Skating on Stilts

 Well, that was quick.  At the age of 6, my grandson, Asa Baker-Rouse, has already accumulated more Internet clout than I’ve been able to assemble in a career.  What’s more he did it with pure sweetness. (Perhaps that’s where I went wrong.)  A Middlebury student named Bianca Giaever turned one of Asa’s stories into a 7-minute film that has now received hundreds of thousands of hits.  

 

It has no political content whatsoever, but it does have a lesson of sorts.  And for those of you who always want the backstory, Asa's younger brother is named Toby.

I've just looked at the new proposal for revising the Computer Fraud and Abuse Act (CFAA) offered by Orin Kerr, Jennifer Granick and the EFF. Essentially, they would set a higher threshold for deciding when a hacker has accessed a computer “without authorization,” by requiring that the defendant circumvent a technological barrier that “effectively controls” access.

On first impression, it looks to me like a pretty bad idea, for any number of reasons.

1. First, if this is meant to be “Aaron’s Law,” a cure for the overreaching by federal prosecutors in the Swartz case, it misses the mark. By the time he was through playing cat and mouse with MIT security officers, Swartz was clearly circumventing an effective technological control – unless you define “effective” very strictly, a bad idea I’ll get to in a minute.

2. The EFF proposal doesn’t come from thin air. It’s directly borrowed from the Digital Millennium Copyright Act, which lets copyright holders sue anyone who circumvents technical copy-protection measures, as long as those measures “effectively control access to a work” protected by copyright.

Let’s pause for a moment to consider why the EFF equates the DMCA and the CFAA. On one level it seems obvious. Aaron Swartz was trying to “liberate” IP-protected data in much the same way that, say, the authors of DeCSS sought to “liberate” movies sold from the DVD restrictions set by the studios. EFF wants to borrow the concepts it relied upon in the DMCA cases and use them to defend CFAA cases.

But the CFAA is not primarily about protecting intellectual property. It’s about protecting the security of all kinds of data – national security secrets, privileged client confidences, and the most private personal data stored online by governments, companies, and individuals themselves. Many CFAA defendants, in other words, are egregious privacy violators. So, faced with a choice between protecting privacy and protecting “open data” campaigners, EFF has decided to favor open data over privacy.

Put another way, the EFF isn’t comfortable admitting that there's a threat to privacy except from business and (mainly the U.S.) government. Acknowledging that ordinary people have a stake –- indeed, a privacy stake -– in prosecuting hackers puts too much strain on their worldview. To avoid that strain, though, they’re advocating measures that will actually harm our privacy.

3. That choice might make sense if the only kind of hacking that we faced was a handful of Aaron Swartzes. But in fact, we are in the middle of the worst cybersecurity crisis -– and the most massive loss of data to hackers -– since the dawn of the computer age. It’s an odd time for sophisticated technology observers to propose weakening our computer crime laws.

I recognize that the CFAA has problems, and that it’s been rewritten too often by prosecutors eager to ensure that they can win any case they choose to bring, but in light of the massive increase in cyberespionage, I think that Orin, Jennifer, and the EFF should at least show that their proposal will not interfere with prosecution of the hackers who are currently stealing us blind.

4. They don't make that showing, and I question whether they can. Making criminal liability turn on breach of an “effective technical control” will hamper a lot of legitimate prosecutions, or so it seems to me.

First, I assume that under their proposal the effectiveness of the technical control will be an element of the crime, one that the government must prove beyond a reasonable doubt. That’s a heavy burden, and it makes any ambiguities in the new test very risky for prosecutors.

Second, there’s a problem with the concept of “effective technical control” that resembles the problem of “obviousness” in patent law. Anything that’s been invented starts to look more and more obvious as time goes on. And any technical control that a hacker has successfully bypassed starts to look, well, ineffective. As I remember, groups like EFF argued in the context of the DMCA that encrypting copyrighted material with a 40-bit key was “ineffective” because the encryption could be broken by brute force cryptanalysis.

Do we really want hackers to be able to argue to juries that they can’t be prosecuted for stealing personal data because their victims used too small a key or too obvious a password -- or that their security wasn't proof against Metasploit or some other widely available penetration tool?

5. Do we even want to protect data only if access is effectively controlled by technology?

Let me offer the example of a government database containing passport or drivers’ license data. Because the access that government officials need to this database is not predictable, the system depends principally on a strong audit system to prevent abuse. Everyone who accesses a file is tracked, audited, and monitored for misuse after the fact. Now suppose that a government worker uses these files to settle some personal score and evades the audit system by stealing the login credentials of another worker.

He’s clearly subject to prosecution under today’s CFAA. But under the Kerr- Granick-EFF proposal, the government has to show that its audit system “effectively controls access” to the data. Even putting aside the hindsight problem I described earlier, an audit system doesn’t “control” access in the sense of preventing access; instead, it is designed to identify and punish improper access. It seems to me that even the most abusive access to that data would be hard to prosecute under the revised law.  

UPDATE:  To reflect Orin Kerr's reply to this post on the Volokh Conspiracy, in which he makes clear that he does not support the EFF's"effective control" test.

Anonymous claims to have struck a blow in Aaron Swartz’s memory.  It has hacked the website of the US Sentencing Commission and posted a long manifesto and a group of files named after Supreme Court Justices.  The manifesto suggests that the files contain embarrassing secrets and declares that the secrets will be revealed in installments unless Congress adopts sentencing and computer crime changes.

Exactly what the files contain the screed leaves uncertain: "The contents are various and we won't ruin the speculation by revealing them. Suffice it to say, everyone has secrets, and some things are not meant to be public.”

It’s possible that this is an elaborate publicity ploy.  The manifesto’s authors don’t exactly say they have information stolen from Supreme Court justices.  And they are careful to suggest that if investigators find no sign of intrusion, well, that’s just proof that Anonymous is “far more ambitious, and far more capable” than investigators think: “Over the last two weeks we have wound down this operation, removed all traces of leakware from the compromised systems, and taken down the injection apparatus used to detect and exploit vulnerable machines.”  So this might be a big deal, or, having made a media splash out of simple website defacement, the hackers may announce in two weeks that all they wanted to do was cause a frenzy of investigative activity without actually hacking any Justice’s computer.

In the meantime, though, the episode is likely to sully Aaron Swartz’s memory. Swartz was egregiously overcharged, but there isn’t much doubt that he violated the Computer Fraud and Abuse Act.  We see the charges as unfair because Swartz’s “liberation” of data was motivated by a commitment to open data and not by any criminal intent.  Now comes Anonymous, claiming to be liberating data in Swartz’s name but doing so with unquestionably criminal intent -- to extort policy changes and to cause pain to government officials for their views and actions.

The exploit is probably counterproductive too.  Apart from turning those who want reform of computer crime law into the allies of lawbreakers, Anonymous has substantively hurt the case for amending the CFAA. Heavy criminal penalties are entirely appropriate for people who hack a Supreme Court Justice’s account and disclose personal secrets. But it’s not easy to redraft the CFAA so it reflects the difference between Swartz and the Anonymous hackers, at least not without relying on precisely the prosecutorial discretion that the Swartz prosecutors misused.

Finally, I wonder if this incident won’t affect the Supreme Court’s approach to cybercrime issues.  As Frank Rizzo once said, a conservative is a liberal who’s been mugged.  If that’s true, every time Anonymous mugs one of the Justices in cyberspace, it could be making the Court just a little less enthusiastic about limiting the tools the government uses to deter computer crime.

PHOTO: Victor Diamante

 

The denial of service attacks now afflicting American banks are widely attributed to Iran. They’ve grown so serious that US banks have asked the National Security Agency for help.

That has provoked the usual response from privacy advocates.  Faced with a serious threat to the security of our online banking accounts, they are happy to tell us who we should really be worried about: “’The dual mission of the NSA, to promote security and to pursue surveillance, creates an intractable privacy problem,’ said Marc Rotenberg, executive director of the Electronic Privacy Information Center.” 

I’m more interested in the actual, uh, attacker. Assuming it’s Iran, as I do, what do these attacks mean?  One thing is sure, they’re the opposite of the cyber Pearl Harbor everyone’s talked about. Unless Adm. Yamamoto called up the Navy on December 7, 1941, and said, “We’ll be attacking Pearl Harbor for an hour and then the Philippines for an hour, but only on Tuesdays, Wednesdays, and Thursdays.” Because that’s pretty much how the bank attacks are going – short duration, scheduled disruptions.

