
...specify exactly what sort of computer you would have to be accessing. So from the outset we were dealing with really a financial institution's computer or a government computer; those were sort of there at the beginning. As time went on there was an amendment where there would be a "protected computer."

Oh, protected computer. Yes, Jen?

Well, just out of interest, like, you know, since sort of, you know, the Casio calculator of 1988, what is not a protected computer these days? Right? Just out of interest.

So, fair point, which is that "protected computer" is in fact a very, very broad term. So as I mentioned, when the statute was first passed it was focused on sort of government computers, national security information; it was intended to protect a federal interest. So "federal interest computer" in fact was the term that was in the statute, and that made sense in 1984, or 1986 depending on which timeline you use. By and large the government was one of the principal victims of a computer crime, so the federal interest was narrowly defined. Moving from 1984, when we had eight percent of computers in households, to now, when we have somewhere bordering on 90 percent essentially, the "protected computer" class has expanded. And to your point, yes, essentially by the definition, essentially anything that's connected to the internet would constitute a protected computer under the statute.

Okay, well, since that's super broad, I hope that the rest of the statute's not super broad as well. Moving... hard to understand.

So you also have to obtain information from the computer that you have accessed.

What? Sorry, I... yeah, sorry, what does "obtaining information" mean?

Thank you; somebody could hold up cue cards. So, obtaining information: does it mean that you must download and copy and take away? No. Merely viewing the information on the screen would be enough to be obtaining information. If you saw the directory structure of a remote computer, that, under the CFAA, would be obtaining information under the statute. And so now we come really to the nub of the issue. This is really where what is considered
the malicious activity is kind of defined and captured: it is that all of that must happen without authorization or while exceeding authorized access. How do we normally look at this term? So for us, the lion's share of our cases involve people with malicious intent. What do I mean? By and large, most of our cases involve people who are breaking into computers to monetize that information and sell it, either on the black market, or to extort people; numerous extortion cases; people who clearly have malicious intent in breaking into a computer. Or, an alternative: we have a number of cases, and these are actually our favorites because they're the easiest, where there's the mad sysadmin who walks out the door and, with a firm middle finger, tears down the system. Right? Your universe of suspects is fairly narrow in that case, and this happens with greater frequency than you may imagine.

Can we just have a momentary pause and a hand for Leonard, who created slides that include a guy with devil's horns, and no hoodies and no balaclavas anywhere?

So what does this term mean, though? There's been a lot of, and I think most of the debate and most of the controversy around the statute is around, what does this term mean, "without authorization" or "exceeding authorized access," when you're dealing with something like what your community deals with? That is, when is your interaction with a remote computer, a remote server, in fact authorized? Now there is a definition under the statute for what it means to exceed authorized access, but many, upon reading it, still scratch their head and say, "I don't feel like I have a better idea of what this actually means."

Yeah, because here you go: you're defining "exceeds authorized access" without a definition of authorization. So if obtaining information is just seeing it, then what if a website owner accidentally exposes information? Why am I the one who has the liability, as the person who goes to the website and sees that information? You don't have a definition of authorization. That's a lot of breadth.

Okay, so there is not a definition of authorization in the statute; that is true. There's been case law that kind of has tried to address this and give it greater form, to greater or lesser success. The one thing I would flag is this has been the subject of some disagreement in the courts. So the federal judicial system is divided into circuits: you have your 11 circuits and you've got the D.C. Circuit. A circuit is essentially a cluster of courts. You have your district court, your trial court, where you go and you still make your case; if you lose there you can appeal to the appellate court. The appellate court actually decides the law for the entire circuit, so you've got 12 of these
cross-country. In this instance you have what we call a circuit split. What that means is we have three circuits that have adopted a narrow interpretation of what exceeding authorized access means, and what these courts have said is, for example, let's take the Nosal case. Oops, the Nosal case. In the Nosal case what you had was an employee who leaves a company looking to start up another company and make money. He convinces his friends who are still at the company to log into the network, get data, and send it to him, that would be used in the adverse interest of the company that he used to work for, which violated the employment agreement he had and signed when he joined the company. He was prosecuted under the CFAA under the theory that when the computer was accessed for that purpose, and the information was subsequently used in this other way that was contrary to the agreement... What the court said was, you cannot use authorized access, like these people who actually had access to the system by agreement, to later on...

Oh, you're... I'm sorry, I have to call you, because you are... okay, I... please. So someone leaves their company, they take proprietary information, they pass it over. Okay, I'm not American, as you can probably hear; I'm from Australia. In Australia this also happens, and this is what simplifies it: why is this a crime? Okay, that's why I... I get that, succeeding organization, it's doing bad things, all about, right? Why on earth is that the government's... anything else?

Well, so I think then I'll give you a quick answer, but I also think it'll get debated in the panel.

I'm sorry.

That's... it's good, it's good, right? So, I mean, this reminds me of a number of statutes that we actually have to deal with, for example the IP statutes, intellectual property statutes, that have a civil remedy along with a criminal remedy. And when do you go which way? A large question may be, like, what is the actual damage? There's actually a rubric of considerations that we have when we decide whether to bring a federal case and whether it represents a substantial enough federal interest. By rules we are supposed to compare the case to this rubric of considerations and decide whether it warrants a criminal prosecution. In this case we apparently did, and we decided there was enough damage, enough cost, that we would proceed with this as a criminal matter. So that's the short answer to that, sir.

But the courts, the appellate court, eventually came back and said that's not okay: you have turned what is a hacking statute into a misappropriation statute. The fact this information was taken and used for another purpose wasn't a hacking crime in and of itself. You had two other circuits, the Fourth and the
Second, who reached a similar decision: the Second Circuit "cannibal cop" case, where you had the police officer who was trolling the police databases to find potential victims to kidnap and assault. The government's theory there was, when you were accessing that database, police officer, you were not doing that consistent with your employment agreement, and therefore your access to it was a violation of law, of the CFAA. The Second Circuit came back and said, just like the Nosal case, no, that's not the way it works, because this individual had legitimate access to the network, and you cannot turn that into unauthorized access because of a mere violation of the way that they chose to use the computer at the time.

In contrast to this, you have three circuits that went the other way, that basically say the agreement can actually determine whether authorization is legitimate. So if an employer says, you know, you're allowed to use a computer for X but not Y, if you're on the computer, you're using it for X, and then you use Y, that's enough to constitute a CFAA violation, kind of under the property law: being able to control that which is your property.

To make this more complicated, there was a second Nosal case. So the gentleman Nosal, who was acquitted because of the reversal the first time around, the government re-prosecuted him under a different theory under the CFAA. As opposed to saying he exceeded authorized access, the argument was he didn't have access to start off with, because he had left the company and had his privileges revoked, and therefore when he used other people to get access to that information he essentially was doing so without authorization. And indeed the appellate court said, you know what, that's an okay theory under the CFAA. So you have a variety of different theories under which the CFAA is proceeding, in the criminal and in the civil lane. For you, my heart.

Okay, so we've talked about the fact that the lack of clarity around what authorization means has resulted in circuit splits and has made things somewhat more contentious and
difficult. I'm going to talk about some of the additional challenges that come out as additional criticisms. So the first is just the kinds of things that most people would think probably shouldn't be federal crimes could arguably get swept up in this. So for example, you're on Match, and Match's rules say that you're expected to represent yourself as you are, and yet my profile says that I'm tall, built and stunning.

You are, you are.

