EFF Warns of Harsher CFAA (eff.org)

← Back to Stories (view on slashdot.org)

EFF Warns of Harsher CFAA (eff.org)

Posted by EditorDavid on Saturday May 28, 2016 @01:30AM from the 30-year-old-laws dept.

An anonymous reader writes: The Computer Fraud and Abuse Act is "vague, draconian, and notoriously out of touch with how we use computers today," warns the EFF. But instead of reforming it, two U.S. Senators "are on a mission to make things worse..." The senators' proposed Botnet Prevention Act of 2016 "could make criminals of paid researchers who test access in order to identify, disclose, and fix vulnerabilities," according to the EFF. And the bill would also make it a felony to damage "critical infrastructure," which may include software companies and ISPs (since they're apparently using the Department of Homeland Security's definition).

The harsher penalties would ultimately give prosecutors much more leverage for plea deals. But worst of all, the proposed bill even "empowers government officials to obtain court orders to force companies to hack computer users for a wide range of activity completely unrelated to botnets. What's worse is that the bill allows the government to do this without any requirement of notice to non-suspect or innocent customers or companies, including botnet victims... These changes would only increase -- not alleviate -- the CFAA's harshness, overbreadth, and confusion."
The CFAA was originally written in 1986, and was partly inspired by the 1983 movie "WarGames".

25 of 44 comments (clear)

Min score:

Reason:

Sort:

The Senators in question are by Kobun · 2016-05-28 01:39 · Score: 3, Informative

Sens. Sheldon Whitehouse (D) and Lindsey Graham (R). Remember that "bipartisanship" is a Newspeak term that roughly translates to "Two sides of the same coin double plus good".
1. Re:The Senators in question are by Kobun · 2016-05-28 01:48 · Score: 2
  
  I know you're joking, but I'd like to point out that this is the sort of bill that most of the media pointedly ignores. No one in power benefits from attention being called to their work to grab more power.
Only 163 shopping days left by fustakrakich · 2016-05-28 01:40 · Score: 1

You all know what needs to be done.

--
“He’s not deformed, he’s just drunk!”
1. Re:Only 163 shopping days left by Opportunist · 2016-05-28 02:26 · Score: 2
  
  Yes, but I think it's still illegal to blow up large parts of Washington D.C.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
2. Re:Only 163 shopping days left by fustakrakich · 2016-05-28 03:47 · Score: 1
  
  We can purge the entire House of Representatives perfectly legally without blowing anything up. The choice is ours.
  
  --
  “He’s not deformed, he’s just drunk!”
3. Re:Only 163 shopping days left by Opportunist · 2016-05-28 10:37 · Score: 1
  
  Cute. He believes elections can change anything.
  If they could, they'd have been outlawed by now.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
4. Re:Only 163 shopping days left by fustakrakich · 2016-05-28 11:58 · Score: 1
  
  Nobody can win without your votes. If you want to vote for big money, that is your choice. Same goes for everybody.
  
  --
  “He’s not deformed, he’s just drunk!”
5. Re:Only 163 shopping days left by Opportunist · 2016-05-28 23:03 · Score: 1
  
  Oh yeah, and if we all stop shopping at $company to show them we hate them for $policy_change we can make them take it back!
  Keep on dreaming.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
6. Re:Only 163 shopping days left by fustakrakich · 2016-05-29 04:20 · Score: 1
  
  Just just defeatist. Best not to do anything I guess, right? Oh well, as long as you aren't one of the crybabies out there complaining about the big bad government/corporation....
  ...The world continues to deteriorate.
  Give up!
  
  --
  “He’s not deformed, he’s just drunk!”
A solution: Professional association by VikingNation · 2016-05-28 01:47 · Score: 1, Flamebait

Registration of security researchers
Security researchers provides a valuable service. Why not establish a professional association, establish codes of conduct, and a method to register professionals. These professionals could submit proposals for pen testing, security scans, etc. to the professional organization and they would be held in private from others. In the event an incident comes up the government would contact the professional association and they would check if a registered professional is doing research on said network.
1. Re: A solution: Professional association by Chas · 2016-05-28 02:33 · Score: 1
  
  Because going "we don't do X' means there are, automatically swaths of vulnerabilities that are ignored.
  These researchers' jobs are to think like bad guys. An sure ad shit, bad guys have no such limits.
  
