Colleagues,
I'd like to open a community dialog regarding the legal term "Unauthorized Access". I've seen quite a few articles in recent history that condemn the language in the current set of acts making up Title 18 U.S.C. § 1030 as being too restrictive of computer security researchers while simultaneously being too vague. I've heard very reasonable-sounding arguments on both sides that simply fail logic tests.
Georgia recently vetoed a bill proposing language in its state laws defining "Unauthorized Access" (Senate Bill 315, Computer Crimes; create a new crime of unauthorized computer access; penalties, http://www.legis.ga.gov/legislation/en-US/Display/20172018/SB/315). I'm personally confused why we feel the need to define this further than we commonly use the words unauthorized and access.
In reading the Wired article by Lily H. Newman, A Georgia Hacking Bill Gets Cybersecurity All Wrong (https://www.wired.com/story/georgia-sb315-hacking-bill-wrong/), there was a reference to a prior Wired article from 2014 authored by Kim Zetter, Hacker Lexicon: What is the Computer Fraud and Abuse Act? (https://www.wired.com/2014/11/hacker-lexicon-computer-fraud-abuse-act/). In the earlier article, Zetter argues that the language of the current CFAA criminalizes legitimate security research. I've read, and reread, this article. I've read numerous other articles making the same claim. Each of them has a similar argument, so I'm only referencing the first and primary one by Zetter here.
In the Zetter article, the argument is made for prosecutorial abuse by overstretching the language of unauthorized access to mean creating a sock puppet account against a service provider's terms of service. Here is my take on this concept. If the person would otherwise have been able to obtain an account by using their true identity and registration details, then this is not an unauthorized access but a breach of the terms of a contract. If, on the other hand, the person would not have been able to obtain an account with their true identity and registration details because they had been banned personally or because they are a member of a group that was banned (for example, an employee of a competitor), then this would be unauthorized access. In the first case the use of a false identity is simply a misuse of the service, while in the second it's clearly an attempt to circumvent being denied an account.
The Zetter article continues to discuss the proposed "Aaron's Law" amendment to the CFAA that would specifically exempt changing MAC or IP addresses as exemplar methods of circumventing access controls. Here is the essential breakdown. We have one set of security professionals running around saying that port security and iptables are forms of network Access Control Lists. Then, we have another set of security professionals running around saying that things like circumventing Access Control Lists aren't a method of gaining "Unauthorized Access".
On which side of this argument do you reside?
@Lamont29 wrote: The word 'access' is so normalized...
I think the more relevant discussion is around the word "Unauthorized" (or authorized).
An interesting thought exercise is at what point does "bobby tables" cross the line from authorized to unauthorized access? As described in the XKCD, I think it remains "authorized", but if one started to work around intentional protections (e.g. rewriting JavaScript in the browser) to get it submitted, I can see the line being crossed.
It also raises the question of negligent software design, but that is a whole different conversation.
@JoePete wrote:
I think there is also a concept of "abandoned" property. Just as if I am walking down the street and I see on the curb a TV, I can assume someone has left it there for the trash or to be picked up for free.
If it is next to the trash can on trash day, that seems a reasonable presumption. However, if it were a kid's bike on some other day, it is much more likely to be mislaid property, which you have an obligation to return to the true owner. Check out Wikipedia for more comprehensive insight.
William,
EDIT: I apologize, I had to edit this reply. It was apparent when I reread your example that you were clearly stating that this was not an example of "Unauthorized Access". This example, however, does pick one of the handful of clauses of the CFAA (18 USC § 1030) that deals with causing or attempting to cause damage, regardless of the level of access.
So, I'm leaving my original reply with the caveat that it is off topic.
@denbesten wrote: An interesting thought exercise is at what point does "bobby tables" cross the line from authorized to unauthorized access?
I absolutely love this example. Not only is it cute, but it also subtly illustrates what I believe is an input to the problem. Computer folks, especially security professionals, and hackers likely the most of all, think they’re clever.
Let me break this cartoon down using legal analysis. The mother names her son using the construct of an SQL injection. It’s clever because it causes data destruction and presumably avoids a penalty because the school staff are the ones that entered the command.
@denbesten wrote: As described in the XKCD, I think it remains "authorized", but if one started to work around intentional protections (e.g. rewriting JavaScript in the browser) to get it submitted, I can see the line being crossed.
If I understand your conjecture right, you either think (a) this doesn't meet the definition of "Unauthorized Access"; or (b) you believe that this type of behavior is legitimate. I agree with (a), but completely disagree with (b).
The problem is that the same example shows knowledge and intent to cause damage, meeting the conditions of 18 USC § 1030(a)(5)(A). First, you might presume that the child's name was just a random happenstance, except that it was specifically the exact syntax needed to cause an SQL injection, the likelihood of such a random occurrence being so low as to be unreasonable as a coincidence. Second, the mother then confirms she understood the concept of SQL commands and tables, SQL syntax, and input sanitization; effectively stating that she knew or should have known that the name had a high probability of causing a damage-inducing SQL injection. And putting in process a chain of events so as to cause another person to input the data qualifies under 18 USC § 1030(a)(5)(A). So, it is not as clever as originally thought.
Lamont,
I appreciate you weighing in on this!
@Lamont29 wrote: The word 'access' is so normalized in the information security profession, I barely know how to break it down any further. Maybe the law clerks or lawyers who are writing these laws have a poor understanding of information systems?
I respectfully request that you re-read the thread with the understanding that the claims on either side are being made by security professionals – not lawyers and law clerks. There is a divide in our own profession.
We are talking specifically about the active evasion or circumvention of a security control. Some security professionals believe that because it was relatively easy for them to circumvent (e.g. using a VPN/Proxy, or changing a MAC address to evade a network Access Control List) that this means it is not legally a security control.
Where do you sit on this debate?
@Baechle wrote:
We are talking specifically about the active evasion or circumvention of a security control. Some security professionals believe that because it was relatively easy for them to circumvent (e.g. using a VPN/Proxy, or changing a MAC address to evade a network Access Control List) that this means it is not legally a security control.
Where do you sit on this debate?
Okay,
I have a better understanding now. The only issue to consider is the 'intent' as a matter of legality. We as information security professionals are also required to consider common laws, criminal laws and other forms of regulations and the spirit of those laws and regulations. A hacker cannot offer a defense in court "because it was so easy..." and expect to be exonerated for breaching that access. If I wanted to legally mitigate a perpetrator's action of making my yard a short-cut, then I only need to post "Do Not Trespass" signs. There's nothing etched in law that requires me to build a 10-foot-high, razor-wire, electric fence around my property that prisoners would admire.
I may choose to set up a small business network utilizing Windows NT (easy to break). Yet, if I put in the security controls, the banners, and do my due diligence to keep the information residing in my NT network from prying eyes, no court will step out of the box and say, "Well, you could have used BSD, Linux or Windows 2008 or higher for better security!" The answer to this question that we all ought to adopt is clearly stated in our code of ethics as ISC2 professionals: "Act honorably, honestly, justly, responsibly, and legally."
Maybe we can offer better advice to discourage poor security configurations, but we should never use our knowledge, skills, and ability to do harm.
More realistic examples are the last names O'Conner and den Besten. Oftentimes, they will error-out a web site that does not sanitize data inputs, or the web site will corrupt them into Oconner, Denbesten, or Besten.
My intended observation was that entering malicious input through the published web interface is likely "authorized access", whereas mucking about with the page to bypass an input validator is much more likely to be "unauthorized".
You correctly highlight that even being authorized access, the cartoon taken at face value likely would run afoul of other laws, but that is not the point of Bobby Tables. Its goal is to remind developers to skeptically handle inputted data, and it does so in an engaging fashion that a techie can quickly grasp.
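The Bobby Tables exchange above, as an added example that is not part of the thread: a Python/sqlite3 script that feeds the comic's payload and the two surnames from the post through an INSERT built by string concatenation and through a parameterized INSERT. The table name, the payload text and the surnames are constructed sample inputs. The concatenated version uses executescript() because that is the only way the standard sqlite3 module will run a stacked second statement, which is what the comic's payload relies on; drivers for other databases often accept stacked statements by default.

```python
import sqlite3

# Constructed sample inputs (not from the thread): the XKCD payload and two
# ordinary surnames that also trip up naive string-built SQL.
BOBBY = "Robert'); DROP TABLE Students;--"
NAMES = ["O'Conner", "den Besten", BOBBY]


def fresh_db():
    """New in-memory database holding the one table the comic drops."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT)")
    return conn


def insert_unsafe(conn, name):
    """Builds the statement by concatenation, so the input is parsed as SQL.
    executescript() runs stacked statements, standing in for a backend that
    accepts several statements per call, which the comic's payload assumes."""
    sql = "INSERT INTO Students (name) VALUES ('" + name + "');"
    conn.executescript(sql)


def insert_safe(conn, name):
    """Parameterized query: the driver binds the name as data, never as syntax."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))


def table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'Students'"
    ).fetchone()
    return row[0] == 1


def stored_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM Students")]


def run(insert):
    """Insert each sample name into a fresh database with `insert`; return a
    dict of name -> 'kept:<stored names>', 'dropped', or 'error:<exception>'."""
    outcomes = {}
    for name in NAMES:
        conn = fresh_db()
        try:
            insert(conn, name)
            if table_exists(conn):
                outcomes[name] = "kept:" + "|".join(stored_names(conn))
            else:
                outcomes[name] = "dropped"
        except sqlite3.Error as exc:
            # O'Conner breaks the concatenated statement: the apostrophe ends the literal early.
            outcomes[name] = "error:" + type(exc).__name__
        finally:
            conn.close()
    return outcomes


if __name__ == "__main__":
    for label, fn in (("concatenated", insert_unsafe), ("parameterized", insert_safe)):
        print(label)
        for name, outcome in run(fn).items():
            print("  %-34r -> %s" % (name, outcome))
```

With the parameterized statement all three names are stored verbatim and the table survives; with concatenation O'Conner raises a syntax error, den Besten happens to work, and the comic's payload drops the table. The check lives in the server-side query layer on purpose: any validation done in browser JavaScript is exactly what the "rewriting javascript in the browser" bypass in the thread defeats, so it cannot be the control that protects the database.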
"We are talking specifically about the active evasion or circumvention of a security control. Some security professionals believe that because it was relatively easy for them to circumvent (e.g. using a VPN/Proxy, or changing a MAC address to evade a network Access Control List) that this means it is not legally a security control."
I need to learn the quoting methodology here!
Just because the security "professional" knows more than the Geek Squad kid who knows just enough to keep his 70-year-old customer safe is not license to step beyond the border of the elderly person's enclave. Both physically and logically that border is defined by an IP/MAC combination (logical) and NIC/FiOS gateway (physical). I don't think FiOS would agree with the security "professionals'" definition of probing their network to see which gateway units are stock or modified with tighter controls.
This is not subjective. We professionals that do take security seriously, that have scruples and respect the intent of others even if they aren't as knowledgeable as us, are duty bound to continually educate those in our sphere of influence on new trends in securing themselves and the issues that are out there.
I do this with my facebook community and those that I lead in church.
Mark,
@Flyslinger2 wrote:I need to learn the quoting methodology here!
I recently got schooled in this also. 🙂
@Flyslinger2 wrote:
Just because the security "professional" knows more than the Geek Squad kid who knows just enough to keep his 70-year-old customer safe is not license to step beyond the border of the elderly person's enclave. Both physically and logically that border is defined by an IP/MAC combination (logical) and NIC/FiOS gateway (physical). I don't think FiOS would agree with the security "professionals'" definition of probing their network to see which gateway units are stock or modified with tighter controls.
I completely agree with your assessment. Knowledge of how to circumvent a security control != authority to then circumvent that control. Using that logic, the attackers' mere knowledge of a method to circumvent a security control invalidates that security control as a legal barrier to entry.
Many public-facing web sites use products that have vulnerabilities in them specifically, or in the combination of several products working together. Someone with the knowledge to tamper with variables in a URL/URI should know the difference between sending "&strip=1" in a Google query and sending "&record=[someone else's private data]" after realizing the site is passing database queries through the browser; the latter is exceeding their authorized access.
What are your thoughts on the last example? I concede that we've moved beyond unauthorized access to exceeding authorized access in the discussion.
Sincerely,
Eric B.
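Eric's "&record=" example above, as an added illustration that is not part of the thread: a Python sketch of the server side of such a URL, once looking the record up by the client-supplied id alone, and once checking that the record's owner matches the authenticated session before returning anything. The record contents, owners, the "/statement" path and the status codes are constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (not from the thread): every record has one owner.
RECORDS = {
    101: {"owner": "alice", "data": "alice's account statement"},
    102: {"owner": "bob", "data": "bob's account statement"},
}

# Denied requests are collected so the authorization check also yields a
# detection signal: a user walking record ids shows up here.
DENIED = []


def record_id_from_url(url):
    """Extract the integer 'record' query parameter, or None if absent or garbage."""
    params = parse_qs(urlsplit(url).query)
    try:
        return int(params["record"][0])
    except (KeyError, IndexError, ValueError):
        return None


def view_record_vulnerable(session_user, url):
    """Trusts the URL alone: anyone logged in can read any record by changing
    the number, the '&record=' tampering described in the post."""
    rec = RECORDS.get(record_id_from_url(url))
    if rec is None:
        return 404, None
    return 200, rec["data"]


def view_record_checked(session_user, url):
    """Object-level authorization: the owner stored server-side must match the
    authenticated session before any data leaves the server."""
    rid = record_id_from_url(url)
    rec = RECORDS.get(rid)
    if rec is None:
        return 404, None
    if rec["owner"] != session_user:
        DENIED.append((session_user, rid))
        # Some sites answer 404 here instead, so a probe cannot confirm the id exists.
        return 403, None
    return 200, rec["data"]


if __name__ == "__main__":
    for handler in (view_record_vulnerable, view_record_checked):
        print(handler.__name__)
        for url in ("/statement?record=101", "/statement?record=102", "/statement?record=9"):
            print("  alice GET %-22s -> %s" % (url, handler("alice", url)))
    print("denied attempts:", DENIED)
```

The lookup key still comes from the URL in both versions; what changes is that the checked handler decides who may read the row from state the client cannot edit (the session and the owner column), which is the property the vulnerable handler lacks.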
@Baechle wrote:
Many public-facing web sites use products that have vulnerabilities in them specifically, or in the combination of several products working together. Someone with the knowledge to tamper with variables in a URL/URI should know the difference between sending "&strip=1" in a Google query and sending "&record=[someone else's private data]" after realizing the site is passing database queries through the browser; the latter is exceeding their authorized access.
What are your thoughts on the last example? I concede that we've moved beyond unauthorized access to exceeding authorized access in the discussion.
In this example you are authorized, by publication, to access the website. You are NOT authorized to put your expert knowledge to the test to see what controls they have in place. Only the contractor that has all the rules in place for their pen testing has that right.