That raises a couple of questions.  First, why would a country launch such a limited attack?  It could be a demonstration designed to show capability without actually provoking a response -- sort of like sending an aircraft carrier to a trouble spot but staying in international waters.  Indeed, some of the details of these DDOS attacks do show surprising sophistication, and there’s no doubt the actual impact of the attacks could be greatly ramped up if the attacker wanted to. Second, if that’s the case, the best response would be to demonstrate that our defense can counter the attacker’s offense – sort of like surfacing an undetected submarine alongside the carrier.

So, how are we doing at showing our defensive strength?  Not so good, I’m afraid.  The attacks persist, and we don’t seem to have a simple way to nullify them.  That’s pretty troubling from a security point of view, particularly if you believe as I do that denial of service attacks are the least dangerous form of cyberattack.  If we can’t defend against scheduled, short-duration, denial of service attacks, our vulnerability to other attacks is even more worrisome.

Which brings me to a third point: If these are Iranian attacks, Iran is probably doing us a favor.  It’s teaching us some important lessons, exposing the weakness of our defenses in dramatic form without actually destroying any infrastructure or causing serious harm.  It’s also revealing the weird priorities of the privacy groups, which seem to hate parts of our government more than Iran’s, even when they’re faced with an actual Iranian attack. And it’s giving us a kind of live-fire exercise in which to practice our cyberdefenses until we find something that works.  With enough time, maybe we’ll find a way to get our planes in the air, our ships out to sea, and our anti-aircraft guns unlimbered before a second wave of planes appears in the sky.

Turns out that hackers can use Cisco phones to monitor our communications, says Sal Stolfo of Columbia University, and Cisco evidently has taken its own sweet time to fix the problem.

And the FAA's fancy new NextGen traffic control system will allow hackers with $1000 worth of equipment to send fake GPS signals to commercial planes, says Paul Rosenzweig of Red Branch Consulting. That would apparently be enough to get the planes to land in unexpected places. Like the Capitol.

Ellen Nakashima of the Washington Post has another ground-breaking article on novel approaches to network defense. I've blogged before about honey tokens, deceptive files that leave hackers with false data while flagging the intrusion to defenders.  Nakashima's article suggests that their use is growing, as other defensive techniques prove ineffective:

Brown Printing Co.,...began planting fake data in Web servers to lure hackers into “rabbit holes” in the hopes of frustrating them into giving up. The bait was varied — including bogus user log-ins and passwords and phony system configuration files. Anyone who took it was being watched by Brown, their computer locations tagged and their tactics recorded.

“We’re taking the hackers’ strengths and we’re making it their weaknesses,” said Nathan Hosper, a senior information technology officer at Brown. “They get caught up in this cycle of fake information.”

So far, so good.  What's sad is the FBI's reaction, which will be familiar to those who know how big city police departments view homeowners who use guns to defend themselves:

U.S. officials and many security experts caution companies against taking certain steps, such as reaching into a person’s computer to delete stolen data or shutting down third-party servers.

Those actions probably would violate federal law, FBI officials said. The bureau also warns that the use of deceptive tactics could backfire — hackers who identify data as bogus may be all the more determined to target the company trying to con them.

Actually, I'm being too kind to the FBI.  If you call 911 to report a home invasion, at least the police will send someone to your house who is armed and ready to take on the intruder. (Whether they'll arrive in time is a different question, leading to the familiar saying, "When seconds count, the police are just minutes away.")  

If you call the FBI to report a network intrusion, though, you'll get a stifled yawn and a request to meet with your CEO for relationship building purposes. Given the government's feeble capabilities against cyberespionage, discouraging corporate self-help is particularly irresponsible.

Not everything the bureau said was wrong. Shutting down third party servers probably is illegal under the Computer Fraud and Abuse Act. In contrast, I doubt that companies are acting unlawfully when they delete their own files from a hackers' computer, though I recognize that Orin Kerr has a different view, and the Justice Department may be closer to Orin than to me on this. 

But I don't know anyone who thinks that it violates federal law to deploy honeytokens on your own network.  So when FBI officials caution that using deceptive files that way could make you more of a target, they aren't giving legal advice.  They're giving "leave it to the FBI" advice, in a field where leaving it to the FBI is a recipe for failure. 

Also, I suspect they're talking through their, uh, hats. In what way will deploying fake files "backfire"?  OK, fake files may not work forever; the hackers may come back and look harder for the real stuff, but is that really a reason not to deploy them? 

Let's perform a thought experiment: In option A, you don't use fake files, so bad guys who break into your network steal your data.  In option B, you do deploy fake files, so the bad guys steal bad data, and you find out that you're a target whose current security isn't sufficient. After that, either the bad guys are fooled by the bad data and they waste time and money acting on it, or they figure out that it's bad data and they have to go back and find the real data on a system that you've had time to harden. And the FBI thinks that option B is the one that might "backfire"?

(I recognize that it's also possible that the hackers will get mad about being fooled and will destroy files or take other retaliatory actions that they wouldn't take if they got the good stuff right away.  But I'm skeptical. First, that's a big escalation in tactics that we haven't seen yet from cyberspies, probably for good reason. Second, that would be astonishing advice from a law enforcement ageny, the equivalent of:  "Better let these criminals steal you blind; otherwise they might burn down the store" or  "Cooperate with hijackers so they don't have to kill any hostages" or "Resisting a rapist will only get you beaten, stabbed or shot." If that's the FBI's official position on cybercrime, it means they've oficially given up.)

The Justice Department's National Security Division may be getting on the cyberspace attribution/retribution bandwagon -- and in the process, reshaping US strategy for deterring cyberespionage.

First, NSD is creating a new liaison position in US Attorney offices across the country -- the National Security Cybersecurity Specialist, or NSCS (rhymes with "discus meniscus" for you knee trauma buffs).  The idea is that companies across the country are suffering from cyberespionage, much of it state-sponsored, and there need to be cleared, cyber-smart prosecutors in each federal prosecutor's office who can work with local victims, not to mention the FBI, which already has specialists in each field office who deal with local victims of cyberespionage.

This is a good thing, and part of NSD's coming of age.  But what's most important is this simple fact:  the Justice Department doesn't designate prosecutors to give speeches, or to hold industry's hand and offer sympathy.  It designates prosecutors to prosecute. 

So, implicit in this new initiative is a new willingness to prosecute cyberespionage cases -- a development very much fueled by the growing body of attribution evidence accumulating in federal files.

In fact, John Carlin, a top NSD official, has more or less declared that the Department will start prosecuting cyberspies, perhaps soon.

Well big whoop, you might say.  Why should a foreign government cyberspy care that he's being investigated by some prosecutor from the Northern District of Minnesota?  Maybe it is mildly embarrassing to be indicted, but it won't make a real difference in his life. He can just give Justice the finger.

But Justice isn't limiting its focus to the guys stealing the data.  The real targets are the guys consuming the stolen data:

  Carlin said the best possible target for a prosecution might be a case where a company that uses stolen technology could be charged.

“Whether it is a state-owned enterprise or a state-supported enterprise in China — if you can figure out and prove that they’ve committed the crime, charging the company means they can’t do business in the U.S., or in Europe,” he said. “It affects their reputation and that then causes them to recalculate: ‘Hey, is this worth it?’”

I think Carlin is exactly right.  There's no point in stealing data from Exxon or Nortel if it's just going to sit in some military intelligence filing cabinet somewhere. It's only worth stealing if you can give it to Exxon's or Nortel's state-sponsored competitors, because those are the only people who can actually use it effectively. That simple observation drives a surprising conclusion: Most of the cyberspies now infesting US companies are very likely working in the end for state-owned enterprises that compete with Western commercial enterprises. 

And that's their vulnerability.  Those enterprises can't compete with Western companies unless they compete globally.  Which means doing business in Japan, Europe, and the United States. And companies that do business here can be prosecuted here.  They can't give prosecutors the finger, at least not if they want to stay in business here.