  --
  
  Chas - The one, the only.
  THANK GOD!!!
Re:A solution: Professional association by Opportunist · 2016-05-28 02:27 · Score: 1

Question for 100: How would you become such a professional? It's not like you're born a hacker, ya know...

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Re:A solution: Professional association by Clomer · 2016-05-28 02:41 · Score: 1

The problem I see with this is that sometimes security vulnerabilities are accidentally found by people that aren't even looking for them. Such a person should be able to report the vulnerability without fear of legal reprisal, but the current legal landscape makes that impossible.

--
Intelligent responses welcome, flames will be met with marshmallows.
Just another tool by JustAnotherOldGuy · 2016-05-28 03:08 · Score: 1

This is just another tool to use against people that the authorities don't like. This gives them another peg on which to hang you.
Perhaps your fiddling around on the net probing stuff or finding a vulnerability on a website wasn't explicitly a crime before, but now....now it is. And the penalties will be harsh, count on it. Expect the word "terrorism" to be in there somewhere as well.

--
Just cruising through this digital world at 33 1/3 rpm...
Systematic subversion of the rule of law by karlandtanya · 2016-05-28 04:21 · Score: 4, Insightful

TLDR: You can't control an innocent man.
"...much more leverage for plea deals..."
The 'rule of law' means that the law is supreme. Not the guy wearing the uniform that week or the guy sitting in the oval office that year or the guy wearing the robe. The rule of law is meant to keep the *person* charged with the duty to serve the public from abusing the power they were given along with that duty.
This is the point, right here. Making 'hacking' 'security research' or even ordinary computer use illegal is not the point. The point is to make *everything* illegal. Nobody, including law enforcement, gives a rat's butt whether you abused or frauded a computer or if you botted a net.
Law enforcement knows who the bad guys are, they always have--it's their job. The problem is all these civil liberties and protections for the accused make their jobs--protecting you--damned near impossible.
Solution--you're all criminals. We've got a job to do, and we understand you don't like part of it. Maybe part of it is you paying a fine, turning over some information, or even going to jail. You're going to do it because we--the people who protect you from the bad guys--have fucking told you to do it.
Now--if you want to challenge our lawful orders or appeal to a higher authority, call a lawyer, stand in front of a judge, or whatnot, let us show you what you're guilty of. Here's a *long* list we just put together without even trying. And here's the time you're going to get behind bars if you DO push the issue.
You're guilty. If you want to stay out of jail, just let us take what we need in order to do our jobs protecting you. When we're done you can get back to your life. And you can keep your mouth shut if you don't want to see us again.
Because we're just here to protect you.

--
"Reality is that which, when you stop believing in it, doesn't go away." - Philip K. Dick
1. Re:Systematic subversion of the rule of law by BlueStrat · 2016-05-28 05:43 · Score: 1
  
  TLDR: You can't control an innocent man.
  "...much more leverage for plea deals..."
  This has all been foretold.
  "Did you really think we want those laws observed?" said Dr. Ferris. "We want them to be broken. You'd better get it straight that it's not a bunch of boy scouts you're up against... We're after power and we mean it... There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding citizens? What's there in that for anyone? But just pass the kind of laws that can neither be observed nor enforced or objectively interpreted â" and you create a nation of law-breakers â" and then you cash in on guilt. Now that's the system, Mr. Reardon, that's the game, and once you understand it, you'll be much easier to deal with." - Ayn Rand, Atlas Shrugged
  "The only proper purpose of a government is to protect man's rights, which means: to protect him from physical violence. A proper government is only a policeman, acting as an agent of man's self-defense, and, as such, may resort to force only against those who start the use of force. The only proper functions of a government are: the police, to protect you from criminals; the army, to protect you from foreign invaders; and the courts, to protect your property and contracts from breaches or fraud by the others, to settle disputes by rational rules, according to objective law. But a government that initiates the employment of force against men who had forced no one, the employment of armed compulsion against disarmed victims, is a nightmare infernal machine designed to annihilate morality: such a government reverses its only moral purpose and switches from the role of protector to the role of man's deadliest enemy, from the role of of policeman to the role of a criminal vested with the right to the wielding of violence against the victims deprived of the right of self-defense. Such a government substitutes for morality the following rule of social conduct: you may do whatever you please to your neighbor, provided your gang is bigger than his." - Ayn Rand, Atlas Shrugged
  Pretty much the only thing lacking at this point is "Directive 10-289" which I could see any of the current US Presidential candidates issuing if they won.
  Strat
  
