Search the Community

0d1n is a web security tool for fuzzing various HTTP payloads. It's written in C and uses libcurl. Download

The Obama administration, currently engaged in a war of words with North Korea over the recent hacking of Sony Pictures Entertainment, is calling on Congress to increase prison sentences for hackers and to expand the definition of hacking. During next week's State of the Union address, the president is set to publicly urge increased prison time and other changes to the Computer Fraud and Abuse Act—the statute that was used to prosecute Internet activist Aaron Swartz before he committed suicide in 2013. At issue is the Computer Fraud and Abuse Act (CFAA), passed in 1984 to bolster the government's ability to nab hackers who destroy or disrupt computer functionality or who steal information. In general, the CFAA makes it illegal to "knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period." Obama said Tuesday, "We want cybercriminals to feel the full force of American justice, because they are doing as much damage—if not more, these days—as folks who are involved in more conventional crime." Among other things, penalties under Obama's plan would increase from a maximum five-year penalty to 10 years for pure hacking acts, like circumventing a technological barrier. What's more, the law would expand the definition of what "exceeds authorized access" means. A hacker would exceed authorization when accessing information "for a purpose that the accesser knows is not authorized by the computer owner." That raised the eyebrows of researchers and scholars alike. That language is "awkward," according to Orin Kerr, a professor and CFAA expert who has defended Lori Drew and Andrew "weev" Auernheimer in CFAA criminal prosecutions. "For example, if your employer has a policy that 'company computers can be accessed only for work-related purposes,' and you access the computer for personal reasons, then you presumably would be accessing the computer for a purpose that you know the employer has not allowed," Kerr said Wednesday. Kerr continued: Kerr said his "biggest concern" surrounds accepted social computing practices, or as he calls it—"norms-based" liability. He said: More broadly, Kerr added, "The expansion of 'exceeding authorized access' would seem to allow lots of prosecutions under a 'you knew the computer owner wouldn't like that' theory. And that strikes me as a dangerous idea, as it focuses on the subjective wishes of the computer owner instead of the individual’s actual conduct." Security expert Robert Graham said Wednesday that the proposal would affect "cybersecurity professionals that protect the Internet. If you cared about things such as 'national security' and 'cyberterrorism,' then this should be your biggest fear. Because of our knowledge, we do innocent things that look to outsiders like 'hacking.' Protecting computers often means attacking them. The more you crack down on hackers, the more of a chilling effect you create in our profession. This creates an open door for nation-state hackers and the real cybercriminals." Source