That is very sweet of you, but you're undermining the point that I'm lying. But thank you; girl power. Okay, so should that be a federal crime? Should I in fact end up going to prison, where I can use my Match profile to attract an entirely different type of person? Or should it not? Another example would be that I sit at work all day checking my baseball scores, which clearly I do all the time, love baseball, mad for it. Again, like, am I exceeding authorized access or accessing without authorization because work says, hey, guess what guys, when you're at work you should be working, and we really want you to use work computers for work, and checking your baseball scores isn't really work? Should that be a federal crime? Should I go to prison? Probably not. So this kind of highlights the fact that the gray area in "exceeds authorization," or, sorry, in defining authorization, can be pretty far reaching, can have some fairly foolish... Leonard is dying here. Leonard, have there ever been any prosecutions based on this, of this kind?

So the answer to that is, with one qualification, because I believe you're talking about the Lori Drew case, which I'm going to get to.

Okay.

Which we would say is an exception to this. No, this is not the type of case that we spend federal resources on. In fact, in the Nosal case, the first Nosal case, the dissent, that is, the one judge who disagreed with the opinion that was handed down, basically said we're creating straw men here, as a way of saying that the statute would not be used this way. And we would
agree with that, because this is not a case that we would prosecute.

Which sounds very good and reasonable, and we do like the fact that DOJ is not wasting taxpayers' dollars on this kind of thing. However, the problem is that we have security researchers, and they look for bugs, and oftentimes the work that they do falls into this morass of gray area where it is unclear if they are accessing without authorization or exceeding authorized access. And for researchers it's really hard to know what the line is. And I have this sort of, like, weirdly naive, old-fashioned view that I feel like if I'm covered by a law, I should be able to understand what the law means and, like, know how to toe the line. I may not like the line, I may feel like the line is in the wrong place, but it would be really good if there was a clear line and I could say, okay, I'm on the side of the line that's not going to put me in an orange jumpsuit. So this is the big problem for me; this is the piece that gets me fired up about the CFAA, is that I feel like researchers, for those who can't see my t-shirt, Hacker's Manifesto, I feel like researchers may be considered criminals, but mostly their crime is curiosity. And we need them; we rely on them. How many people in here do research, do security research? A whole bunch of people. Thank you, by the way; we really appreciate the work you do. I, as a consumer of technology, appreciate the work that you do. And this is a real problem, that it's not clear. So recently, when we were going through the slides, I said to him, is internet scanning, port scanning, a violation of the CFAA? And he said, in a lawyerly way, "it depends."

So this is the problem of technology, and we deal with this every day. For example, part of my job is dealing with investigators who want to do interesting investigative things, and in almost each of those cases the question is, hey, can I actually go and search this computer using this tool? And the answer is, it depends. How are you going to do it? Where is the computer located? What exactly are you searching on the computer? There are a lot of questions that are pivot points that would change the legality of these things, and this isn't, I think, about just the statute; those are surveillance laws. It's about technology. It's not a simple answer. So with port scanning, for example, by and large, if you are simply running a normal port scan, you're getting back protocols, software numbers, things of that sort from a remote computer, that would not be a CFAA violation.
However, what's a harder question is, for example, if you were dealing with a Heartbleed exploit, and what you decided to do was to craft packets to see what you're going to actually get back from a server, and whether you're going to get kicked back the data that's not supposed to get back in the Heartbleed exchange. That comes closer to the line. And so this is why it depends on what you're doing, and I understand this is difficult for people working in technology, but I would submit it's a problem that is inherent in technology, perhaps not in the statute itself.

I'm really glad that you opened the door for the Heartbleed example. Yes, Heartbleed is a great example of this, because when Heartbleed came out, lots of people were told, hey, and when I say lots of people I mean every internet user was told, hey, go change your password for any site you actually care about the information on. The problem was that if the site itself had not taken the necessary steps to protect itself from Heartbleed, all you would be doing is throwing new passwords into the void. Not helpful. So lots of nice people, we'll call them security researchers, said, hey, we've created this little free tool for you, and this enables you to test whether the site is still vulnerable to Heartbleed or not. For those who don't know, the words "test whether the site is still vulnerable to Heartbleed" equals "exploit Heartbleed." So all of those people who are, let's say, my mum, were happily exploiting websites without knowing it, right? They didn't really think about it in those terms, but this is what they had to do to figure out whether the site was still vulnerable, in order to then change their password and protect themselves. Now granted, the FBI did not come crashing into my mum's living room; she's all good. Nonetheless, the point remains that if you have a situation where the way that the law is written basically means that that action, which is so sort of, like, innocent and well-meaning and is designed to promote better cyber security, which should be what this is all about,
that kind of suggests that that law might be a little bit broken. A little bit. So on to my next point. This is my biggie. So authorization and the lack of definition is a really big problem. The problem, though, is massively exacerbated by section (g) of 1030. 1030 is the CFAA. So section (g) basically says, yeah, basically if you violate any of this, it is also cause for civil action. And that's a huge problem, because again, how many people in here do research? Hands up. Okay, how many of you have received legal threats? How many of you have received criminal legal threats? Yeah, that's what I thought. How many of you received civil legal threats? So pretty much everybody who gets a threat, it comes because of section (g), which is civil action, and that's what creates the big chilling effect, right, is people are worried that companies, who are naturally protective of their reputation, will use the CFAA as a big stick to fight off researchers. And pretty much every researcher that I know of at Rapid7 has had a threat at some point, and it's always come from civil cases. There's very few, there are a couple, that have had criminal threats. And this is a big problem. This is what we all tell each other about; this is what stops people talking at conferences; this is what creates the big chilling effect. And not to muddy two different talks, but tomorrow we're going to be going through survey data from the NTIA disclosure process surveys, and 65 percent, I think it was, of the researchers we surveyed said that they were very, very worried about legal threats, and that impacts the way that they think about disclosing, and they often don't disclose because of it.

But don't you think you've got a bad scale problem? Most people don't want to talk about having been threatened by federal prosecutors, and as for Westlaw in particular, more than 90 percent of federal cases are settled because the penalties are so draconian. See also Aaron Swartz. So this is a
terrible metric for reporting, how often, do you think?

So Patrick's basically saying we have a bad model. And so in terms of this, I think this is a way of us creating a graph to show you something. In terms of my sources, we surveyed the internet, which I have been mocked for many times, so have at it. We've also done stuff like we polled the Metasploit community, all that kind of stuff. We consistently hear from people this response. Every time I've done a CFAA talk, which is now a bunch of times, I always ask for a show of hands, and it's always the case that I get lots of people who've had civil threats and very few who've had criminal. Also, too... oh, sorry, this data is consistent.

Let me also toss in that that chart really was about trends, not raw numbers, because you're right, there are lots of reasons people also wouldn't report cases in Westlaw. So it really was about numbers, right. But I'll have a set of numbers in a moment that actually go to this.

Can you very quickly explain what Westlaw is?

Oh, I'm sorry. Westlaw is basically a system whereby cases are reported; they're held in a database so that lawyers like me can go and research and see what the case law is on any particular issue, to cite them in briefs and for legal research. Not every case is the subject of a report in Westlaw, so yes, there is... but I did believe, going through the data, you could at least capture some trends.

Absolutely right. Who decides... well, who decides what goes on?

Yes. Okay, so for me, I would like to see the core language addressed, but failing that, and there is a real challenge in getting alignment on getting language for what authorization means, but failing that, I would like to see section (g) removed. Now the good thing is that when we have the panel there's going to be some debate over that, because, you know, there are very legitimate reasons for section (g), and fortunately Kristen from Microsoft is going to help us understand what some of those are. But that would be my personal thing, if I was king for a day... no, why do I always do that? I'm a girl. If I was queen for a day, I would take out... All right, so a couple of other criticisms of the CFAA. These are not researcher-specific, but these are the two biggies that we've not covered so far. So the first is that it is aggressively used for cases that probably shouldn't be CFAA violations, and the other is harsh
penalties. So Lori Drew is the very famous example that people use for aggressive use. So, very quickly, Lori Drew was a woman whose daughter was being bullied, and she was incensed about this, and so she went on to MySpace and she created an account posing as a teenage boy, and she flirted with her daughter's bully, and eventually, after she'd got sort of into a quasi-relationship with her daughter's bully, she kind of ended the relationship and then started bullying the bully. And unfortunately the girl took it very hard and she killed herself. So when this happened, understandably there was a sort of outcry; people felt that this was a huge tragedy and that something needed to be done. And so because there was no real other way to go at Lori Drew, they used the CFAA, and they said MySpace's terms of service say that you cannot misresemble, misrepresent who you are, which again goes back to that Match.com example, not super dissimilar. So she was prosecuted on the CFAA for this, and she was convicted, and then it was overturned on appeal.

That's right.

Yeah, okay. So this is used as a very famous example of the overreach, the over-aggressive use of the CFAA. In terms of harsh penalties, there is a lot of criticism, and I think we'll go into this much more in the panel, and then we'll also speak to it in his next section, but there's a lot of criticism that the penalties are high, and that a lot of people's efforts to reform actually look at increasing penalties, minimizing the number of misdemeanors, making things much more into felonies, that kind of thing. Which is a huge challenge, because most people I know who work in cyber security started out cutting their teeth by doing some things that were a little questionable legally, and that's how you learn, and that curiosity is actually a pretty healthy part of our community. So if you have a situation where you're likely to face serious prison time for that, then that becomes a real problem for our community, which, considering we also already have a skills shortage, can exacerbate that problem quite a lot. Back to you, my friend.

Thank you. So I just want to rush through some information about how the CFAA is in fact being used, ideally to give you a little bit of comfort about the way in which we actually administer the statute. One thing on Lori Drew I would say is, Lori Drew, that was a case that was tried in 2008. Upon appeal, upon having it reversed, we did not appeal that, and there has not been a case since then in which we've used that theory. So how does the Department of Justice approach the CFAA? The economic flag is:
Every year we have about 55,000 federal cases that are filed that involve sort of things that you'd imagine: immigration violations, firearms violations, narcotics violations. Now in that massive 55,000 or so, you've got 153 computer fraud cases.

Yes, sir?

Just a question before you dive into this. Are there degrees to CFAA, and if there are not, should there be? Like, is there first degree, second degree?

Yes, there are misdemeanors and felonies; that'll be the next slide, the one after that. So, yeah, I'll get to that. So, 453 cases; the lion's share are what I think we would all agree are bad guys. None of you. One thing we did, as I mentioned, we administer the network of prosecutors across the country, about 300 prosecutors in 94 different districts, who bring these cases, and we did a data call. We said, in the last five years, can you tell us how many cases you've had, prosecutions or investigations, that have involved computer security researchers who are engaged in computer security research? And the answer, in those five years, was less than five, all cases that were in the press, that we all know about. So at the end of the day, what we had is about two tenths of a percent of the cases that are brought a year are computer fraud cases, and about six tenths of a percent of that two percent involve computer security researchers. So it is very, very, very, very unusual for a computer security researcher to end up in a federal criminal case. The trend has not been, you know, violently different over the years, the last five years, from 138 cases, a low, to 194 from last year. Now to your point, yes, there is a felony and a misdemeanor violation of 1030(a)(2). It is a misdemeanor unless you have one aggravating factor: one, it was an offense committed for the purposes of commercial advantage or private financial gain; it was committed in furtherance of any criminal or tortious act; or the value of the information obtained exceeds five thousand dollars.

Wow, five thousand dollars. Why is that not indexed for inflation?

So, right... no, no, it's later than that; it was updated later on.

Yeah, I was not doing it, but still, it's old. That is a question.

And so one thing that I think we're looking at, we'll get to in a moment.
No, it's not. For sentencing purposes it would go to the damage or loss, but it is not the value of the information obtained, right, under the statute. Now, that said, people have criticized the statute, and they believe they can get to the five thousand dollars fairly quickly. I will concede that that is one of the issues that has come up repeatedly.

I don't know who... yeah, okay. I think we have a few questions and we're really behind on time, so we're going to race through, and then when we get to the panel we'll open the questions, so I'll keep ordering.

So just so you know, just how the courts have viewed a CFAA violation compared to other crimes: securities fraud, health care fraud, ID theft. Typically the sentence for a CFAA violation on average is 23 months. Now understand that that's for a crime where the maximum is five years, where you may have multiple counts. Invariably, there is something called the U.S. Sentencing Guidelines that help courts determine where to fix a sentence, and the guidelines were created because there were concerns, way back in the 1970s, about disparity in sentencing. They actually took judges, asked them to sentence a whole bunch of similarly situated defendants, who were notional, not real, and found the judges had violently different sentences that they imposed. So they created the Sentencing Guidelines that have a very complicated matrix of offense characteristics, characteristics of the offender, various aggravating circumstances, that sets out what is a guideline range that would be seen as reasonable. In roughly 50 percent of the cases judges will sentence a defendant to within the guideline range; in about 49 percent of the cases, in both Computer Fraud and Abuse cases and federal offenses, they will sentence a defendant below the guideline range; you'll have a judge departing above the guideline range in roughly around one percent of the cases that are brought in the federal system. You're not seeing maxed-out defendants in the federal system for CFAA violations, demonstrably.

Okay, so, Leonard, if that's the case, if judges are typically sentencing below the guidelines, why do people want to increase the penalties?

Fair question. So I believe that generally Congress does view this issue of the length of sentencing as some indication of the importance and concern about the crime. So yes, there has been a drive to increase certain sentences. So for example, where we didn't see that there was sufficient punishment, potentially, for a critical infrastructure system, we might say, hey, we think there should be an aggravator for someone who breaks into, you know, the electric grid and causes some sort of damage there that might result in large, you know, casualties. Again, I think sentencing is one of the harder things, because there's a line-drawing function; people disagree mightily about where the right punishment should be. I'm just going to skip through this one.

Yeah, there's actually... usually they agree...

Well, I mean, the federal system generally, you have about a 93 percent plea rate. I guess I would disagree that that's because of draconian sentencing; I would say that usually that's because we tend to bring a federal case when we have very, very, very good evidence, you know, and so the benefits of going to trial versus pleading militate in favor of pleading in those instances. So that's yours.

Oh, okay. All right, so we're going to talk about some of the reform suggestions that have been made in the past couple of years.
So the first, the most famous, is Aaron's Law. How many people have heard of Aaron's Law? All right, most of you, so I'm going to be super brief on this. So I'm not going to talk about where Aaron's Law came from, because you guys are presumably familiar with that story. And basically what it looks to do is three main things. One, it would make commercial terms of service no longer a violation of the CFAA. Two, it would try and create a little bit more crispness over what authorization means; in other words, you would have to circumvent a technological protection, which is very like the DMCA. And then the third is basically saying that you can't be done for multiple counts of the same thing in one go. And it would, sorry, change the way that the value of information is being figured out. The reality is on this, Aaron's Law has not been passed. It did get reintroduced, but it is incredibly contentious, for a number of reasons: partly because of what's in it, but mostly because of political attachments and associations with Aaron and SOPA, PIPA. So Aaron's Law is not likely to move, and this will come up on the panel, like I said. Has the questions... I think Nate probably will address these.

