
Bad Raps for Non-Hacks


From: InfoSec News <isn () c4i org>
Date: Tue, 17 Jun 2003 02:14:49 -0500 (CDT)

http://www.securityfocus.com/columnists/167

By Mark Rasch
June 16, 2003 

A few odd cases show that you don't have to be a digital desperado to be
accused of a cybercrime... particularly if you embarrass the wrong
bureaucrats.

Some recent (and not so recent) cases illustrate how computer security
professionals and well intentioned whistle-blowers face a genuine risk
of running afoul of computer crime statutes simply for forgetting to
ask the right person, "May I?," before doing a computer security
assessment.

Take the case of Scott Moulten, a computer security professional in
Georgia. He was the principal person responsible for computer security
(through a private company) for a county in Georgia. The county worked
with various cities coordinating and providing 911 Emergency Response
Services. When one city wanted to hook up to the county's 911 network,
Moulten performed a port scan and throughput test on that city's
network to see if the computers were vulnerable to exploit.

Of course, they were. Moulten wisely went no further, and never
attempted to penetrate any of the computers he scanned, and the city
eventually plugged the holes. Did the city award him a medal? A raise?  
A new contract? No... they promptly contacted the Georgia Bureau of
Investigation, which searched and seized his computer and arrested him
for violating the Georgia computer crime laws. The statute in question
made it a felony to use a computer with the intention of "obstructing,
interrupting, or in any way interfering with the use of a computer
program or data... regardless of how long the alteration, damage, or
malfunction persists." Since the port scan infinitesimally slowed the
computer, the government supposed, Moulten violated the statute.

Thousands of dollars of legal fees later (and a civil case to defend
as well), the government abandoned the criminal prosecution with no
charges filed.

Things went worse for Stefan Puffer, a Houston computer security
consultant who briefly worked as a contractor with the Harris County,
Texas district clerk's office. Puffer conducted a "war driving"  
exercise, reportedly accompanied by the head of Harris County's
Central Technology Department, and a reporter for the Houston
Chronicle. Puffer demonstrated that the Harris County clerk's office's
802.11b network was misconfigured to allow anyone to have access to
the network. It was reported that Puffer uploaded a ".gif" file on one
of the computers to demonstrate the ease with which an outsider could
access the network -- an allegation Puffer denied.

The County clerk initially pooh-poohed the incident, claiming that no
data was compromised and that the wireless network was simply a "test"  
network which wasn't in full use. But once the Houston Chronicle ran
an article describing the wireless vulnerability, embarrassed county
officials brought their network up to snuff.

For his efforts, Puffer was investigated by FBI agents, who kicked in
his door at 6AM, seized his computers and all electronic media and
effectively put him out of business. Then he was indicted by a federal
grand jury for violating the federal Computer Fraud and Abuse Act --
with the "damages," bizarrely, assessed as the money the county spent
to close the hole. Efforts to convince the United States Attorney's
Office in Texas to dismiss the charges were unsuccessful, and Puffer
eventually had to stand trial -- at a cost of tens of thousands of his
own and taxpayer dollars. The jury acquitted him in 15 minutes.

Even just writing about computer security can get you in trouble. In
1997, Justin Boucher wrote an article for an underground high school
newspaper describing, in the most general terms, common computer
security vulnerabilities at the High School - most notably bad
passwords. The article prodded his classmates to exploit the
vulnerabilities, but also implored them to "never harm, alter or
damage any computer, piece or software, or person in any way; if
damage has been done do what is necessary to correct that damage, and
to prevent it from occurring in the future and inform computer
managers about lapses in their security, when you're done exploiting
it."

Boucher himself never illegally accessed any school computers, nor is
there any evidence that others did using this information he
published. Nevertheless, the young whistleblower was expelled from
school for one year -- an expulsion that was affirmed by the courts.


Staying Legal

The critical part of the school board's -- and the court's -- decision
was the conclusion that the publication of the article constituted a
criminal act, because it "provided instruction to the public and
unauthorized persons on how to access the school district computer
programs and disclosed restricted access information to the school
district's computers" in violation of Wisconsin's computer crimes
law. The court pointed out that the Wisconsin law made it a crime to
"Disclose[] restricted access codes or other restricted information to
unauthorized persons." Thus, telling the wrong people about the
vulnerabilities discovered can lead to jail.

All of these cases had a few things in common. First, there was no
intent to damage or destroy computers or information contained in
them, and any damage done was exceedingly minimal. Second, there was
no intent to extort the owners of the computers -- unlike Russian hacker
Alexi Ivanov, who exposed security vulnerabilities in an effort to get
paid to fix them. Third, in each of the cases, those responsible for
security at the organization were publicly embarrassed by their poor
security.

The final commonality is the lack of express consent. One key trigger
to virtually all computer crime statutes is the "access" to a computer
without authorization, or in some cases, in excess of authorization.

The combination of broad computer crime laws mixed with defensive
bureaucrats embarrassed by their own failings could harbor dangers for
non-professionals doing seemingly harmless non-invasive procedures
like port scans and wireless drive-bys on networks that they arguably
have some interest in seeing protected.

That's because many state computer crime statutes define "access" to a
computer as any communication with it, or use of the resources of the
computer -- however slight. Thus, to stay legal, one must obtain
permission from someone in authority prior to performing even mild
tests, preferably in writing, and preferably explaining the entire
scope of the test and the possibility of damage (a waiver of liability
would be nice too).

Professional penetration testers already know to get explicit
authorization in writing before beginning work. But given the dramatic
sweep of some of these laws, and the growing history of their abuse,
simple authorization may not be enough. Pen testers should have the
client detail exactly the scope and extent of the network to be tested
-- a range of IP addresses, domains, or physical locations. Straying
beyond these ranges may land the tester in legal hot water.
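One practical way to act on the scoping advice above is a pre-flight gate that refuses any target not covered by the written authorization. The following is an added example, not code from the column or from Solutionary; the scope file format (CIDR ranges plus hostnames, with a leading "*." meaning every subdomain) and the placeholder addresses and names are assumptions made for illustration.

```python
"""Scope gate: reject any target the written authorization does not cover.

Added example, not from the original column. The scope format below
(one CIDR or hostname per line, '*.' prefix for a whole domain) is an
assumed convention; the addresses and names are constructed placeholders
from documentation ranges, not real engagement data.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample authorization, standing in for the client's
# written statement of scope (engagement letter / rules of engagement).
AUTHORIZED_SCOPE = """
# networks explicitly listed in the engagement letter
192.0.2.0/24
2001:db8:10::/48
# hostnames; a leading "*." authorizes every subdomain as well
www.example.test
*.corp.example.test
"""


@dataclass
class Scope:
    networks: list = field(default_factory=list)      # ip_network objects
    hosts: set = field(default_factory=set)           # exact hostnames
    domain_suffixes: set = field(default_factory=set)  # from "*.suffix"


def parse_scope(text):
    """Parse the scope document; '#' starts a comment, blank lines ignored."""
    scope = Scope()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # A bare address parses as a /32 or /128 network.
            scope.networks.append(ipaddress.ip_network(line, strict=False))
            continue
        except ValueError:
            pass
        name = line.lower().rstrip(".")
        if name.startswith("*."):
            scope.domain_suffixes.add(name[2:])
        else:
            scope.hosts.add(name)
    return scope


def in_scope(target, scope):
    """Return (allowed, reason). Hostnames are matched literally and are
    never resolved, so a name outside the list is refused even if it might
    point at an authorized address; add it to the scope explicitly."""
    t = target.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(t)
    except ValueError:
        addr = None
    if addr is not None:
        for net in scope.networks:
            if addr.version == net.version and addr in net:
                return True, "%s is inside authorized network %s" % (addr, net)
        return False, "%s is not in any authorized network" % addr
    if t in scope.hosts:
        return True, "%s is an explicitly authorized host" % t
    for suffix in scope.domain_suffixes:
        if t == suffix or t.endswith("." + suffix):
            return True, "%s is under authorized domain *.%s" % (t, suffix)
    return False, "%s is not an authorized host (no DNS resolution attempted)" % t


def triage_targets(targets, scope):
    """Split a proposed target list into allowed and rejected, with reasons."""
    allowed, rejected = [], []
    for target in targets:
        ok, reason = in_scope(target, scope)
        (allowed if ok else rejected).append((target, reason))
    return allowed, rejected


if __name__ == "__main__":
    scope = parse_scope(AUTHORIZED_SCOPE)
    proposed = ["192.0.2.45", "192.0.3.1", "db.corp.example.test",
                "evil-corp.example.test", "2001:db8:10::7"]
    ok, bad = triage_targets(proposed, scope)
    for target, reason in bad:
        print("REFUSED ", target, "-", reason)
    for target, reason in ok:
        print("ALLOWED ", target, "-", reason)
```

The gate is deliberately strict in the direction the column warns about: a hostname is accepted only if it is listed or sits under a listed domain, and an address is accepted only if a listed network contains it. Anything ambiguous (a lookalike such as `evil-corp.example.test`, or a subdomain of an explicitly listed host) is refused so that the question goes back to the client in writing rather than being settled by the tester's guess.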

And whatever happens, don't write about it for your local High School
newspaper.


SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the 
Justice Department's computer crime unit, and now serves as Senior 
Vice President and Chief Security Counsel at Solutionary Inc. 

