Cybersecurity and Computer Crimes: Difference between revisions
Gary Brown (talk | contribs)
(→Links: Added class links)
Latest revision as of 10:20, 7 April 2015
March 31
Last week we looked at hacking as a form of social protest. This week, we take a closer look at the more sinister side of hacking, and the various responses to it. Hacking at its heart involves modifying or intruding upon another’s system. But not all intrusion is socially harmful, and laws against hacking have a troubling (and at times, tragic) history of being misused. How big a threat is hacking, really? How should systems respond to hacking? What, if anything, should be the role of government? In what ways can we govern those who don’t consider code to be a governing influence?
Assignment 3
Assignment 3 is due before class today. You can upload that here.
Readings
- Cybersecurity
- Brian Krebs, "The Scrap Value of a Hacked PC (infographic)," Oct 2012
- Bill Hardekopf, "The Big Data Breaches of 2014," Forbes, January 13, 2015
- Liana Baker and Jim Finkle, "Sony Playstation suffers massive data breach," Reuters, April 26, 2011
- Sean Gallagher, "Hackers Promise 'Christmas Present' Sony Pictures Won't Like," Ars Technica, December 15, 2015 (for more on this, see here and here)
- Peter Bright, "US Government Fingers North Korea as the Sony Hackers," Ars Technica, December 17, 2014
- Computer Crimes
- United States Department of Justice, Prosecuting Computer Crimes (read pages 1-11: Introduction to the Computer Fraud and Abuse Act and Key Definitions)
- Case studies
Optional Readings
- Intelligence Squared Debate: "The Cyberwar Threat Has Been Grossly Exaggerated" (an Oxford-style debate with Marc Rotenberg, Bruce Schneier, Mike McConnell, and Jonathan Zittrain; watch the video of the debate)
Videos Watched in Class
Links from class discussion
Robots.txt files: http://en.wikipedia.org/wiki/Robots_exclusion_standard
LOIC: http://en.wikipedia.org/wiki/Low_Orbit_Ion_Cannon
Amazon Web Services can be used, for example, to stop DDoS attacks like those from LOIC: http://www.slideshare.net/AmazonWebServices/ddos-resiliency-with-amazon-web-services-sec305-aws-reinvent-2013
VPN: http://en.wikipedia.org/wiki/Virtual_private_network
Streaming the Olympics: http://lifehacker.com/5930437/how-an-american-can-stream-the-bbcs-official-olympics-coverage-and-overcome-nbcfail
Google tips: https://support.google.com/websearch/answer/2466433?hl=en
Civil vs Criminal Law: http://litigation.findlaw.com/filing-a-lawsuit/civil-cases-vs-criminal-cases-key-differences.html
Felony vs Misdemeanor: http://criminal.findlaw.com/criminal-law-basics/what-distinguishes-a-misdemeanor-from-a-felony.html
Catfishing: http://www.mtv.com/shows/catfish/
Bros Swiping Bros: http://www.theverge.com/2015/3/25/8277743/tinder-hack-bros-swiping-bros
Snapchat images stored: http://www.dailymail.co.uk/sciencetech/article-2322661/Gone-forgotten-Deleted-Snapchat-photos-stored-phone-easily-downloaded-claims-forensics-firm.html
Weev Case: http://en.wikipedia.org/wiki/Weev
MAC Address: http://en.wikipedia.org/wiki/MAC_address
ICCID: http://en.wikipedia.org/wiki/Subscriber_identity_module
Photographing people through their windows: http://nypost.com/2013/08/09/judge-backs-the-right-of-creepy-tribeca-artist-to-photograph-people-through-their-windows/
War Games Trailer: https://www.youtube.com/watch?v=-OyoNR4kiJ0
US v Nosal: http://en.wikipedia.org/wiki/United_States_v._Nosal
NSA doesn't know what Snowden took: http://www.newsweek.com/how-much-did-snowden-take-not-even-nsa-really-knows-253940
CIA "Black Bag" jobs: http://www.theverge.com/2013/7/17/4532788/cia-black-bag-squads-get-data-the-old-fashioned-way
The famous hacker Kevin Mitnick largely capitalized on social engineering: http://en.wikipedia.org/wiki/Kevin_Mitnick
Lulzsec: http://en.wikipedia.org/wiki/LulzSec
MySQL: http://en.wikipedia.org/wiki/MySQL
This is called a SQL Injection: http://en.wikipedia.org/wiki/SQL_injection
XKCD cartoon about SQL Injection: https://xkcd.com/327/
Zero day: http://en.wikipedia.org/wiki/Zero-day_attack
One of the LulzSec members has been helping the FBI: http://www.bbc.com/news/technology-27579765