So if NSD is successful, it can force state-owned companies to choose between the value of cyberespionage and the value of their US business. There are a lot of uncertainties in this approach.  We'll have to take our newfound attribution capabilities another long step forward, identifying not just the thief but his customer.  But if we can pull that off, and I think we can, this is the first plausible strategy for deterring mass Chinese cyberespionage we've come up with in twenty years. 

Plus, think of the entertainment value.  What I really want is the popcorn concession at that first trial.

The Wall Street Journal thinks it's found another scandal in government.  It has, but the scandal isn't about privacy.  It's about how the government is slowly unlearning the lessons of 9/11.

DHS has passenger lists for flights in and out of the US.  It uses those lists to watch for terrorists.  The National Counter Terrorism Center also watches for terrorists.  So it asked for DHS's lists. The first rule of bureaucracy is never to share information with a rival. So it's no surprise that DHS didn't want to hand over its data to Matt Olsen's NCTC.

It's not even a surprise that DHS claimed it was fighting for Americans' privacy.  But, really, how silly is that?  Do you know anyone who resonates to this slogan:  "I''m glad Janet Napolitano has my travel records, but I will fight to the death to keep them out of Matt Olsen's hands"?

What's troubling is that DHS, born out of 9/11, is leading the effort to roll back the lessons we learned then. Its argument in the WSJ article sounds exactly like the arguments that prevented information sharing in the run-up to 9/11. Then, it was the intelligence community that didn't want to share its data or its turf with law enforcement.  The intelligence community persuaded the FISA court that keeping intelligence from law enforcement was a privacy issue, and the court bought in. 

In fact, the court enforced "the wall" between intelligence and law enforcement so harshly that the FBI was afraid to let its enormous and highly competent Cole bombing task force go looking for the 9/11 hijackers in the two weeks before the attack, even though the bureau knew al Qaeda leaders were in the country and up to no good.  As a result we lost our last, best chance to stop the attack before it happened. (I told this story in the third chapter of Skating on Stilts.)

Now it looks as though we're headed down the same road, but with DHS taking the role of the intelligence community. Funny, you'd think three thousand deaths would resonate longer in our government's memory.

I’ve thought for a while that attribution of hacker attacks was improving rapidly. Now we have confirmation from a Ken Dilanian scoop in the LA Times. Dilanian reports that “the U.S. intelligence community is nearing completion of its first detailed review of cyber-spying against American targets from abroad, including an attempt to calculate U.S. financial losses from hacker attacks based in China.” And the intelligence estimate shows just how far the US has come in identifying the source of particular intrusions:

Intelligence analysts disagree over the extent to which the intrusions are organized by Chinese authorities, but the CIA and National Security Agency have traced cyber-attacks and thefts to Chinese military and intelligence agencies…. "We know much more about who is doing this than we did even two years ago," one official involved in the effort said. "We have traced attacks back to a desk in a [People's Liberation Army] office building."

Nice work, intell community.

For those who think I’m a little paranoid on the subject of cybersecurity, I suggest this story – a nightmare made in China for a small US businessman. Brian Milburn’s parental control software was pirated and used in a China’s infamous Green Dam software. 

When he sued, hackers tied to the Chinese government attacked his networks relentlessly, nearly destroying his business:

 

For three years, a group of hackers from China waged a relentless campaign of cyber harassment against Solid Oak Software Inc., Milburn’s family-owned, eight-person firm in Santa Barbara, California. The attack began less than two weeks after Milburn publicly accused China of appropriating his company’s parental filtering software, CYBERsitter, for a national Internet censoring project. And it ended shortly after he settled a $2.2 billion lawsuit against the Chinese government and a string of computer companies last April.

In between, the hackers assailed Solid Oak’s computer systems, shutting down web and e-mail servers, spying on an employee with her webcam, and gaining access to sensitive files in a battle that caused company revenues to tumble and brought it within a hair’s breadth of collapse.

There are two particularly interesting, and troubling, aspects of the story. First, the hackers immediately attacked Milburn’s law firm as well as his company.  This tactic is now part of the standard playbook for China’s hackers, but US law firms have not fully adapted to the threat. Second, I’ve long wondered when the Chinese hackers would go from stealing information to sabotaging networks.  According to Milburn, that’s exactly what they did here:

While bulk sales and orders over the phone were up, 60 percent of Solid Oak’s business depended on users buying the $39.95 program directly from the website. As the network problems continued, so did the fall in sales. Milburn wouldn’t provide month-to-month sales figures, saying it could aid competitors, but he says the normally profitable company dipped into the red after a big drop in web sales the month the lawsuit was filed. Net losses averaged $58,000 a month after that, even as Milburn slashed expenses, he says.

Tracing the drop, he could see that customers were coming to the website to buy the software like always. They’d type in credit card numbers and click submit, but most of the orders -- on some days 98 percent -- weren’t going through, Milburn says. He replaced servers and tried other fixes. Nothing worked.

He went without pay, and DiPasquale agreed to forego her salary for a few months too. She and her husband, a professional chef, drew down their savings, but by the summer of 2010, the money was running out.

…

Examining the script that controlled the payment processing function in November that year, he noticed that a single character was missing from the string -- an apostrophe. That was enough to cause the page to time out, rather than to complete the credit card transaction. Customers were leaving in frustration.

The apostrophe was sometimes there and sometimes not, so some payments went through. There may have been other ways that the hackers were sabotaging his sales, but Milburn was sure he had found at least one.

“A hacker could certainly edit the script and break it so it wouldn’t work,” says Stewart, the DellSecureWorks threat expert. “That would be a great way to do it without calling attention to the fact that they were in the system.”

If this is a harbinger of future Chinese conduct, the silent cybersecurity crisis is going to become very public, and very ugly.

Photo credit:  Wikipedia

Security professionals probably spend too much time and money securing their systems and too little checking to see whether their security measures have failed.  After putting a new security solution in place at great cost, it’s only natural to think that you’ve, well, solved your security problems. But the history of computer security, not to mention the history of humanity, tells a different tale.  While you’re basking in a sense of achievement, your adversary is working to overcome your new defenses. Sooner or later, he will. How will you know?  Today, most companies figure it out when the FBI or someone else shows up to tell them their systems are spewing data to known bad sites.

That’s a little late, and a little random. Ideally, we’d all have automatic security checks to tell us that we’ve been compromised, just as a good accounting system has backend checks to flag suspicious transactions.  In the network security world, one of the more developed tripwire technologies are honey traps – irresistible targets for hackers that, among other things, let you know when some or all of your defenses have been penetrated.  Gloria Gaynor pretty much summed up the strategy:  hackers come for the honey and end up getting stung.

Now comes a good new report on honey trap technologies from the European Network and Information Security Agency, or ENISA, which is rapidly becoming my favorite European institution. (Granted, there’s not much competition.) ENISA’s report is a good practical evaluation of a host of honey technologies.  Among the things I liked was its discussion of “honeytokens” – fake files left on your system and watched carefully for any signs of access. I’ve experimented with crude versions of that approach myself, and I’m quite surprised that it is not a standard part of all security deployments.  Unfortunately, the report’s practical evaluation charts don’t actually evaluate commercial technologies using honeytokens, but it does cite a few additional publications in the footnotes (here’s one; here’s another; and another) for those who share my enthusiasm for the concept.

Photo credit: Stefan-Xp through Wikimedia commons

A few posts back, I told the story of how Trend Micro identified “Luckycat,” a Chinese hacker who had attacked the Dalai Lama, aerospace firms, and other targets. Based on what we know so far, it looks likely that the hacker is Gu Kaiyuan, formerly a student at Si Chuan University’s Information Security Institute and currently employed by Tencent, the huge Chinese instant message firm. Gu insists that two people used some of the credentials in question, and that he’s innocent.  According to the New York Times, the University issued what seem like a carefully limited statement that it never “hired any unit or individual to participate in Internet attacks or hacking activities.” Tencent’s statement is similarly cautious: “We have checked with our colleague Mr. Gu Kaiyuan, who denied he was involved in any hacking activities…..Nor was he named by the author of the report as a hacker.”

It’s clear that Trend Micro has taken attribution pretty far, but more needs to be done if we’re going to get to the bottom of the case.  The usual assumption in these cases is that nothing more can be done.  The Chinese government isn’t likely to help, and Gu isn’t likely to come to the US any time soon.

