Baechle
Advocate I

Unauthorized Access or Fixing a Technical Complication?

Colleagues,

I'd like to get the community dialog regarding the legal term, "Unauthorized Access".  I've seen quite a few articles in recent history that condemn the language in the current set of acts making up Title 18 U.S.C. § 1030 as being too restrictive of computer security researchers by simultaneously being too vague.  I've heard very reasonably sounding arguments on both sides that simply fail logic tests.

Georgia recently vetoed a bill proposing language in its state laws defining "Unauthorized Access" (Senate Bill 315, Computer Crimes; create a new crime of unauthorized computer access; penalties, http://www.legis.ga.gov/legislation/en-US/Display/20172018/SB/315).  I'm personally confused why we feel the need to define this further than we commonly use the words, unauthorized and access.


In reading the Wired article by Lily H. Newman, A Georgia Hacking Bill Gets Cybersecurity All Wrong (https://www.wired.com/story/georgia-sb315-hacking-bill-wrong/), there was a reference to a prior Wired article from 2014 authored by Kim Zetter, Hacker Lexicon: What is the Computer Fraud and Abuse Act? (https://www.wired.com/2014/11/hacker-lexicon-computer-fraud-abuse-act/).  In the earlier article, Zetter argues that the language of the current CFAA criminalizes legitimate security research.  I've read and reread this article.  I've read numerous other articles making the same claim.  Each of them has a similar argument, so I'm only referencing the first and primary one by Zetter here.

In the Zetter article, the argument is made for Prosecutorial abuse by overstretching the language of unauthorized access to mean creating a Sock Puppet account against a service provider's terms of service.  Here is my take on this concept.  If the person would otherwise have been able to obtain an account by using their true identity and registration details, then this is not an unauthorized access but a breach of terms of a contract.  If, on the other hand, the person would not have been able to obtain an account with their true identity and registration details because they had been banned personally or because they are a member of a group that was banned (for example, an employee of a competitor), then this would be unauthorized access.  In the first case the use of false identity is simply a misuse of the service, while in the second it's clearly an attempt to circumvent being denied an account.

The Zetter article continues to discuss the proposed "Aaron's Law" amendment to the CFAA that would specifically exempt changing MAC or IP addresses as exemplar methods of circumventing access controls.  Here is the essential breakdown.  We have one set of security professionals running around saying, Port Security and IP Tables are forms of network Access Control Lists.  Then, we have another set of security professionals running around saying that things like circumventing Access Control Lists isn't a method of gaining "Unauthorized Access".

Which side of this argument do you reside on?

18 Replies
JoePete
Advocate I

Rather than worrying about creating a new concept of "unauthorized access," we could just apply the traditional definition of "trespass" to the digital realm. Broadly, trespassing has been defined as knowingly entering another person's property without permission. In the US we also have case law that further defines trespassing. The problem is legislators and judges think we need new laws because we are dealing with new crimes. These are just old crimes being performed in a new medium.

Baechle
Advocate I

Thanks Joe,

I appreciate your input.  If my memory serves me right, we used to define "unauthorized access" as "electronic trespass".

@JoePete wrote:

The problem is legislators and judges think we need new laws because we are dealing with new crimes. These are just old crimes being performed in a new medium.


In this case, we have security pros saying that they should have the right to perform security based research and that the wording of the CFAA is so vague that it wraps their activities up in the criminal definition of "Unauthorized Access."  For example, an organization that provides WiFi access for their employees limits that access through a combination of static IP assignment and MAC filtering (presumably because 802.1x is currently too expensive to field/maintain with their current budget and staff).  The security researchers propose that solely on the basis that these security controls are easy for them to circumvent, then they are legally the equivalent of no security control.

How do you feel about that position?

denbesten
Community Champion

@JoePete has the correct analogy.

Should a self-proclaimed "security researcher" have the right to come up to my front door and ring the doorbell?  Absolutely.  Check if the door is locked?  Questionable.  Come inside to "see" if my TV is bolted down?  Absolutely not.  If the "researcher" keeps ringing my doorbell and I ask them to go away, they must do so.

The digital domain needs similar thresholds.