One member of the Berkman Team also had his Twitter handle stolen: http://www.theverge.com/2012/10/3/3448932/twitter-blanket-high-profile-handle-hack
Article about Mat Honan: http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/
hash function: http://en.wikipedia.org/wiki/Hash_function
Former Twitter General Counsel AMac: http://allthingsd.com/20130830/twitter-general-counsel-alexander-macgillivray-to-leave-company/
Sony was relegated to using fax machines after the hack wiped out their systems: http://www.businessinsider.com/sony-execs-use-fax-machines-after-hack-wiped-out-email-2014-12
Recent research is showing how to break even airgapped computers: http://www.wired.com/2015/03/stealing-data-computers-using-heat/
The Obama quote is from the President's Executive Order on Cybersecurity: http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf
US Cyber Command: http://en.wikipedia.org/wiki/United_States_Cyber_Command
Most common passwords: http://gizmodo.com/the-25-most-popular-passwords-of-2014-were-all-doomed-1680596951
Visualizing number of lines of code: http://www.phonearena.com/news/Lines-of-code-How-our-favorite-apps-stack-up-against-the-rest-of-tech_id49281
Class Discussion
Operation Payback seems to be one of the more nonsensical, and perhaps simply juvenile examples listed in these hacks (hopefully I'm not hacked for this -- hello out there Anonymous!). The violation of free speech that occurs as a result of these cyberattacks seems to be in direct opposition to the message of open internet platforms. When sites are pulled down (even if temporarily) free speech suffers as do those who may depend on the contents of the site. For example, if a constituent was looking to contact Senator Lieberman who was attacked, a shutdown of his site could block this. Furthermore, while I understand the qualms that Anonymous has with copyrights, I don't know how a musician could produce new music without any sort of revenue from sales. This also causes a threat to free speech. Gene Simmons has never made more sense than on this issue. (Amchugh (talk) 15:02, 31 March 2015 (EDT))
There are several types of hacking, including for example reputation hijacking, hacking account or financial credentials and bot activity. This is something that affects private citizens as well as large companies and governments. In the article “Sony Playstation suffers massive data breach”, that deals with a hacker attack against Sony in 2011, Baker and Finkle write “In the rush to get out innovative new products, security can sometimes take a back seat.” The interesting question here is if it will continue the same way, or if consumers will put more pressure on companies to care about security.
The article “Hackers promise ‘Christmas present’ Sony Pictures won’t like” deals with other hacker attacks on Sony and the quote “The sooner SPE accept our demands, the better, of course…The farther time goes by, the worse state SPE will be put into and we will have Sony go bankrupt in the end.” shows what power the hackers can have in the computer-based society of today. Hacking can be used to blackmail people, companies and governments.
Operation Payback was a group of attacks on opponents of Internet privacy by the decentralized community “Anonymous”. It all began with the crisis on Wikileaks, when they were under pressure after publishing secret U.S. diplomatic cables. Anonymous was on the side of Wikileaks and there it began. What made me really angry was when I read that Anonymous threatened to disrupt British government websites because the group opposed the possible act of handing over Julian Assange (who is often called the founder of Wikileaks) to Sweden. This is upsetting in at least three ways.
Firstly, it would have been an act that would’ve denied the British citizens information that they by law have the right to access.
Secondly, it is to indirectly aggravate a lawsuit, since the reason why the Swedish court system wanted Assange to be extradited was that there had been a subpoena about rape directed towards Assange. To make it difficult for the court system to plead someone guilty or not guilty is a very serious thing to do.
Thirdly, it is illegal and there are other ways of changing laws and systems. The laws are made by the government and the government is chosen by the citizens. To believe that you are above the laws is also to believe that you are above other citizens. Laws are there for a reason and if you don’t like it, you can either vote differently or try to change the opinion in ways that don’t hurt others.
Anonymous acted this way because they believe that information should be free and open for everyone to see. It is therefore very weird and contradictory that they protest through doing exactly what they are protesting against, i.e. limiting and blocking information.
As a conclusion to my thoughts, I want to say that I believe that Internet terror is the future military threat against most countries. It might be on the Internet that our future wars will be held. Consequently, we can’t dismiss crimes on the Internet as “something that is just on the Internet and not in the real world”, but instead look at the Internet as a natural part of our society. JosefinS (talk) 07:51, 25 March 2015 (EDT)
The first thing that comes to mind about cyber security and computer crimes are the financial errors in stock markets. As a stock trader, I get rather fearful when potential security issues happen. I’m not sure if they count as security issues, or… issues with their algorithms or partially hacking. Those would result in crashes. The second thing that comes to mind are those “reputation hijacking” (ref 1) on social networks. A family member of mine had this happen to her. She was using the application Line, and somehow pressed a bad link which asked for her logins. That wasn’t a smart move, but for a novice internet user, they would likely follow those instructions assuming it is legitimate. The end result was a long process of letting her friends know it was a hack, and to secure potential credit card information, etc. Therefore I really liked reference 1 which shows all the potential hacks others could do to a PC. I would suspect I had personally experienced a few of them.
References 2, 3, and 4 become very exciting to see the power of hackers obtaining information of normal citizens. Are we really safe by providing our information to corporations online? 77 million user accounts hacked, that is quite something. Not only is privacy an issue here, it also questions if authorities have what it takes to prevent these issues from happening. Sony not announcing it till Tuesday was, in my opinion, also a breach of its customers’ trust. It does raise a fair point of how the hackers will use the information that was illegally obtained. Will there be an outlet for the hackers to use it? Are these hacks individual, or are they political? It appears that hackers are yielding too much power. I still hold by my beliefs that “winners” take all. The winners get everything. Once a hacker cracks a code; that’s it, they can decrypt everything and obtain everything. Of course, as the US claims, it was hackers from Korea, most likely due to the release of The Interview. Personally I think it isn’t as bad as Team America that was released 10 years ago.
As I mentioned for last week’s readings, Anonymous has a lot of power. Not exactly sure if it is a good thing or a bad thing. But we should also consider if what they’re doing is just or not. Is it just to give “justice” to the ones they think deem it? Are they above the law? I’m not sure. As Operation Payback and Project Chanology have shown us. Were they really being just for doing what they did? Were they off base? I think the founder of Scientology website does have a point…
Heldal-Lund commented, "People should be able to have easy access to both sides and make up their own opinions. Freedom of speech means we need to allow all to speak - including those we strongly disagree with. I am of the opinion that the Church of Scientology is a criminal organisation and a cult which is designed by its delusional founder to abuse people. I am still committed to fight for their right to speak their opinion."
So it is therefore unconstitutional for what Anonymous did. This also led me to think about Edward Snowden. Was he really doing good for society, or was he doing it for fame, and his own ideals of justice? What constitutes as constitutional? This argument was shared by the United Kingdom Intellectual Property Office too, as they had said the below after Operation Payback.
“The United Kingdom Intellectual Property Office said that when its site was attacked, those responsible were depriving its citizens of access to information they have a democratic right to access. Other critics claimed the attacks restricted Gene Simmons' right to free speech.”
Anonymous is not pro-democracy. They want to dictate what is right or wrong in their own hands. If they did things that reflected what people really believed in, then I believe they have done things “just”-ly. But to deprive people of their basic right to speech and beliefs; I’m not so sure. Was it a troll taken too far?
There have been increasing amounts of threats that we face, such as “Destroy Obama Care”. Also Forbes gives a whole list of the top 20 data breaches. They are increasing in numbers, and it seems like corporations don’t know what to do. Just as technology has enhanced their reach, they would also be required to invest in technological defense against these potential hackers. It also feels that law really lags behind technology a lot. Technology advances so quickly that law requires time to pass. The amendments to the CFAA, which occurred many times. I believe there needs to be a better way to enforce new laws at the same pace as technological advancement, otherwise law would always be a step behind.
