Computer Ethics, Fall 2010 Week 13
December 6
Corboy Law Room 523
4:15-6:45 Mondays
paper 2:
Just because it's free doesn't mean that we have to let FB do anything with our data.
Facebook provides no way to select which of your friends is to see what.
One concern is information available to advertisers. It is not clear that any information is released directly to advertisers.
Another, though, is information made available to Friends: through
mini-feeds, Beacon, like buttons, and other tools FB introduces that
have unanticipated side effects.
Perhaps Facebook should be prepared to outline potential consequences of changes.
Are there different kinds of change: eg new "technical" rules, new information-availability pathways, new rules on what must be world-viewable.
A brief history of hacking
TJX attack
Identity theft
Legal tools
Bidders' Edge
Citrin
Felony prosecutions
Kutztown 13
Randall Schwartz
Terry Childs
Julie Amero
Zero-day exploits
cisco & Mike Lynn
MBTA & MIT
Jurisdiction
eHarmony
Blue Note case
Zippo v Zippo
LICRA v Yahoo & Yahoo v LICRA
David Carruthers
Hacking
Stage 3: even now, not all attacks are about money.
Baase, p 259:
"In 1998, the US Deputy defense secretary described a series of attacks
on US military computers as 'the most organized and systematic attack
the Pentagon has seen to date.' Two boys, aged 16 and 17, had carried
them out."
What about the London attack of about the same era on air-traffic
control?
2000: the "Love Bug" or ILOVEYOU virus, by someone named de Guzman. If
you read the subject and opened the document, an MS-word macro launched
the payload.
MS-word macros were (and are) an appallingly and obviously bad idea. Should
people be punished for demonstrating this in such a public way? Was
there a time when such a demonstration might have been legitimate?
Yahoo DDoS attack & mafiaboy, aka Michael Calce
The attack was launched in February 2000. Calce got discovered by bragging
about the attack pseudonymously in chatrooms. Alas for him, he'd
previously used his pseudonym "mafiaboy" in posts that contained
more-identifying information.
Conficker worm, April 1, 2009, apparently about creating a network of
email 'bots.
Putting a dollar value on indirect attacks
This is notoriously hard. One of Mitnick's colleagues (Phiber Optik?)
was facing damage claims from one of the Baby Bell companies in excess
of $100,000, when it was pointed out that the stolen document was in
fact for sale for under $25.
Mark Abene (Phiber Optik) was imprisoned for a year. That was rather
long for the actual charge. Mitnick himself spent nearly five years in
prison, 4.5 of which were pre-trial. That situation is similar to that
of Terry Childs in San Francisco, who is still in prison.
Calce, Abene & Mitnick all now work in computer security. Is this
appropriate?
One theory is that gaining notoriety for an exploit is the way to get a security job. Is that
appropriate?
If not, what could be done differently?
Modern phishing attacks (also DNS attacks)
Stealing credit-card numbers from stores. (Note: stores are not supposed
to retain these at all. However, many do.)
Boeing attack, Baase p 262: how much should
Boeing pay to make sure no files were changed?
TJX attack: Baase p 87 and p 271
The breakin was discovered in December 2006, but may have gone back
to 2005.
40 million credit-card numbers were stolen! And 400,000 SSNs, and a
large number of drivers-license numbers.
Hackers apparently cracked the obsolete WEP encryption on wi-fi
networks to get in, using a "cantenna" from outside the building. Once
in, they accessed and downloaded files. There are some reports that
they eavesdropped on data streaming in from stores, but it seems likely
that direct downloads of files were also involved.
Six suspects were eventually arrested. I believe they have all now
been convicted; there's more information in the privacyrights.org page
below (which also pegs the cost to TJX at $500-1,000 million).
For a case at CardSystems Solutions, see
http://www.schneier.com/blog/archives/2005/06/cardsystems_exp.html.
Here the leak was not due to wi-fi problems, but lack of compliance
with standards was apparently involved. Schneier does a good job
explaining the purely contractual security requirements involved, and
potential outcomes. Schneier also points out:
Every credit card company is terrified
that people will reduce their
credit card usage. They're worried that all of this press about stolen
personal data, as well as actual identity theft and other types of
credit card fraud, will scare shoppers off the Internet. They're
worried about how their brands are perceived by the public.
The TJX and CardSystems attacks were intentional, not just data gone missing.
When attacks ARE about money, often the direct dollar value is huge.
And tracing what happened can be difficult. An entire bank account may
be gone. Thousands of dollars may be charged against EVERY stolen
credit-card number.
Here's a summary of several incidents: http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP.
An emerging standard is Payment
Card Industry Data Security Standard (PCI DSS), supported by
MasterCard, Visa, Discover, American Express, and others. See http://www.pcicomplianceguide.org/pcifaqs.php
for some particulars; a more official site is https://www.pcisecuritystandards.org.
Note that PCI DSS is not a law, but is "private regulation". Once upon
a time, the most effective regulators of steam-powered ships were
insurance companies [reference?]. This is similar, but MasterCard and
Visa are not quite the same as insurers. From the FAQ above:
Q: What are the penalties for
noncompliance?
A: The payment brands may, at their
discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI
compliance violations. The banks will most likely pass this fine on
downstream till it eventually hits the merchant. Furthermore, the bank
will also most likely either terminate your relationship or increase
transaction fees. Penalties are not openly discussed nor widely
publicized, but they can be catastrophic to a small business.
It is important to be familiar with your merchant account agreement,
which should outline your exposure.
If you are a store, you can refuse to pay the fine. But then you
will lose the ability to accept credit cards. This is extremely bad!
Visa's CISP program is described at http://www.visa.com/cisp.
The PCI standards do allow merchants to store the name and
account-number data. However, this is strongly discouraged. Sites that
keep this information are required by PCI to have it encrypted.
CardSystems was keeping this data because they were having a
higher-than-expected rate of problems with transactions, and they were
trying to figure out why.
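The retention problem described here (stores keeping card numbers they were never supposed to have, and PCI requiring whatever is kept to be encrypted and masked) has a concrete defender's check: scan logs and dumps for card numbers that should not be there, and redact them. The Python below is an added example written for these notes, not code from PCI, Schneier, or any of the companies discussed. The log lines are constructed; the Luhn checksum is the standard card-number check digit, and showing only the first six and last four digits is the display form PCI DSS allows. Treating that masked form as the redaction target is this example's own choice.

```python
import re

# Constructed sample of point-of-sale log lines (not from any real system).
# Two entries show a merchant logging full card numbers, the retention the
# notes warn against; the third is an order number that merely looks like a
# PAN and must not be flagged; the fourth is a mistyped number that fails
# the checksum and is likewise left alone.
SAMPLE_LOG = """\
2010-12-06 14:15:02 POS-07 sale ok pan=4111111111111111 amount=42.10
2010-12-06 14:15:09 POS-07 sale ok pan=5500 0000 0000 0004 amount=8.99
2010-12-06 14:16:30 POS-07 order=1234567890123 status=shipped
2010-12-06 14:17:45 POS-07 sale declined pan=4111111111111112 amount=5.00
"""

# A run of 13 to 19 digits, optionally separated by single spaces or
# dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs (digits only) found in text, in order."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _digits_only(m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Display masking of the kind PCI DSS permits: first six and last four
    digits visible, everything in between replaced."""
    digits = _digits_only(pan)
    if len(digits) < 13:
        raise ValueError("too short to be a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(text: str) -> str:
    """Rewrite text so every Luhn-valid PAN is masked; other digit runs
    (order numbers, timestamps, mistyped numbers) are left untouched."""
    def _mask_match(m):
        digits = _digits_only(m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return PAN_CANDIDATE.sub(_mask_match, text)


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("retained PAN found:", mask_pan(pan))
    print(redact(SAMPLE_LOG))
```

Redaction is not a substitute for encryption: a merchant that needs the number later still has to store it encrypted under PCI. A scanner like this is for finding the copies that were never supposed to exist, such as the ones sitting in point-of-sale logs.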
To some extent, PCI DSS compliance is an example of how ethical
behavior is in your own long-term best interest.
Identity Theft
what is it? What can be done?
And WHO IS RESPONSIBLE??
The most common form of identity theft is someone posing as you in
order to borrow money in your name, by obtaining a loan, checking
account, or credit card. When someone poses as you to empty your bank
account, that's generally known as "just plain theft".
Note that most "official" explanations of identity theft describe it
as something that is stolen from you; that is, something bad that has
happened to you. In fact, it is probably more accurate to describe
"identity theft" as a validation error made by banks and other lenders;
that is, as a lender problem.
This is a good example of nontechnical people framing the discourse to make it look
like your identity was stolen from you,
and that you are the victim, rather than the banks for making loans
without appropriate checks. And note that banks make loans without
requiring a personal appearance by the borrower (which would give the
bank a chance to check the drivers-license picture, if nothing else)
because that way they can make more
loans and thus be more profitable.
Hacking and probing
Is it ok to be "testing their security"?
What if it's a government site?
Should you be allowed to run a security scanner against other sites?
What if the security in question is APPALLINGLY BAD?
What if you have some relationship to the other host?
Baase, p 270:
"The Defense Information Systems Agency estimated that there were
500,000 hacker attacks on Defense Department networks in 1996, that 65%
of them were successful, and
that the Dept detected fewer than 1%". But 1996 was a long long time
ago.
Do we as citizens have an obligation to hack into our government's
computers, to help demonstrate how insecure they are?
What about hacking into Loyola's computers? Are we obligated to do that? What about
Loyola's wireless network?
Ok, failing that, what is our obligation to prevent intrusions that are not likely to be directly
harmful to us?
Hactivism
In 2006, Kevin Mitnick's sites were defaced by a group. There's some
irony there.
Other Baase cases:
several attacks against Chinese gov't sites, due to repressive
policies
pro-Zapatista groups defacing Mexican government sites
US DoJ site changed to read "Department of Injustice"
Legal tools against hackers
Once upon a time, authorities debated charging a hacker for the value
of electricity used; they had no other tools. The relative lack of
legal tools for prosecution of computer breakins persisted for some
time.
Computer Fraud & Abuse Act of 1986: made it illegal to access
computers without authorization (or to commit fraud, or to get
passwords)
USA PATRIOT Act: extends the CFAA, and provides that when totting up the
cost of the attack, the victim may include all costs of response and
recovery, even unnecessary or irresponsible costs.
Trespassing?
"Trespass of Chattels": maybe. This is a legal doctrine in which one
party intentionally interferes with another's chattels, essentially
personal property (including computers). Often actual harm need not be
proven, just that the other party interfered, and that the interference
was intentional and without authorization.
In 2000 eBay won a case against Bidder's Edge where the latter used
search robots to get information on eBay auctions. The bots used
negligible computation resources. The idea was for Bidder's Edge to
sell information to those participating in eBay auctions. In March
2001, Bidder's Edge settled as it went out of business.
Later court cases have often required proof of actual harm, though.
In 1998 [?], Ken Hamidi used the Intel email system to contact all
employees regarding Intel's allegedly abusive and discriminatory
employment policies. Intel sued, and won at the trial and appellate
court levels. The California Supreme Court reversed in 2003, ruling
that use alone was not sufficient for a trespass-of-chattels claim;
there had to be "actual or threatened interference".
After reviewing the decisions analyzing unauthorized electronic contact
with computer systems as potential trespasses to chattels, we conclude
that under California law the tort does not encompass, and should not
be extended to encompass, an electronic communication that neither
damages the recipient computer system nor impairs its functioning. Such
an electronic communication does not constitute an actionable trespass
to personal property, i.e., the computer system, because it does not
interfere with the possessor’s use or possession of, or any other
legally protected interest in, the personal property itself. [emphasis
added]
How do you prosecute when there is no attempt to damage anything?
Part of the problem here is that trespass-of-chattels was a doctrine
originally applied to intrusions, and was quickly seized on as a tool
against those who were using a website in ways unanticipated by the
creator (eg Bidder's Edge). Is that illegal? Should the law discourage
that? Should website owners be able to dictate binding terms of use
for publicly viewable pages (ie pages where a login is not required)?
International Airport Centers v Citrin
Generally the Computer Fraud & Abuse Act (CFAA) is viewed as being
directed at "hackers" who break in to computer systems. However,
nothing in the act requires that a network breakin be involved, and it
is clear that Congress understood internal breakins to be a threat as
well.
Just when is internal access a violation of the CFAA? Internal access is
what Terry Childs is accused of.
In the 2006 Citrin case, the defendant deleted files from his
company-provided laptop before quitting his job and going to work for
himself. From http://technology.findlaw.com/articles/01033/009953.html:
Citrin ultimately decided to quit and go into business for himself,
apparently in breach of his employment contract with the companies.
Before returning the laptop to the companies, Citrin deleted all of the
data in it, including not only the data he had collected [and had
apparently never turned over to his employer -- pld], but also data
that would have revealed to the companies improper conduct he had
engaged in before he decided to quit. He caused this deletion using a
secure-erasure program, such that it would be impossible to recover the
deleted information.
His previous employer sued under the CFAA, noting that the latter
contained a provision allowing suits against anyone who "intentionally
causes damage without authorization to a protected computer". Citrin
argued that he had authorization to use his company-provided laptop.
The District Court agreed. The Seventh Circuit reversed, however,
arguing in essence that once Citrin had decided to leave the company,
and was not acting on the company's behalf, his authorization ended. Or
(some guesswork here), Citrin's authorization was only for work done on
behalf of his employer; work done against the interests of his employer
was clearly not authorized.
Once again, the court looked at Citrin's actions in broad context,
rather than in narrow technological terms.
Note that Citrin's specific act of deleting the files was pretty
clearly an act that everybody involved understood as not what his
employer wanted. This is not a grey-area case. Compare this to the
Terry Childs or Randall Schwartz cases, below. We don't have all the
facts yet on Childs, but on a black-and-white scale these cases would
seem at worst to be pale eggshell (that is, almost white).
It seems very likely that Schwartz's intent was always to improve
security at Intel; it seems equally likely that at least in the three
modem-related charges against Childs there was absolutely no intent to
undermine city security, or to act in any way contrary to what the city
would have wanted if it had in fact any clue.
Felony prosecutions: Kutztown 13,
Randall Schwartz, Terry Childs, Julie Amero
Kutztown 13
Students were issued 600 Apple iBooks in 2004. The admin password was
part of the school address, taped to the back! The password was
changed, but the new one was cracked too. Some of the students got
admin privileges and:
- bypassed browser filtering
- installed chat/IM software, maybe others
- disabled monitoring software
The students were accused of monitoring teachers or staff, but that
seems unlikely.
The school's security model was hopelessly flawed. Who is responsible
for that? The school simply did not have the resources to proceed
properly.
The offenders were warned repeatedly.
But why didn't the school simply take the iBooks away? Why were felony
charges pursued? The charge was for felony computer trespass.
The school argued that the charges were filed because the students had
signed an "acceptable use" policy. But why should that make any
difference in whether felony charges were pursued?
http://www.wired.com/news/technology/0,1282,68480,00.html
cutusabreak.org: now gone
Wikipedia: Kutztown_Area_high_School
Randall Schwartz
http://www.lightlink.com/spacenka/fors
Oregon made it a FELONY to do anything UNAUTHORIZED. Also, taking a
file without authorization was declared to be THEFT.
Schwartz faced three counts:
- Installation of an email backdoor at Intel (he thought he had some
kind of permission)
- Taking the password file
- Taking individual passwords
These he did as a former sysadmin, now assigned to other duties, but
still concerned about password security. All he did was to run the
"crack" program to guess passwords. This involved copying the public
/etc/passwd file, which at that time contained the encrypted passwords,
and to this day contains the username-to-userid mapping used every time
you run ls -l.
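As an added example (not from these notes, and not Schwartz's own code), here is a small Python audit over a constructed passwd-style file. It prints the UID-to-username mapping that `ls -l` relies on, and flags the layout Schwartz was working with: hashes stored in the world-readable passwd file rather than in a root-only shadow file, plus two other things an auditor checks at the same time (accounts with no password, and extra UID 0 accounts). It does no password guessing; it only reports which accounts would be exposed to that kind of guessing. The sample entries, including the hash strings, are made up.

```python
from dataclasses import dataclass

# Constructed sample passwd file, not copied from any real system. The first
# three entries use the modern layout, where "x" means the hash lives in
# root-only /etc/shadow. The rest illustrate what an audit should catch:
# pre-shadow entries carrying the hash in the world-readable file (the
# layout the "crack" program fed on), an account with no password at all,
# and a second UID 0 account. The hash strings are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
legacy:$1$xyz$NOTAREALHASH0000000000:1001:1001:Legacy User:/home/legacy:/bin/sh
olddes:AbCdEfGhIjKlM:1002:1002:Old DES-style hash:/home/olddes:/bin/sh
nopass::1003:1003:No Password:/home/nopass:/bin/sh
toor:x:0:0:second root:/root:/bin/sh
"""

# Values in the password field that mean "no hash is stored here".
SHADOW_MARKERS = {"x", "*", "!", "!!"}


@dataclass
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> list:
    """Parse passwd(5)-format lines into PasswdEntry objects.
    Blank lines and comments are skipped; a malformed line raises."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid),
                                   gecos, home, shell))
    return entries


def uid_map(entries: list) -> dict:
    """The UID -> username mapping that `ls -l` uses to print owner names.
    With duplicate UIDs the later entry wins here, which is itself a hint
    that something is off (see the audit below)."""
    return {e.uid: e.name for e in entries}


def audit(entries: list) -> list:
    """Return (username, finding) pairs for entries a defender should look at."""
    findings = []
    for e in entries:
        if e.passwd == "":
            findings.append((e.name, "no password set"))
        elif e.passwd not in SHADOW_MARKERS:
            findings.append((e.name, "hash exposed in world-readable passwd file"))
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "additional UID 0 account"))
    return findings


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    for uid, name in sorted(uid_map(entries).items()):
        print(f"uid {uid:>5} -> {name}")
    for name, problem in audit(entries):
        print(f"WARNING {name}: {problem}")
```

Pointing this at a real system's /etc/passwd is the same copy-and-inspect step that got Schwartz charged; the difference is that this only reads a file the system already makes world-readable and makes no attempt to recover any password from it.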
The appeals court argued that although "authorization" wasn't spelled
out in the law, Schwartz did things without authorization as narrowly
interpreted. The appellate court also upheld the trial court's
interpretation of "theft": taking anything without permission, even if
the thing is essentially useless or if the taking is implicitly
authorized.
The appellate court also seemed to believe that Schwartz might have
been looking for flaws to take credit for them, and that such personal
aggrandizement was inappropriate. But employees look for problems at
work all the time and try to fix them, hoping to receive workplace
recognition.
Schwartz and Kutztown 13 cases have in common the idea that sometimes
the law makes rather mundane things into felonies. For Schwartz, it is
very clear that he had no "criminal" intent in the usual sense,
although he did "intend" to do the actions he was charged with.
Felony prosecutions: Kutztown 13,
Randall Schwartz, Terry Childs, Julie Amero
What do you do if you are a system administrator, or a database
administrator, and your nontechnical supervisor wants the root password?
Terry Childs
Childs was a Cisco-certified Internetwork Expert (CCIE)
working for San Francisco; he was the only one with the router
passwords for the city's fiberWAN network.
He was suspended for insubordination on July 9, 2008,
apparently for refusing to turn over router passwords. There are GOOD
reasons for limiting access to such passwords on a need-to-know basis,
BUT refusing to turn them over might be going pretty far, especially
when this locks the owners of the system out.
However, there are some mitigating factors, including the fact that
there was an open speakerphone call in progress at the time Childs was
asked for the passwords. We do not know if Childs was given another
chance to turn over the passwords, or told to turn them over privately
to his immediate supervisor, or to create another account. There were
allegations at the trial that Childs knew he was expected to turn over
the passwords after the confrontation, but did not do so. However, it
seems plausible that if Childs had turned over the passwords at the
initial conference, he might have been prosecuted for doing so.
At the trial, Childs claimed he was only asked (by his supervisors and
by the police) for his username and password, not for access to the
systems in question (which he could have granted by creating another
account). Other accounts claim that Childs clearly knew what his
supervisors wanted, and refused to give it to them.
Most accounts describe the July 9 meeting as a "confrontation",
ultimately as much due to poor San Francisco management as Childs'
behavior.
Note that the password in question was not a personal password, but
rather an administrative password for a set of Cisco routers. The
routers had been configured so as to be difficult to update without the
password.
He was arrested by SF police on Saturday, July 12, 2008 on four
counts of computer tampering. He was never granted bail, and he
remained in prison through his April 27, 2010 conviction. (As of December 2010, he is still in prison.)
He refused to give the police valid passwords at his arrest
(such refusal without having the opportunity to consult with a lawyer
is protected by the 5th Amendment, although it is not clear whether he continued to refuse).
He did give the passwords to then-mayor Gavin Newsom of SF, on July 21, 2008, while
in prison.
It seems likely that Childs would have had opportunities to
negotiate with his supervisors for the handover of the passwords
between the July 9 confrontation and his arrest, though he was suspended.
At no point did Childs do anything to damage the network, and the network was never
down at any time.
Childs had some past history: he committed a burglary at age 17 and
spent 4 years in prison. This apparently has no bearing on the present
case.
The city's main claim is that Childs was arrested because he placed
the city systems in jeopardy. However:
- Refusal to share passwords is hard to see as a criminal act. After
all, Childs could always quit. Or, for that matter, die.
- The city knowingly created and encouraged the environment in which
Childs was the only one with the passwords.
- No working systems were ever at risk.
The biggest concern to computing professionals is that San Francisco
then created a laundry list of criminal allegations against Childs that
in fact are standard practices:
- Childs knew several other people's passwords. (A list of 150 such
was found in Childs' house, and entered into evidence at his bail
hearing without redacting the passwords themselves.)
- He had network sniffers in place
- He had "back-door" access to the routers, through several modems
(three in the final criminal count). But these were pretty clearly for
emergency access.
- Routers were configured to resist password recovery (this is
standard practice when the physical security of the device is in
question).
- Configurations were not written to flash memory (same rationale as
the previous item)
- Childs' pager was sent a page by one of the routers (duh)
Childs seems to have been "security-conscious to the point of paranoia".
But most good computer-security people are!
In opposing bail reduction for Childs, the city's attorneys wrote in
July 2008:
In the training room locked by the
Defendant, they discovered two modems that allowed access to the City's
network from unauthorized
locations. A further analysis of the network by Principle Security
Consultant Anthony Maupin determined that the Defendant had configured
multiple Cisco network devices with a command that erases
all configurations and data in the event someone tried to recover the
password. Further, the Defendant had created his own private network
that bypassed all City monitoring and security systems. He had programs
that monitored and detected any intrusions
and notified the Defendant if others were monitoring or trying to
access his information. The Defendant had implemented his own email server
and had multiple remote access systems, some which [sic] were hidden in
locked storage cabinets and connected to modems. This permitted the
Defendant to access the City's network infrastructure undetected. An
additional modem was discovered in a locked cabinet near his cubicle
that was connected to a phone line and had access to the network.
... There are over 1100 different devices, routers, switches, modems,
etc, scattered throughout the city's offices that the Defendant
may have configured and even locked with his own passwords. ...
there is a serious threat to the City's network system if the Defendant
was out of custody without the City having full control over all the
1100 devices as the Defendant may have access any of these devices
[sic].
The final four charges (pretty close to the original, but none of the
tantalizing allegations of the bail-reduction motion making it in): one
of "disrupting or denying computer services" (by not revealing the
passwords) and three of "providing a means of accessing a computer,
computer system, or computer network" (one for each of the three
modems).
The latter three charges were finally dropped on August 21, 2009, over a year later. Bail remained at $5
million, even though the state's original argument against bail
reduction was based on the three dropped charges and the idea that the
"unauthorized" modems might mean that Childs had other
backdoors into the city network. Also, San Francisco had plenty of time to
tighten up security. It is possible that the three dropped
"unauthorized modem" charges were dropped because of the impossibility
of proving that they were in fact unauthorized, though that is to some
extent exactly the defense's point.
Childs is charged with "disrupting or denying computer services".
However,
- He did not disrupt any computer services
- He did eventually reveal the correct password
- He could have been charged under the same law had he revealed the
password when first asked, given the full circumstances surrounding
that confrontation.
Note that in the first "disrupting or denying computer services"
charge, no computer services were actually disrupted. The only thing
denied was the password.
He did configure the network in a manner that made it difficult for
coworkers to reconfigure it. Was this about prudence, or job security?
He apparently did not face day-to-day clear lines of authority; he
definitely was not asked to make the master passwords available to
supervisors until the dispute.
There are no charges (as filed in February 2009) of network tampering;
these appeared in court documents in July and August 2008 but were
dropped. ("Network tampering" appears to have been replaced by the
three modem charges.)
The modems were all apparently legitimate: the first was to dial
Childs' pager if there was a problem (through the What's Up Gold
monitoring package), the second was to allow immediate dialin access to
some SF networks (not apparently the FiberWAN), and in addition was
apparently installed before Childs was hired, and the third was to
provide an alternative communications path to emergency services
across the San Andreas fault. (See
http://www.infoworld.com/d/data-management/could-childs-case-put-all-network-admins-in-danger-979)
If there was any additional illegitimate purpose, it does not appear to
be documented anywhere in any filings to date.
It is indeed possible that Childs decided not to have configurations
written to flash memory for "job security"; ie so that, if there was a
problem, he would be irreplaceable. Alternatively, it could have been
because Childs was having conflicts with management and wanted them to
know they couldn't work without him. There is no hard evidence, though,
of this.
The formal allegation against Childs did not spell out any specific
evidence of intent to disrupt the network (though it did not have to).
There is considerable evidence, though, that Childs did indeed intend
to give himself "job security" by making sure no one else could manage
the network.
One possible reason Childs has been denied reasonable bail is the fact
that a search of his residence just before his arrest turned up some
9mm ammunition, and Childs had in 1985 been convicted of a felony:
armed robbery (with a knife). Possession of ammunition by a convicted
felon is illegal in California (and many other states). Also, the fact
that Childs had $10,000 in cash in his house was interpreted by the
police
as evidence that he was a flight risk. Finally, Childs lied to his
supervisors when he said he had no past felony convictions, and lied
again on the day of his management confrontation when he said his
fiberWAN password no longer worked. Both of these are perhaps
understandable, and in principle they shouldn't matter, but one doesn't
know.
It does seem likely, however, that a big part of the reason Childs
remains in jail is that the City keeps raising the specter that he
could break in. But if he could, even a few months later, let alone
close to two years, then so could anyone else, and the City's security
is just plain negligent.
One plausible charge against Childs is the allegation that he
configured the routers not to store their configurations, and that this
was done in order that if the network crashed, only he could resurrect
it. From the arrest-warrant affidavit of
police officer James Ramsay:
Mr Maupin [the city's security
consultant] was also able to determine and validate that Mr Childs had,
in fact, intentionally configured multiple Cisco network devices with a
command that erases all configuration and data in the event that
someone tries to restore administrative access or tries to perform
disaster recovery. This command was created for military applications
that require the deployment of network devices in areas that may have
the possibility of hostile forces that could get physical access to
network devices.
Officer Ramsay also was the one to tell Childs initially that failure
to divulge the passwords was "a denial of service as defined under
Penal Code violation Section 502(c)(5)". This claim remains farfetched,
at face value, given the lack of clear authority within DTIS, although
it might apply if Childs had withheld the password with malicious intent.
Note that the quoted line "this command was created for military
applications ..." is both misleading and a bit of a stretch. It seems
likelier that the command was suggested
for military applications, but even if it was created for that, so was GPS.
As for the configuration-to-erase claim, Childs' attorneys claimed in
his bail-reduction motion that one of his colleagues, Carl Sian,
intentionally kept (as for study) computer viruses, and later spread
one to Childs (possibly accidentally). Somewhat later, Childs'
supervisor Herb Tong made some technically inappropriate changes to the
fiberWAN system. In light of those events, Childs may very well have
felt that the "hardened" configuration of the routers was appropriate.
The early case documents are back online at http://www.infoworld.com/d/data-management/terry-childs-case-in-its-own-words-928.
Overall, it seems to me that people who work in very structured
environments have no sympathy for Childs; he clearly broke the rules.
Partly that is not the point; just about everyone agrees his firing was
legitimate.
Here are a couple of comments from one of the jurors, Jason Chilton, who, like Childs, was a CCIE.
The questions were, first, did the defendant know he caused a
disruption or a denial of computer service. It was rather easy for us to
answer, "Yes there was a denial of service." And that service was the
ability to administer the routers and switches of the FiberWAN.
That was the first aspect of it, the second aspect was the denial to an
authorized user. And for us that's what we really had to spend the most
time on, defining who an authorized user was. Because that wasn't one of
the definitions given to us.
From blogs.sfweekly.com/thesnitch/2010/08/terry_childs_sentenced_hacker.php:
It almost seemed like paranoia. Especially after he found out there
would be some organizational changes, I believe the security he was
putting in place wasn't to prevent attackers but to prevent people from
getting rid of him. He would be needed because no one
else could take care of this network. It was so secure, only he could
have access.
On August 6, 2010, Childs was sentenced to four years in prison. It is
likely that he will be released soon. This is an extraordinary sentence
if you believe the case was the result of a workplace misunderstanding.
The Schwartz, Childs and Amero cases have in common behavior that some
people might find well within the range of acceptable, while others
might find seriously criminal. These aren't like banking-industry
cases; none of the defendants was trying to push the envelope in terms
of what they could "get away with". All three felt they were "just
doing their jobs".
Julie Amero case
On October 19, 2004, Amero was a substitute teacher (7th grade) at
Kelly Middle School, Connecticut. At some point early in the school
day, the teacher's desk computer started displaying an unstoppable
stream of pornographic web pages. Clicking the close button on one
simply brought up others. This is by now a well-known javascript
vulnerability.
Amero had been explicitly told never to disturb anything in the
classroom, and in particular not to turn the computer off. So she
didn't. She had
apparently no idea how to turn off just the monitor. She spent much of
her day at her desk, trying to fix the problem by closing windows. She
did not attempt to tape something over the monitor, or cover the
monitor with something.
Someone apparently decided that she was actively surfing porn. Within
two days, she was told she couldn't substitute at that school; she was
arrested shortly thereafter.
Amero had complained to other teachers later that day. Why she didn't
demand that something be done during the lunch hour is not clear. Why
she didn't tape something over the screen is not clear. Amero claimed
that two kids used the computer before the start of class, at a
hairstyles site, but others claimed that could not have happened
because it was not allowed.
It later turned out that the school's content-filter subscription had
lapsed, and so the filter was out of date. Also, the computer had
several viruses or "spyware" programs installed. In retrospect, some
sort of javascript attack seems to have been the proximate cause.
In January 2007, she was convicted of impairing the morals of a child.
This was despite computer-forensic evidence that a hairstyles site
triggered a scripting attack that led to the Russian porn sites.
The prosecutor's closing arguments hinged on the idea that some of the
links in question had "turned red", thus "proving" that they had been
clicked on (i.e. deliberately by Amero) rather than having been
activated via scripting. This is false at several levels: the color of
followed links can be any color at the discretion of the page, and if a
page has been opened via a script, links to it are indistinguishable
from links that were clicked on.
In June 2007 Amero was granted a new trial, and in November 2008 she
pleaded guilty to a misdemeanor disorderly conduct charge and forfeited
her teaching credentials.
Amero's failure to regard the computer problem as an emergency probably
contributed to her situation.
I discussed her case with a School of Education class once, and the
participants were unanimous in declaring that Amero was incredibly
dense, at best.
zero-day exploits
Should they be tolerated? Encouraged?
- Sometimes vendors ignore exploit reports without the publicity.
- Sometimes users really need a script to tell them if they are
vulnerable; such a script is typically tantamount to an exploit.
- Sometimes announcing a flaw gives crackers all they need to exploit
it; withholding details merely gives false security.
Consensus seems to be that zero-day exploits are a bad idea, and that
one has some responsibility to let vendors know about an exploit so a
patch can be developed.
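The second point above draws a line between a check that tells users whether they are exposed and a script that actually triggers the flaw. The following is an added example, not code from these notes or from any vendor, of the non-exploit kind of check: it compares the installed version of a product against the version in which a fix shipped. Every product name, advisory id, host name and version number in it is a constructed placeholder. It also covers the main way such checks go wrong, namely distributors that backport a fix without changing the version string.

```python
"""Version-based vulnerability check (no exploit involved).

Constructed example: the advisories, products, hosts and version numbers
below are placeholders, not real software or real advisories.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class Advisory(NamedTuple):
    product: str
    fixed_in: str      # first version that contains the fix
    reference: str     # placeholder advisory id


class Host(NamedTuple):
    name: str
    product: str
    version: str
    backported: bool = False   # distributor backports fixes without bumping the version


# Constructed sample data.
ADVISORIES: List[Advisory] = [
    Advisory("exampled", "2.4.10", "EXAMPLE-ADV-0001"),
    Advisory("widgetsrv", "1.0.3", "EXAMPLE-ADV-0002"),
]

INVENTORY: List[Host] = [
    Host("web-1", "exampled", "2.4.9"),
    Host("web-2", "exampled", "2.4.10"),
    Host("web-3", "exampled", "2.4.9", backported=True),
    Host("app-1", "widgetsrv", "1.0.3-rc1"),
    Host("app-2", "widgetsrv", "1.0.10"),
    Host("db-1", "otherdb", "9.1"),
]

_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)(?:[-.]?(alpha|beta|rc)\.?(\d*))?", re.I)


def parse_version(text: str) -> Tuple[Tuple[int, ...], Tuple[int, str, int]]:
    """Turn '2.4.10', '1.0.3-rc1' or 'v3.2' into a key that compares correctly.

    Numeric components compare as integers, so 1.0.10 > 1.0.3 (a plain
    string comparison gets this wrong). A pre-release suffix sorts before
    the bare release, and missing trailing components count as zero.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))          # 2.4 == 2.4.0.0
    if m.group(2):
        pre = (0, m.group(2).lower(), int(m.group(3) or 0))   # alpha < beta < rc
    else:
        pre = (1, "", 0)                                      # final release
    return nums, pre


def assess(inventory: List[Host], advisories: List[Advisory]) -> Dict[str, Tuple[str, str]]:
    """Map each host name to (status, explanation).

    status is one of: vulnerable, patched, verify, no-advisory.
    """
    by_product = {a.product: a for a in advisories}
    results: Dict[str, Tuple[str, str]] = {}
    for h in inventory:
        adv = by_product.get(h.product)
        if adv is None:
            results[h.name] = ("no-advisory", f"no advisory on file for {h.product}")
        elif parse_version(h.version) >= parse_version(adv.fixed_in):
            results[h.name] = ("patched", f"{h.product} {h.version} >= {adv.fixed_in} ({adv.reference})")
        elif h.backported:
            # The version string alone cannot settle this case; the package
            # changelog or the distributor's own advisory has to be consulted.
            results[h.name] = ("verify",
                               f"{h.product} {h.version} < {adv.fixed_in} but fixes are backported; "
                               f"check the changelog for {adv.reference}")
        else:
            results[h.name] = ("vulnerable", f"{h.product} {h.version} < {adv.fixed_in} ({adv.reference})")
    return results


if __name__ == "__main__":
    for host, (status, why) in assess(INVENTORY, ADVISORIES).items():
        print(f"{host:8} {status:12} {why}")
```

The check never touches the software it reports on, which is what makes it safe to hand to users; the price is that it reports "verify" rather than a definite answer wherever the version string is not the whole story.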
Patch Tuesday is now followed by Exploit Wednesday.
Cisco 2005 case involving Michael Lynn: see http://www.schneier.com/blog/archives/2005/07/cisco_harasses.html
Cisco threatened legal action to stop
the [July 2005 Black Hat] conference's organizers from
allowing a 24-year-old researcher for a rival tech firm to discuss how
he says hackers could seize control of Cisco's Internet routers, which
dominate the market.
Cisco called the disclosure "premature" and claimed Lynn had "illegally
obtained" the information by reverse-engineering. Lynn acknowledged
that he had disassembled some Cisco code, based on an announced Cisco
patch, but found an additional problem that could allow an outsider to
take over the router. Note that a patch had already been released by
Cisco, but many customers had not installed it because Cisco had not
indicated it was important.
Lynn demoed his findings to Cisco in June 2005. Initially there had
been talk about a joint security presentation, but those talks broke down.
The Black Hat conference was in late July 2005.
At the 2006 Black Hat conference, Cisco was a sponsor. Lynn was invited
to the party the company sponsored.
Schneier also has a 2001 essay on full disclosure (with advance notice
to the vendor) at http://www.schneier.com/crypto-gram-0111.html.
MBTA Card
In 2008, three MIT students, Russell Ryan, Zack Anderson, and Alessandro
Chiesa, developed a presentation, Anatomy of a Subway Hack (see
http://cs.luc.edu/pld/ethics/charlie_defcon.pdf, especially pages 5, 8,
11/12, 24ff, 41, 49, and 51). One of the methods of attack was to take
advantage of a vulnerability in the Mifare Classic RFID chip used by the
MBTA's "Charlie Card". They intended to present their findings at the
2008 Defcon.
US District Judge George O'Toole granted a 10-day preliminary
restraining order against the group, but then let it expire without
granting the five-month injunction requested by the MBTA. The MBTA's
legal argument was that the paper violated the Computer Fraud and Abuse
Act, but the problem is that the CFAA normally applies to worms and
viruses themselves, and not to
publishing information about them.
Much of the information in the report is highly embarrassing to the
MBTA, such as the photographs of gates left unlocked. Should they be
allowed to block that?
The MIT group apparently asked their professor, Ron Rivest (the R of
RSA), to give the MBTA an advance heads-up, but it apparently did not
happen immediately as Rivest was traveling at the time, and in any
event would have amounted to just a week or so. The MBTA was eventually
informed, and quickly pushed for an FBI investigation.
The MIT group's RFID hack was based on the work of Gans, Hoepman, and
Garcia in finding flaws in the Mifare Classic chipset; see http://cs.luc.edu/pld/ethics/mifare-classic.pdf.
This is a serious academic paper, as you can tell by the font. Their
work is based on earlier work by Nohl and Plötz, which they cite. On
page 4 of my copy the authors state
We would like to stress that we
notified NXP of our findings before publishing our results. Moreover,
we gave them the opportunity to discuss with us how to publish our
results without damaging their (and their customers) immediate
interests. They did not take advantage of this offer.
Note also that the attack is somewhat theoretical, but it does allow
them to eavesdrop on the encrypted card-to-reader communications, and
to read all of data-block 0 stored on the card (and other blocks, if
the data is partially known).
Nohl has said, "It has been known for years that magnetic stripe cards
can easily be tampered with and MBTA should not have relied on the
obscurity of their data-format as a security measure".
Hacking
What legal responses are appropriate?
Should we criminalize having hacking tools?
What about magnetic-stripe readers? RFID readers?
Pringles cans (for use as cantennas)?
DVD players that bypass the region code?
What about C compilers?
Note that it is in fact already illegal to possess certain things that
can have illegal uses, such as automotive dent pullers (used to pull
cylinders out of locks) and tools that look like they might be lock
picks.
Jurisdiction online
Jurisdictional issues: where did the sale take place? This one is very
important for e-commerce.
Traditional three rules for lawsuit jurisdiction:
- Purposeful availment: did the defendant receive any benefit from the
laws of the jurisdiction? If you're in South Dakota and you sell to
someone in California, the laws of California would protect you if the
buyer tried to cheat you. Generally, this is held to be the case even if
you require payment upfront in all cases. The doctrine of purposeful
availment means that, in exchange for the benefits to you of
California's laws, you submit to California's jurisdiction.
- Where the act was done.
- Whether the defendant has a reasonable expectation of being subject
to that jurisdiction.
eHarmony lawsuits, for alleged discrimination against homosexuals
eHarmony is headquartered in California.
New Jersey lawsuit by Eric McKinley, 2005
California lawsuit by Linda Carlson, 2007
How does jurisdiction apply? Should it have applied in New Jersey?
Is the fact that users must enter their address the deciding factor?
Would it have mattered if eHarmony was a free service?
Could eHarmony simply have agreed not to do business in NJ and CA?
What if residents of Newark (or Princeton) simply gave NYC addresses?
- sales
- trademarks
- libel/defamation
- criminal law
laws governing sales: seller can sue in his home state/country
This is more or less universal.
laws governing trademarks
Trademark scope
The Blue Note Cafe was located in NYC.
The Blue Note, St Louis (actually Columbia, MO) was a club, sued for
trademark infringement by Blue Note New York because they had a web
site.
The case: Bensusan Restaurant Corp v King, 937 F. Supp. 295
(SDNY 1996)
The case was brought in federal district court, which decided there was
a lack of jurisdiction. Before that, however, note that the Missouri
club began using the name in 1980, and the NYC club did not register
the trademark until 1985. Note that, generally
speaking, in this sort of situation the Missouri club retains
the right to continue to use the name locally,
while non-local use is reserved to the federal trademark-holder.
The district court did look at the "long-arm statute" of the "forum
state", that is, New York. The New York law provides that
a New York court may exercise personal jurisdiction over a
non-domiciliary who "in person or through an agent" commits a tortious
act within the state.
The State-court interpretation of this was that the act had to be
committed in New York State,
and the federal court deferred to this interpretation.
Another part of the NY state law did provide for jurisdiction when
the other party was outside the state. However, the law also
... restricted the exercise of
jurisdiction under sub-paragraph (a)(3)
to persons who expect or should reasonably expect the tortious act to
have consequences in the state and in addition derive substantial
revenue from interstate commerce
The second circuit decided that Blue Note Missouri did not derive revenue from interstate
commerce. End of case.
Blue Note St Louis had a mostly passive web site, although they did
advertise tickets online, to performances at the club itself. These
tickets had to be picked up at the
Missouri box office; they were never mailed. Does this matter? Does it matter that
the tickets were technically not sold over the internet, but instead you
had to call a phone number?
This case was decided on jurisdictional
grounds: NY State did not have
jurisdiction.
The second-circuit appellate decision is at http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?court=2nd&navby=docket&no=969344.
This was a reasonable decision, but notice that it sure doesn't
offer many guarantees that your website won't infringe on a trademark
far far away.
Domain names
Zippo v Zippo, 1997
See http://cyber.law.harvard.edu/metaschool/fisher/domain/dncases/zippo.htm
Zippo lighters v zippo.com: a trademark-infringement suit filed under PA
state law, but filed in federal district court.
PA "long arm" statute
zippo.com was a news service. They had email customers in PA, and two
ISP customers.
(1) the defendant must have sufficient "minimum contacts" with the
forum state,
(2) the claim asserted against the defendant must arise out of those
contacts, and
(3) the exercise of jurisdiction must be reasonable.
We find Dot Com's efforts to
characterize its conduct as falling short of purposeful availment of
doing business in Pennsylvania wholly unpersuasive. At oral argument,
Defendant repeatedly characterized its actions as merely "operating a
Web site" or "advertising." Dot Com also cites to a number of cases
from this Circuit which, it claims, stand for the proposition that
merely advertising in a forum, without more, is not a sufficient
minimal contact. [FN7] This argument is
misplaced. Dot Com has done more than advertise on the Internet
in Pennsylvania. Defendant
has sold passwords to approximately 3,000 subscribers in Pennsylvania
and entered into seven contracts with Internet access providers to
furnish its services to their customers in Pennsylvania.
[emphasis added]
Decided JURISDICTIONAL issue, plus others: PA did have jurisdiction
Note the gray area between a completely passive website, just an
"electronic billboard", and “the knowing and repeated transmission of
computer files over the Internet”. Usually the latter means
subscriber-specific information.
What about google.com? Should Illinois courts have jurisdiction?
Internationally, we already looked at LICRA v Yahoo, filed in France
(and won by LICRA) over Yahoo's selling of Nazi memorabilia on its
auction site in the US. Yahoo had initially agreed to comply with the
French order, and then later changed its mind, and filed suit in the US
asking that the US court declare that the French court did not have
jurisdiction. That case ended in a draw (specifically, in a declaration
that the case was not "ripe").
Suppose your bank makes an error. Where do you sue them? What if their
only presence in your state is online? Consider the case Soma Medical v Standard Chartered Bank.
SCB is located in Hong Kong. Soma is in Utah. Soma did banking with SCB
online. Some money disappeared. Soma lost their lawsuit in Utah,
because the court ruled that the fact that SCB had a website accessible
in Utah did not give the State of Utah personal jurisdiction.
[Michael Shamos]
NTP v RIM: RIM's network hub was in Canada. RIM lost on that point, but there remain serious questions
about whether US patent law extends to other countries.
Butler v Beer Across America
http://itlaw.wikia.com/wiki/Butler_v._Beer_Across_America
BAA is an Illinois company selling beer over the internet. Butler's
minor son ordered beer, and it was delivered to him despite rules that
required an adult signature. Butler sued BAA under an Alabama law that
makes it illegal to sell alcohol to minors. In this case, Butler lost
her bid to get Alabama jurisdiction, though the case was transferred by
the Alabama court to Illinois.
Deciding that the sale of beer by Illinois defendants to an Alabama
minor on the Internet occurred in Illinois, the federal court held that
a single sale was insufficient minimum contacts to establish personal
jurisdiction over the defendants in Alabama.
Jurisdiction and criminal cases
The 6th amendment to the constitution requires that
In all criminal prosecutions, the
accused shall enjoy the right to a
speedy and public trial, by an impartial jury of the state and district
wherein the crime shall have been committed
But what state and district are involved if you do something allegedly
illegal online?
Venue is extremely important
if "community standards" are at stake. Even if they are not, an
inconvenient venue can be chosen by prosecutors to harass you or make
your defense more expensive; alternatively, a venue can be selected
where longer sentences are handed down or juries are less tolerant of
social differences.
If you are selling something illegal, the feds may prosecute you in any
state in which the material could be purchased. The Reagan
administration did just that when attempting to crack down on
pornography in the 1980s, often filing parallel lawsuits all over the
country.
However, if you are just a buyer,
the legal principle is still muddled. Just where were you in cyberspace
when you were sitting in your living room buying tax-planning software?
Delaware? California?
See Baase, §5.5.2.
International crime
Remember the case of Yahoo selling Nazi memorabilia in California, and
being convicted of that by a French court?
In 2006 the US signed the so-called "cybercrime treaty", to encourage
international cooperation in prosecuting computer crime. However, in an
important area the treaty completely lacked the usual
"dual-criminality" provision, that the action in question must be a crime in both nations for the treaty to apply. The consequence is that US ISPs may be required to
assist in foreign-government investigations of events that are not
illegal under US law, even when the events occurred within the US.
Foreign governments may ask for electronic seizures and searches (eg of
email records), and ISPs must cooperate promptly or face charges.
The treaty also not only permits but requires
the FBI to engage in warrantless wiretapping of Americans if a foreign
government claims that the wiretap is necessary for a cybercrime
investigation.
In Baase §5.5.3, she speculates that the US may have agreed to this
no-dual-criminality wording in order to be able to extend the reach of
its own laws overseas.
British citizen and CEO of BETonSPORTS.com (no longer online) David Carruthers
was arrested in Dallas in July 2006 when changing planes, because in
the US online betting is illegal. He was sentenced on January 8, 2010 to
33 months in prison; apparently this does not include the 3 years already served under house
arrest.
He conducted all his BETonSPORTS business while in England, and was
just passing through the US when arrested. He was charged because some
of BETonSPORTS's customers were allegedly US citizens.
Facing a potential 20-year sentence, he finally agreed to plead guilty
in April 2009.
Carruthers is a major advocate of regulated
internet gambling.
What else could have been done? The real issue with internet gambling is
that it so frequently involves gambling on credit.
(This would not be the case if customers sent in money in advance, but
that greatly complicates use of the sites by impulse gamblers.)
A few other issues
- Employment and empowerment: Do computers take jobs away? Do they
make jobs more stressful? Do they reduce worker privacy to an
unacceptable or inappropriate degree?
- Effects of computing and blogging on the political process: does it
help democracy or diminish it? The "diminish" theory comes in part
from the idea that parties can now target individual hot-button issues
for most voters, and that the wealth of political information on the
internet is so vast that only "insiders" and professionals can
comprehend it.
- Computers and risk. What is the probability of software failure?
Under traditional mechanical analysis, it is either 0.0 or 1.0; it
either doesn't fail, or it does. As the latter value implies complete
failure every time, it was generally assumed to be 0.0. Can more
plausible statistical models of failure be developed? If you understand
the failure mode, why don't you just fix the software? Anyway, how do
we analyze software risk? In cars? In air-traffic control systems?
- Star Wars, aka the Strategic Defense Initiative. This was to be a
software-engineering project of such magnitude that it was inaccessible
to traditional methods. It was also untestable, as the only meaningful
test would be all-out nuclear war.
- Given all that, software is much more reliable than it used to be.
How do we adjust to that?
- Professional ethics: what are programmers called upon to do?
Network admins? Database managers?
- How do we evaluate technology in the schools? What about the
Kutztown 13? Do computers make kids better writers? Does Mathematica
make students better at math?