Hacking and Computer Crime

Hacking

To some of you, hacking is clearly wrong and there shouldn't even be a question here. If you're one of them, just pay attention to the legal-strategies-against-hackers part. However, is using a website in a manner contrary to the provider's intentions always hacking? A more serious example is logging on to a site, but not changing anything and in particular not committing theft.

Baase's "three phases of hacking"

1. Early years: "hacking" meant "clever programming"

2. ~1980 to ~1995:
    hacking as a term for break-in
    largely teenagers
    "trophy" hacking
    phone lines, BBSs, gov't systems
    lots of social engineering to get passwords
  
1994 Kevin Mitnick Christmas Day attack on UCSD (probably not carried out by Mitnick personally), launched from apollo.it.luc.edu. [!]
   
3. post-1995: hacking for money

early years / trophy hacking

A common argument is that during this era the word "hacking" meant clever programming; certainly the word was frequently used that way. But it was also used to describe "phone phreakers": those who hacked the phone system. The following purports to identify the "first recorded usage of 'hacker'" in 1963: manybutfinite.com/post/first-recorded-usage-of-hacker, and it is clearly a reference to phone phreaking.

Phone phreaking: see Baase, 4e p 232, 247
Joe "The Whistler" Engressia was born blind in 1949, with perfect pitch. He discovered (apparently as a child) that, once a call was connected, if you sent a 2600 Hz tone down the line, the phone system would now let you dial a new call, while continuing to bill you for the old one. Typically the first call would be local and the second long-distance, thus allowing a long-distance call for the price (often zero) of a local call. Engressia could whistle the 2600 Hz tone.
       
According to the wikipedia article on John Draper, Engressia also discovered that the free whistle in "Cap'n Crunch" cereal could be modified to produce the tone; Engressia shared this with Draper who popularized it. Draper took the nickname "Cap'n Crunch".

As an adult, Engressia wanted to be known as "Joybubbles"; he died August 2007
       
Draper later developed the "blue box" that would generate the 2600 Hz trunk-line-idle tone and also other tones necessary for dialing.
       
How do we judge these people today? At the time, they were folk heroes. Everyone hated the Phone Company!
   
Is phone-phreaking like file sharing? Arguably, there's some public understanding now that phone phreaking is wrong. Will there later be a broad-based realization that file-sharing is wrong?
   
How wrong is what they did? Is there a role for exposing glitches in modern technology?
   
From Bruce Sterling's book The Hacker Crackdown: Law and Disorder on the Electronic Frontier, mit.edu/hacker:

What did it mean to break into a computer without permission and use its computational power, or look around inside its files without hurting anything? What were computer-intruding hackers, anyway -- how should society, and the law, best define their actions? Were they just browsers, harmless intellectual explorers? Were they voyeurs, snoops, invaders of privacy? Should they be sternly treated as potential agents of espionage, or perhaps as industrial spies? Or were they best defined as trespassers, a very common teenage misdemeanor? Was hacking theft of service? (After all, intruders were getting someone else's computer to carry out their orders, without permission and without paying). Was hacking fraud? Maybe it was best described as impersonation. The commonest mode of computer intrusion was (and is) to swipe or snoop somebody else's password, and then enter the computer in the guise of another person -- who is commonly stuck with the blame and the bills.

  
What about the Clifford Stoll "Cuckoo's Egg" case: tracking down an intruder at Berkeley & Livermore Labs; Markus Hess was a West German citizen allegedly working for the KGB. Hess was arrested and eventually convicted (1990). Berkeley culture at that time was generally to tolerate such incidents.

Robert Tappan Morris (RTM) released his Internet worm in 1988; this was the first large-scale internet exploit. Due to a software error, it propagated much more aggressively than had been intended, often consuming all the available CPU. It was based on two vulnerabilities: (1) a buffer overflow in the "finger" daemon, and (2) a feature [!] in many sendmail versions that would give anyone connecting to port 25 a root shell if they entered the secret password "wiz".

Were Morris's actions wrong? How wrong? Was there any part that was legitimate? RTM was most likely trying to boost his academic reputation by discovering a security vulnerability. There was no financial incentive.