But it’s a globalizing world. And the US has more leverage than it’s using. Let’s start with Tencent.  It’s a big Chinese company, but it seems to do plenty of business in the United States as well. It has a joint venture in China with Groupon that might require CFIUS approval. It has a gaming company in Boston with 10 to 50 employees, so its executives are likely to want visas to come to the United States. Whether it’s seeking CFIUS approval or more visas, Tencent cannot afford to acquire a reputation for hiring hackers.  If the United States asks for more information about Gu, or a chance to interview him, Tencent cannot say no.

Or take Si Chuan University. We’ve got some leverage there, too.  The University sends plenty of students to the United States, and it accepts US exchange students as well. In fact, just three weeks after the Trend Micro report had fingered Si Chuan University for possible complicity in hacking American companies, the State Department sent a couple of consular representatives to the school to encourage its students to apply early for visas to study in the United States.

That of course was the wrong message for our diplomats to send, and it suggests that the State Department is still not taking hacker attribution and retribution seriously. Instead, the Department of Homeland Security, which has cybersecurity responsibilities as well as student visa authority, should open an investigation into Si Chuan University and its Information “Security” Institute.  Those institutions may or may not be complicit in the Luckycat attacks, but the public data about Si Chuan and its Information Security Institute isn't particularly comforting on that score.

The Information Security Institute was China’s first, established in December 1997. It doesn't just do research; it actually produces products, and it benefited from “Program 863,” a government research program to develop and acquire sophisticated technologies in a handful of high priority fields. (A Chinese spy was convicted last year of stealing US technology and giving it to Program 863-- and to a Chinese university.) Among the Institute’s products that have been highly praised in China are systems “to improve network attack and defense and network behavior regulation, strengthen information security management, real-time monitoring, tracking competitors , industry, government and other sectors dynamic, capture, analysis, favorable or unfavorable information.” (Emphasis added.) It would be wrong to condemn the institution based only on the Google Translate version of an Internet report, but it’s surely fair to ask Si Chuan University if its products really do improve “network attack” or facilitate “real-time monitoring” of people in public networks. (Readers who know Chinese are invited to offer their views in the comments.)

The answers to these questions are surely relevant to how welcome Si Chuan researchers should be in the United States. After all, if the University is a front for organized attacks on US institutions, or a handmaiden of Chinese repression, or if it just refuses to cooperate in an inquiry, why should the United States grant visas to its students or professors?

Indeed, you kind of wonder why American schools, where academic boycotts to show moral disapproval of apartheid South Africa and even of Israel have been widely mooted, aren’t reconsidering their ties to Si Chuan over its possible complicity in attacks on the Dalai Lama.  (If you'd like to ask them yourself, here’s a list of Si Chuan’s Western exchange program partners.)

“I … watch him working at the stove.  His easy concentration, economical movements, setting up in me a procession of sparks and chills.”

-- Alice Munro, Dear Life

Three pages after this passage, Alice Munro’s virginal young narrator goes to bed with the man at the stove. That will come as no surprise to most readers, but it's an aspect of human nature that seems to have eluded the Transportation Security Agency.

***

It’s Thanksgiving weekend, when most of us get to spend at least some time thinking about TSA. I’ve spent mine puzzling over the roots of TSA-hatred.

There’s no doubt that it’s virulent. As a privacy skeptic and national security conservative, I’m used to hostile comments.  But it’s only when I defend TSA that the comments go beyond hostile to visceral and occasionally even spittle-flecked.

Why is that? Notwithstanding the venom of the TSA-haters, polls show that most Americans support TSA, including the decision to use whole body scanners. But for a very vocal minority opposing the agency isn’t political. It’s personal.

I can’t explain the women who hate TSA with a passion.  But I’m not sure how many there are.  Anti-TSA sites and comments have a distinct whiff of testosterone. If you’re one of those men, I ask whether this sounds familiar:

It starts before you get to the airport. Get your liquids in a clear, quart-size bag. I keep a cache of travel-size toothpaste and shaving cream in a sandwich-size baggie; I’ll reuse it on about a half-dozen trips before it wears out. Put the baggie on top of everything in your carry-on. The people who have the hardest time are the ones opening up their bags in line to find their liquids. That wastes precious time. I put my laptop and Kindle in an accessible pocket outside my carry-on. Next, take your ID out of your wallet and put it in a breast pocket with the boarding pass. I almost always wear a sports jacket when traveling. Why do I do that? Pockets. Take all of your small electronics and put them in jacket pockets, along with change, keys, and your wallet. When you get to the line, you just take your jacket off and put it in the tray. That’s the main trick: Instead of unloading my pants pockets in the line, I prepack my jacket. In the airport, after you show your documents, put your license back in your pocket—you don’t want to lose it. At the bag screening, the shoes go off first—I always wear loafers. Then I put my jacket in a tray behind the shoes, and my liquids on top of the jacket. The laptop goes in the next tray, then my carry-on follows. I sequence it that way so I can reverse the unpacking process at the other end. You put your shoes and your jacket on, then your hands are free to grab the liquids and the laptop, and the bag’s right there.

That’s Michael Chertoff talking, former Secretary of Homeland Security, my former boss, and a legal and financial force in Washington.  He’s got a lot to think about. Is this really a good use of his time?  After all, how efficiently he performs in the security line is going to make – what? –- maybe a one-minute difference in how fast he gets through the line?

It may not make sense. But I’m willing to bet that a lot of the men reading this have similarly choreographed plans for the security line.

I know I do. And if I’m honest with myself, the rituals of the screening line aren’t really about speed.  They’re about performance.  I feel a kind of competitive pressure to keep the line moving. I’m not happy to see more than about six inches of distance between my luggage and the bags in front of me on the belt. Every delay in pulling out my laptop or my liquids, every last minute bit of change I have to throw haphazard into the bin, every stutterstep as I realize it’s a whole-body scanner, not a metal detector, so belt and watch have to come off too –- all detracts from the performance.

Every once in a while, though, everything goes right, and I feel great. I’m Michael Chertoff, baby, all smooth competence, no wasted motions, no hesitation, no gaps on the conveyor belt.

OK, that’s a little embarrassing to admit.  But it gets worse when I ask myself why I care.  If you’re the kind of guy who can’t throw away a piece of paper without wadding it up and arcing it across the room, you already know.

In part we do it to keep our place in the hierarchy of guys.  But in the end, what we’re really hoping for is an Alice Munro moment -- that our easy concentration and economical movements will set up in someone “a procession of sparks and chills,” followed a few pages later by, well, what we deserve for all that demonstrated competence.

And that means that TSA has an Alice Munro problem.  Because it’s the TSA agent who points to the phone that’s still on your waist and sends you on the walk of shame back to the conveyor belt, every prospect of chills and sparks annihilated.

Worse,  TSA keeps changing its routine.  Shoes in the bin or shoes on the belt? Wallet in the bin or in your pocket? Boarding pass in your hand or on the belt?  Just when we learn the ritual, there’s something new. How well would LeBron perform if the NBA kept moving the basket?

It’s even more of a problem if the TSA officer shows even the slightest attitude. The only thing worse than failing publicly is having your nose rubbed in the failure.  Every time I walk the walk of shame, I find myself on full alert for even a hint of criticism or superiority from the TSA officers around me; I'm just one word or lifted eyebrow away from going into full junior-high-school rebellion mode.

***

If I’m right about the roots of TSA-hatred, there's a lot the agency could do to ease the problem. Start with the officers. They’ve already become far more professional and hard to provoke.  That’s good, but there's room for more.  When protocols change, in particular.  After a week, the officers know the new routine cold, but for months after a change they’ll be dealing with people who don’t. It’s natural -- but unwise -- for officers to treat deviations from the new protocol as mistakes. Instead, to avoid triggering performance anxiety, the agency should adopt a self-deprecating and even apologetic tone. For months or years, the officers will need to say,  “I’m sorry.  We changed the rules again. Now we’re asking people to put their shoes on the belt, not in the bin.”

In fact, the agency should avoid any hint that it is judging our performance from on high. How about a sign on the way to the belt that says, “Forty of the forty-two TSA officers now on duty have forgotten their cell phones at least once while walking through the scanner.  We’re hoping this sign will help you avoid our mistake”? Or one that says, “We change our protocols from time to time to make life harder for terrorists.  We know it makes life harder for you too, and we’re sorry.  If you’ve got questions about the new procedures, just ask”? Maybe that video of John Pistole could include an interview where he talks about all the stuff he’s mistakenly tried to take through security -- water or pen-knives (maybe even guns – he was after all an FBI guy for most of his career).

