EFF Warns of Harsher CFAA

An anonymous reader writes: The Computer Fraud and Abuse Act is "vague, draconian, and notoriously out of touch with how we use computers today," warns the EFF. But instead of reforming it, two U.S. Senators "are on a mission to make things worse..." The senators' proposed Botnet Prevention Act of 2016 "could make criminals of paid researchers who test access in order to identify, disclose, and fix vulnerabilities," according to the EFF. And the bill would also make it a felony to damage "critical infrastructure," which may include software companies and ISPs (since they're apparently using the Department of Homeland Security's definition).

The harsher penalties would ultimately give prosecutors much more leverage for plea deals. But worst of all, the proposed bill even "empowers government officials to obtain court orders to force companies to hack computer users for a wide range of activity completely unrelated to botnets. What's worse is that the bill allows the government to do this without any requirement of notice to non-suspect or innocent customers or companies, including botnet victims... These changes would only increase -- not alleviate -- the CFAA's harshness, overbreadth, and confusion."
The CFAA was originally written in 1986, and was partly inspired by the 1983 movie "WarGames".

The Senators in question are

[Kobun]

Sens. Sheldon Whitehouse (D) and Lindsey Graham (R). Remember that "bipartisanship" is a Newspeak term that roughly translates to "Two sides of the same coin double plus good".

Re:The Senators in question are

No way man, they both have to be Democrats, ultra-liberal ones at that, or the media would have identified this as more Republican fear mongering.

Re:The Senators in question are

[Kobun]

I know you're joking, but I'd like to point out that this is the sort of bill that most of the media pointedly ignores. No one in power benefits from attention being called to their work to grab more power.

Re:The Senators in question are

Wait, each coin has two sides?! That is indeed double plus good!! Two times the value for each coin! What great times we live in!

Only 163 shopping days left

[fustakrakich]

You all know what needs to be done.

Re:Only 163 shopping days left

[Opportunist]

Yes, but I think it's still illegal to blow up large parts of Washington D.C.

Re:Only 163 shopping days left

[fustakrakich]

We can purge the entire House of Representatives perfectly legally without blowing anything up. The choice is ours.

Re:Only 163 shopping days left

[Opportunist]

Cute. He believes elections can change anything.

If they could, they'd have been outlawed by now.

Re:Only 163 shopping days left

[fustakrakich]

Nobody can win without your votes. If you want to vote for big money, that is your choice. Same goes for everybody.

Re:Only 163 shopping days left

[Opportunist]

Oh yeah, and if we all stop shopping at $company to show them we hate them for $policy_change we can make them take it back!

Keep on dreaming.

Re:Only 163 shopping days left

[fustakrakich]

Just just defeatist. Best not to do anything I guess, right? Oh well, as long as you aren't one of the crybabies out there complaining about the big bad government/corporation....

...The world continues to deteriorate.
Give up!

A solution: Professional association

[VikingNation]

Registration of security researchers
Security researchers provides a valuable service. Why not establish a professional association, establish codes of conduct, and a method to register professionals. These professionals could submit proposals for pen testing, security scans, etc. to the professional organization and they would be held in private from others. In the event an incident comes up the government would contact the professional association and they would check if a registered professional is doing research on said network.

Re: A solution: Professional association

[Chas]

Because going "we don't do X' means there are, automatically swaths of vulnerabilities that are ignored.

These researchers' jobs are to think like bad guys. An sure ad shit, bad guys have no such limits.

Re:A solution: Professional association

[Opportunist]

Question for 100: How would you become such a professional? It's not like you're born a hacker, ya know...

Re:A solution: Professional association

[Clomer]

The problem I see with this is that sometimes security vulnerabilities are accidentally found by people that aren't even looking for them. Such a person should be able to report the vulnerability without fear of legal reprisal, but the current legal landscape makes that impossible.

Re:A solution: Professional association

We've got all that and more.

Call it..