The jury that convicted him spent several hours discussing Morris's argument that when a server listened on a port (eg an email server listening on port 25), anyone was implicitly authorized to send that port anything they wanted. That is, it is the server's responsibility to filter out bad data. While the jury eventually rejected this argument, they clearly took it very seriously.

Morris went on to become a professor at MIT.

Mitnick attack: how much of a problem was that, after all? There are reports that many Mitnick attacks were part of personal vendettas. (Most of these reports trace back to John Markoff's book on Mitnick; Markoff is widely believed to have at a minimum tried to put a slant on the facts that would drive book sales.)

Stage 3: even now, not all attacks are about money.

Calce, Abene & Mitnick all now work in computer security. Is this appropriate? Of course, if you believe the charges themselves were inappropriate, you might readily agree.

One theory is that gaining notoriety for an exploit is the way to get a security job. Is that appropriate?

If not, what could be done differently?

Legal tools against hackers

Once upon a time, authorities debated charging a hacker for the value of electricity used; they had no other tools. The relative lack of legal tools for prosecution of computer breakins persisted for some time.

The Computer Fraud & Abuse Act of 1986 made it illegal to access computers without authorization (or to commit fraud, or to get passwords). Robert Tappan Morris was the first person convicted under this law.

USAP AT RIOT act:
Extends CFAA, and provides that when totting up the cost of the attack, the victim may include all costs of response and recovery. Even unnecessary or irresponsible costs. Even costs they should have already implemented.
   
Trespassing?
"Trespass of Chattels": maybe. This is a legal doctrine in which one party intentionally interferes with another's chattels, essentially personal property (including computers). Often actual harm need not be proven, just that the other party interfered, and that the interference was intentional and without authorization.

In 2000 e-bay won a case against Bidder's Edge where the latter used search robots to get information on e-bay auctions. The bots used negligible computation resources. The idea was for Bidder's Edge to sell information to those participating in eBay auctions. In March 2001, Bidder's Edge settled as it went out of business.

Later court cases have often required proof of actual harm, though. In 1998 [?], Ken Hamidi used the Intel email system to contact all employees regarding Intel's allegedly abusive and discriminating employment policies. Intel sued, and won at the trial and appellate court levels. The California Supreme Court reversed in 2003, ruling that use alone was not sufficient for a trespass-of-chattels claim; there had to be "actual or threatened interference".

How do you prosecute when there is no attempt to damage anything?

Part of the problem here is that trespass-of-chattels was a doctrine originally applied to intrusions, and was quickly seized on as a tool against those who were using a website in ways unanticipated by the creator (eg Bidder's Edge). Is that illegal? Should the law discourage that? Should website owners be able to dictate binding terms of use for publicly viewable pages (ie pages where a login is not required)?

International Airport Centers v Citrin

• Use of Google.com (even for searching) by a minor, prior to March 1, 2012 (when the Google ToS changed)
• Personal web browsing while at work, if the workplace prohibits such actions
• Creating a Facebook account under a pseudonym.
  

US v Nosal

See also Volokh's blog.

US v Van Buren

Georgia police officer Van Buren accessed a state police database, and sold information he obtained there. In 2021 the Supreme Court decided [https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf] that his use did not "exceed authorized access", because he had authorized access to the system. Justice Barrett wrote:

This provision covers those who obtain information  from  particular  areas  in  the  computer—such  as files, folders, or databases—to which their computer access does not extend.  It does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them

That would certainly seem to suggest Citrin's actions would be legal in the future. It also would appear to suggest that terms-of-service violations are not criminal.

However, the case does not entirely answer when someone does exceed authorized access. Is all access via the standard user interface of necessity "authorized"? What if someone uses the standard API for accessing the system, but in a way not anticipated by the owner, as in the Auernheimer case below?

Craigslist v 3Taps, Craigslist v PadMapper

hiQ v LinkedIn

hiQ labs scraped public user profiles from LinkedIn. LinkedIn objected, and sent a cease-and-desist letter. From LinkedIn's perspective, at that point hiQ's access became unauthorized, and thus a violation of the CFAA.

The district court found in hiQ's favor, and granted a preliminary injunction. LinkedIn appealed that injunction to the Ninth Circuit, which upheld the injunction in September 2019.