In short, maybe TSA needs a simple new message for travelers:  We’re not judging you, we’re just trying to keep dangerous stuff off planes. Oh, and you’re not in a competition; you’re in a security line.

The new approach may not stop some travelers from hoping that our displays of easy concentration and economical movements in the security line could still inspire a procession of sparks and chills. But at least we won’t blame TSA when they don’t.

It’s worth a try.  We could call it the Munro Doctrine.

NOTE: Comments explaining that TSA is an intolerable intrusion on our freedoms that the rest of the country simply fails to grasp are inevitable, but those using the word "sheeple" or linking to stories from PrisonPlanet may be removed, or mocked.

FURTHER NOTE: No, that's not a real Craigslist ad.

The harshest blow yet has been struck against the European Commission‘s wacky “right to be forgotten.” What’s worse, the blow came from another European Union agency, the European Network and Information Security Agency, or ENISA.  And, worst of all, ENISA trashed the right to be forgotten in the most innocent and most devastating way possible:  By trying to take the idea seriously.

ENISA’s report simply asks how government will implement an individual "right to be forgotten" when data are so often plural –- concerned with more than one person and freely exchanged with many more.  How, ENISA asks, would government force the forgetting of a couple's photograph when one person wants the photo forgotten and the other doesn't?  And how can data be tracked down and “forgotten” when we don’t even know who has seen or stored it?

Consider Alice viewing Bob’s personal information on a computer screen, while she is allowed to do so (i.e., before Bob has invoked his right to be forgotten). Alice can take a picture of the screen using a camera, take notes or memorize the information. It is technically impossible to prevent Alice from doing so, or even to recognize that she has obtained a copy of Bob’s personal data.

Faced with such obstacles, you might think the European Commission would acknowledge reality and give up on the unenforceable right to be forgotten.  But remember the recording industry. When told that enforcing its rights over easily copied digital files would require suing masses of music fans, the industry said, “You think we won’t?  Watch us.” 

In the same spirit, perhaps European data protectors could hire aging Stalinist photo retouchers to edit photos person by person, and take tips from 1984 on how to monitor everything that appears on our computer screens, just in case it turns out that the war with Eastasia has to be forgotten, fast. 

Attribution of cyberattacks is getting easier, but we’re still bad at the next step:  retribution.  A case in point is Brian Krebs’s clever investigation of a new antivirus company, Anvisoft. He offers compelling reasons to believe that Anvisoft is run by a notorious Chinese hacker who helped attack a DoD contractor and others several years ago, according to an iDefense report.  The hacker, Tan Dailin, is pictured on the right.

If Brian’s suspicions are correct, this is a great case for retribution. After all, Anvisoft is offering its software for download in the United States. The company has subjected itself to US jurisdiction, and it probably needs the US market if it’s going to succeed globally.  This is an opportunity for the US government to demonstrate that hacking US companies isn’t something we’re likely to forget or forgive. Indeed, if the government were taking foreign government hacking seriously, it would already be investigating Anvisoft.

To be a bit more pointed about it, where the hell is the Federal Trade Commission when we need it?  It sure sounds like consumer fraud for an anti-US hacker to try to sell security software to Americans while hiding his past.

Of course, the FTC is resource constrained.  But it’s spending boatloads of money litigating with Wyndham Hotels, claiming that the hotel chain didn’t do enough to keep hackers from breaking into the hotel network and stealing credit card numbers. 

Jon Leibowitz, call your office.  Given a choice, I think we’d all be happier, and safer, if you devoted your scarce enforcement resources to investigating the perpetrators of crime before suing the victims.

I got a call the other day from Ralph Langner, the man who reverse-engineered Stuxnet. He wanted to compare views on cyberweapons and industrial control systems.

These systems have now been installed in most of the infrastructure that supports civilian life. But Stuxnet showed how vulnerable such systems can be to cyberattack. I fear that civilians will be targeted by cyberweapons in future conflicts – and that we have no good response to that threat.

Langner, a German national whose consulting firm remediates infrastructure risks, knows a lot about these issues. Here is an edited version of a conversation that left me both disturbed and, oddly, optimistic.

BAKER: After Stuxnet, am I right to worry that we could see a cyberattack on industrial control systems with the kind of massive civilian damage that will look and feel like war?

LANGNER: There’s no doubt that cyberattacks on industrial control systems are possible. And that they could cause large-scale disasters. It’s just not that hard, and definitely does not require the resources of a nation state, to cause major physical damage by changing the code being executed on an industrial control system.

BAKER: Like what?

LANGNER: The big difference between IT and control systems is that manipulating the latter doesn’t simply change data, but physical reality – such as destroying equipment, maliciously changing products (think about food and beverages for example), or causing explosions. And those changes cannot be fixed by simply restoring from backup tapes.

It's not just the loss of infrastructure we need to worry about.  Chemical plants run on industrial control systems; they could be remotely instructed to release gases that will kill the people in surrounding neighborhoods in a Cyber Bhopal scenario. That’s a huge problem because there are several thousand potential chemical targets in the US alone.

BAKER: Even if the industrial control system is fully separated from the Internet?

LANGNER: Sure. You can cause the damage using rogue code which is infiltrated via contractors’ BYOD ["bring your own device” –- a recent IT trend allowing employees to use their own equipment on corporate networks – SB] to jump the air gap, as in the Stuxnet scenario. Such rogue code operates autonomously once it’s released into the system.

BAKER: A kind of “fire and forget” weapon, like a cruise missile?

LANGNER: Right. And once it reaches the target, it can cause disaster within minutes. Stuxnet again showed the way. Its authors were never in direct communication with the malware’s payload after it infected the Natanz enrichment facility. They didn't need to be. The rogue code did all the damage on its own.

BAKER: So, are widespread civilian infrastructure disasters inevitable in future conflicts? Are we just screwed?

LANGNER: Only if we are stupid. There’s a lot we can do to prevent those disasters. The technical problem is solvable. The real problem is political will.

In recent years, Orin Kerr of the Volokh Conspiracy has debated hacking law with two of his cobloggers, Stewart Baker and Eugene Volokh.  The issue:  whether federal law prevents network owners from hacking those who are hacking them.

Spread over several years and multiple posts and comments, the debates have been hard to find and harder to read. 

No more.  I’ve pulled the dialogue into a single document, with introduction, and posted it here, on the Steptoe Cyberblog. 

As the fight over SOPA wound down, I predicted that SOPA might be turn out to be a watershed, permanently turning Tea Party Republicans into copyright skeptics: 

For Republicans, opposition to new intellectual property enforcement is starting to look like a political winner. It pleases conservative bloggers, appeals to young swing voters, stokes the culture wars and drives a wedge between two Democratic constituencies, Hollywood and Silicon Valley.

That prediction is starting to look pretty good.  The conservative-led Republican Study Committee just put out a Policy Brief that questions forty years of bipartisan support for tougher copyright enforcement.

Indeed, the Republican Study Committee expresses support for expanding fair use, treating the reduction of statutory copyright damages as a kind of tort reform, punishing false copyright enforcement claims, and limiting copyright terms to twelve years, with increasingly expensive extensions available for no more than 34 years. It is the most radical proposal for overhauling copyright that we have seen in recent years, and the most head-turning change of direction in decades for either party on intellectual property issues.

UPDATE: That was fast. The policy brief has been withdrawn. The study committee's executive director's statement explained the withdrawal this way: "Yesterday you received a Policy Brief on copyright law that was published without adequate review within the RSC and failed to meet that standard. Copyright reform would have far-reaching impacts, so it is incredibly important that it be approached with all facts and viewpoints in hand." 

That’s a trick question. Government is always tempted to punish those who reveal unwelcome truths, just as it’s always tempted to protect the rich and powerful by selective enforcement of vague laws.

But even good liberals and libertarians seem to have trouble seeing the problem when suppression of truth and protection of the powerful is done in the name of privacy.