"NSA"

Mostly Harmless

could make criminals of paid researchers who test access in order to identify, disclose, and fix vulnerabilities,"

Laws don't work that way. If a prosciutto.. I mean prosecutor says it does they can eat it. Surely a contract for penetration testing will be legal even if this law goes through.

And the bill would also make it a felony to damage "critical infrastructure," which may include software companies and ISPs (since they're apparently using the Department of Homeland Security's definition).

Is this a bad thing somehow? Apprehending those copper thieves finally gets easier.

Re:Mostly Harmless

[NormalVisual]

Surely a contract for penetration testing will be legal even if this law goes through.

Sure, for those few companies that are willing to spend the money to do it. Everyone else would rather pocket that money and plead ignorance to their customers and shareholders.

Re:Mostly Harmless

[sjames]

Yes, a contracted pentest would still be legal. However, there are many interests where the company will not contract for a pentest or even agree to a free test but exposing their security weaknesses is in the public interest.

Re:A solution: Professional association

Question for 100: How would you become such a professional? It's not like you're born a hacker, ya know...

If this association is like the CISSP it is incestuous in the sense the only way to become a member and become certified is to already work for a current CISSP member for a certain number of years. Again the chicken and egg problem raises its head. I have worked with certified professionals who were worse than useless.

Re: A solution: Professional association

While I see your point, the original poster's conclusion is still a valid one. A professional organization, like ASME, ASME, IEEE, etc, would be able to write a code of ethics, provide lobbying support so legislation like this would have at least some opposition, and go to bet for security researchers. In a mechanical and systems engineer, and a member of ASME and INCOSE. I rarely use the resources they provide (the free magazines have some interesting articles every once in a while) but I understand that their biggest advantage is looking after the interests of engineers like me. Networking is also a big part of being a member.

Professional organizations have a way of benefiting everyone in the field, not just members.

Just another tool

[JustAnotherOldGuy]

This is just another tool to use against people that the authorities don't like. This gives them another peg on which to hang you.

Perhaps your fiddling around on the net probing stuff or finding a vulnerability on a website wasn't explicitly a crime before, but now....now it is. And the penalties will be harsh, count on it. Expect the word "terrorism" to be in there somewhere as well.

Re:Just another tool

The ironic thing is that it will do little to nothing to stop the main sources of the attacks, which are offshore. All this bill does, is allow more people to be hauled off to prison.

Wonder how much Corrections Corporation of America's stock will jump if/when this becomes law, as those are the only organization that would benefit from this. Offshore attacks will continue, and that is the primary source.

Here is the sad part: Computer security people in the US, since Operation Sun Devil, are very scarce. Laws like this ensure that this disparity continues, and that other countries like China, Russia, and Saudi Arabia have Internet supremacy when it comes to computer security.

it is

Unless we make Oritz and her family life hell, nothing will change. Enact just punishment. Make her life hell. Or nothing will change, they will not fear us otherwise.

Yep, SSDY

Yep, same shit, different year. Back in the 1990s, Clinton was pushing for the CDA to get passed, and first drafts of the law would make the sender, receiver, and every node/ISP/network provider in between all arrestable for 2-10 if someone decided to E-mail the word "fuck" across the Internet. There was the DMCA fight, which the EFF rolled over on.

The sad thing is that it was China and Russia which vetoed SOPA/PIPA. They made is clear that blocking a site on their soil would be similar to a naval blockade... i.e. an act of war, and would be retaliated against as such.

The only good thing that the Dems do is try to bring the US into a modern age... True patriots like the Dem from Rhode Island have put in bill 4269 which bans all assault weapons, so we can join Australia in the modern age, free from school shootings on a daily basis.

Re: Yep, SSDY

[jsh1972]

Because regular firearms won't work in schools, only assault weapons. Because... magic?

Systematic subversion of the rule of law

[karlandtanya]

TLDR: You can't control an innocent man.

"...much more leverage for plea deals..."

