You are committing a crime right now

[malsploit]

Are you reading this blog? If so, you are committing a crime under 18 USC 1030(a) (better known as the “Computer Fraud & Abuse Act” or “CFAA”). That’s because I did not explicitly authorize you to access this site, but you accessed it anyway. Your screen has a resolution of 1920x1080. I know this, because (with malice aforethought) I clearly violated 18 USC 1030(a)(5)(A) by knowingly causing the transmission of JavaScript code to your browser to discover this information.

So we are all going to jail together.

That's silly, you say, because that’s not what the law means. Well, how do you know what the law means? The law is so vague that it’s impossible to tell.

The CFAA was written in 1986. Back then, to access a computer, you had to have an explicit user account and password. It was therefore easy to tell whether access was authorized or not. But then the web happened, and we started accessing computers all over the world without explicit authorization.

So, without user accounts or other form of explicit authorization, how do we tell if access to a website is “authorized” or not?

Well, we could come up with a theory of “implicit” authorization. Obviously I intend people to read this blog, and therefore, I’ve implicitly authorized you to do so. Likewise, your browser makes your screen size available to JavaScript so that websites can render better, so it’s implicit that you’ve authorized me to grab this information.

But what are the limits of implicit authorization? Let’s say you are reading a website that has “articleId=31337” at the end. You wonder what the next article is, so you go to the URL and change it “articleId=31338” and hit return. Have you “exceeded authorized access”? It’s hard to say. If article “31337” is public, why not “31338”?

But in our scenario, let’s say that article “31338” is a press release that is not intended to be published until tomorrow announcing the quarterly corporate earnings. While the article itself is online, a link to it won’t be posted to the home page until tomorrow, so not even Google spiders can find it. Because you’ve gotten early access, you can make a huge profit buying/selling stocks.

Is it your fault for accessing the pre-posted financial results? Or their fault for making them accessible? What does the Computer Fraud and Abuse Act say on this matter?

A well-known legal phrase is “ignorance of the law is no defense”. But that doesn’t really apply here. You know the law exists. You may have read it in detail. You may have even consulted your lawyer. It’s just that nobody can tell precisely whether this act as crossed the line between “authorized” and “unauthorized” access. We won’t know until if and when somebody tries to prosecute you.

Let’s say that instead of trying to profit from your accidental discovery, you simply post it to your blog, saying “look at what these idiots have done”. As a Fortune 500, the FBI takes notice, searches your home, confiscates all your computers, arrests you, and successfully convicts you under the CFAA.

This is selective enforcement. The FBI doesn’t go after everyone who adds one to a URL, only those who embarrass the Fortune 500. They don’t go after any cow in the herd, only those who stick their heads up. This violates the concept of “rule of law”. Everyone isn’t treated equally under law, some are treated more equally than others.

For cybersecurity researchers like me, this creates chilling effect. In order to fix security we have to point out when it’s broken. When we see this broken press release, what do we do? Do we keep our head down, or do we speak up? Even if we'll probably be found innocent, why take the risk? Better to keep quiet.

This is the issue behind the recent conviction of Andrew Auernheimer for “hacking” AT&T. The guy isn’t a criminal. He wasn’t trying to profit. He simply noticed that AT&T had made user accounts publicly available, and published proof. He believed that since the information was publicly available he was not exceeding authorization. He stuck his head up above the herd. For that, he was convicted today under the CFAA and is on his way to jail (well, currently still out on bail awaiting sentencing).

By the way, this post is based on the legal concept “void for vagueness". It’s good reading.

Errata Security: You are committing a crime right now

Vechi, dar interesant.

[syl3]

lol, not weev again