Lock down gambling sites, go to jail

Rough justice for security professionals - DoJ style

  • alert
  • submit to reddit

High performance access to file storage

A new Justice Department policy threatens to jail security professionals who help lock down online gambling sites anywhere in the world.

For example, you're a computer security expert who's hired by an offshore casino in the Cayman Islands to develop a security and authentication technology. Your client is a licensed Cayman casino that has been operating for over 30 years, and wants to make a foray into online gaming.

You perform a standard penetration test, a security assessment, an architecture and code review, help establish the SSL and authentication protocols, and help with firewall implementation and monitoring - you know: the full suite of security services. You test the beta site and its configuration, and give your stamp of approval.

With check in hand, you return to America and days, weeks or months later, the site goes active. A few weeks after that, you are visited by an FBI agent with a federal grand jury subpoena seeking records relating to your security work. Weeks after that, a knock on the door announces the arrival of deputy US Marshals with a warrant for your arrest for violation of 18 U.S.C. 1084 and 18 U.S.C. 2.

Your computer security consulting may have earned yourself a one-way ticket to the hoosegow.

US law generally makes it a crime if you are "engaged in the business of betting or wagering" and you "knowingly [use] a wire communication facility for the transmission in interstate or foreign commerce of bets or wagers or information assisting in the placing of bets or wagers on any sporting events, or contest..." This statute, 18 USC 1084, is called the "wire act" and has been applied for more than 70 years to go after offshore bookies who seek to evade US law by locating overseas.

However, Internet gambling is legalized in Liechtenstein, Gibraltar, Australia, New Zealand, Costa Rica, and a few Caribbean islands. So the first question is whether Internet gaming by a company in a country that permits it is a violation of US law. The US Justice Department argues that it is - and has the arrests and convictions (well, guilty pleas) to prove it. The theory is that entities that are in the business of betting or wagering (even where this is legal), who use international communications facilities like the Internet, and in some way "enter" or "affect" the United States or US citizens, are violating the Wire Act.

What does this mean to you, the security professional? You aren't in the "business" of betting or wagering. You haven't taken any bets over international wires.

Living Vicariously

A recent New York Times article reports that US prosecutors are beginning to use the federal aiding and abetting statute to investigate and potentially prosecute those who, through perfectly lawful activities, assist online gaming companies that flout US law. This includes banks, broadcasters, ISPs and advertisers who help these casinos get their message out. The same net could easily snare information security professionals who, either deliberately or inadvertently, assist the gamers in their activities.

This represents a potentially dangerous trend for information security professionals. Security, by its nature, is intended to facilitate concealment. It ensures that only those authorized to "enter" may do so. If properly implemented, it can protect the confidentiality of communications, prevent unwanted parties from accessing files, and even arrange for files to "self destruct" when improperly accessed.

With this power comes some responsibility, and some duty to inquire about the use of the technology. Clearly if a narco-trafficker in Bogota or a member of al-Qaeda in Afghanistan seeks assistance in concealing their activities, the moral as well as legal answer is a resounding, "no." In fact, in the case of the terrorist (or a group designated by the government as a terrorist organization), providing "material support" is a criminal offense, even without the aiding and abetting language.

But the US government's assault on those who assist gamers presents a much more difficult issue. It essentially imposes responsibility on the security professional to inquire of his or her clients the reason they are seeking confidentiality, integrity or availability, and to make an independent judgement about whether these reasons may violate the laws of any nation that may touch the networks - all under penalty of criminal prosecution.

Thus, a network administrator for Arthur Anderson who provides copies of Norton utilities runs a risk (albeit a small one) of indictment when the software is used to wipe files relating to Enron.

The criminal conspiracy statute, 18 U.S.C. 371, is known as "the prosecutor's friend" because of its talent for incarcerating people even tangentially connected to criminal activity. Yet even this statute requires the government to show an agreement to commit a crime. The aiding and abetting statute requires no such proof. It only requires the government to show that, with knowledge (express or implied) that a party intends to commit a crime, the defendant provided material support for that person.

And the punishment for aiding and abetting is the same as for committing the underlying crime.

Applying this rationale to Internet crimes and information security professionals is a dangerous and inherently slippery slope. The information security professional who sets up a secure website for people to protest against Chinese occupation of Tibet runs the risk of criminal and capital punishment in China. The man who sets up the secure payment system for a Norwegian purveyor of dirty pictures may be prosecuted in the United States for a vicarious violation of US "indecency" laws.

A line must be drawn - clearly. If a person with intent to facilitate criminal activity deliberately does so, then it's fair game to prosecute. But we should not impose on the security professional a duty to know what the laws of the world are as applied to Internet activities. Hell, even us lawyers can't keep track.

Copyright © 2004, 0

Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story


Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.