Yeah, so whether Aaron's Law actually makes the world clearer than the CFAA, right, in the discussion. But, administration proposal: last year the administration had its own proposal for dealing with the CFAA. Actually what we see is one of the problems about the CFAA is not so much the authorization issue, but that it applies to any information. So if you obtain any information, essentially, on the CFAA under (a)(2), you are facing the potential of a criminal prosecution. What we would propose is to cabin the information provision, to make that more specific to a certain type of information that would be more indicative of criminal conduct. So it has these elements: $5,000 or more, in furtherance of a felony, or stored on a government computer. Now this ran into trouble, not really for the (a)(2) provisions; in fact, we heard not a lot of criticism of the (a)(2) amendment. It was the fact that we at the same time were requesting other authority to go after other types of crime, and the sorts of things that we had listed as additional authority we wanted drew some fire from folks in the community, saying we think that these are too expansive and capture conduct that would implicate, for example, computer security researchers.

It would be fair to say that when the administration came out with this proposal, they heard from me a lot.

Interestingly, that was not our intent, and we could explain why each of these provisions were included, and in view of that we actually attempted to amend it in various ways that would still allow us to go after what we were attempting to go after, while minimizing the likelihood that it would implicate computer security researchers.

One last thing on that, just before you go back to it. So this little tiny sort of throwaway bullet point at the bottom that, you know, Leonard's kind of stuck in there, "amended password trafficking offense," sounds so innocuous. Amongst other things, that would have made Metasploit illegal, which was kind of awesome. So we were on a call, there was a whole bunch of people giving feedback, I was the only
non-lawyer on the call so i was very quiet very intimidated and uh the the folks from the white house said jen you haven't said anything what do you think and i went well you've made menace point illegal and there was this silence and then they just went oh [ __ ] it was awesome i'm like yeah we didn't mean to do that we'll have to look at it again for the record we don't actually think we did but you totally did um so the good thing is though that through this whole process we went backwards and forwards and they were really really receptive to feedback and they never gave up even though this was not going to be a
version that went to congress they continued to listen to the feedback they continued to make adjustments and that meant that when this came out there were some of the feedback that we had provided was reflected in this so basically senators graham and white house created a um a draft proposal based largely on what the administration had come up with but also had a number of other things it was initially called the international cyber crime prevention act then they shortened it down to be an amendment to cesar that didn't get accepted as an amendment um then they reintroduced it this year and it's called something like prevention of botnets prevention act um and they're still working on it so
there's likely to be another version introduced that has some other stuff in it um and basically it addresses the terms of service issues so it basically says commercial terms service is not it's not a violation um it adds in some stuff to address botnets as you would assume from the title so what they're trying to get at is if you are someone who didn't create the botnet but you're selling access to it today the lawyer can't really cope with that so that's why they've added this sort of means of access um again we had to do some back and forth over whether that captured things like research and metasploit so the language got adjusted and again
the thing i would say that's good about this is in the past year since they came out with the original icpa um the staffers have been really really receptive to talking about this and making changes so we eventually got to a point where all the big criticisms that we had from a research point of view they had actually addressed and the version that came out as a cser amendment at the end of last year which as i said did not move forward cesar um actually was pretty much i would say neutral for researchers it definitely did not make the situation worse for researchers there are other things in it that people may not like um that we may
get to in the panel depending on how much time we have but i would keep an eye on this one again this is not going to move i mean for those who don't know there's kind of some stuff going on in politics at the moment and it's really unlikely that anything's going to move anytime soon but i think it's very likely that next year we will see um senators graham and white house and possibly one or two others pick up an updated version of this bill and reintroduce it so next year we're likely to see another cfa reform effort so that brings us to the panel discussion so i'm going to ask my panelists to come
up now. Why do I keep looking at my... really, however you want. I'm next to Leonard on the screen, so I'll be next to Leonard. Is that so you can punch him? Right. And you shouldn't, I mean, you guys shouldn't read too much into who is and isn't wearing the "I'm a criminal" shirt. No. Okay, so, yeah, okay, so I'm going to actually let the panelists introduce themselves real quick.

I'm Cristin Goodwin, I'm a cybersecurity lawyer at Microsoft.

Hi, I'm Tod Beardsley, I am the security research manager at Rapid7 and I have my hands in Metasploit quite a bit too.

I'm Nate Cardozo, I'm a senior staff attorney at the Electronic Frontier Foundation in San Francisco, and I work on our Coders' Rights team representing people like you against people like him.

And I'm people like him.

Well, yeah, to be fair, also against people like Cristin, and, like, you know, guys, I think one thing that you should do is just kind of give them all a hand, because Cristin and Leonard both knew what they were in for coming to do this. They both knew that they were likely to have us kind of villainize them a little bit and they still agreed to come, and they're being really good. We're not done yet. Okay, so did everyone, everyone win? All right. So really we're going to keep this super simple. We've really got two questions that we're going to ask people. One is if you can just do a quick round of what do you think of the CFAA, how do you feel about it as it is today, and then we're going to ask people what they think should happen with it, and that's probably when we're going to get a little bit more into the debate session. And then if we have time, which hopefully... I'll never stop checking my wrist because there's nothing there... we'll open it up to questions from the floor
and we're running straight into lunch. If people want to stay you're welcome to, but Leonard has to get the hell out of here before we start bombing in. All right, so do you want to just go first on what you think of the CFAA? Who wants to go first? I think they should go first. Oh, you know, I'll go first.

The CFAA is vague, overbroad, not understandable, and creates serious chilling effects in almost all areas of my practice. The "exceeds authorized access" definition that Leonard and Jen talked about earlier is fatally vague; we can't put that into practice. And actually in my practice, and this goes to a question that we had earlier, the slide that they showed with civil versus criminal, my practice is almost exclusively civil CFAA. My clients get civil CFAA threats up one side and down the other. You know, Twitch.tv, which is owned now by Amazon, is suing a number of people who run bots to increase advertising, and that's a perfectly acceptable lawsuit. Twitch needs to protect its business. They have unfair competition problems here, they have trademark problems here, they have breach of contract problems here, and of course they threw in a CFAA cause of action because the people running these bots on Twitch are violating Twitch's terms of service, and those be damned, they're still going to claim it. That's a problem, right? That's not hacking. The CFAA criminalizes and makes civilly illegal all sorts of things that aren't hacking. We need to fix that, and Aaron's Law went a little bit of the way towards fixing that. Oracle stepped in and killed it in its infancy, because Oracle is Oracle and that's what they do. And so, you know, there are a lot of things that the CFAA makes illegal that should be illegal, that people should go to jail for, and there are a lot of things like port scanning that should never be illegal, sort of full stop. There's no reason that anyone should ever go to jail for port scanning, and as that question, as Leonard said, right, will they go to jail? It depends. And that answer is unacceptable. And I'm not saying that Leonard's answer is unacceptable, because he's right, right? It does depend, and it shouldn't.