  --
  Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
2. Re:Systematic subversion of the rule of law by Megol · 2016-05-28 06:06 · Score: 1
  
  Quoting Ayn Rand means having read her work - having read her work can lead to a serious case of mushy brain. Don't do that.
  Her works are illogical, unrealistic paintings of a terrifying world where psychopaths are the ideal. She never followed those ideals herself BTW instead choosing to be a leach on so many levels...
3. Re:Systematic subversion of the rule of law by BlueStrat · 2016-05-28 06:42 · Score: 1
  
  Quoting Ayn Rand means having read her work - having read her work can lead to a serious case of mushy brain. Don't do that.
  Her works are illogical, unrealistic paintings of a terrifying world where psychopaths are the ideal. She never followed those ideals herself BTW instead choosing to be a leach on so many levels...
  [Runs text through BS-to-truth translator]
  "Pay no attention to the principles and concepts presented here! Don't think about them! Only think about the messenger, *do not* consider or think about the message! That person is a dirty [insert derogatory term/ad hominem] and is probably insane and doesn't even take their dog for a walk...they probably beat their spouse and children, too!"
  Thanks for your input, Dr. Ferris! Didn't know you actually existed as a real person, never mind also posting on /.!
  Strat
  
  --
  Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
"Critical infrastructure" definition in the bill by raymorris · 2016-05-28 04:42 · Score: 1

The bill includes this definition of "critical infrastructure":
"(2) the term âcritical infrastructureâ(TM) means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have catastrophic regional or national effects on public health or safety, economic security, or national security."
Re:Mostly Harmless by NormalVisual · 2016-05-28 06:24 · Score: 1

Surely a contract for penetration testing will be legal even if this law goes through.

Sure, for those few companies that are willing to spend the money to do it. Everyone else would rather pocket that money and plead ignorance to their customers and shareholders.

--
Please stand clear of the doors, por favor mantenganse alejado de las puertas
Re:Mostly Harmless by sjames · 2016-05-28 08:57 · Score: 1

Yes, a contracted pentest would still be legal. However, there are many interests where the company will not contract for a pentest or even agree to a free test but exposing their security weaknesses is in the public interest.
Re:A solution: Professional association by Opportunist · 2016-05-28 10:47 · Score: 1

Given the amount of toilet paper hanging behind me in nice frames in my office and me being probably the worst in the team when it comes to pure hacking know-how (pretty much the proverbial parrot joke, "we have no idea what tricks this bird can do 'cause he never talked, but the other two call him boss in 4 different languages"), I can't help but agree.
There are a few certificates that actually show off what you can or can't do, but most are just like you say, mostly proof that you've been in the industry for a while and went to some circle-jerk events.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Re: Yep, SSDY by jsh1972 · 2016-05-28 11:40 · Score: 1

Because regular firearms won't work in schools, only assault weapons. Because... magic?
Holy crap you have a bs-to-truth translator? by karlandtanya · 2016-06-02 05:05 · Score: 1

tldr: don't feed the trolls.
The primary function of BS in a debate is not to convince the audience (the fear the opponent's BS will convince the audience is bait for the primary purpose). The primary function is to get you to waste your attention and the audience's patience with you.
It's just rope-a-dope.

--
"Reality is that which, when you stop believing in it, doesn't go away." - Philip K. Dick
1. Re:Holy crap you have a bs-to-truth translator? by BlueStrat · 2016-06-02 05:27 · Score: 1
  
  Holy crap you have a bs-to-truth translator?
  tldr: don't feed the trolls.
  The primary function of BS in a debate is not to convince the audience (the fear the opponent's BS will convince the audience is bait for the primary purpose). The primary function is to get you to waste your attention and the audience's patience with you.
  It's just rope-a-dope.
  Yes, I have a BS-to-truth translator. It's called a brain capable of logical, critical thought.
  Look, I know you're just trying to help and I appreciate the effort you took. I know that was a troll post I replied to. Most people who are capable of understanding what was being said also know. I turned it around and used it to illustrate the lack of logic and to highlight the concepts that are vital for people who wish to live in a free & open society to understand.
  That's the one thing Statists fear most...an informed and thinking populace that doesn't respond to emotion-based, knee-jerk, trigger-memes that are their primary weapon against a free & open society.
  Strat
  
  --
  Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.