"That was bullshit." — Matthew Keys (@MatthewKeysLive), October 7, 2015
A jury in Sacramento, California, today found former Reuters deputy social media editor Matthew Keys guilty of computer hacking under the Computer Fraud & Abuse Act (CFAA).
The Entrepreneurship & Intellectual Property Law Clinic was partly inspired by the death of Aaron Swartz, who was hounded by federal prosecutors with MIT's complicity.
Raja Bhatia was the original CTO of Avid Media, Ashley Madison's parent company; in an email to Avid CEO Noel Biderman in the latest Ashley Madison dump, he hacked the back-end of Nerve, a competing dating site.
They were all running mods that let them automate away the tedious grinding that is so integral to the way that MMOs incentivize players to devote thousands of hours to their products.
Security researcher Jeremy Richards has called the Hospira Lifecare PCA 3 drug-pump "the least secure IP enabled device" he's examined.
Senators Mark Kirk [R-IL] and Kirsten Gillibrand [D-NY] announced a bill that increases the maximum jail time for "obtaining information from a protected computer without authorization" -- which covers anything you do that violates the BS Terms of Service we all break all day long.
Lisa Rein writes, "This year's annual Aaron Swartz Day event is happening Saturday, November 8th at 6pm at the Internet Archive in San Francisco. The reception starts at 6pm, and activities are going on straight through until 10:30 pm."
Laws like the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act put security researchers at risk of felony prosecution for telling you about bugs in the computers you put your trust in, turning the computers that know everything about us and watch everything we do into reservoirs of long-lived pathogens that governments, crooks, cops, voyeurs and creeps can attack us with.
The CIA's Inspector General has asked the Justice Department to consider criminally charging CIA agents who spied on a Senate committee that was engaged in writing a report that was highly critical of the CIA's use of torture. Senator Mark Udall, who sits on a CIA oversight committee and whose staff was spied on by the CIA, alleges that the CIA surveilled overseeing senators and their staff with Obama's knowledge and consent.
In a recent hearing, Senator Ron Wyden asked the CIA director repeatedly whether the Computer Fraud and Abuse Act, America's major anti-hacking statute, applied to the CIA, and whether the CIA spied domestically. CIA director John Brennan replied "yes" and "no," respectively. If Udall's allegations are correct, this means that Brennan lied to Congress (in the second instance) and committed a felony (in the first instance).
The report that caused some CIA agents to spy on their bosses was about how the CIA was wasting time, getting nowhere and doing something illegal and cruel when it kidnapped terror suspects and tortured the shit out of them.
In Matot v. CH, et al, a middle school assistant principal named Adam Matot asked a court to find that two students who'd set up parody social media accounts mocking him had violated the Computer Fraud and Abuse Act, and when the court laughed that out the door, asked the court to find that the students had violated the RICO Act and were engaged in organized crime. Thankfully, the court understood that this was raw sewage disguised as legal theory [PDF] ("Congress did not intend to target the misguided attempts at retribution by juvenile middle school students against an assistant principal in enacting RICO.") and found for the kids. Here's some trenchant analysis from Venkat Balasubramani:
A large group of "security researchers, academics, and lawyers" have signed onto a letter to Congress demanding that lawmakers enact "Aaron's Law," which would reform the antiquated and terrible Computer Fraud and Abuse Act, which US prosecutors claim makes violating online terms of service into a felony punishable by imprisonment. This is the law that was used to persecute Aaron Swartz, who was accused of violating terms of service by automatically downloading academic articles, rather than accessing them one at a time. The federal prosecutor threatened Aaron with 35 years in prison.
Stephen Heymann is the assistant US attorney who made it his mission to see Aaron Swartz sent to prison for violating terms of service by downloading scientific papers with an automatic script, rather than individually, by hand. Heymann spent a lot of time working with MIT on this -- Aaron used MIT's network to allegedly violate the terms of service -- and in his efforts to get MIT to stay involved in the face of public criticism for their cooperation, he compared Aaron to a rapist who blames his victim. Aaron's lawyers have asked the DoJ to investigate Heymann for breaches of professional standards.
The Electronic Frontier Foundation's Legal Director Cindy Cohn writes in detail about the MIT report on its involvement in Aaron Swartz's prosecution. She criticizes MIT's claim to neutrality in the matter, showing the way that the university went to great, voluntary lengths to help the government prosecute Aaron, and eventually sided with the government in motions to keep the evidence that it turned over to the prosecutor admissible. Cohn shows that MIT's likeliest motivation for this was saving face. Ultimately, Cohn says, "MIT's actions in helping the government prosecute Aaron are shameful, and betray the institution’s commitment to technologists."
Update: Cohn wrote in to add, "The prosecution turned on whether Aaron's access to JSTOR via the MIT network was 'unauthorized' and MIT had tremendous power over which way that decision went in the case. The report acknowledges this but simply repeats MIT's assertion that it didn't actually realize it without criticism or noting how unreasonable (or not believable) this assertion is. The CFAA isn't unknown or unknowable and the folks handling this are in the General Counsel's office. 'Unauthorized access' is the statutory language. And of course MIT's belief that Aaron's access might be unauthorized (as in violation of MIT's policies or maybe JSTOR's) is why they called the police and why he was arrested at their instigation. The idea that after they called the cops they didn't understand what law might have been broken or why their network openness and policies mattered to that determination, such that they never even volunteered the information or asked the prosecution for its theory or more importantly gave information about this to the defense, just isn't believable."
Update: EFF has retracted this post. The Electronic Frontier Foundation's Trevor Timm explains a disturbing and overlooked fact about the trial of Bradley Manning; the charge-sheet against him included two separate felonies under the Computer Fraud and Abuse Act, an ancient anti-hacking statute that has been used as a club to threaten security researchers and activists like Aaron Swartz. The CFAA makes it a separate offense to leak classified information using a computer, such that anyone caught doing so can be charged twice: first under the Espionage Act and again under the CFAA.
This gives tremendous and terrible leverage to prosecutors, who come to the negotiating table with double the ammo: "We'll drop the CFAA charges if you plead guilty to the Espionage Act charges" (or vice-versa). The reality is that there's nothing special about using a computer to leak documents -- indeed, these days you'd be hard pressed not to use a computer -- now that photocopiers, fax machines, phones, cameras and even the daily paper are all built out of computers.
Several Congresses have failed to modernize the CFAA, because the DoJ has forcefully argued that the ability to threaten people with decades in jail for simply using computers has given them the leverage to force "bad guys" to plead guilty, rather than getting a day in court.