So Microsoft has used the CFAA in several civil actions. It's not something that we use often, but it has been a part of our Digital Crimes Unit strategy. So when we're looking at some of our botnet takedowns and malware eradication cases, it's a useful tool, and when you look at the complaints that we file, our civil complaints, it's usually one of six or seven causes of action that we'll bring in a civil case. Typically we're not going for the, you know, billions of dollars types of remedies; we're looking for civil injunctions. You know, whoever is the bot herder... you know, the Citadel botnet, the botnet creator had a CRM associated with it and was working on providing a really bespoke, customized botnet solution for his customers, and so we used the CFAA as a tool to help bring a case against that individual to stop him. You know, it's the kind of thing where you look at it as a civil tool. Should that be the realm of the police officers and Leonard's space and the DOJ? Quite possibly. But we were seeing such an impact against millions of our customers that it was a tool that we could use to help protect them, and it's been an important tool for us.

Why is it a better tool to use than going over it? Yeah, why a better tool than going criminal?

So I don't think this one can... can we turn this mic on? Yeah, sort of. So, hello, is it me you're looking for? So the question was why not go criminal. Well, it's a matter of philosophy. You know, we're not looking necessarily to bring a criminal case; we're looking to find the best remedy to help protect our customers, and so if it's to get the botnet taken down, we'll look at the CFAA as a tool.
It's actually surprising how few companies use that, or use Lanham Act claims or other IP-related claims, to try to do this, but it's a legal way of community policing when the police aren't there. So like Jen said earlier, she surveyed the entire internet, found, through the NTIA survey, that 65 percent of the researchers had had some kind of run-in. Nate's practice is almost entirely consumed by run-ins with the CFAA that are almost entirely civil. And that's, you know, like, if I had my druthers as well, yeah, sure, let's knock out the civil component of the CFAA, but clearly you're using it, right? So there are times when it's used for good. Sure.

Yeah, when I asked around every Metasploit contributor just a few months ago, I said, hey, have you guys ever had a threat on the CFAA, and if so would you like to talk about it? It was about 400; we have about 400 historical contributors over the whole life of Metasploit. There's a couple in this room. And I got a lot of responses. So I got no responses back of "I've ever had a CFAA threat." I got none of those. I had, of the 400, about 40 or so that said I'm worried about it and please let me know what you're going to be doing with this. And I know a friend, like, a couple knew a guy who knew a guy; there were a couple that were outside of the US that had their own run-ins in Australia, and yes, so there was that. But it wasn't CFAA specific. But the fact that the respondents all felt like... it's kind of textbook chilling, right? Because they're so worried about it. Like, that's kind of like half of, I wouldn't say half, but anyway, it's some large percentage of the reason why I kind of picked up this vulnerability disclosure mantle at Rapid7, so we could help the Metasploit contributors do disclosure, publish exploits that prove vulnerabilities, and do all that, because I have, you know, the good luck of having awesome Boston lawyers, awesome EFF lawyers on my side, that regular researchers, you know, who are maybe hobbyists, this is not their real job, maybe they're pen testers, maybe they're just software developers, feel very uncomfortable doing on their own. I think things are changing now with the advent of bug bounties and how that's all getting normalized or has been normalized, and you have things like the Pentagon saying, like, hey, you know, recognizing at least that some things are okay to test. But I mean, fundamentally, the original question of how do you feel about the CFAA: I'm with Nate. There are reasons to prosecute people criminally, and I know that people are using the CFAA as a tool in their civil practice, but when you have issues like the recent... early morning, you know, it was like a time machine, right? So, like, in May, Justin Shafer, who found that there was an FTP server with hard-coded credentials that had health data listed on it, this was in Houston, Texas, yeehaw, Texas, and he got raided at gunpoint by FBI guys, you know, right out of the Hackers movie, and it felt like I woke up that morning and it was 1988 all over again. And so, yeah, I mean, there aren't a lot of criminal prosecutions, but when there are ones like that one, real recent, it really hurts. It really hurts. And I know you're a nice guy.

So everyone else speaks... I've talked a lot already, but let me say a few things. The first one being one of the challenges we face at the barber shelves as policymakers is that we don't have the luxury of simply saying "too hard," right? We have a job to do, that is to go out and try to deter people who
are clearly using this in criminal ways to take information they shouldn't, to invade people's privacy, to do damage to computers, and we want to make sure we preserve our ability to do that while listening to the concerns from a community that we think is very important and figuring out exactly how we navigate that. This distinction is not simple, because while addressing the concerns here, we're going to make sure that, again, we don't open some huge gap in the statute that makes it harder for us to go after people who I think we would all agree we should be going after. I think one thing that makes this difficult going forward is essentially that "this is a terrific, well-crafted statute," said no one ever. I mean, simply put, for many years the spackle that has held together statutes from overreach and/or being overbroad at times is a view that prosecutorial discretion would take care of that, and in recent years I think that is a concept that is, you know, not accepted as well. It's something that people are not as comfortable with. So the goal is to draft statutes that are very narrowly tailored, that only capture criminal conduct and nothing else. And to give you an example of how difficult that can be, I think this would be the logical parallel. I understand it's different, but I think there's an analog here to saying, you know, the problem with cybersecurity is bad code, so you should just write perfect programs. Because there's always some use of a program that you did not anticipate, something that someone will do that's on the fringes, and that, by and large, is what the statutes are doing. They're trying to, by and large, go after criminal conduct. There are fringe cases in which there may be issues. I think many of these instances are kind of fringish but still concerns, because what you're doing is very important. And so figuring out how to address these concerns while leaving what we need to do intact, I think, is one of our big challenges.

So I want to address something that Leonard said. I agree with 98 percent of what he just said, but I want to make a point about prosecutorial discretion. In our criminal justice system in the United States, we rely on prosecutorial discretion all the time. Who here drives faster than the posted speed limit? Right, everybody. We assume that the cops aren't going to pull you over unless you're driving a lot faster than the speed limit, or in the rain, or if it's dangerous otherwise, or, you know, if you're Black, but we can talk about that in another panel. And prosecutorial discretion is a necessary component of our criminal justice system, but we don't have the sorts of bounds on it that we need to. And I want to make a special call-out here to the Dutch government. The Dutch government released earlier this year a binding set of prosecutorial guidelines in computer crimes. Specifically, the Dutch equivalent of the CFAA, which has some fancy Dutch name, now has a set of binding guidelines that prosecutors must abide by. So even if something is a technical violation of the law, if no one was really hurt by it and the hacker who did the technical violation of the law didn't have malicious intent, even if they might have satisfied mens rea, there's no prosecution. We need something like that in the States. We need good folks like Leonard to say, look, you all, you all being US Attorneys in the 94 districts, 94, 94 districts all around the country, don't prosecute these crimes unless someone was really hurt. The Aaron Swartz prosecution was done by the United States Attorney for the District of Massachusetts, right, not by CCIPS at Main Justice. The US Attorney for the District of Massachusetts can do whatever she wants. We need to make that not as true anymore, specifically in computer crimes, and I would point to the Dutch prosecutorial guidelines as at least a good starting point on this.
I have to put pressure on the notion of how laws evolve. You know, as you think about what we do in property law, you know, we heard Leonard start with the fact that these computer crime laws are based in trespass and property law. Well, you don't see people constantly going up to their neighbor's house testing if their doors are actually locked, and you don't see people trying to go into their neighborhood company and give a physical security review. You know, the analogy broke down, and it broke down a good 10 to 15 years ago, and we have not had that public dialogue about the next generation of actual computer law. You know, the Computer Fraud and Abuse Act isn't really talking, in a lot of instances, about fraud or abuse; it's talking about straight-up criminality and crime. And so, you know, we at Microsoft, when researchers provide us vulnerability details and we can use those to issue a patch, we put the finders' names in our security bulletins, and we look at this globally. You know, the CFAA is an inherently American problem, but we're working with finders all around the world. But this discussion about the CFAA: how do we solve this issue and set a new global standard? You know, when we had the Budapest Convention come out and everybody went forth and created cybercrime laws in their countries, you know, that was, what, 20 years ago, 15 years ago? The internet has changed so dramatically, and how we think about crime and criminality has changed, to the point where it's really incumbent upon us to get the community together again and provide our own draft law. What is a crime? What is the exceeding of authorization? What are the boundaries from a trespass perspective, and what are the rights of researchers? There's a place for all of us to have that conversation; it's just not been convened, because we keep getting shoehorned back into the CFAA space when that may not be the right starting point at all.

So I'm, what do we have, five people up here? I can math. I'm one of two non-lawyers sitting at this table, and I know that there's also this massive cultural disconnect between attorneys and coders, right? And so when coders and hackers see laws like the CFAA, it screams ambiguity, and when security researchers and hackers in particular see something that's ambiguous, that is, oh, that's something to exploit, right? And I think it could go a long way if, you know, kind of looking at where we see the CFAA going in the future, of really nailing down this whole notion of prosecutorial discretion, of having, you know, this stopgap that Nate's talking about, having real, like, serious guidelines on prosecutions, because, you know, as long as you have this, like, "or anything else" kind of clause in the CFAA, I mean, it will continue to chill researchers who would otherwise be doing good, right, of exposing vulnerabilities and, you know, letting consumers decide things and finding flaws before bad guys do, or possibly concurrently, or maybe after bad guys do who haven't said anything. And so, yeah, I think that cultural disconnect feeds a lot of the angst into the CFAA, I mean, beyond what's actually written in the law.

So let me just respond to one thing. Let me say that we actually do have US prosecutorial guidelines on bringing CFAA prosecutions that have been in effect for the last year, and there's a required consultation requirement with us at Main Justice for any CFAA prosecution that is brought. I can also tell you personally, having reviewed some of those cases, that we have consulted against bringing some cases that have in fact not been brought. So I guess, with the hats off to the Dutch authorities... USA, USA, USA.
So, yeah, when I marched into DOJ two years ago, the two things that we were asking for were that we wanted prosecutorial guidelines and we wanted centralization through CCIPS, because once we met you, you're kind of not idiots, you kind of get this and you actually care about the issues. So then we were like, oh, well, then all federal prosecutors should have to talk to you guys, because you actually understand computer crime. And so the fact that there has been, like, forward motion on that stuff is super cool. And I'm not bringing this up to be like, oh, we asked for this and they did what we needed them to do; actually, that's not what happened at all. They were already thinking about it; it was just coincidental timing. But the point is that there is progress being made, which kind of leads us into the next question. So what additional progress should be made? Where do we go from here? And what do you think, not only in terms of what you would like to see happen, what do you think will happen?

So one of the things that we see at EFF a lot is, because we're a national, actually we're a global, but for this purpose a national organization, is that federal law is only, you know, one of 53-plus legal systems in the United States, and we have state equivalents to the CFAA in, I believe, every state, and it's whack-a-mole, right? We got a researcher exemption passed in Washington, yay. But then in Rhode Island they had an update to their state equivalent of the CFAA that would have defined organic devices as computers; they included organic devices. Okay, so they're starting to think about interesting future stuff in terms of access. They also included the word "approach," and in the definition of computer they included anything that can respond to a command. So you can't approach a trained dog without authorization; that's now a CFAA violation in Rhode Island, or it would have been had we not gotten the bill killed in committee. So my prediction is probably no movement in the fed system and movement all over the place in every conceivable direction in the 50 states.

Yeah, and that's kind of a giant problem, right? Because the internet doesn't... you know, I don't log into my Texas internet. You know, the internet is global, and to have that kind of fractured interpretation, I guess, of the CFAA does a ton of harm. And so, I don't know, like, if we could get, like, dropping the civil component would be lovely, and I doubt it'll ever happen, unfortunately. I mean, that would knock out 80 percent of, just notionally, like, all those blue bars, like, that all goes away, right, on the graph.

So we'll find a new way. We're lawyers, right?

But that's the thing, right, is that there are other tools out there, for sure. There's DMCA. Yeah, DMCA. There's the wiretapping, which is what I think almost always comes along with at least criminal prosecutions; there's almost always some kind of wiretapping component to it anyway, so just use that. You know, and there are other bodies of law that are better suited to this. But, yeah, I mean, I'd love... I am exceedingly happy with what's been going on for the last, I'd say, two years, 2014 and on, you know, but for these blips in Houston, Texas, where dentist hackers get guns pointed at their faces. That's not cool. He hacks dentist software, so... and "hacks" meaning researches and, you know, responsibly and reasonably discloses vulnerabilities.

So you guys all just heard Microsoft say that they'd be fine with section (g) going away, right? That's what I did, you know. Are we wedded to the concept of section (g)?

I think we're wedded to the right that we need a tool that enables us to go after the worst of the worst that are attacking our customers and our users around the world. Does it have to sit inside a criminal statute where it's potentially an afterthought? Not necessarily. You know, the broader point is that we look globally for tools that we can use to stop malware from being propagated in really harmful ways, and we look for ways to stop bot herders at scale, not, you know, onesie-twosies, but when we're seeing a million infections a month, three million infections a month. And so for us, (g) is a tool, but its relationship to the CFAA is certain just by virtue of the fact that it's there. And so does it have to stay? Not necessarily. We want another tool in its place, probably one better crafted, but we work with what we have, because we've got a duty to protect.

Very quick question: what actually happened to FTP dentist? Because I know about the raid, he was arrested, guns in his face and all of that. Is he actually charged? Is he, like, off?

Well, so I can't comment simply on a pending matter, but I can tell you that there was a search, which is what was laid out there. There have not been charges filed.

I'm going to point out... so that's all right then, just, you know, raids with guns. I'm not saying, though...

So I'm going to jump on this. I think that's part of one of the things
we have to be careful of for security researchers: every case out there, there's the fringe ones that get a lot of pressure for everything. And "it depends" also goes to our murder statute, because if I kill somebody in self-defense and I ask a prosecutor, hey, am I going to be charged, they're going to come back with, well, it depends, and, you know, because the investigation is going to go out. So it's consistent with our system.

Yeah, and I don't want to, you know, be the voice of defending the DOJ, oh hell no do I want to be that, but I do want to be clear that Leonard is not defending this action at all. He cannot comment on it because it is an ongoing situation, but he's not. I didn't hear anything that he said that sounded like a defense.

But let me also say, I mean, in terms of going forward, in my opinion we need a CFAA-like statute, and the reason I say that is, one, people have kind of, in a hand-wavy way, said can't we just do something else. So let's take the wire fraud statute: scheme or artifice to defraud someone of money, essentially. If you want to talk about something that's vague and broad, I think you would not want us using that in lieu of a much more specific technical statute that's intended, at least, to get to this stuff, in which the CFAA is the only statute under which those crimes can be charged. So this is a question, so it depends on the facts again. So we often have the CFAA as a standalone offense, and there are reasons for that. So for example, we had tried one individual, and we learned through the appellate court that apparently digital information is not considered property under the interstate transport of stolen property statute, right? Those things happen. Trade secrets? Well, they may take a trade secret, but trade secret is a specific term defined under 18 1839, and not everything is a trade secret. So there's a question, for example, at times, of customer lists or credit card numbers or passwords satisfying the definition of a trade secret, things that are often stolen. So it is often not as simple as finding simply another statute that's plug-and-play, depending upon the facts. I think we're in a better place if we actually have a statute that reaches conduct of this sort, that is specific to conduct of this sort.

Let's move on to another question. Very quickly, before we move on to questions, I just want to ask the audience a question: does anybody here think there should not be an anti-hacking law? Fine, hacking fact.
So one of the biggest concerns I have with the CFAA is the lack of tolerance when the subjectively interpreted line is crossed. It's enormously chilling to worry that if I pursue my curiosity I could risk a felony charge that will effectively preclude me from ever getting a job in tech again. I mean, that I may spend two years in jail is a very significant concern, but it's also a lifelong sentence of never getting a job. And, you know, some examples of conduct which I used to consider fairly innocuous, or would have considered reasonable security research, but had a CFAA-like action against them: I'm going to have to mention Chelsea Manning, not to defend what he did, but one of the charges under Chelsea Manning was computer fraud solely for use of the wget command in Linux to access information he otherwise had authority to access with a web browser, and that is utterly nonsensical to me, but he got successfully convicted under that and eleven other charges. Another one would be weev, Andrew Auernheimer. weev, very contentious person, to say the least, especially after what he began with. To me, I see someone who got convicted for iterating, for using arithmetic on a URL. Publicly, AT&T's... I think AT&T had exposed a lot of consumer information that was not protected by a password. Do anything you need to do to get different information, a different customer, was iterate through a URL: add one to user ID, add one to user ID, you get a different user. And yet that's effectively a computer fraud charge that he was gone after for, and that's kind of insane to me, as, you know, his intent aside, the action that he was gone after for was arithmetic on a public URL. And the last one would be Fidel Salinas, who was in a three-year legal battle with the DOJ for unsuccessfully running a web fuzzer on a public-facing web form. He was originally charged with 44 violations of the Computer Fraud and Abuse Act for unsuccessfully gaining access to a protected computer; every single time his web fuzzing tool had put in an input came with a new charge, which is just silly to me. But, you know, that kind of stuff is very chilling. In his case, after three years, all felony charges were dropped, but it was a long, prolonged, protracted legal battle. So I just wanted to give these examples of other cases, other than Aaron Swartz, where, you know, there's been chilling effects by the DOJ, FBI, regarding the Computer Fraud and Abuse Act. Thank you.

Yeah, thanks. There are obviously other examples than the ones we provided, and we had a limit on time, so we
chose the ones to focus on. I think weev is probably the one that is most relevant to this room, and I think, you know, most people that I hear from would agree that weev's case should not create an expectation that that kind of activity is a violation of the law. However, on the flip side, you don't need to do something 200,000 times to do a proof of concept.

No, Pat, I will debate this with you after. My view, yeah, right, exactly.

All right, so I do appreciate you coming, first of all, and coming to what could be a hostile crowd, and I agree with Jen that I've heard generally good things when I've heard CCIPS speakers. But last week I was attending a CLE, which is continuing education for lawyers, and one of your colleagues, Brian Ressler, specifically used the words "jack up" in the context of "we work with companies to jack up the damages they're claiming so we can get some real prison time for people we're charging." Can you talk about how common that is at CCIPS? Because, again, this is a senior trial attorney at CCIPS, right?

I guess I need to know exactly what he said. I mean, that was the context, right? Well, I mean, so if the question is do we search for additional charges to pile on to get longer sentences, additional damages...

This is just the damage calculation, specifically the numbers for the sentencing guidelines.

Right. So, I mean, we will actually ask a victim what the damage was. There are, I think the question earlier asked about what goes into the hopper, there are things like what were the expenses you had to incur as a result of this intrusion. For example, did you have to repair your systems and scrub them to make sure there was no other backdoor inserted? There are things like that that we do tally up in an attempt to make sure that there's a reflection of the actual harm. It would not be appropriate to spuriously keep on additional offenses or damage that was not actually incurred. So that's the best I can do with the facts you gave me. One quick thing on what was said earlier: I agree with Jen that I think the Auernheimer and Spitler matter was probably the sole case I know of that is a pure computer security research CFAA matter, I mean, as in the purest form, and I think it is a very, very hard case. One thing that we have talked about, and I can say this is actually pointing a finger back at the community, is we're trying to figure out whether there's a way that we can provide you guys with a way of avoiding situations where we are most likely to prosecute. So for example, in an instance where, I believe it was 114,000 times with a script, the information was downloaded, our ability to distinguish between, one, a bad guy, and a good guy who's now holding a whole lot of private information that we're not clear why there was a need to possess, may be the difference in the way that we look at the matter. That seems like it would be in stark contrast to saying I've proved that this happened, this is possible, gone to the company and said you've got this problem, without also having in your hand a whole cache of information that those customers never asked you to possess. So that's what we struggle with.

That's true, and in a perfect world they would not have done that, and there wouldn't be another cache of that private information out in the world.

So if there are ways in which we can get the community to maybe consider some ways of adopting practices that will reduce the likelihood of us looking at an act as criminal... the problem is it's a very complicated community, and finding a center of gravity through which such guidance would proliferate is not actually simple.

So to answer your question about loss and damage calculation: it's exceedingly common. So Matthew Keys, who is the LA Times reporter who gave login credentials to the LA Times CMS to Anonymous, one headline was changed to, I don't remember, it was some silly Anonymous joke, for 45 minutes. One LA Times article was defaced for 45 minutes, and he was convicted for CFAA violations under, I believe, the password sharing or password trafficking provision, I don't remember; it might have also been unauthorized access on an accomplice liability theory. The LA Times claimed, and the DOJ went with, something like 900,000 in loss, and that led to, whatever it was, five... 60 months in jail... a 16-month sentence recommendation for Matthew Keys. That's two years. Four years? You got two years.
two years um that's absurd right why why would it be that someone who defaces a single uh web page a single article for 45 minutes gets two years when someone who spray-painted a massive sign on the same on the la times building would get community service right so can i interject for a second we're at time at 12 25 but because we're up against the your non-conflict lunch time you're welcome to stay i think believe our panelists would like to continue to engage so i just wanted to call official time if anybody's hungry no before everyone leaves can we give a big round of applause uh leonard bailey todd beardsley nate cordozza jen ellis kristen goodwin thank you thank you
So feel free to leave or stay, whatever. And with all due respect, my friend Nate, on the Keys matter, again, it's been sentenced; I believe there'll be an appeal. I guess I actually can't speak to whether there was a 900 thousand dollar figure. I can say that in terms of characterizing it, there was a sense that essentially this was akin to giving someone who you knew was an arsonist the keys to your neighbor's house and saying, essentially what he said, which was "go nuts," right? Now, the fact that they had taken precautions to prevent Anonymous from going nuts on the website may have been the difference between much grander damage and what in fact happened, but that's not because of Matthew Keys's culpability or lack thereof.

But I bring it up specifically for the 900,000 loss calculation. One article's defacement for 45 minutes is not 900,000; I don't care how you count it.

You know, if you look at them against someone that caused 300 million reports of a particular malware pack a month, and we brought individuals, and we saw 200,000 in our own damages, about, I think it's about 500,000 in loss of goodwill and harms to Microsoft, and we sought a permanent injunction against the guy who's bought into malware. So we won on the permanent injunction, and the total amount of damages granted to us in the civil court was 75,000. So you know, it can cut both ways. There's an egregious example, but then there's a simple example where we went for what we thought was the total value and it came back much, much lower. So it's hard to get wrapped around the examples of particular cases, because they cut all ways. But I think the underlying point is that we don't yet have clear parameters for what constitutes the actions of researchers vis-a-vis crime, and we continue to look at cybercrime as that paradigm of criminality where we're going after individuals who are trying to make millions of dollars attacking our customers and stealing their creds and cleaning out their bank accounts, versus a researcher who's looking at a vuln and hopefully reporting it to us. It's just a different paradigm, and the CFAA is probably not the right one. And so what can we do about that as a community?
I have a question about [ __ ] bounties. Researchers... Is it working? Is this actually on? Yes? Oh, okay. So there was recently the issue with the Facebook/Instagram thing where a researcher found credentials, logged into an AWS account, used those credentials to pivot and discovered some other vulnerabilities. And so my question really is, what does the DOJ think about researchers exceeding bug bounty boundaries? You have an initial authorization, and it can be very fuzzy about where that authorization ends.

Right, so the question, I believe, is: what does the Department of Justice think about bug bounties, and in an instance where someone perhaps exceeds the terms of the bug bounty? Right. So let me first say that we tend to like coordinated disclosure policies, in part because it's exactly what the CFAA is intended to avoid, that is, instances where people are doing things that might be not desired by the network owner and thereby might obtain information they don't want released, or do damage to a network. So we like having coordinated disclosure policies, we like bug bounties, and we want those bounties to be well crafted and clear so that there's no ambiguity. If one does exceed the terms of a bug bounty program, we would say yes, you are now outside of your authorization, which is why we would suggest you ask permission rather than seek forgiveness later in the context of a bug bounty program. Ideally, those programs again are crafted clearly enough that that's possible. I'll be interested to hear whether you think that is not, by and large, the case.

You have to also think about the fact that when you're agreeing to participate in the bug bounty, on some level it's a contract. So there's the civil side and the criminal side with the civil entity that you're working with. Whether they refer that to law enforcement as a criminal act, that's going to depend on who the victim is.

Yeah, I mean, massive kudos to Stamos for not referring that out. I mean, I think they even paid the guy, the Instagram guy. They threw a hissy fit and told him not to publish what he ended up actually publishing, but they paid him out and they didn't refer him. So kudos.

And for what it's worth, you may hear more about... I'm sorry, sorry. There will be, as you know, the Hack the Pentagon program that was successfully ended. I think there is a briefing of the results there, and you'll hear things about that that I think will be heartening in terms of the way DoD certainly looked at how that program would be run, and what was within scope, and what they did about anything that was outside. The purple hair can tell you all about that.
I'm sorry, it's really very... I guess we all know the story of Bill Gates at age 15 hacking into DEC servers from across the country and causing some kind of system problems. I don't know if it was a crash or just issues; it was a pain in the ass for DEC, but I think they kind of admired the fact that it was a 15-year-old kid who did it. And a few years later, Steve Jobs and Steve Wozniak were going around selling blue boxes at the dorms at Cal. How much would those guys get prosecuted under the CFAA? How much time would they do? And how much, frankly, is this sort of vagueness of the statute suppressing people who would otherwise discover things in their youth and go on to do great and wonderful things?

Just from talking to Metasploit contributors and talking to people who want to disclose vulnerabilities and really kind of don't know how, I mean, like I said, the ambiguity is kind of the core of it, right? Like, if you have to just trust that prosecutors are not going to go after you, that's a little bit hard. It's gotten a lot easier in the last couple of years to make that case, but to also trust that a company's general counsel is not going to go after you either, that's a harder sell, right? Because there are lots and lots and lots of them, and they have all kinds of different cultures. I would have no problem at all with reporting bugs to Microsoft on the daily, right? Like, I don't have any issue with that. They learned their lesson the hard way; like, I think you have to learn that lesson the hard way. What about Oracle, Tod? But what about Oracle? Yeah, disclosing to a company like Shmoracle, that's a little more fraught, right? And really, when it comes down to it, a lot of the bugs that I deal with lately have been in IoT things and in other devices that don't look like computers with keyboards, or servers, things like that, and those companies are learning now how to do it. It's like dealing with Microsoft circa 1999, in that it's very painful and horrible. And I get a lot more angry letters from attorneys from small companies on small firm letterhead than I do from, you know, the office of the general counsel of a real giant company, right? Like, I don't tend to see those anymore. I actually haven't seen any from Oracle in a long time either.

So I'd also just toss out, for what it's worth, I'm not sure that we aren't in some ways thinking of the halcyon days of yore when phone phreakers could do whatever they want. Yeah, when we think about... No, no, no, no, but my point only being, actually they got in trouble too. John Draper, you know, Captain Crunch, ended up in actually some trouble. There's a book, oh God, what is it... Exploding the Phone. Thank you. It goes back to kind of chronicle the history of phone phreakers, and a lot of these folks did get knocks on their door from AT&T. I think one of the differences is it was a little harder to track them back then in telephony than it is today, so it may not be day and night between what happened before. That said, we've heard the concern about our innovators being tamped down because they're afraid to play, and we're trying to figure out how we can talk about the CFAA in a way that at least helps people, even if we don't have legislation passed, discern between what is okay behavior and things that actually will likely end in some sort of prosecution. That's kind of important.

But this is where the DOJ, DHS and Commerce, we can use the institutions of the U.S. government to help get model vulnerability disclosure policies, model bug bounty policies. We can start to go to the smaller companies and the medium-sized companies to get at some of these issues as a bridging tactic. But you know, I keep thinking about how is the CFAA going to work in 10 years' time, when one of you figures out a machine, using machine learning, where you're going to have a machine that's not even directed by a human. It's going to exceed its authorized access, and you're not going to be connected to it at all. You know, the CFAA is not designed to think about some of those scenarios, and so how are we going to evolve that law? Well, we have to get the base policies out: vuln disclosure, bug bounties, reporting, mitigation, and make sure that those become much more commonplace and much more the norm. Because I think, you know, what we hear about in the vulns that come into us too, or from smaller people that don't know where to send them, we can help with that. But how do we then stall for the CFAA problem? That's the ten-year-down-the-road issue.

Okay, so we're getting the giant hook to get out of the room. Are there any burning questions before we get out of here?
One small one regarding the password sharing part of the CFAA. Like, I know there's very often password dumps online where a database is hacked and username/password hashes are dumped. I notice a bit of a contentious area regarding trafficking passwords online. My perspective as a security researcher and/or, you know, a commercial pen tester is, if there is a commercial dump of passwords, I have to assume every bad actor out there has those passwords. As a job-related issue, I need to acquire my own copy of that password database dump so I can then test against the target website I'm hired to go after: you know, are you still using the same credentials, the same username and the same password as this hacked database? I mean, is there an issue with commercial pentesters doing that?

So, 1030(a)(6), I would just point to the words "with intent to defraud." So that's required for there to be a criminal violation of the password trafficking statute. So what you described there does not sound like with intent to defraud. Sure, you've been hired; authorization.

I think that's damage to a computer.

So a quick show of hands from you guys on who believes that the CFAA should be reformed to protect security researchers. What do you mean by reform? It depends. And show of hands, who believes that CFAA reform is a realistic possibility in the next three years? Three years? Three years. I'm an optimist. Yeah, it's after elections.

You know what would help is if we have Microsoft's support. All right, thank you.
oh