The 'rule of law' means that the law is supreme. Not the guy wearing the uniform that week or the guy sitting in the oval office that year or the guy wearing the robe. The rule of law is meant to keep the *person* charged with the duty to serve the public from abusing the power they were given along with that duty.

This is the point, right here. Making 'hacking' 'security research' or even ordinary computer use illegal is not the point. The point is to make *everything* illegal. Nobody, including law enforcement, gives a rat's butt whether you abused or frauded a computer or if you botted a net.

Law enforcement knows who the bad guys are, they always have--it's their job. The problem is all these civil liberties and protections for the accused make their jobs--protecting you--damned near impossible.

Solution--you're all criminals. We've got a job to do, and we understand you don't like part of it. Maybe part of it is you paying a fine, turning over some information, or even going to jail. You're going to do it because we--the people who protect you from the bad guys--have fucking told you to do it.

Now--if you want to challenge our lawful orders or appeal to a higher authority, call a lawyer, stand in front of a judge, or whatnot, let us show you what you're guilty of. Here's a *long* list we just put together without even trying. And here's the time you're going to get behind bars if you DO push the issue.

You're guilty. If you want to stay out of jail, just let us take what we need in order to do our jobs protecting you. When we're done you can get back to your life. And you can keep your mouth shut if you don't want to see us again.

Because we're just here to protect you.

Re:Systematic subversion of the rule of law

[BlueStrat]

TLDR: You can't control an innocent man.

"...much more leverage for plea deals..."

This has all been foretold.

"Did you really think we want those laws observed?" said Dr. Ferris. "We want them to be broken. You'd better get it straight that it's not a bunch of boy scouts you're up against... We're after power and we mean it... There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding citizens? What's there in that for anyone? But just pass the kind of laws that can neither be observed nor enforced or objectively interpreted â" and you create a nation of law-breakers â" and then you cash in on guilt. Now that's the system, Mr. Reardon, that's the game, and once you understand it, you'll be much easier to deal with." - Ayn Rand, Atlas Shrugged

"The only proper purpose of a government is to protect man's rights, which means: to protect him from physical violence. A proper government is only a policeman, acting as an agent of man's self-defense, and, as such, may resort to force only against those who start the use of force. The only proper functions of a government are: the police, to protect you from criminals; the army, to protect you from foreign invaders; and the courts, to protect your property and contracts from breaches or fraud by the others, to settle disputes by rational rules, according to objective law. But a government that initiates the employment of force against men who had forced no one, the employment of armed compulsion against disarmed victims, is a nightmare infernal machine designed to annihilate morality: such a government reverses its only moral purpose and switches from the role of protector to the role of man's deadliest enemy, from the role of of policeman to the role of a criminal vested with the right to the wielding of violence against the victims deprived of the right of self-defense. Such a government substitutes for morality the following rule of social conduct: you may do whatever you please to your neighbor, provided your gang is bigger than his." - Ayn Rand, Atlas Shrugged

Pretty much the only thing lacking at this point is "Directive 10-289" which I could see any of the current US Presidential candidates issuing if they won.

Strat

Re:Systematic subversion of the rule of law

[Megol]

Quoting Ayn Rand means having read her work - having read her work can lead to a serious case of mushy brain. Don't do that.

Her works are illogical, unrealistic paintings of a terrifying world where psychopaths are the ideal. She never followed those ideals herself BTW instead choosing to be a leach on so many levels...

Re:Systematic subversion of the rule of law

[BlueStrat]

Quoting Ayn Rand means having read her work - having read her work can lead to a serious case of mushy brain. Don't do that.

Her works are illogical, unrealistic paintings of a terrifying world where psychopaths are the ideal. She never followed those ideals herself BTW instead choosing to be a leach on so many levels...

[Runs text through BS-to-truth translator]

"Pay no attention to the principles and concepts presented here! Don't think about them! Only think about the messenger, *do not* consider or think about the message! That person is a dirty [insert derogatory term/ad hominem] and is probably insane and doesn't even take their dog for a walk...they probably beat their spouse and children, too!"

