Bad raps for non-hacks

Show up bureaucrats at your peril



A few odd cases show that you don't have to be a digital desperado to be accused of a cybercrime... particularly if you embarrass the wrong bureaucrats.

Some recent (and not so recent) cases illustrate how computer security professionals and well intentioned whistle-blowers face a genuine risk of running afoul of computer crime statutes simply for forgetting to ask the right person, "May I?," before doing a computer security assessment.

Take the case of Scott Moulten, a computer security professional in Georgia. He was the principal person responsible for computer security (through a private company) for a county in Georgia. The county worked with various cities coordinating and providing 911 Emergency Response Services. When one city wanted to hook up to the county's 911 network, Moulten performed a port scan and throughput test on that city's network to see if the computers were vulnerable to exploit.

Of course, they were. Moulten wisely went no further, and never attempted to penetrate any of the computers he scanned, and the city eventually plugged the holes.

Did the city award him a medal? A raise? A new contract? No... they promptly contacted the Georgia Bureau of Investigation, which searched and seized his computer and arrested him for violating the Georgia computer crime laws. The statute in question made it a felony to use a computer with the intention of "obstructing, interrupting, or in any way interfering with the use of a computer program or data... regardless of how long the alteration, damage, or malfunction persists." Since the port scan infinitesimally slowed the computer, the government supposed, Moulten violated the statute.

Thousands of dollars of legal fees later (and a civil case to defend as well), the government abandoned the criminal prosecution with no charges filed.

Things went worse for Stefan Puffer, a Houston computer security consultant who briefly worked as a contractor with the Harris County, Texas district clerk's office. Puffer conducted a "war driving" exercise, reportedly accompanied by the head of Harris County's Central Technology Department and a reporter for the Houston Chronicle. Puffer demonstrated that the Harris County clerk's office's 802.11b network was misconfigured to allow anyone to have access to the network. It was reported that Puffer uploaded a ".gif" file to one of the computers to demonstrate the ease with which an outsider could access the network -- an allegation Puffer denied.

The County clerk initially pooh-poohed the incident, claiming that no data was compromised and that the wireless network was simply a "test" network which wasn't in full use. But once the Houston Chronicle ran an article describing the wireless vulnerability, embarrassed county officials brought their network up to snuff.

For his efforts, Puffer was investigated by FBI agents, who kicked in his door at 6 AM, seized his computers and all electronic media and effectively put him out of business. Then he was indicted by a federal grand jury for violating the federal Computer Fraud and Abuse Act -- with the "damages," bizarrely, assessed as the money the county spent to close the hole. Efforts to convince the United States Attorney's Office in Texas to dismiss the charges were unsuccessful, and Puffer eventually had to stand trial -- at a cost of tens of thousands of his own and taxpayer dollars. The jury acquitted him in 15 minutes.

Even just writing about computer security can get you in trouble. In 1997, Justin Boucher wrote an article for an underground high school newspaper describing, in the most general terms, common computer security vulnerabilities at the high school - most notably bad passwords. The article prodded his classmates to exploit the vulnerabilities, but also implored them to "never harm, alter or damage any computer, piece of software, or person in any way; if damage has been done do what is necessary to correct that damage, and to prevent it from occurring in the future and inform computer managers about lapses in their security, when you're done exploiting it."

Boucher himself never illegally accessed any school computers, nor is there any evidence that others did using the information he published. Nevertheless, the young whistleblower was expelled from school for one year -- an expulsion that was affirmed by the courts.

Staying Legal

The critical part of the school board's -- and the court's -- decision was the conclusion that the publication of the article constituted a criminal act, because it "provided instruction to the public and unauthorized persons on how to access the school district computer programs and disclosed restricted access information to the school district's computers" in violation of Wisconsin's computer crimes law. The court pointed out that the Wisconsin law made it a crime to "Disclose[] restricted access codes or other restricted information to unauthorized persons." Thus, telling the wrong people about the vulnerabilities discovered can lead to jail.

All of these cases had a few things in common. First, there was no intent to damage or destroy computers or the information contained in them, and any damage done was exceedingly minimal. Second, there was no intent to extort the owners of the computers -- unlike Russian hacker Alexi Ivanov, who exposed security vulnerabilities in an effort to get paid to fix them. Third, in each of the cases, those responsible for security at the organization were publicly embarrassed by their poor security.

The final commonality is the lack of express consent. One key trigger to virtually all computer crime statutes is the "access" to a computer without authorization, or in some cases, in excess of authorization.

The combination of broad computer crime laws mixed with defensive bureaucrats embarrassed by their own failings could harbor dangers for non-professionals doing seemingly harmless non-invasive procedures like port scans and wireless drive-bys on networks that they arguably have some interest in seeing protected.

That's because many state computer crime statutes define "access" to a computer as any communication with it, or any use of the computer's resources -- however slight. Thus, to stay legal, one must obtain permission from someone in authority prior to performing even mild tests, preferably in writing, and preferably explaining the entire scope of the test and the possibility of damage (a waiver of liability would be nice, too).

Professional penetration testers already know to get explicit authorization in writing before beginning work. But given the dramatic sweep of some of these laws, and the growing history of their abuse, simple authorization may not be enough. Pen testers should have the client detail exactly the scope and extent of the network to be tested -- a range of IP addresses, domains, or physical locations. Straying beyond these ranges may land the tester in legal hot water.
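One way to turn the written scope into an enforced pre-flight check, so that a target outside the authorized IP ranges and domains is refused before any test traffic is sent. This is an added example, not code from the column; the client name, CIDR ranges, domains and target list are constructed for illustration.

```python
import ipaddress


class EngagementScope:
    """Targets the client has authorized in writing. Values are constructed
    for this example; a real scope is copied from the signed authorization."""

    def __init__(self, client, networks, domains):
        self.client = client
        # strict=False tolerates host bits in a CIDR written as 10.20.5.7/16
        self.networks = [ipaddress.ip_network(n, strict=False) for n in networks]
        self.domains = [d.lower().strip(".") for d in domains]

    def covers_ip(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def covers_host(self, host):
        h = host.lower().rstrip(".")
        # exact match or a subdomain of an authorized domain; lookalikes such as
        # example.org.test or notexample.org are refused
        return any(h == d or h.endswith("." + d) for d in self.domains)

    def covers(self, target):
        try:
            return self.covers_ip(target)
        except ValueError:  # not an IP literal, so treat it as a hostname
            return self.covers_host(target)


def partition_targets(scope, targets):
    """Split a proposed target list; only the first list may be tested."""
    in_scope, refused = [], []
    for t in targets:
        (in_scope if scope.covers(t) else refused).append(t)
    return in_scope, refused


# Constructed scope and proposed target list for demonstration.
SCOPE = EngagementScope(
    client="Example County IT (constructed)",
    networks=["10.20.0.0/16", "192.0.2.0/24"],
    domains=["example.org"],
)
PROPOSED = ["10.20.5.7", "10.21.0.1", "192.0.2.44", "mail.example.org",
            "example.org", "example.org.test", "notexample.org"]

if __name__ == "__main__":
    ok, refused = partition_targets(SCOPE, PROPOSED)
    print("authorized:", ok)
    print("refused (outside written scope):", refused)
```

Run the check against the final target list before the engagement starts, and keep the refused list with the engagement records as evidence that out-of-scope hosts were never touched.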

And whatever happens, don't write about it for your local High School newspaper. © SecurityFocus

SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.