Here as elsewhere, though, events in Greece are doing much to strip the gauze off our illusions:

Prosecutors on Monday set a fast-track trial date for the investigative journalist arrested last weekend after publishing a politically sensitive list of Greeks said to have Swiss bank accounts.

The snowballing case has raised questions about press freedom and Greece’s willingness to crack down on tax evasion.

Prosecutors said that Kostas Vaxevanis, the editor of Hot Doc magazine, would be tried Thursday in Athens on charges of interfering with sensitive personal data in a one-hearing procedure that is routine in Greece for misdemeanors. If found guilty, he could face a minimum prison term of one year and a fine of around €30,000, or about $39,000, one of his lawyers said.

For more, here’s NPR on the same case.

UPDATE I: The trial did occur on Thursday, and Vaxevanis was acquitted. The prosecutor's strategy will leave litigators scratching their heads:

The prosecutor, Iraklis Pasalidis, called no witnesses and sat stone-faced during most of the trial. He submitted a blank witness list to the judge, a move that one lawyer deemed “an analogy of the blank nature of the allegations.” ... Pasalidis nevertheless argued strongly that Vaxevanis should be found guilty for defaming people without determining their guilt. “These are the culprits, take them and crucify them,” Pasalidis told the court. “Is this a solution to the country’s problems? Cannibalism?”  

UPDATE II: Privacy campaigners sure can be persistent where the rich and powerful fundamental rights to privacy are concerned.  Prosecutors have announced that they will retry Vaxevanis:

The Athens public prosecutor’s office found the judge’s verdict in Mr. Vaxevanis’s case to be “legally mistaken” and wants it re-examined, a court official said, adding that a date for a retrial had yet to be set. “Such appeals by the prosecutor are not unusual, particularly in cases where personal privacy are concerned,” said Aristides Hatzis, a professor of law at the University of Athens."

Transcending parody, the European Union has proposed a privacy regulation that will inevitably deprive many people of their privacy. The regulation, now working its way through the tortuous Brussels process, includes a "right to data portability." This is typically oversexed Commission-speak for a regulatory requirement that information services must hand over all of a subscriber's historical data upon request, and "without hindrance."  

Peter Swire and Yianni Lagos recently released a nice paper demonstrating the high risk that Europe's privacy regulation will turn all of us into privacy victims. The new right, they say with admirable restraint, "raises serious risks for another principle of data protection law, which is protecting the security of an individual’s personal data – in our world of weak authentication and rampant identity theft, moving all of a person’s data to another system “without hindrance” creates security risks that can outweigh the portability benefits."

I don't always agree with Peter, but in this case I do. Swire and Lagos rely heavily on the work of an FTC advisory committee on data access and security.  I served on that committee, which explored exactly this problem.  Here's a excerpt from my now-twelve-year-old concurring statement:

[A]s the Report says, "Giving access to the wrong person could turn a privacy policy into an anti-privacy policy." If access to personal data is turned into a legislative right, Americans’ personal data will be at risk of exposure to con men, private investigators, suspicious spouses – anyone who has the chutzpah and the scraps of information needed to plausibly impersonate their target.

That’s bad for all of us, but it is especially bad for the companies forced to set up some sort of access system. If they demand clear and convincing proof of identity before releasing personal data, they will be accused of offering access in theory while denying it in practice. But if they relax the rules, they will surely be sued every time a con man exploits the relaxed rules to steal a consumer’s identity. 

The European Commission has now had more than a decade to study the US work on the topic, a decade in which hacking and bad Internet authentication have only grown into more serious security threats.  

How does the data portability provision ease the threat to the security of our data? "Unfortunately," Swire and Lagos note, the provision "makes no mention of the right to data security."  

That's privacy law in a nutshell: Rights first. Regrets later.

 

 

 

I've been beating the drums for the value of tracking down the cyberspies who are attacking US government agencies and private companies alike. Somebody seems to be listening. Counterhackers have already unmasked a Chinese cyberspy.

And now the government of Georgia has landed an even bigger fish, seizing control of a cyberspy's computer and taking screen shots of him. Adding insult to injury, the Georgians also managed to steal files from his computer that strongly suggest ties to Russia's intelligence service. Network World has the story:

The photos of the hacker were taken after investigators with the Georgian government's Computer Emergency Response Team (Cert.gov.ge) managed to bait him into downloading what he thought was a file containing sensitive information. In fact, it contained its own secret spying program.

...

They allowed the hacker to infect one of their computers on purpose. On that computer, they placed a ZIP archive entitled "Georgian-Nato Agreement." He took the bait, which caused the investigators' own spying program to be installed.

From there, his webcam was turned on, which resulted in fairly clear photos of his face. But after five to 10 minutes, the connection was cut off, presumably because the hacker knew he had been hacked. But in those few minutes, his computer -- like the ones he targeted in the Georgian government -- was mined for documents.

One Microsoft Word document, written in Russian, contained instructions from the hacker's handler over which targets to infect and how. Other circumstantial evidence pointing to Russian involvement included the registration of a website that was used to send malicious emails. It was registered to an address next to the country's Federal Security Service, formerly known as the KGB, the report said.

For those who can't get enough of this satisfying story, here's the original Georgian CERT report on the sting.

But I can't help thinking the Stylistics said it best: "Payback is a dog."    

Now the debate with Orin is actually getting somewhere. Sort of. Orin has posted a further reply. Here’s a scorecard:

 1. Does authorization depend exclusively on ownership?

 Orin’s latest post does a good job of showing that the CFAA often draws a coherent distinction between rights in data and rights in a computer, and that rights in the computer are the statute’s principal focus. I don’t disagree.

Where we differ is how much that matters. Orin seems convinced that this distinction makes rights in data irrelevant to the question of what constitutes authorized access to a computer.  He doesn’t really offer a reason for treating it as irrelevant.  He just assumes it must be, probably because he also assumes that authorization is an all or nothing concept, so that if the owner has authorization no one else has any, and vice versa.

But Orin's assumption has no basis in the statute that I can see. As my last post says, that’s like assuming that because a trespass statute protects the owners of land, everyone else must be punished as a trespasser, no matter what other rights they have to enter the property.  That would make felons of rescuers, people in hot pursuit of thieves, easement holders, and government officials.  You could come to that conclusion if that’s what the law unequivocally said, but in this case the law only makes felons of people who are not authorized (or not entitled) to access the computer. 

So why would we ignore other claims of entitlement – especially when ignoring those claims makes a felon of someone performing an act with undeniable social value?

Orin’s reluctance to defend his assumption is striking. Maybe he's got a good response; but he hasn't offered it yet.

 2. Should policy influence the interpretation of "authorization"?

 Orin continues to look down his nose at the introduction of policy into the interpretation of this central but undefined term.  He thinks I’m requesting a new statute.  In fact I’m asking the courts to recognize a perfectly plausible reading of “authorization,” in a criminal context where ambiguity would ordinarily be resolved in favor of the defendant.

I agree with Orin that this interpretation requires the courts to decide which entitlements should be recognized and which should not. He thinks that's a role for Congress, not the courts, an argument that might be more persuasive in discussing a civil statute, or a criminal statute that was not deterring companies from responding aggressively to a dangerous intelligence attack on our economy and our society.  

That said, I welcome Orin’s acknowledgement that maybe Congress should permit counterhacking in some circumstances. Though I fear the CCIPS Old Guard lives on in his heart, and that somehow no actual amendment will ever quite pass muster there.

 3. Is necessity a defense for counterhacking?

 Orin suggests that a federal criminal necessity defense might be more apt in this case.  Maybe so, but he acknowledges that it is at best controversial.  At worst, in fact, it doesn’t exist . So, while I won’t spurn even a modest agreement with Orin, the chance to prove an affirmative defense that may not apply isn't likely to offer much comfort for companies that want to gather information about their attackers.

 ***

I don’t want to prolong this debate for readers who have lost interest, so I won’t be making any further posts. If you want to follow it further, check the Volokh Conspiracy for a continuation of the debate in the comments to my post or to Orin Kerr's last post.

Orin Kerr and I agree that “authorization” is the central, and undefined, key to criminal liability under the CFAA. 

In Orin’s view, “authorization” can be determined by asking two questions:  First, does the CFAA protect computers or data? And, second, who controls a computer, the data owner or the computer owner?