Authorized red teams protect themselves with a contract that explicitly includes scope-of-work, safeword provisions and authorization to proceed.  If a self-proclaimed security researcher wants this level of protection, they need a similar legal instrument. I understand that getting permission from "everyone" is difficult and perhaps impossible, but that hurdle should not shield them from damage claims if they cause harm.

That said, we likely need to enumerate the digital equivalents of "ringing the doorbell" through legislative action before case law does it for us.

JoePete
Advocate I


@Baechle wrote:

 

I appreciate your input.  If my memory serves me right, we used to define "unauthorized access" as "electronic trespass".  


Good point.


In this case, we have security pros saying that they should have the right to perform security based research and that the wording of the CFAA is so vague that it wraps their activities up in the criminal definition of "Unauthorized Access." 


Two aspects of physical trespass recognized in many US states are

  1. Some sort of intent - you know you're not supposed to be there but you go there anyway.
  2. The property owner has to give you some sort of warning.

For security researchers, let's say someone is just probing different networks, access points; I think we need to define at what point you in fact trespass vs. you are just looking around. If you manage to obtain an IP address on a network that could be an important distinction. But if all I am doing is intercepting, examining WiFi traffic or doing a port scan of an Internet facing server, to me that is the equivalent of standing at the edge of someone's property and looking. Arguably even gaining an IP from a poorly secured network might not be unauthorized access any more than stepping onto private property that isn't marked or secured as such is physical trespassing. I think there is also a concept of "abandoned" property. Just as if I am walking down the street and I see on the curb a TV, I can assume someone has left it there for the trash or to be picked up for free, if I come across a network or device on a network that lacks any reasonable care - never been patched, poorly secured, can I assume it is abandoned and free for exploration or use? Certainly that raises issues. Ethically, you should never enter a network without permission, but in broader legal context, it raises an interesting defense.

vt100
Community Champion

It is an interesting question.

I posit that the definition and qualification of "Security Researcher" should be defined in addition to the "Unauthorized Access".

If you are registered, qualified and are subject to the code of conduct with repercussions for violations, you should be able to perform research that, as well as the reporting of its findings, is governed by law.

Should the above be omitted, we'll be at the mercy of the foreign crime perpetrators that seldom care about our interpretation of the terms.

Baechle
Advocate I

Joe,

@JoePete wrote:
Two aspects of physical trespass recognized in many US states are
  1. Some sort of intent - you know you're not supposed to be there but you go there anyway.
  2. The property owner has to give you some sort of warning.

One of the problems that I think we run into is that we often attempt to describe the online world through physical parallels and analogies without running them to their end.  As you point out, in the physical world trespass often requires notice and then willful disobedience of the notification.

The problem with applying this physical parallel to the online world is that we often stop here.  The logical translation of this parallel to the online world means that there has to be some banner announcement or click-wrap agreement telling someone they're not welcome to meet the online version of "notice."

We've failed to fully apply the custom from the physical world in that context. In the physical world we equate certain physical barriers (like a locked door) with notice.  For example, a locked door doesn't mean we can crawl in through the bathroom window or smash the front windows with a brick.  It generally means "go away"; or at most, come back and try [to open the front door normally] again later.  A host that answers the door, telling you the business is closed for a private party for township residents doesn't mean you can then lie about your home address (or IP address) to gain admittance.  Knowingly providing materially false information (an address) that is relied upon to confer a benefit (admittance) is the textbook definition of fraud.

@JoePete wrote:

For security researchers, let's say someone is just probing different networks, access points, I think we need to define at one point you in fact trespass vs. you are just looking around. If you manage to obtain an IP address on a network that could be an important distinction. But if all I am doing is intercepting, examing WiFi traffic or doing a port scan of an Internet facing server, to me that is the equivalent of standing at the edge of someone's property and looking.

I'm with you here, but you also changed the scenario.  This is less on par with the arguments that were being made by security researchers, and more on par with a civil case involving Google mapping WiFi hot-spots.  Google eventually won in appeals.

Let's talk about looking around.  We can't throw a brick through the window; or send a destructive packet without invoking the CFAA's damage clause.  So, let's assume that we sent data but it's just getting dropped.  We might make an assessment that the target is using 802.1x, MAC or IP filtering.  In my opinion, that's as far as looking around goes.  That is the equivalent of seeing something that looks like a bathroom window on the side of the building.