Technically, the case has not been tried on the merits, even at the district court level. But, realistically, it may be time for LinkedIn to give up.

One approach is for LinkedIn to hide all user profiles until the viewer has logged in to LinkedIn and thus presumptively accepted the LinkedIn terms of service. Of course, this may not be popular with users who want their LinkedIn profiles to be highly visible.

In June 2021, following the Van Buren decision, the Supreme Court vacated and remanded the Ninth Circuit's decision for further review under the Van Buren standard. In one sense, hiQ, certainly was accessing the data using the standard user interface, though there were terms-of-service issues. In another sense, hiQ was definitely accessing the data in a way unanticipated by LinkedIn.

Attacks Involving Money

Modern phishing attacks (also DNS attacks)

Stealing credit-card numbers from stores. (Note: stores are not supposed to retain these, except in special circumstances. However, many do. And Target did not; their data was stolen "on the fly")

Boeing attack, Baase 4e, p 235: how much should Boeing pay to make sure no files were changed? Is there a real safety issue here?

TJX attack: Baase 4e p 54 and p 243

This was the biggest credit-card attack, until it was dwarfed by the Target attack in 2013. (Though by the time of the Target attack, the credit-card companies had become much more adept at detecting fraud patterns and thus limiting the number of stolen cards that could actually be used.)

The break-in was discovered in December 2006, but may have gone back to 2005.

40 million credit-card numbers were stolen, and 400,000 SSNs, and a large number of drivers-license numbers.

Hackers apparently cracked the obsolete WEP encryption on wi-fi networks to get in to the company's headquarters network, using a "cantenna" from outside the building. Once in, they accessed and downloaded files. There are some reports that they eavesdropped on data streaming in from stores, but it seems likely that direct downloads of files was also involved.

Six suspects were eventually arrested. I believe they have all now been convicted; there's more information in the privacyrights.org page below (which also pegs the cost to TJX at $500-1,000 million). The attacks were apparently masterminded by Albert Gonzalez, one of the six: http://www.cio.com/article/500114/Alleged_Kingpin_of_Data_Heists_Was_a_Computer_Addict_Lawyer_Says. Gonzalez was sentenced to 20 years, though part of that was for other crimes.

For a case at CardSystems Solutions, see http://www.schneier.com/blog/archives/2005/06/cardsystems_exp.html. Here the leak was not due to wi-fi problems, but lack of compliance with standards was apparently involved. Schneier does a good job explaining the purely contractual security requirements involved, and potential outcomes. Schneier also points out

The TJX and CardSystems attacks were intentional, not just data gone missing.

When attacks ARE about money, often the direct dollar value is huge. And tracing what happened can be difficult. An entire bank account may be gone. Thousands of dollars may be charged against EVERY stolen credit-card number.

Here's a summary of several incidents: http://www.privacyrights.org/ar/ChronDataBreaches.htm#CP.

TJX attack and PCI DSS

An emerging standard is Payment Card Industry Data Security Standard (PCI DSS), supported by MasterCard, Visa, Discover, American Express, and others. See http://www.pcicomplianceguide.org/pcifaqs.php for some particulars; a more official site is https://www.pcisecuritystandards.org. Note that PCI DSS is not a law, but is "private regulation". Once upon a time, the most effective regulators of steam-powered ships were insurance companies [reference?]. This is similar, but MasterCard and Visa are not quite the same as insurers. From the FAQ above:

If you are a store, you can refuse to pay the fine. But then you will lose the ability to accept credit cards. This is extremely bad!

Visa's CISP program is described at http://www.visa.com/cisp.

The PCI standards do allow merchants to store the name and account-number data. However, this is strongly discouraged (although it is becoming more acceptable). Sites that keep this information are required by PCI to have it encrypted. CardSystems was keeping this data because they were having a higher-than-expected rate of problems with transactions, and they were trying to figure out why.