It seems to me that the right answer to each question is “both.” The CFAA can and should protect both computers and data stored on computers. Similarly, more than one person can have rights to data on a computer.

In contrast, Orin insists that the CFAA forces a choice.  If it protects computers it can’t protect data.  And the authorization it describes must be binary – you either have full authorization or you have none. But he musters strikingly little support for a point that is so fundamental to his claim.

If anything the statute refutes that argument.  The only textual clue to what the statute means by “authorized” is found in a section that imposes liability on users who exceed their authorized access to a computer; that term is defined as follows: “[T]he term ‘exceeds authorized access’ means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter.”  Put another way, you exceed authorized access if you obtain or alter information you're not entitled to obtain or alter.

This definition undercuts both of Orin’s assumptions about authority. It blurs his sharp line between machine and information by saying that a user’s access to the computer exceeds authorization if the user exceeds his authorized access to the information. And it treats “authorized” and “entitled” as more or less synonymous, which isn't exactly consistent with the idea that authorization is all-or-nothing.  If I'm attending a demonstration on the Mall, and the Park Police tell me to move on, I’m likely to say, “Sorry, but I’m entitled to be here.”  As I am.  But that doesn’t mean that I can then tell them to move on.  They’re entitled to be there too.  And what if I try to enforce my edict by taking a swing at one of them? He might say, “You're entitled to be here, but you’re not entitled to do that here.” Quite right, too; it’s jail for me. It turns out my entitlement was real, but it was neither exclusive nor unlimited.

So too with computers under the CFAA.  I may be entitled to retrieve my stolen data stolen from a machine without being entitled to take the machine to a pawn shop and sell it, or to tell the innocent owner what he can and can't do with it.

In real life, what I’m entitled to do on a piece of ground depends a lot on who owns it, but it depends also on a host of other rules that limit and define the rights of owners, visitors, trespassers, polluters, police, and even outraged victims in hot pursuit of thieves.   All those players are entitled to do some things but not others on that property. 

There’s no sign in the CFAA that Congress intended to exclude that complexity from its definition of “authorization” and instead to decide criminal liability by simply asking, “Who owns this box?” And what about policy? 

Which reading of the statute produces better results (an argument that Orin, inexplicably channeling early 19th century jurisprudential style, derides as an “I-like-it-and-therefore-it-is-the-law argument”)?

To understand the policy consequences of the choice, let's begin with a reminder of our strategic situation. Right now, every computer and network in the country is vulnerable to intrusion by authoritarian foreign governments if not criminals.  We live, or soon will, in Orwell's world -- surveilled in our homes, at work, and as we form our thoughts, keystroke by keystroke.

The intruders have one clear vulnerability; they collect this stolen data on command-and-control machines, which may in some cases belong to other innocent victims. Victims could gain access to these machines, could render the stolen information worthless, could gather clues about the attackers, and could even identify hundreds of other victims who probably don't yet know they've been compromised. That would be a very good thing.

In Orin's world, though, it's illegal. In his world, the hundreds of victims go unnotified, the evidence goes ungathered, the stolen data goes, well, to China, until law enforcement gets around to the cyber equivalent of stolen-bicycle paperwork.

Why? Well, says Orin, because any other rule would authorize Disney to hack everyone’s computers in pursuit of pirated videos and would license crime victims to hack any computer as long as they had a good faith belief that the hacking might turn up evidence. In full CCIPS Old Guard mode, he insists that because attribution is hard, the right to counterhack is “not a power that we want to give to every person in the U.S. who happens to own or control a computer.”

I can’t help noticing how determinedly Orin trivializes the threat we face:  The counterhackers aren’t  people “who happen to own or control a computer.”  They’re people who are being victimized in a profound and society-changing fashion. Nor are the intruders remotely like a “neighbor [who] borrowed your baseball glove and you want it back.” They're Orwell's nightmare, showing up late and requiring us to buy the gear that spies on us.

And what of all those bad policy outcomes that Orin conjures – the crazed vigilantes and the RIAA rummaging in everyone's computers?  The answer is that we, or at least the courts, don't have to recognize their authority to do that. The courts don’t have to treat “good faith” as creating a counterhacking entitlement; they could as easily insist on a higher standard, such as probable cause.  They could recognize the counterhacker's authority to gather evidence but not to harm innocent third parties, just as they distinguish today between demonstrators who are entitled to throw insults but not punches on park property. They could reject the notion that the copying of 99-cent music files justifies the same response as a campaign to compromise every network in the country. They could distinguish, in short, between baby and bathwater.

It's true that my definition of authorization is more complicated than Orin's, that it requires more line-drawing.  But so does life.  Orin’s alternative is as simple -- and as unjust -- as applying the murder laws equally to serial killers and to homeowners who shoot home invaders.  

Nothing in law or policy requires that we adopt such a reading.

More good news for network security:  It turns out that the tools attackers use to control compromised computers are themselves full of security holes. A couple of undergrads interning for Matasano Security have reverse-engineered the Remote Access Tools (RATs) that attackers use to gain control of compromised machines. 

According to Dark Reading, Jesse Hertz and Shawn Denbow found numerous flaws in commonly used RATs, including SQL injection, arbitrary file reading, and weak encryption.

"This shows that it is possible, and that it's not hard, to pick apart attacker tools and come up with proactive defenses against them," says John Villamil, senior security consultant with Matasano, who served as Denbow and Hertz's adviser for the project. "If nothing else, it can help forensics companies analyzing traffic from compromises ... and help build tools that analyze these Trojans, and provide signatures [to detect them]."

Vulnerability research into attacker tools is rare, but not unheard of. "It's very rare to see this type of research," Villamil says.

RATs, which typically conduct keylogging, screen and camera capture, file management, code execution, and password-sniffing, for example, basically give the attacker a foothold in the infected machine as well as the targeted organization.

This is great news for cybersecurity.  It opens new opportunities for attribution of computer attacks, along lines I’ve suggested before: “The same human flaws that expose our networks to attack will compromise our attackers’ anonymity.”

In this case, the flaws identified by Hertz and Denbow could allow defenders to decrypt stolen documents and even to break into the attacker’s command and control link – while the attacker is still on line. That opens up the possibility of a true counterhack, in which the defender exploits a flawed attack to gain control of the attacker’s machine.

It’s only a matter of time before counterhacks become possible. The real question is whether they’ll ever become legal. Both the reporter and the security researcher agree that, “legally, organizations obviously can't hack back at the attacker.”

I think they're wrong on the law, but first let's explore the policy question.  Should victims be able to poison attackers' RATs and then use the compromised RAT against their attacker?

We'll start with the obvious.  Somebody should be able to do this.  And, indeed, it seems nearly certain that somebody in the U.S. government -- using some combination of law enforcement, intelligence, counterintelligence, and covert action authorities -- can do this.  (I note in passing, though, that there may be no one below the President who has all these authorities, so that as a practical matter RAT poisoning may not happen without years of delay and a convulsive turf fight. That's embarrassing, but beside the point, at least today.)

Asking government to do the job has some drawbacks, though. Counterhacking is likely to work best if the attacker is actually on line, when the defenders can stake out the victim’s system, ready to give the attacker bad files, to monitor the command and control machine, and to copy, corrupt, or modify exfiltrated material.  Defenders may have swing into action with little warning. 

Who is going to do this?  Put aside the turf fight. Does anyone think that NSA or the FBI or the CIA have enough technically savvy counterhackers to stake out the networks of the Fortune 500, waiting for the bad guys to show up?

And even if they do, who wants them there? Privacy campaigners will hate the idea of giving the government that kind of access to private networks, even networks that are under attack. For that matter, businesses holding sensitive data won’t much like the stark choice of either letting foreign governments steal it all or giving the US government wide access to their networks.

From a policy point of view, surely everyone would be happier if businesses could hire their own network defenders to do battle with attackers. Hiring defenders would greatly reinforce the thin ranks of government investigators.  It would make wide-ranging government access to private networks less necessary.  And busting the government monopoly on active defense would probably increase the diversity, imagination, and effectiveness of the counterhacking community.

But, you ask, what about vigilantism, that tired bugaboo of the Justice Department’s Old Guard?

First, as I’ve suggested elsewhere, allowing private counterhacking doesn’t mean reverting to a Hobbesian war of all against all.  Government can set rules and discipline violators, just as it does with other privatized forms of law enforcement, from the securities industry’s FINRA to private investigators.

Second, the "vigilatism" claim depends heavily on sleight of hand.  People who hate this idea invariably call it "hacking back," with the heavy implication that the defenders will blindly fire malware at whoever touches their network, laying indiscriminate waste to large swaths of the Internet. For the record, I'm against that kind of hacking back too.  But RAT poison makes possible a kind of counterhacking that is far more tailored and prudent.  Indeed, with such a tool, trashing the attacker's system is dumb; it is far more valuable as an intelligence tool than for any other purpose.  

Of course, even if they aren't trashing machines, the defenders will be collecting information.  And gathering information from someone else's computer certainly raises moral and legal questions. So let's look at the computers that RAT poisoning might allow investigators to access.  

First, and most exciting, this research could allow us to short-circuit some of the cutouts that attackers use to protect themselves.  I grant that I’m beyond my technical capabilities in saying this, but it seems highly unlikely to me that an attacker can use a RAT effectively without a real-time connection from his machine to the compromised network.  Sure, the attacker can run his commands through onion routers and cutout controllers.  But at the end of all the hops, the attacker is still typing here and causing changes there.  If the software he’s using can be compromised, then it may also be possible to reverse the flow of code inject arbitrary code into his machine and thus compromise both ends of the attacker's communications.  That’s the Holy Grail of attribution, of course. 

Is there a policy problem with allowing private investigators to compromise the attacker's machine for the purpose of gathering attribution information? Give me a break. Surely not even today's ACLU could muster more than a flicker of concern for a thief's right to keep his victim from recovering stolen data.  

The harder question comes when the attacker is using a cutout -- an intermediate command and control computer that actually belongs to someone else.  In theory, gathering information on the intermediate computer intrudes on the privacy of the true owner. But, assuming that he's not a party to the crime, he has already lost control of his computer and his privacy, since the attacker is already using it freely.  What additional harm does the owner suffer if the victim gathers information on his already-compromised machine about the person who attacked them both? Indeed, an intermediate command and control machine is likely to hold evidence about hundreds of other compromised networks.  Most of those victims don't know they've been compromised, but their records are easy to recover from the intermediate machine once it has been accessed.  Surely the social value of identifying and alerting all those victims outweighs the already attenuated privacy interest of the true owner.

In short, there's a strong policy case for letting victims of cybercrime use tools like this to counterhack their attackers. If the law forbids it, then to paraphrase Mr. Bumble, "the law is a ass, a idiot," and Congress should change it.  

But I don't think the law really does prohibit counterhacking of this kind, for reasons I'll offer in a later post.

PHOTO: iStockPhoto

UPDATE: I modified a phrase that turned out to be more colorful than helpful to literal-minded readers.

In an earlier post, I made the policy case for counterhacking, and specifically for exploiting security weaknesses in the Remote Access Tools, or RATs, that hackers use to exploit computer networks. 

Poisoning an attacker's RAT is a good idea for at least three reasons.  First, we can make sure the RAT doesn't work or that it actually tells us what the attackers are doing on our networks.  Second, compromising the RAT can give us access to the command and control machines that serve as waystations that let attackers download stolen data or upload new malware.  Finally, if we're very lucky and very good, we can use the poisoned RAT to compromise the attacker's home machine, directly identifying him and his organization.

The legal case for counterhacking is more problematic, thanks to long-standing opposition from the Justice Department's Computer Crime and Intellectual Property Section, or CCIPS.  Here's what CCIPS says in its Justice Department manual on computer crime:

Although it may be tempting to do so (especially if the attack is ongoing),
the company should not take any offensive measures on its own, such as
“hacking back” into the attacker’s computer—even if such measures could in
theory be characterized as “defensive.” Doing so may be illegal, regardless of
the motive. Further, as most attacks are launched from compromised systems
of unwitting third parties, “hacking back” can damage the system of another
innocent party

This passage is a mix of law and policy. I've already explained why the Justice Department's policy objections -- the risk of damage to innocent parties' systems -- are out of date. 

That leaves the law. Does the Computer Fraud and Abuse Act, or CFAA, foreclose counterhacking?  In fact, the weasel words of the manual -- hacking back "may be illegal," it says, so victims "should not" do it -- are a clue that the law is at best ambiguous.

Really, ambiguity is the heart of the CFAA. To oversimplify a bit, violations of the CFAA depend on "authorization."  If you have authorization, it's nearly impossible to violate the CFAA, no matter what you do to a computer. If you don't, it's nearly impossible to avoid violating the CFAA.

But the CFAA doesn't define "authorization."  It's clear enough that things I do on my own computer or network are authorized. That means that the first step in poisoning a RAT is lawful.  You are "authorized" under the CFAA to modify any code on your network, even if it was installed by a hacker.  (Let's put aside copyright issues; they generally don't enter into CFAA "authorization" analysis, and it's unlikely in any event that a hacker could enforce intellectual property rights against his victim.)

A harder question is whether you're "authorized" to hack into the attacker's machine to extract information about him and to trace your files.  As far as I know, that question has never been litigated, and Congress's silence on the meaning of "authorization" allows both sides to make very different arguments.  The attacker might say, "I have title to this computer; no one else has a right to look at its contents. Therefore you accessed it without authorization." And the victim could say, "Are you kidding?  It may be your computer but it's my data, and I have a right to follow and retrieve stolen data wherever the thief takes it.  Your computer is both a criminal tool and evidence of your crime, so any authorization conveyed by your title must take a back seat to mine."

In a civil suit, Congress's decision to leave undefined the central concept of the statute would make both of those arguments plausible.  Maybe "authorization" under the CFAA is determined solely by title; and maybe it incorporates all the constraints that law and policy put on property rights in other contexts. Personally, I dislike statutory interpretations that fly in the face of good policy, so I think the counterhacker wins that argument.  

But that hardly matters; computer hackers won't be bringing many lawsuits against their victims.  The real question is whether victims can be criminally prosecuted for breaking into their attacker's machine.  

And here the answer is surely not.  

Even if you could find a federal prosecutor wacky enough to bring such a case (and after the Lori Drew case, I'm afraid that's not unthinkable), the ambiguity of the statute makes a successful prosecution nearly impossible; deeply ambiguous criminal laws like this are construed in favor of the defendant.See, e.g.,  McBoyle v. United States, 283 U.S. 25, 27 (1931) ("[I]t is reasonable that a fair warning should be given to the world, in language that the common world will understand, of what the law intends to do if a certain line is passed. To make the warning fair, so far as possible, the line should be clear.") (Holmes, J.).

Much the same analysis applies even to the hardest case, where victims use a compromised RAT to access command and control machines that turn out to be owned by an innocent third party.  An innocent third party is a more appealing witness, but his machine was already compromised by hackers before the counterhacking victim came along, and it was being used as an instrumentality of crime, sufficient in some states to justify its forfeiture. It remains true that the counterhacker is pursuing his own property.

Finally, when he begins his counterhack, the victim does not know whether the intermediate machine is controlled by an attacker or by an innocent third party. Why should the law presume that it is owned by an innocent party -- or force the victim to make that presumption, on pain of criminal liability? (There's room for empirical research here; while a few years ago hackers seemed to favor compromising third-party machines for command and control, the Luckycat study suggests that some attackers now prefer to use machines and domains that they control.  As the latter approach grows more common, a presumption that intermediate machines are owned by innocent third parties will grow even more artificial.)

All told, it seems reasonable to let victims counterhack a command and control machine that is exfiltrating information from the victim's network, at least enough to determine who is in control of the machine, to identify other victims being harmed by the machine, and to follow the attacker back to his origin (or at least his next hop) if the intermediate machine is simply another victim. Requiring the victim not to counterhack if there's uncertainty about the innocence of the machine's owner simply gives an immunity to attackers.

The balance of equities thus seem to me to favor a recognition of the victim's authorization to conduct at least limited surveillance of a machine that is, after all, directly involved in a violation of the victim's rights.  If "authorization" under the CFAA really boils down to a balancing of moral and social rights, and nothing in the law refutes that view, then the counterhacker has at least enough moral and social right on his side to make a criminal prosecution problematic -- unless he damages the third party's machine, in which case all bets are off.