Thanks for your input, Dr. Ferris! Didn't know you actually existed as a real person, never mind also posting on /.!

Strat

Re:Systematic subversion of the rule of law

Well played.

Re:Systematic subversion of the rule of law

"Her works are illogical, unrealistic paintings of a terrifying world where psychopaths are the ideal"
Unrealistic? no, that's the real reality, and it's terryfyng.

Re:Systematic subversion of the rule of law

... terrifying world where psychopaths are the ideal.

You're not asking why so many people are saying "Fuck you, I got mine", or why so much of business is ruled by a "Winner takes all" mentality.

Re:Systematic subversion of the rule of law

But a government that initiates the employment of force against men who had forced no one

What the "had forced no one" means is of course dependent of the bias and opinions of the observer. Some people see passive resistance as a use of force against, say, execution of lawful decisions of a court. Others see the government actions in such cases as fascist violence against the protesting citizens, even if that use of force was securing the rights of other citizens.

"Critical infrastructure" definition in the bill

[raymorris]

The bill includes this definition of "critical infrastructure":

"(2) the term âcritical infrastructureâ(TM) means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have catastrophic regional or national effects on public health or safety, economic security, or national security."

Re:STOP BREAKING THE LAW, ASSHOLE!

You may not be aware of this, but the bad guys often aren't under U.S. jurisdiction and wouldn't care if they were. I guess it's better just to leave knowledge of vulnerabilities to them alone.

Plea Deals

Should be illegal.

They smell of inquisition methods of extracting confessions.

You only get 2 years prison if you confess to such and such. And we forget about the rest.

WarGames

The CFAA was originally written in 1986, and was partly inspired by the 1983 movie "WarGames".

Well, color me surprised that our elected representatives are such clueless dipshits that they'd take a Hollywood movie as an accurate representation of reality.

Dumb niggers run our government

A person with an IQ of 40 can hold office, no experience needed.

Re:A solution: Professional association

[Opportunist]

Given the amount of toilet paper hanging behind me in nice frames in my office and me being probably the worst in the team when it comes to pure hacking know-how (pretty much the proverbial parrot joke, "we have no idea what tricks this bird can do 'cause he never talked, but the other two call him boss in 4 different languages"), I can't help but agree.

There are a few certificates that actually show off what you can or can't do, but most are just like you say, mostly proof that you've been in the industry for a while and went to some circle-jerk events.

Pre-Crime is now Crime

"violating or about to violate section 1030(a)(5) of this title where such conduct has caused or would cause damage"

You don't have to commit a crime under this bill, you only have to be accused of preparing to commit a crime.

Holy crap you have a bs-to-truth translator?

[karlandtanya]

tldr: don't feed the trolls.

The primary function of BS in a debate is not to convince the audience (the fear the opponent's BS will convince the audience is bait for the primary purpose). The primary function is to get you to waste your attention and the audience's patience with you.

It's just rope-a-dope.

Re:Holy crap you have a bs-to-truth translator?

[BlueStrat]

Holy crap you have a bs-to-truth translator?

tldr: don't feed the trolls.

The primary function of BS in a debate is not to convince the audience (the fear the opponent's BS will convince the audience is bait for the primary purpose). The primary function is to get you to waste your attention and the audience's patience with you.

It's just rope-a-dope.

Yes, I have a BS-to-truth translator. It's called a brain capable of logical, critical thought.

Look, I know you're just trying to help and I appreciate the effort you took. I know that was a troll post I replied to. Most people who are capable of understanding what was being said also know. I turned it around and used it to illustrate the lack of logic and to highlight the concepts that are vital for people who wish to live in a free & open society to understand.

That's the one thing Statists fear most...an informed and thinking populace that doesn't respond to emotion-based, knee-jerk, trigger-memes that are their primary weapon against a free & open society.

Strat