If you then change your MAC or IP address to gain access, you have done the equivalent of walking up and opening the window on the precipice of going inside; or lied about your home address and age to the bouncer at the front door.  In the physical world you can stop there and turn away.  You can open the window (presumably without sticking your fingers inside - known as crossing the threshold) or lie to the bouncer, and then never actually go inside the building.  In the online world you can't well separate the preparatory act of transmitting the spoofed-MAC/IP packet (either opening the window or lying to the bouncer) from the functional act of accessing the network (going inside the building).

EDIT:  These acts online simultaneously cross the threshold and place the actor inside the network.  In my opinion therefore, an actor just gained Access to the system using the common definition of access.  Because they had to lie about the origin of their traffic by masking their MAC or IP Address, circumventing an Access Control List, then it was Unauthorized.  Hence, Unauthorized Access.

Baechle
Advocate I


@vt100 wrote:

I posit that the definition and qualification of "Security Researcher" should be defined in addition to the "Unauthorized Access".

If you are registered, qualified and are subject to the code of conduct with repercussions for violations, you should be able to perform research that, as well as the reporting of its findings, is governed by law.

It sounds like you are in favor of a formal licensing scheme for computer security practitioners, something on the order of Private Investigators, Accountants, Engineers, Doctors, etc.?

I personally don't think we need to go any further in defining what unauthorized access is.  I believe that we need to start spending more time thinking critically about what defines "unauthorized" in the online world.  I think based upon several conversations with folks that have admitted to hacking, that the problem is we psychologically devalue the stress and cost of gaining unauthorized access to a computer because it's usually not in-person.  We don't see the nonverbal cues of annoyance, anguish, violation in a person's facial expressions or body language like we might if we happened to crawl in through someone's side window and silently peer at all their personal belongings, flip through their wedding album and check book, then silently leave again without stealing anything.

I believe the definition of "unauthorized access" is fine in its common form.  What I think we need to do is to think more critically about what the impact of various online actions are.

Baechle
Advocate I

William,

@denbesten wrote:

 

Authorized red teams protect themselves with a contract that explicitly includes scope-of-work, safeword provisions and authorization to proceed.  If a self-proclaimed security researcher wants this level of protection, they need a similar legal instrument.


I think you hit the nail on the head with this statement.  If you are going to attempt to gain access to a system that you don't otherwise have authorization to access, then you should have an agreement or other contract permitting you to do so.  The agreement is then your authorization.

@denbesten wrote:

 

That said, we likely need to enumerate the digital equivalents of "ringing the doorbell" through legislative action before case law does it for us.

I think that these standards already exist.  I believe where we are getting into trouble is by failing to put enough time into critically thinking about the consequences of various online actions.

I don't want to start a religious discussion but another parallel is in order.  Many of my friends argue over religion, and one of the tools that they use is cherry picking their arguments from the religious texts.  Cherry picking involves taking the portion of a statement that supports their claim and leaving out the portion that would either negate or refute their claim.  I believe this is what we as a community have been doing with our Online to Physical analogies.

The discussion about "notice" under trespass rules is a perfect example.  We often stop at defining notice for the online world as meaning something a person has to read and agree to, in order to move on.  Lacking a notice, a person has free range.

What we forgot to do is apply the common understanding that other scenarios are equivalent to "notice".  A locked door is equivalent to notice.  A qualifier check that you don't meet is equivalent to notice, i.e., a bouncer that refuses you access because of your age or residency status; or an IP address filter that drops traffic from your range.

If you know that you have to lie about the origin of your traffic to gain admittance, then you have been properly notified (or given the knowledge) that traffic from your IP address is unwelcome... and logically you would have had to have been notified for you to have acted on that knowledge in circumventing that access control.

Lamont29
Community Champion

I think that the proponents of either side have either misinterpreted or stretched the meaning of authorized/unauthorized access. The word 'access' is so normalized in the information security profession, I barely know how to break it down any further. Maybe the law clerks or lawyers who are writing these laws have a poor understanding of information systems? These are poor semantics and misinterpretations as far as I can tell. I might dig deeper later.

Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE