Are we all hackers?

In 1986, personal computer technology was still in its relative infancy. Yet in that same year, the first PC virus appeared in the wild. In response to the growing threat of hackers, lawmakers passed the Computer Fraud and Abuse Act (CFAA), establishing any act of unauthorized access (or one that exceeds authorized access) to a computer as illegal.

Over the years, security researchers, pen testers, and others in the IT field have expressed concern about the vagueness of the law. Without defining what “without authorization” means, those in cybersecurity have questioned the ability of US courts to accurately interpret its meaning — without unduly punishing security professionals for doing their jobs.

So when the Supreme Court heard arguments in the computer crimes case Van Buren vs. the United States on Monday, November 30, the IT and security communities took notice. Their ruling in this case could significantly broaden or narrow the scope of the law.

With the Department of Justice bringing charges against one of their own for using a database he already had access to (but for a different purpose), several justices expressed alarm that a ruling in their favor “risked making a federal criminal of us all.”

The 1986 Computer Fraud and Abuse Act (CFAA) states that whoever has “knowingly accessed a computer without authorization or exceeding authorized access” is subject to a fine and imprisonment relative to the type of information obtained or damage caused to the personal computer. Seems pretty straight-forward on the surface. But as you dig deeper into the law’s provisions, the broad range of prohibited actions and protected data described can spin the head of the most seasoned security professional. For example, here are some of the types of data that are illegal to obtain according to the law:

  • Data that requires protection from disclosure for national security purposes
  • Information contained in a financial record of a financial institution
  • Information from any department or agency of the United States
  • Information from any protected computer

Besides the aforementioned “unauthorized access” statute, the CFAA also bans the following actions:

  • Knowingly causing the transmission of a program, information, code, or command, and as a result, causing damage to a protected computer
  • Knowingly and with intent to defraud traffic using a password or similar information to access a computer, which affects commerce or is used by or for the US government
  • With intent to extort, transmitting any communication containing any threat to cause damage to a protected computer

Amendments to the law over the years have resulted in this hodge-podge of changing provisions, and the punishments for violating any one of them range from a slap-on-the-wrist fine to up to 20 years in prison. For a pen tester who needs to knowingly access unauthorized systems as part of her job, the danger of a judge misinterpreting any one of these provisions likely keeps her up at night.

The ruling in the Van Buren case, then, could set the stage for either clarifying an obscure law or for making a mess for bug testers, ethical hackers, or even folks sharing their Netflix password. (Under the current interpretation of the law, sharing a password to an account is technically illegal, though no prosecutor has ever charged someone for this “crime.”)

Looking closely at the spirit of the law, its original intent was to prevent cybercriminals from hacking into personal or business computers and stealing data or causing damage. However, without a firm definition of the meaning of “authorized access,” including addendums for potential exceptions to the rule, the Supreme Court could possibly make hackers of us all. After all, anytime you access a website, a server, the cloud, a streaming service — you are accessing someone else’s computer.

Let’s hope the Supreme Court gives this law the 21st century update it requires by adding sharper focus that serves a punishment fit for the crime, while letting the good guys keep fighting the good fight.

For more information on the CFAA, here’s an article from the National Association of Criminal Defense Lawyers:

And for a closer legal analysis of the Supreme Court case:


Malwarebytes brand exploited through search

It’s not often that I search for the term Malwarebytes on Google. I know how to get to my own company’s website by typing it into the address bar. However, when a friend or family member asks me how to get to our website, I almost always instruct them to search.

Unfortunately, there exists a market where bad people benefit by preying on our users. They create websites which advertise that they distribute Malwarebytes and instead, download a product of their own onto our user’s machine. They advertise on Google and turn up in search results. I’d equate this to a cereal company packaging their generic, less delicious brand into a Cheerios box and putting it on shelves.

If you see a page like this, it is fraudulent and you should go directly to instead.

It makes me sick, and I refuse to let it go on. Today, I instructed our legal team to pursue all of these cheaters in hopes that we can wipe them from the face of the Internet.

But that’s not all. How far is too far? Should advertisers on Google be allowed to use company names as keywords? If I search for Cheerios, should the first advertisement be for the generic brand? It’s allowed, a common practice, and in my opinion completely unethical.


California looks to fight cybercrime

In August, the state of California created the nation’s largest e-crime unit, “a group of 20 investigators and prosecutors whose sole mission will be to thwart and prosecute cybercrimes like identity theft, Internet scams, computer theft, online child pornography and intellectual property theft across the state.” (source)

While this all sounds fantastic, I strongly doubt a team of 20 investigators can handle the amount of fraud, identity theft, and even such a broad category such as Internet scams which include malicious software. I wonder how closely this e-crime unit will work with reputable companies in the security industry to help find these criminals.