Target

Here are some amazing articles on this by Brian Krebs, in which he identifies "Rescator" (rescator.so is one of the sites selling stolen Target cards) as one Mikhail Shefel. The most recent article, in which Shefel admits the hack, is at https://krebsonsecurity.com/2024/11/an-interview-with-the-target-home-depot-hacker. An earlier article on the same issue, when it wasn't quite as clear that Shefel was the perpetrator, is at https://krebsonsecurity.com/2023/12/ten-years-later-new-clues-in-the-target-breach. And while Shefel was certainly involved, we still cannot rule out that Shefel is claiming his role was more central than it was in order to boost his reputation.

Identity Theft

Baase 4e §5.3. What is it? What can be done?

And WHO IS RESPONSIBLE??

The most common form of identity theft is someone posing as you in order to borrow money in your name, by obtaining a loan, checking account, or credit card. When someone poses as you to empty your bank account, that's generally known as "just plain theft".

Note that most "official" explanations of identity theft describe it as something that is stolen from you; that is, something bad that has happened to you. In fact, it is probably more accurate to describe "identity theft" as a validation error made by banks and other lenders; that is, as a lender problem.

This is a good example of nontechnical people framing the discourse to make it look like your identity was stolen from you, and that you are the victim, rather than the banks for making loans without appropriate checks. And note that banks make loans without requiring a personal appearance by the borrower (which would give the bank a chance to check the drivers-license picture, if nothing else) because that way they can make more loans and thus be more profitable.

Hacking and probing

Is it ok to be "testing their security"?
What if it's a government site?

Should you be allowed to run a security scanner against other sites?

What if the security in question is APPALLINGLY BAD?

What if you have some relationship to the other host?
 
Baase, 3e p 270:
"The Defense Information Systems Agency estimated that there were 500,000 hacker attacks on Defense Department networks in 1996, that 65% of them were successful, and that the Dept detected fewer than 1%". But 1996 was a long long time ago.

Do we as citizens have an obligation to hack into our government's computers, to help demonstrate how insecure they are? Well, no. But at some level there is an obligation to expose collective "security through cluelessness" (bad protocols that most people don't realize are bad).

What about hacking into Loyola's computers? Are we obligated to do that? What about Loyola's wireless network?

Ok, once upon a time there might have been some notion of an obligation to inform "friendly" sites that there were problems with their security, but unsolicited probing is pretty much a bad idea today.

What is our obligation to prevent intrusions at other sites that are not likely to be directly harmful to us?

Hactivism

In 2006, Kevin Mitnick's sites were defaced by a group. There is some irony there.

Other Baase cases:

• several attacks against Chinese government sites, due to repressive policies
• pro-Zapatista groups defacing Mexican government sites
• US DoJ site changed to read "Department of Injustice"

Maybe the most famous example right now is the Anonymous group. See the wikipedia list at http://en.wikipedia.org/wiki/Timeline_of_events_involving_Anonymous. Most of the attacks have some connection with some form of authoritarian governmental crackdown, though some of the crackdowns are "only" against copyright infringement. Occasionally an attack is to harass a particularly conservative group, as seen from a relatively juvenile perspective (see the entry in the above wikipedia timeline for "No Cussing Club").

Most of the attacks are based on distributed denial-of-sevice methods.

More serious entries:

• Iranian election protests
• Zimbabwe
• Support of Wikileaks
• Arab Spring support
• Westboro Baptist Church
• Operation Malasia
• Operation DarkNet (arguably an attack against internet privacy!)
  
• Occupy Wall Street
• Operation Nigeria
• Operation Russia

• Operations Didgeridie and Titstorm (about Australian internet censorship)
• Operation Sony (in response to Sony's lawsuits against George Hotz)
• Cox DNS server attacks
  

Can these sorts of activities be justified? What about hacking Sony over rights to use the Playstation 3 as users see fit?

Zero-Day Exploits

Should they be tolerated? Encouraged?

1. Sometimes vendors ignore exploit reports without the publicity.
   
2. Sometimes users really need a script to tell them if they are vulnerable; such a script is typically tantamount to an exploit
3. Sometimes announcing a flaw gives crackers all they need to exploit it; withholding details merely gives false security.

Consensus seems to be that zero-day exploits are a bad idea, that one has some responsibility to let vendors know about an exploit so a patch can be developed. Though there is also a fairly significant consensus (perhaps not quite as universal) that if the vendor doesn't respond you have to do something public.

