December 2014

Is it illegal to test websites for security flaws? Heartbleed & the CFAA

Erin Fleury, MJLST Managing Editor

Earlier this year, the general public became acutely aware of the Heartbleed security bug which exposed vast amounts of encrypted data from websites using OpenSSL technology (estimated to affect at least 66% of active websites). Software companies are still fixing these vulnerabilities but many servers remain vulnerable and surely victims could continue to suffer from these data breaches long after they occurred. While Heartbleed, and the fact that it was around for nearly two years prior to detection, is troubling by itself, it also raises concerns about the scope of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030, and white-hat hackers.

The CFAA prohibits “intentionally accessing a computer without authorization or exceed[ing] authorized access” and thereby “obtain[ing] information from a protected computer.” See § 1030(a)(2). It would appear that the Heartbleed bug operates by doing exactly that. In very simplistic terms, OpenSSL authorizes limited requests for information but Heartbleed exploits a flaw to cause systems to send back far more than what is intended. Of course, the CFAA is meant to target people who use exploits such as this to gain unauthorized access to computer systems, so it would seem that using Heartbleed is clearly within the scope and purpose of the CFAA.
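The mechanism the paragraph describes in words, as an added C example (not code from the post or from OpenSSL): a simplified heartbeat handler that trusts the peer's claimed payload length, beside one that applies the bounds check of the upstream fix. The record layout follows the TLS heartbeat extension; the in-memory scenario and the `'S'` bytes that stand in for neighbouring data are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message: type (1 byte) | payload_length (2 bytes, big-endian) |
 * payload | padding (at least 16 bytes). The peer chooses payload_length. */
#define HB_PADDING 16

/* Vulnerable handler (the Heartbleed pattern): echoes back as many bytes as the
 * peer *claims* are in the payload, never checking that the received record is
 * actually that long. Returns the number of bytes written to out. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap) {
    if (rec_len < 3) return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len > out_cap) return 0;  /* guards the output buffer only */
    memcpy(out, rec + 3, payload_len);    /* reads past the record when the claim is a lie */
    return payload_len;
}

/* Hardened handler: the check has the shape of the upstream OpenSSL fix, which
 * silently drops any heartbeat whose claimed length does not fit in the record. */
size_t heartbeat_hardened(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;               /* too short to be valid */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload_len + HB_PADDING > rec_len) return 0; /* claim exceeds record */
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}

/* Constructed scenario: a 21-byte record that claims a 32-byte payload, followed in
 * the same buffer by bytes of 'S' standing in for whatever data happened to sit next
 * to the record in memory. All reads stay inside mem, so the demo itself is well defined. */
#define MEM_SIZE 48
#define REC_LEN  21   /* 1 + 2 + 2-byte payload + 16 padding */

static void build_scenario(uint8_t mem[MEM_SIZE]) {
    memset(mem, 'S', MEM_SIZE);         /* adjacent memory: constructed "secret" bytes */
    mem[0] = 0x01;                      /* heartbeat_request */
    mem[1] = 0x00; mem[2] = 0x20;       /* claimed payload length = 32 */
    mem[3] = 'h';  mem[4] = 'i';        /* actual payload: 2 bytes */
    memset(mem + 5, 0x00, HB_PADDING);  /* padding; the record ends at byte 21 */
}

/* Count how many adjacent-memory bytes ended up in the echoed payload. */
static int count_leaked(const uint8_t *out, size_t n) {
    int leaked = 0;
    for (size_t i = 0; i < n; i++)
        if (out[i] == 'S') leaked++;
    return leaked;
}

int leaked_by_vulnerable(void) {
    uint8_t mem[MEM_SIZE], out[64];
    build_scenario(mem);
    size_t n = heartbeat_vulnerable(mem, REC_LEN, out, sizeof out);
    return count_leaked(out, n);   /* 14: mem[21..34] were echoed back */
}

int leaked_by_hardened(void) {
    uint8_t mem[MEM_SIZE], out[64];
    build_scenario(mem);
    size_t n = heartbeat_hardened(mem, REC_LEN, out, sizeof out);
    return count_leaked(out, n);   /* 0: the malformed request is dropped */
}

int main(void) {
    printf("vulnerable handler leaked %d adjacent bytes\n", leaked_by_vulnerable());
    printf("hardened handler leaked %d adjacent bytes\n", leaked_by_hardened());
    return 0;
}
```

The "authorized" request is the two-byte payload; everything the vulnerable handler returns beyond it is the "far more than what is intended" the post refers to.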

The real problem arises, however, for people interested in independently (i.e. without authorization) testing a system to determine if it is still susceptible to Heartbleed or other vulnerabilities. With Heartbleed, the most efficient way to test for the bug is to send an exploitative request and see if the system sends back extra information. This too would seem to fall squarely within the ambit of the CFAA and could potentially be a violation of federal law. Even testing a website which has been updated so that it is no longer vulnerable could potentially be a violation under § 1030(b) (“attempting to commit a violation under subsection (a)”).

At first glance it might seem logical that no one should be attempting to access systems they do not own, but there are a number of non-nefarious reasons someone might do so. Perhaps customers may simply wish to determine whether a website is secure before entering their personal information. More importantly, independent hackers can play a significant role in finding system weaknesses (and thereby helping the owner make the system more secure), as evidenced by the fact that many major companies now offer bounty programs to independent hackers. Yet those who do not follow the parameters of a bounty program, or who discover flaws in systems without such a program, may be liable under the CFAA because of their lack of authorization. Furthermore, the CFAA has been widely criticized for being overly broad because, among other reasons, it does not fully distinguish between the reasons one might “exceed authorization.” Relatively minor infractions (such as violating the Terms of Service on MySpace) may be sufficient to violate federal law, and the penalties for fairly benevolent violations (such as exploiting security flaws but only reporting them to the media rather than using the obtained information for personal gain) can seem wildly disproportionate to the offense.

These security concerns are not limited to websites or the theft of data either. Other types of systems could pose far greater safety risks. The CFAA’s definition of a “protected computer” in § 1030(e)(1-2) applies to a wide range of electronics and this definition will only expand as computers are integrated into more and more of the items we use on a daily basis. In efforts to find security weaknesses, researchers have successfully hacked and taken control of implantable medical devices or even automobiles. Merely checking a website to see if it is still susceptible to Heartbleed is unlikely to draw the attention of the FBI, so in many ways these concerns can be dismissed for the simple reason that broad enforcement is unlikely and, of course, many of the examples cited above involved researchers who had authorization. Yet, the CFAA’s scope is still concerning because of the chilling effect it could have on research and overall security by dissuading entities from testing systems for weaknesses without permission or, perhaps more likely, by discouraging individuals from disclosing these weaknesses when they find them.

Without question, our laws should punish those who use exploits (such as Heartbleed) to steal valuable information or otherwise harm people. But the CFAA also seems to apply with great force to unauthorized access which ultimately serves a tremendous societal good and should be somewhat excusable, if not encouraged. The majority of the CFAA was written decades ago and, while there have been recent efforts to amend it, it remains a highly controversial law. Surely, issues surrounding cybersecurity are unlikely to disappear anytime soon. It will be interesting to see how courts and lawmakers react to solve these challenging issues in an evolving landscape.


Somnophilia, The “Sleeping Beauty” Disorder

Becky Huting, MJLST Editor

To date, at least 19 women have come forward accusing Bill Cosby of some type of sexual abuse. The majority of the women have told similar stories that involve some variant of being drugged, sexually assaulted, or being drugged and also sexually assaulted by Cosby. The New York Times recently published a piece entitled “When a Rapist’s Weapon is a Drug” that talks about a particular kind of paraphilia that some hypothesize is present in Cosby: a sexual deviation that involves drugging and raping unconscious partners. While it is important to note there is no indication of any formal diagnoses of Cosby (nor of criminal charges), this narrative has opened the dialogue about the contours of sexual disorder diagnosis and what it might mean in our legal regime.

The DSM, or Diagnostic and Statistical Manual of Mental Disorders, is authored by the American Psychiatric Association (APA) and offers a standardized classification of mental disorders. According to the APA, the DSM is “intended to be applicable in a wide array of contexts and used by clinicians and researchers of many different orientations (e.g., biological, psychodynamic, cognitive, behavioral, interpersonal, family/systems).” The DSM’s 5th Edition (DSM 5) is the 2013 update to the APA tool, superseding the last (DSM-IV-TSR), which was published in 2000.

Paraphilic disorders are defined by an unusual sexual preference that becomes compulsive. The DSM 5 contains eight distinct groups of disorders that constitute paraphilia. They include: exhibitionistic disorder, fetishistic disorder, frotteuristic disorder (arousal from touching or rubbing against a stranger), pedophilic disorder, sexual masochism disorder, sexual sadism disorder, transvestite disorder, and voyeuristic disorder.

Now returning to Cosby: date rape incidents involving drugs being dosed to victims are very common. Alcohol is the most commonly used drug in sexual assaults, but some perpetrators use so-called “knock-out” drugs. Experts view the motive for the former as simple opportunism, but some of the latter category of druggers have a different motive in mind: they like unresponsive partners. This preference for unconscious partners, and the erotic arousal dependent upon intruding upon an unresponsive partner, and sometimes waking the person, is being labeled “sleeping beauty syndrome” or “Somnophilia.” Somnophilia is a less common compulsion, but it falls under a more common umbrella: a motive guided by coercion, where the perpetrator is aroused by domination of their drugged partner.

According to Dr. Michael First, a psychiatrist and editorial consultant on the new DSM 5, the kind of coercion and domination achieved by drugging a partner is common enough that the APA actually contemplated adding it as a distinct diagnosis as a paraphilic disorder, but the idea was shelved in part because of concerns that doing so would give rapists added recourse in legal cases. This should be of interest for legal practitioners: it raises the question – should doctors be thinking about legal implications when they classify disorders? If they are indeed guided by what might be a legal defense, one could imagine the whole composition of the DSM changing tomorrow. Just a couple of examples come quickly to mind. Schizophrenia is a widely accepted mental disorder included in the DSM, and yet it is not infrequently used to bolster a legal defense for very horrific crimes. Consider also sleep-walking disorders. These too are in the DSM 5, and yet criminal defendants have been known to use sleep-walking as a legal defense for equally ghastly crimes. It seems incongruous to say that leaving these kinds of “excusing” mental disorders off is the policy here. They are already in the DSM, and criminal defendants have used them for quite some time. If the APA is willing to sacrifice classifying valid mental disorders in the name of some sense of legal responsibility, it must also consider the consequences for the field of psychiatry and for treatment itself.

Clearly the concern of the American Psychiatric Association here is that giving disorders like Somnophilia a name legitimizes them – those ostensibly like Bill Cosby will now have a diagnosis to stand behind in court. They can say: “it wasn’t my fault, it’s my disposition. I have a disorder.” (It is also unclear that a jury would give any sympathetic weight or credence to this.) But the clear question is whether lawyers want doctors doing the legal work for them behind the scenes. Will psychiatry and its patients actually benefit from this kind of legal policy gut-checking, or should we just politely ask doctors to do what they do best – classify, diagnose, and treat?


The Limits of Free Speech

Paul Overbee, MJLST Editor

A large portion of society does not put much thought into what they post on the internet. From tweets and status updates to YouTube comments and message board activities, many individuals post on impulse without regard to how their messages may be interpreted by a wider audience. Anthony Elonis is just one of many internet users who are coming to terms with the consequences of their online activity. Oddly enough, by posting on Facebook Mr. Elonis took the first steps that ultimately led him to the Supreme Court. The Court is now considering whether the posts are simply a venting of frustration, as Mr. Elonis claims, or whether the posts constitute a “true threat” that will send Mr. Elonis directly to jail.

The incident in question began a week after Tara Elonis obtained a protective order against her husband. Upon receiving the order, Mr. Elonis posted to Facebook, “Fold up your PFA [protection-from-abuse order] and put it in your pocket […] Is it thick enough to stop a bullet?” According to Mr. Elonis, he was trying to emulate the rhyming style of the popular rapper Eminem. At a later date, an FBI agent visited Mr. Elonis regarding his threatening posts about his wife. Soon after the agent left, Mr. Elonis again returned to Facebook to state “Little agent lady stood so close, took all the strength I had not to turn the [expletive] ghost. Pull my knife, flick my wrist and slit her throat.”

Due to these posts, Mr. Elonis was sentenced to nearly four years in federal prison, and Elonis v. United States is now in front of the Supreme Court. Typical state statutes define these “true threats” without any regard to whether the speaker actually intended to cause such terror. For example, Minnesota’s “terroristic threats” statute includes “reckless disregard of the risk of causing such terror.” Some states allow for a showing of “transitory anger” to overcome a “true threat” charge. This type of defense arises where the defendant’s actions are short-lived, have no intent to terrorize, and clearly are tied to an inciting event that caused the anger.

The Supreme Court’s decision will carry wide First Amendment implications for free speech rights and artistic expression. A decision that comes down harshly on Mr. Elonis may have the effect of chilling speech on the internet. The difference between a serious statement and a joking one often depends on the point of view of the reader. Many would rather stop posting on the internet than risk having their words misinterpreted and charges brought. On the other hand, if the Court were to look towards the intent of Mr. Elonis, then “true threat” statutes may lose much of their force due to evidentiary issues. A decision in favor of Mr. Elonis may lead to a more violent internet where criminals such as stalkers have a longer leash with which to persecute their victims. Oral argument on the case was held on December 1, 2014, and a decision will be issued in the near future.


Asteroid Mining–Not As Crazy As It Sounds

Kirsten Johanson, MJLST Staff Member

Over the last few years, companies and private individuals have fully embraced novel space activities. Felix Baumgartner completed a space jump with Red Bull Stratos, making him the first human to break the sound barrier without any engine power. SpaceX developed the first reusable rocket, the Grasshopper, and was the first private company to deliver a shipment to the International Space Station. Recently, for the first time in history, the European Space Agency’s Rosetta mission successfully landed its space probe, Philae, on a comet. All of these ventures pushed the boundaries of space exploration beyond limits previously imagined, and all indications are that such ventures will continue. One such undertaking is the concept of asteroid mining.

Asteroid mining is exactly what it sounds like–humans landing equipment on asteroids (and other celestial bodies) and mining for the minerals that exist on such bodies. This concept might seem far-fetched but, in reality, it is a serious topic of debate primarily because of the usefulness of the minerals that exist in the crust of asteroids. NASA has released an estimate “that the mineral wealth resident in the belt of asteroids between the orbits of Mars and Jupiter would be equivalent to about 100 billion dollars for every person on Earth today.” The reason such minerals are so valuable is because of their potential usefulness in “developing the space structures and in generating the rocket fuel that will be required to explore and colonize our solar system in the twenty-first century.”

Today, the physical process of actually mining these minerals is still not cost-effective. As a result, the bigger debate on this issue is currently over the legal implications of mining these minerals and returning them to earth. In space, no single country’s laws apply but, in 1967, over one hundred countries signed the United Nations’ Outer Space Treaty of 1967. This treaty is the current law governing space and it prevents the appropriation of outer space or any celestial body in space by any nation in its space explorations. While this law unequivocally applies to sovereign nations, the recent dispute is over the extension of this treaty to private companies participating in asteroid mining. If it does not, companies like Deep Space Industries, Planetary Resources, SpaceX, or other private players in the space exploration field could begin developing mining procedures that would give them rights to any mined asteroid minerals. However, if it does extend to private companies, this opportunity will likely die before it gets started.

Many in the public and private sector in the United States are pushing for a narrow application of the law to nations which would leave open a huge industry for private development. In Congress, the American Space Technology for Exploring Resource Opportunities In Deep Space (ASTEROIDS) Act was recently introduced in the House of Representatives to officially clarify the law. The Act states that “[a]ny resources obtained in outer space from an asteroid are the property of the entity that obtained such resources.” This would mean that any asteroid mining company would have unlimited access and appropriation rights over any asteroid materials they mine but not over the asteroid itself.

Proponents of such a reading have introduced various statutory interpretation arguments that get them to this conclusion, but it is still unclear which of these will likely be the winning argument, or even whether there will be a winning argument. While asteroid mining does present significant opportunities well into the future, it is still a long-term venture unlikely to launch anytime soon. As a result, if the ASTEROIDS Act does find enough support in Congress, that is only the first step. The United States will still have to assert an international position amenable to other countries.

Overall, this Act and the publicity it will need to generate to garner sufficient support of this industry is an important first step but it cannot be the only step. Other countries, particularly the signers of the Outer Space Treaty of 1967, must develop a workable solution to the ownership question of asteroid materials. However, with the potential technological advancements and economic realizations of such an industry, it is unlikely that countries with active space exploration will be opposed. Hopefully, these countries see the development opportunities as outweighing the costs because, if there is wide acceptance, this might be the real start of space development and colonization.
