
> if Signal downloaded Cellebrite-pwning shellcode to its app

The transmission in this legal context is the other way imo. Cellebrite's device is transmitting Signal data out, and Signal is not intentionally sending data to these devices.




So, let's say for the sake of argument that Signal does download files that are intended to exploit these Cellebrite vulns to users' phones.

The part of the statute we're talking about triggers when someone:

- knowingly causes the transmission of a program, information, code, or command

- and as a result of such conduct, intentionally causes damage without authorization to a protected computer

Notice: this didn't require someone to transmit code to the victim machine: they knowingly cause code to be transmitted somewhere, and that intentionally causes damage as a result. Isn't that what you have here? In our assumed world, Signal's devs have written the app to pull down the exploit to the users' phones, thereby knowingly causing it to be transmitted. I think it'd be hard to claim with a straight face that your Cellebrite-targeting code (that you told the world about) wasn't intentionally targeting Cellebrite.

Under your rule of "you have to intentionally send data to the victim device," what result if you write malware and post it, say, on Facebook: just as you intended, anyone who clicks is infected, but the payload is inert as to Facebook's servers. Are you in the clear because the harmed users all initiated the download themselves?


Are you trying to convince a jury, or just bring charges?


I'm not going to pretend it's a 100% open-and-shut case: the CFAA in its great broadness is a fairly controversial area, and this is a "weird" case. And as always, who knows what a jury will do.

On the other hand, in the hypothetical scenario where this actually happened and damaged some law-enforcement-owned machines, I don't see the average jury being too sympathetic.

It's certainly problematic enough that it's a legitimate concern, I'd say.


But those are two separate actions:

- Signal transmits a code (exploit) and keeps it in its cache, the code is dormant, nothing is being damaged here, it could stay like this forever, no harm.

- Cellebrite transmits Signal's files and cache, including the exploit, and gets hacked by reading it with their scanner.

The key is that the first action is harmless, and the second action is performed by Cellebrite, so you can't blame Signal for it. I don't think these two actions can be considered as one.

And the main difference from the malware scenario is that this Signal code is not meant for reading, it is inaccessible and harmless for anyone except the Cellebrite hackers. The exploit is activated by unauthorized use, unlike the malware.