References:
http://krebsonsecurity.com/wp-content/uploads/2012/10/HackedPC2012.png
http://www.reuters.com/article/2011/04/26/us-sony-stoldendata-idUSTRE73P6WB20110426
http://arstechnica.com/security/2014/12/hackers-promise-christmas-present-sony-pictures-wont-like/
http://arstechnica.com/security/2014/12/us-government-fingers-north-korea-as-the-sony-hackers/
https://en.wikipedia.org/wiki/Project_Chanology
https://en.wikipedia.org/wiki/Operation_Payback
http://www.csmonitor.com/Technology/2013/1113/Hacking-tool-threatens-Healthcare.gov-site
http://www.forbes.com/sites/moneybuilder/2015/01/13/the-big-data-breaches-of-2014/
http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf
Caelum (talk) 17:32, 28 March 2015 (EDT)
A New Species of Crime – A New Species of Enforcement?
The 1986 Congress’ well meaning but clumsy efforts to address the world of computer crimes with the Computer Fraud and Abuse Act (CFAA)—and its eight subsequent amendments in a span of 10 years (pg 2. http://www.justice.gov/criminal/cybercrime/docs/ccmanual.pdf) is a dismal picture of what happens when Ignorance marries Power. Or perhaps it was simply inevitable that the speed of Internet technology and hacking techniques would outdash the pace of the lugubrious State – a race that does not look too bright for lawmakers going through the usual snail’s pace of lawmaking.
Laskow’s article about the Scripps reporters prosecuted for hacking crimes because they engaged in industry practice to download publicly available information serves a chilling anecdote for the innumerable “crimes” committed everyday by the Internet-accessing world. Once again, in this course, we encounter a crisis of definition; this one is perhaps, the most sinister crisis in terms of criminal prosecution (compared to debates about the definitions of civic engagement or privacy, and their entailing prosecutions, for instance).
The speed by which hackers are able to change their tactics, work around legal frameworks of the CFAA, or simply develop more invisible but potent means of stealing identities, systems, and intellectual property, in a federal system attempting to accommodate 50 individual state laws – or even worse, international hackers operating on a system of web that ignores geographic and political boundaries poses direly complex legal problems.
As somewhat of a self-described Libertarian, I am dismayed to feel that there might have to be a specialized and internationally centralized court, and body of governance – one that can move faster than the legislative movements of nations to address these highly technical and ever changing crimes. The most effective and true hackers are invisible through technical prowess, while the most innocent of them such as the Scripps reporters, are the blatant criminals under laws like CFAA.
The illegal hacking issue is an ever-complicated result of a global problem that is outrunning its bumbling, localized resolutions. There are no single answers to the problem, and I am but a layman before the world of hacking issues and virtual crimes, but it seems that the starting point to resolving this disastrous diaspora is to conglomerate the governing and enforcement bodies into a more centralized system, a more synchronized strategy of attack.
Universal criminals who know no boundaries are destined to win when we are so bound to our disparate governing territories.
The moderate libertarian in me is protesting at my own words. But such is the result of my lay-thoughts after this week’s readings…
Chanel
Chanel Rion (talk) 22:18, 30 March 2015 (EDT)
It seems like we hear about big data breaches all the time these days, but it was still startling to read Bill Hardekopf’s compiled list of “The Big Data Breaches of 2014” in Forbes. Seeing several instances combined was a bit of a wake up call (especially since I wasn’t even aware of many of these), and it prompted several questions for me. For example, are data breaches a new fact of life and an inevitability of using credit cards and putting our information online? Should we be focusing on beefing up security in order to minimize the likelihood of breaches like this, or should we focus on taking swift action once a breach inevitably occurs? Are there any patterns we can find in the victims of the hacks (the companies, not the credit card users), or in the hacking approaches themselves?
