ChoicePoint was in the business of collection financial, medical and other information on billions of people in order to sell it to other marketers, other businesses and government agencies. The thieves had posed as legitimate businesses to open customer accounts with the massive data broker, then subsequently succeeded to purchase Social Security numbers, credit histories and other information that ChoicePoint had collected on them. Since the California law was passed, another forty-six states and the District of Columbia have passed similar legislation. Alabama, New Mexico and South Dakota do not have breach laws. This patchwork of laws has resulted in uneven and confusing requirements for businesses with customers in multiple states. The laws vary on a number of things, including when notification needs to occur, how notification should occur and exemptions from notification. Federal lawmakers have been trying for years to remedy this confusing patchwork of laws by passing a federal law that would take precedent over all of them. But the proposed bills have failed to take hold on Capitol Hill. President Obama and the White House began pushing another bill in January 2015 that would require breached entities to notify affected victims within 30 days of discovering the breach, though critics say this renewed push for a mandatory notification period will likely suffer the same problems previous bills had. Source
-
Obama’s proposed hacking law could unwittingly make you a criminal Next week, Obama is expected to unveil an update to the US’ CFAA law against hacking in a State of the Union address, hot on the tail of Sony’s massive hacking attack that unfolded in late 2014. A draft version of the new law has been published on the White House website and gives us a look into a scary future in which clicking a single link could make you complicit in committing a hacking crime. A letter accompanying the proposal dated January 13 introduces the new law to Congress for discussion. Remember when Sony wanted to sue Twitter (and individual users) who posted screenshots or links to its stolen data? According to Errata Security, these new laws could pin you as a “racketeer” who willingly participated in hacking if you were one of those users (or if you clicked one of those links); punishable by up to 10 years in jail. Didn’t click a link? There are plenty of other ways you could be in legal trouble; Errata points out that something as trivial as being in an IRC channel where others are discussing a hack or having an online conversation with a “hacker” could make you a member of a “criminal enterprise,” which would allow the FBI to confiscate all your electronics. The piece of legislation also could cover data like email address and password dumps that might be found on services like Pastebin. If you accessed one of those knowingly, you could be punishable for the complete hacking offense under the draft legislation. This is to say, that if you accessed a data leak from inside a company that was shared online by another party, the language in the updated proposal says that you would now be punishable to the same extent as those who performed the hacking themselves. That’s up to 20 years in prison, along with other potential penalties. The proposed legislation is also worrisome for those in the penetration testing industry. I talked with Dan Tentler, a prominent computer security researcher on Twitter, who is worried that his job itself could become legally sketchy. Dan Tentler @vIss so the whitehouse thinks that by disarming the good guys, it'll stop bad guys. Good job, fellas. *slow clap* Obama’s proposal — which is expected to be made next week — has a few major hurdles to make it into actual law, but it’s cause for concern that even a draft is so broad about the definition of hacking itself and who can be held accountable for it. Tentler expressed concerns that the definition of “protected computer” is so vague that it could be stretched to almost anything. Is a “protected computer” one that is wide open to the internet with minimal security? Or does simply having a basic firewall enabled imply protection? The Washington Post expressed similar concerns, citing that it’s hard to define when a computer is protected if information is available online, without hindrance. The wording could make almost anyone who found themselves stumbling over data they shouldn’t — let alone those that make a living searching for and reporting security flaws — liable for a crime they didn’t commit. Errata Security also pointed out in its blog that “most hacking is international and anonymous” and says the government “can’t catch the perpetrators no matter how much they criminalize the activities.” He believes that instead, “while Obama’s new laws will dramatically increase hacking prosecutions, they’ll be of largely innocent people rather than the real hackers that matter.” The story of Weev’s imprisonment in 2013 for accessing and sharing data that wasn’t properly protected shows how vague laws can be a problem in a world where companies often aren’t being held responsible for customer data. Since it’s still early days for the law, it’s hard to say what the implications truly could be, but if it’s as broad as it appears, it could put people in danger unwittingly. Cyber security legislation is important in the wake of the Sony hack, but this doesn’t appear to be the right way to go about it. Obama's Proposed Hacking Law Could Make You a Criminal