The title is a little bait-y, but the piece is worth reading.
What decision-makers are not really thinking is that by threatening legitimate security researchers (or well-meaning insiders), they leave the field open to the malicious hackers. However, with government money in play, there could be an interest to leave backdoors open for other shenanigans (like rigged tendering).
I'm glad you think it's worth reading. The title isn't bait, however. President Obama wants to make 18 U.S.C. 1030 tougher than it already is, and it already prescribes automatic jail time for anyone the government thinks is a so-called cyber threat.
President Obama does not want to throw me, personally, in jail. That's link bait. A deceptive headline used to draw eyes.
Slinging mud at specific politicians is not productive, since most of them don't know enough to understand why this language is unacceptably vague. I'd hazard that most of Congress is in favor of this language. We need to educate them as to why this language is dangerous, not start a partisan battle. The problems with this legislation are way bigger than Obama.
Of course it's bait. Not only is it inaccurate (President Obama has never even heard of me, so I'm sure he doesn't actively want me in jail) it entirely fails to tell the reader what the hell it's talking about.
Is it about drugs? Is it about software piracy? Is it about fisheries law? I don't know, I haven't actually bothered to click on the article because I object to being baited with such a mysterious-sounding headline.
I just came into the thread to complain about the headline. Hi there!
You can hardly expect politicians to understand the ramifications of the legislation they're proposing. Most of it they haven't even read.
Though, to be fair, malicious hackers are the people they're out to get, just that well-meaning people would get caught in the crossfire. Granted, matters are much too complex to be understood by politicians or even many corporate lawyers.
>> You can hardly expect politicians to understand the ramifications of the legislation they're proposing.
> That anyone would ever say this in a non-ironic sense is flabbergasting.
Legislators write the laws and then courts figure out the ramifications. Laws get written because of some catalyst, but I wouldn't expect anybody to be able to understand the full ramifications until the law is in place for a while and people have started testing it in the legal system.
> You can hardly expect politicians to understand the ramifications of the legislation they're proposing.
Sound of jaw hitting floor
If there is one thing I expect politicians to understand, it is exactly that: the laws they propose. Passing the laws that serve their country the best, that is the most important part of their job. Everything else can be delegated, but this is why they spend time together in a room, debating issues and voting on laws. They don't even need to read it: they need a trusted expert to tell them what decision they are taking for the future of their country.
No, I suspect he probably agrees. And when he suggests that he is being asked to do the impossible, he is blamed for the problem by a public that doesn't want to face the more complex reality (kind of like blaming a security researcher for finding a bug).
This common attitude ensures that successful politicians are the ones who maintain the illusion of competence and decisiveness in all circumstances.
The article contains nothing relevant to the claim that 18 USC 1030 "prescribes automatic jail time for anyone the government thinks is a so-called cyber threat".
A company's servers are a company's problem, that's all there is to it. No one forced Sony to store sensitive customer information, but they chose to -- and they also chose to neglect the security ramifications around it.
Imagine your bank decided to store your money in an unprotected vault, no security, and then it goes missing one day. Yes, a criminal stole it, but it was only possible because the bank deceived the customers into thinking their money was secure. As far as I'm concerned, there are two criminals in this equation.
I had never really thought about it before, but there is such a fuzzy line between so-called white-hat hackers, grey-hat hackers and black-hat hackers. In fact the only difference between them is what you do with the information AFTER hacking into a system.
Even if you deduce that there might be a flaw in some web site design, you actually need to illegally hack the site in order to prove such a flaw exists. In the article, the author noticed he could associate himself with any company that works with the US government and change their info. To prove that, he broke the law. And he is lucky he is not in jail for doing so.
I can see from the company's point of view, from the FBI, from the government, from senators and congressmen writing the laws - trying to find flaws in a system is by definition hacking, illegal entry, unauthorized use. You don't have to be stealing credit card numbers for it to be a crime. Logging in to a computer system you are not authorized to is a crime. Period.
So the moral of the story is, if you want to stay out of jail, don't try to find flaws in web sites. Just don't. Or if you do, have a theory and report it to the company, but don't test your theory.
But I do agree companies should have a way to be contacted about security flaws, and be held criminally liable if a flaw was reported and not fixed in a timely manner. But even white-hat hackers are breaking the law and only by their actions after (reporting it to the company) are they not getting arrested or sued for it.
I just updated the post with a point I forgot to include when I wrote it last night:
The one thing new legislation should do is require companies, and especially banks, government agencies, and health care organizations, to have a defined channel for reporting security flaws anonymously and in detail. By reporting the GSA eOffer flaw to the agency's Inspector General, I followed proper procedure (and was punished), but most of the time, there is no proper procedure. I reported the PayMaxx flaw to the only people who would listen--my sales representative and customer service representatives--and unsurprisingly, the critical information went nowhere. I reported the Facebook flaw to Mark Zuckerberg, and unsurprisingly, he placed the blame on someone else, telling me that he hadn't written the code in question. Responses like these aren't good enough. On the FaceCash payment system web site, this is why we've put a link to our security response form on the bottom of every single page. (If you run a web site, you should do the same.)
This puzzles me. You correctly note how absolutely abysmal the political arena is for crafting well-defined rules regarding technical issues, and yet you immediately start agitating for more regulation. Do you really want to be compelled to conform to whatever (likely flawed) procedural policy the politicians and bureaucrats would come up with? A policy which would require further legislation to fix (much to the joy of lawyers and lobbyists)?
How about this instead: repeal some legislation. Repeal the laws that prosecute Good Samaritans who, after reporting a security flaw to a firm, release it to the public who might be harmed by the flaw. If the firm has no procedures in place to deal with the reports, then too bad for them; they don't get to use the state as a club against others.
I'm fully aware that none of that will happen. The police power of the state confers no wisdom on those willing to wield it. Nor do they have any incentive to write good laws, but on the contrary are encouraged by interested parties to write bad laws (intentionally or not). So please, stop agitating for new laws in the vain hope that finally, this time, they won't create a plethora of unintended consequences and injured innocents.
We're all entitled to our political views. Mine are that regulation and deregulation are both potentially dangerous, but that if we all assume the worst--that no regulation can ever be effective, so we shouldn't have any--we'll get nowhere fast. So I advocate for regulations that make sense, despite being aware that politics isn't always so logical or straightforward.
I'd like to see some automatic procedure set in place for notification in channel. Vague arm waving at this point, but it would be nice if there were something to indicate at least a kind of 'we heard you' back from government organizations. Can't do much for the rest, they can pretend to their hearts' content. Given human nature (the bureaucrat/politician subset) this is a tough problem...
There's no way to rule innocent men. The only power government has is the power to crack down on criminals. When there aren't enough criminals, one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws.
This is absolutely the type of stuff that should be flagged--linkbait, politics, off-topic.
How can anyone take an article seriously when the title is so intellectually dishonest, hyperbolic, and factually untrue? Please keep this stuff on Reddit.
I'm glad you and others seem to like the article, but I'm perplexed by the weight everyone is giving the title. I have a 2006 letter from the U.S. Attorney's office saying that (as of that time) they are considering opening a criminal investigation into my actions under a statute that requires automatic jail time. The President wants to make this kind of letter more common, or skip the letter step altogether.
Not every piece of literature ever written has a title that perfectly summarizes the contents. I like my title, but regardless, the issues discussed in the piece are what's important.