Microsoft's Patch Tuesday has long been followed by Exploit Wednesday.

Cisco 2005 case involving Michael Lynn: see http://www.schneier.com/blog/archives/2005/07/cisco_harasses.html

MBTA Card

Buenos Aires and Voting

• ordered local ISPs to block access within BA to Sorianello's information
• authorized a police raid on Sorianello's home and seizure of his computers.

Hackers Remotely Kill Jeep Cherokee

• change the radio volume and station
• turn on the A/C full blast
• start the wipers
• disengage the transmission
• turn off the engine
• disable the brakes

As of this writing, Miller and Valasek were not able to take over the steering, unless the car was in reverse.

Miller and Valasek presented their techniques at Black Hat in August 2015. Months before, they notified Chrysler of the problem, which then had time to prepare a fix.

Chrysler stated that they "appreciated" the work. They also said, however,

Under no circumstances does [Fiat Chrysler Automobiles] condone or believe it's appropriate to disclose 'how-to information' that would potentially encourage, or help enable hackers to gain unauthorized and unlawful access to vehicle systems.... We appreciate the contributions of cybersecurity advocates to augment the industry's understanding of potential vulnerabilities. However, we caution advocates that in the pursuit of improved public safety they not, in fact, compromise public safety.

The problem here is that, without the potential for publicity, it is unlikely Miller and Valasek would have bothered. Academics and independent security researchers are motivated by publication. If this is discouraged, security will be left to professional security firms, who to date have not shown the same willingness to innovate.

More at http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/.

Dejan Ornig

Justin Shafer

An FBI swat team raided Justin Shafer's Texas home on May 24, 2016. Shafer had just recently exposed a software vulnerability at Harry Schein Dental Software (www.dailydot.com/politics/dental-records-hack-schein-dentrix-g5-settlement/), but the raid apparently was the result of Shafer's exposure of an earlier vulnerability in the Eaglesoft dental software system of Patterson Dental. Shafer had discovered that Patterson Dental kept protected patient information on an anonymous FTP server (that is, an FTP server that does not require a password to access the stored documents). Patterson Dental claimed to the FBI that Shafer's access of this FTP server was "unauthorized" and hence a felony under the CFAA. Shafer had earlier notified Patterson Dental, and had not published his results until the data was secured, or at least no longer accessible without a password. More at www.dailydot.com/politics/justin-shafer-fbi-raid/.

A year later, Shafer was arrested, for allegedly "stalking" an FBI agent. This became five felony counts, but all were eventually dropped. See databreaches.net/prosecution-drops-five-felony-charges-against-justin-shafer-accepts-plea-to-one-misdemeanor-charge.

Hacking Summary

What legal responses are appropriate?

Should we criminalize having hacking tools?
What about magnetic-stripe readers? RFID readers?
What about Pringles cans (for use as cantennas)?
What about DVD players that bypass the region code?
What about C compilers?
What about jailbroken phones or other "sealed" devices?

Note that it is in fact already de facto illegal (in the sense that police will arrest you if they find out, and you belong to a Suspicious Group) to possess certain things that can have illegal uses, such as automotive dent pullers (used to pull cylinders out of locks) and tools that look like they might be lock picks.

Felony prosecutions:

• Kutztown 13

• Randal Schwartz

• Terry Childs

• Julie Amero

• Jeremy Hammond

• Weev

Kutztown 13
High-school students in Kutztown Pennsylvania were issued 600 apple ibooks in 2004
The administrative password was part of school address, taped to the back! The password was changed, but the new one was cracked too. Some of the students obtained administrative privileges and:

• bypassed browser filtering
• installed chat/IM software, maybe others
• disabled monitoring software

The students were accused of monitoring teachers or staff, but that seems unlikely.

The school's security model was hopelessly flawed. Who is responsible for that?
The school simply did not have the resources to proceed properly.
       
The offenders were warned repeatedly. But why didn't the schools simply take the iBooks away? Why were felony charges pursued? The charge was for felony computer trespass.

