Bad raps for non-hacks
Show up bureacrats at your peril
A few odd cases show that you don't have be a digital desparado to be accused of a cybercrime... particularly if you embarrass the wrong bureaucrats.
Some recent (and not so recent) cases illustrate how computer security professionals and well intentioned whistle-blowers face a genuine risk of running afoul of computer crime statutes simply for forgetting to ask the right person, "May I?," before doing a computer security assessment.
Take the case of Scott Moulten, a computer security professional in Georgia. He was the principal person responsible for computer security (through a private company) for a county in Georgia. The county worked with various cities coordinating and providing 911 Emergency Response Services. When one city wanted to hook up to the county's 911 network, Moulten performed a port scan and throughput test on that city's network to see if the computers were vulnerable to exploit.
Of course, they were. Moulten wisely went no further, and never attempted to penetrate any of the computers he scanned, and the city eventually plugged the holes.
Did the city award him a medal? A raise? A new contract? No... they promptly contacted the Georgia Bureau of Investigation, which searched and seized his computer and arrested him for violating the Georgia computer crime laws. The statue in question made it a felony to use a computer with the intention of "obstructing, interrupting, or in any way interfering with the use of a computer program or data... regardless of how long the alteration, damage, or malfunction persists." Since the port scan infinitesimally slowed the computer, the government supposed, Moulten violated the statute.
Thousands of dollars of legal fees later (and a civil case to defend as well), the government abandoned the criminal prosecution with no charges filed.
Things went worst for Stefan Puffer, a Houston computer security consultant who briefly worked as a contractor with the Harris County, Texas district clerk's office. Puffer conducted a "war driving" exercise, reportedly accompanied by the head of Harris County's Central Technology Department, and a reporter for the Houston Chronicle. Puffer demonstrated that the Harris County clerk's office's 802.11b network was misconfigured to allow anyone to have access to the network. It was reported that Puffer uploaded a ".gif" file on one of the computers to demonstrate the ease with which an outsider could access the network -- an allegation Puffer denied.
The County clerk initially poo-pooed the incident, claiming that no data was compromised and that the wireless network was simply a "test" network which wasn't in full use. But once the Houston Chronicle ran an article describing the wireless vulnerability, embarrassed county officials brought their network up to snuff.
For his efforts, Puffer was investigated by FBI agents, who kicked in his door at 6AM, seized his computers and all electronic media and effectively put him out of business. Then he was indicted by a federal grand jury for violating the federal Computer Fraud and Abuse Act -- with the "damages," bizarrely, assessed as the money the county spent the close the hole. Efforts to convince the United States Attorney's Office in Texas to dismiss the charges were unsuccessful, and Puffer eventually had to stand trial -- at a cost of tens of thousands of his own and taxpayer dollars. The jury acquitted him in 15 minutes.
Even just writing about computer security can get you in trouble. In 1997, Justin Boucher wrote an article for an underground high school newspaper describing, in the most general terms, common computer security vulnerabilities at the High School - most notably bad passwords. The article prodded his classmates to exploit the vulnerabilities, but also implored them to "never harm, alter or damage any computer, piece or software, or person in any way; if damage has been done do what is necessary to correct that damage, and to prevent it from occurring in the future and inform computer managers about lapses in their security, when you're done exploiting it."
Boucher himself never illegally accessed any school computers, nor is there any evidence that others did using this information he published. Nevertheless, the young whistleblower was expelled from school for one year -- an expulsion that was affirmed by the courts.
The critical part of the school board's -- and the court's -- decision was the conclusion that the publication of the article constituted a criminal act, because it "provided instruction to the public and unauthorized persons on how to access the school district computer programs and disclosed restricted access information to the school district's computers" in violation of Wisconsin's computer crimes law." The court pointed out that the Wisconsin law made it a crime to "Disclose restricted access codes or other restricted information to unauthorized persons." Thus, telling the wrong people about the vulnerabilities discovered can lead to jail.
All of these cases had a few things in common. First, there was no intent to damage or destroy computers or information contained in them, and any damage done was exceedingly minimal. There was likewise no intent to extort the owners of the computers -- like Russian hacker Alexi Ivanov, who exposed security vulnerabilities in an effort to get paid to fix them. Third, in each of the cases, those responsible for security at the organization were publicly embarrassed by their poor security.
The final commonality is the lack of express consent. One key trigger to virtually all computer crime statutes is the "access" to a computer without authorization, or in some cases, in excess of authorization.
The combination of broad computer crime laws mixed with defensive bureaucrats embarrassed by their own failings could harbor dangers for non-professionals doing seemingly harmless non-invasive procedures like port scans and wireless drive-bys on networks that they arguably have some interest in seeing protected.
That's because many state computer crime statutes define "access" to a computer as any communication with it, or use of the resources of the computer -- however slight. Thus, to stay legal, a one must obtain permission from someone in authority prior to performing even mild tests, preferably in writing, and preferably explaining the entire scope of the test and the possibility of damage (a waiver of liability would be nice too.).
Professional penetration testers already know to get explicit authorization in writing before beginning work. But given the dramatic sweep of some of these laws, and the growing history of their abuse, simple authorization may not be enough. Pen testers should have the client detail exactly the scope and extent of the network to be tested -- a range of IP addresses, domains, or physical locations. Straying beyond these ranges may land the tester in legal hot water.
And whatever happens, don't write about it for your local High School newspaper. © SecurityFocus
SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.