Reading about the various Sony hacks in Ars Technica also made me think about the wide range of motives that might be at work from the hacker’s perspective, and the various degrees of damage different acts of hacking can lead to. The Sony hacks from this year are a perfect example: presumably they were meant as an act of political intimidation, in order to scare Sony into shelving “The Interview” before its release, but the hacked data held a range of implications the hackers might not have anticipated. For example, racist emails between producer Scott Rudin and Sony executive Amy Pascal became a huge embarrassment for Sony and led to discussions about race in Hollywood. Similarly, breached data showing how much each actor made for the movie “American Hustle” showed that there is still a problematic gender pay gap in Hollywood as well, and led to discussions of income inequality between the sexes. It was interesting and strange to me that an act meant to bully a studio into self-inflicted censorship ended up spurring productive conversations about race and gender.
It was similarly interesting to see the fallout and reactions following the release of several private celebrity photos, showing them naked. The breach was an undisputed criminal act, and furthermore it was a gendered act of bullying and power dynamics, but it also led to widespread conversations that were not in the public light before (for example, questioning the previous shaming of the celebrities for having naked photos on their phones). Overall, it is helpful to examine cybersecurity and computer crimes right after our session about “Hacktivism,” because clearly sometimes (for example, with Anonymous), online crimes are used as a form of Hacktivism, but in many cases, online crime can have unintended consequences with bizarre and fascinating effects.
Beccalew (talk) 06:58, 31 March 2015 (EDT)
This topic definitely has made a recent impact on me and some fellow colleagues. Just recently, I received the following email from Anthem:
“To Members: On January 29, 2015, Anthem, Inc. (Anthem) discovered that cyber attackers executed a sophisticated attack to gain unauthorized access to Anthem's IT system and obtained personal information relating to consumers who were or are currently covered by Anthem or other independent Blue Cross and Blue Shield plans that work with Anthem. Anthem believes that this suspicious activity may have occurred over the course of several weeks beginning in early December, 2014...
Information Accessed The information accessed may have included names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, employment information, including income data. We have no reason to believe credit card or banking information was compromised, nor is there evidence at this time that medical information such as claims, test results, or diagnostic codes, was targeted or obtained.”
It is safe to assume the hackers were not highly interested in our medical history; but rather our identifiable information. While I have added additional safeguards including credit monitoring, a former colleague was not as fortunate. With great misfortune, she discovered the hackers used her identification information to file her taxes. Here is an article about the Anthem breach and tax returns: http://www.bostonglobe.com/business/2015/02/06/turbotax-stops-processing-state-tax-returns-fraud-reports/dvPJbZC9G4tpzJx9ORsZcJ/story.html
The sophistication and frequency of current data breaches show why a proactive response would be beneficial as compared to a reactive response. O’Farrell (2014) reported, “The FBI admitted that the malware used in the attack on Sony was so sophisticated, it would have blown past 90% of security defenses. Which means all kinds of businesses must be worried about this new battle front where not only is their intellectual property the target of attacks, but highly sensitive and potentially embarrassing secrets and internal communications could be exposed to the world.”
It is obvious that hackers do not discriminate what websites they choose to target, which calls into question how many breaches have truly occurred and are not reported. Here is a link to an awesome interactive graphic on breaches over 30,000 records: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Moreover, I question the probability of a cyber attack that will delete information or render a system completely inoperable. While CodeSpaces was clearly a case of substandard security (http://www.networkcomputing.com/cloud-infrastructure/code-spaces-a-lesson-in-cloud-backup/a/d-id/1279116), the increased sophistication of hacking leaves the question, what are large corporations doing proactively to ensure our data is being kept safe?
Reference:
O'Farrell, N. (2014) Why The Sony Hack Could Be A Game Changer For Us All. Huffington Post. Retrieved from: http://www.huffingtonpost.com/creditsesamecom/why-the-sony-hack-could-be-a-game-changer_b_6335082.html
Tasha (talk) 15:13, 31 March 2015 (EDT)
I really appreciate that the readings today highlighted the danger of the broad and vague nature of the Computer Fraud and Abuse Act. “The Impact of ‘Aaron’s Law’ on Aaron Swartz Case” enlightened me about the challenges facing CFAA’s Obtaining Information Through Unauthorized Access to a Protected Computer section. Clearly, the law is so broad that it can be applied inappropriately and disproportionally as this reading states. Aaron Swartz’s case was only one example that we looked at this week. The articles “Reporting, or illegal hacking” and “Appeals court reverses hacker/troll ‘weev’ conviction and sentence” raise the same issue. Though of course the main issue in the latter of these two articles was venue in persecuting Internet crime, the CFAA issue cannot be ignored. I agree with Andy’s statement that the way the law exists today: “a persecutor can frame many benign activities online as a felony” and also that the proper role of a persecutor is to “be reactive to the will of Congress and not stretch laws as… a way of sending of message.” I could relate personally to the CFAA issue because I was once accused of overstepping authorization and illegally hacking a work computer. The fact that I was formally accused of computer crime by a prestigious Los Angeles law firm is a laughable joke for anybody who knows anything about my computer abilities !!! It was a compliment, really, for the people I worked with to think me capable of such a feat. I was threatened criminal persecution for this “hacking” when really, just as the examples we read today, I accessed documents that were readily available without any expertise or authorization needed. The files I accessed were downloaded and saved in the “Download” folder on the MAC desktop that I shared with coworkers nearly everyday, without any sort of password requirement. I had not attempted to spread the “sensitive” material that I had accessed on the computer in any way. 
I simply told my boss and another person who had limited access to the same computer that I had found the documents. (People in entertainment can be high strung). Of course, in my case, no criminal charges were pursued because it really was a laughable claim, but it definitely is unpleasant to get a threatening phone call and email from a strange lawyer. It is unacceptable that companies or individuals that fail to put up proper protection – such as TerraCom and AT&T – can tarnish the reputations of individuals like Wolf and Auernheimer due to the fact that a very important law has weak syntax. Of course, I do not know all the facts of either case, but it is very clear to me that the CFAA is too often used inappropriately. We need a reform that protects against hacking, but with more clarity so as not to bloat our judiciary system. We can start with revisions of the terms “without authorization” and “exceeding authorized access.” Batjarks (talk) 15:23, 31 March 2015 (EDT)
After reading Bill Hardekopf’s article summarizing the biggest data breaches of 2014, I was left with the impression that all those attacks were led by people with financial motivation, which hardly inspires sympathy. On the other hand, reading the analysis made by Mr. Sellars on the Aaron Swartz case makes me have a totally different attitude towards the act committed and the accused. What was made clear to me is that the CFAA is criminalizing the simple act of “Accessing a Computer and Obtaining Information” which is penalized by 1 to 5 years. It is said by the USDJ that the “Violations of this section are misdemeanors unless aggravating factors exist”. I would say that the logic is reversed here. A certain act is criminalized but it is said in advance that in most of the cases the negative effect this act would have on the society would be negligible and should not be punished. The CFAA is creating a legal norm for the exception. This is leading to a wide range of interpretation to be made by the enforcement authorities which are given a tool they could use or not under their discretion. It would be wrong to compare a security breach like the ones in Sally Beauty or White Lodging with the actions of Aaron Swartz for example. The motivation which lies behind an action could not be irrelevant. Leaving a back door for the law enforcement authorities, by giving them a legal act which could be broadly interpreted depending on the person who does it, is not reassuring. The case of Scripps Howard News Service is another proof that when there is too much space for interpretation of the legal norms, this could be a reason for misinterpretation of what is just and instead of protecting the society to harm it.
Obvious from today’s readings that the risks to our personal information are neither isolated nor narrow. The fact that Sony’s IT Security officer at the time was the former Director of the National Cyber Security Center at the Department of Homeland Security does not give me reason to sleep better. Protected against familiar DDoS but not direct access to critical txt files.
Some language from United States v. Nosal should be considered in looking at Andy’s points about Swartz: “The rule of lenity not only ensures that citizens will have fair notice of the criminal laws, but also that Congress will have fair notice of what conduct its laws criminalize. We construe criminal statutes narrowly so that Congress will not unintentionally turn ordinary citizens into criminals.
“[B]ecause of the seriousness of criminal penalties, and because criminal punishment usually represents the moral condemnation of the community, legislatures and not courts should define criminal activity."
Gary Brown (talk) 16:01, 31 March 2015 (EDT)