Randal Schwartz
    http://www.lightlink.com/spacenka/fors

Oregon made it a felony to do anything unauthorized, even if harm was not shown (or did not exist). Here is the text of part of the law; note the lack of mention of harm:

Also, taking a file without authorization was declared to be theft. The problem is that, in the real world, authorization is often rather indirect. If you're doing something for the benefit of your employer, and your employer does not object, would that always be considered "authorized"?

The biggest issue with the Schwartz case (and he was convicted, not just charged) is that it seems likely Schwartz had no intent to cause any harm. In closing arguments the prosecutor focused on the fact that Schwartz knew he wasn't supposed to be doing what he did, and did it anyway. Never mind that it might have been done for Intel's benefit. And never mind that no actual harm was caused.

Schwartz was a contract employee at Intel. He faced three counts:

1. Installation of an email backdoor at Intel (he thought he had permission)
2. Taking the password file
3. Taking individual passwords

Here are the official versions of the latter two charges:

• That the above named defendant(s) on and between August 1, 1993 and November 1, 1993, in Washington County, Oregon, did unlawfully and knowingly access and use a computer and computer network for the purpose of committing theft of the Intel SSD's password file
• That the above named defendant(s) on and between October 21, 1993 and October 25, 1993, in Washington County, Oregon, did unlawfully and knowingly access and use a computer and computer system for the purpose of committing theft of the Intel SSD individual user's passwords

Schwartz had been responsible for SSD system administration and security, and had monitored the system for weak passwords as part of this position by using the crack password-cracking program. In 1992 Schwartz had a conflict with the SSD manager (Poelitz), and agreed to move on to another position at Intel. However, he continued to monitor the SSD passwords, as it was clear to him that the new system administrator was not doing so (it was particularly clear after the fact: 48 out of 600 passwords were easily broken). Schwartz did not need any elevated privileges to monitor the passwords. (Supposedly Schwartz's access to the SSD network was supposed to have been disabled, but it was not, and there was no reason for Schwartz to believe that continued access was a problem.)

Schwartz's password-cracking actions have been described by Wikipedia as "penetration testing", but this is a bit of a misnomer as he didn't penetrate the systems involved at all. When weak passwords were discovered, he would eventually notify the user or the applicable system administrator, though sometimes there was delay. There was never, however, any evidence that Schwartz ever misused any of the passwords, or ever intended to. It seems clear, both at the time and in retrospect, that Schwartz not databreaches.net/prosecution-drops-five-felony-charges-against-justin-shafer-accepts-plea-to-one-misdemeanor-chargeonly never had any intent to cause any harm at Intel, but that in fact his intent had been to prevent harm at Intel, by continuing to monitor for weak passwords. This turned out not to matter.

As for the email backdoor in the first charge, here are some comments from Jeffrey Kegler's comments at lightlink.com/spacenka/fors/intro.html.

Randal's original reason for writing a gateway was a request from Dave Riss's staff at Intel, who needed to access their data and E-mail while at Carnegie Mellon. Riss approved the result and his group used it for a time. Later, Randal was traveling extensively and performing duties at Intel which required the same kind of access, as Intel knew. Randal created a more secure gateway for this purpose. That Intel knew and approved of Randal's use of gateway programs for his own duties is shown by the evidence.

When two Intel employees were troubled by the security of the gateway they asked Randal not to shut it down, but to change it to run more securely. They checked Randal's changes and passed off on them. This shows a proper concern about the security implications of gateways, but it also shows that it was generally recognized at Intel that Randal was allowed to and did run gateways.

Intel strongly pushed for his prosecution. There is no evidence, however, that before Schwartz's arrest Intel was in any way dissatisfied with his job performance. Intel's Mark Morrissey insisted that "Randal did not have permission for this activity," which was doubtless true narrowly construed, but Schwartz had file-access permission to read the encrypted passwords and general Intel permission to run work-related programs. In Morrissey's report, it appears that Intel security people "found" evidence of Schwartz's cracking, but Schwartz himself had never made any attempt to conceal it.

During Schwartz's trial, it turned out that Intel VP Ed Masi had also violated the Oregon Computer Law, regularly. He was not prosecuted.

At no point was any evidence presented of Schwartz's "criminal intent".

The appeals court (updated link to the opinion) held that although "authorization" wasn't spelled out in the law, Schwartz did things without authorization as narrowly interpreted. The appellate court also upheld the trial court's interpretation of "theft": taking anything without permission, even if the thing is essentially useless or if the taking is implicitly authorized.

The appellate court also seemed to believe that Schwartz might have been looking for flaws to take credit for them, and that such personal aggrandizement was inappropriate:

Apparently, defendant believed that, if he could show that SSD's security had gone downhill since he had left, he could reestablish the respect he had lost when he left SSD.

But employees all the time look for problems at work and try to fix them, hoping to receive workplace recognition. In many other contexts, employees who make the extra effort to "look for flaws" are considered exemplary.

See w2.eff.org/legal/cases/Intel_v_Schwartz/schwartz_case.intro.

Schwartz' conviction was expunged in 2007. Intel has never apologized.

Schwartz and Kutztown 13 cases have in common the idea that sometimes the law makes rather mundane things into felonies. For Schwartz, it is very clear that he had no "criminal" intent in the usual sense, although he did "intend" to do the actions he was charged with.

Terry Childs

Julie Amero case

Jeremy Hammond

Andrew "Weev" Auernheimer

The issue was with a particular iPad settings option (Settings -> Cellular Data -> View Account). When opened, this settings applet made an http GET request to the AT&T server, attaching the iPad's ICC-ID, a kind of "serial" number associated with the iPad's SIM card. AT&T would then return user information corresponding to that ICC-ID, as obtained at the time the iPad was registered. The settings applet then displayed this information, along with an empty password field; users were expected to type the password to log in. The settings applet did not resemble a browser page, other than by making an http request.  Cookies were not used.

The underlying http GET request could be sent by an ordinary browser, as well, and the AT&T server would not know the difference. An ordinary browser would, however, not be configured to automatically look up the device ICC-ID; that would have to be entered manually as one of the option fields in the GET request.

Auernheimer and his colleague Daniel Spitler figured out that the applet's queries were ordinary GET requests, and that if you tried a random ICC-ID number, and it happened to match someone's real serial number, AT&T would serve up that someone's real email address. The actual ICC-ID is too long for this to work (22 digits), but most of the fields would be known; only the "individual account identification number" would need to be guessed, and these were apparently allocated sequentially. (There was also a check digit.)

Further information is at gizmodo.com/the-little-feature-that-led-to-at-ts-ipad-security-brea-5559686.

In Kerr's words:

Matthew Keys

Summary of Crime

Computers and Ordinary Criminals

Jurisdiction online

Jurisdictional issues apply to both criminal and civil law. Oddly, criminal law is more ambiguous; we databreaches.net/prosecution-drops-five-felony-charges-against-justin-shafer-accepts-plea-to-one-misdemeanor-chargewill start with civil law. For online shopping, one of the first questions is where did the sale take place? Here are some legal theories that have been applied (eg in the LICRA/Yahoo case):

• the "affects" test: the court decides that the remote action affects its own local citizens. A passive website would count here.
  
• the "affects intentionally" test: the court decides that the source intended to have an effect on its local citizens
• the "targeting" test: the court feels that the action was actually directed at its local citizens, with some level of intent.
• the "primarily affects" test: the court decides that the action's primary effect is on its local citizens
• the plaintiff test: the affected party (buyer or the one defamed, for example) lives in the local jurisdiction
• purposeful availment: by choosing to engage in local commerce, the remote entity "purposefully avails" itself of the legal system of the local country.
• contract: the remote site has a contract with parties in the local jurisdiction

The following are the traditional three rules for a US court deciding it has "personal jurisdiction" in a lawsuit:

1. Purposeful availment: did defendant receive any benefit from the laws of the jurisdiction? If you're in South Dakota and you sell to someone in California, the laws of California would protect you if the buyer tried to cheat you. Generally, this is held to be the case even if you require payment upfront in all cases. The doctrine of purposeful availment means that, in exchange here for the benefits to you of California's laws, you submit to California's jurisdiction.
   
2. Where the act was done.
3. Whether the defendant has a reasonable expectation of being subject to that jurisdiction.

Jurisdiction and criminal cases

International crime

Gary McKinnon

Richard O'Dwyer

David Carruthers