Computer Crime Year In Review: MySpace, MBTA, Boston College and More


Computer Crime Year In Review: MySpace, MBTA, Boston College and More
Jennifer Stisa Granick, EFF Civil Liberties Director
Kurt Opsahl, EFF Senior Staff Attorney
Black Hat Briefings, July 29, 2009

Topics
1. Computer Crime Law Overview
2. MBTA v. Anderson
3. United States v. Lori Drew
4. Calixte/Boston College
5. Lessons and Strategies

www.eff.org

Other Work We Do
- Coders' Rights
- DRM
- Fair Use
- Free Speech
- Privacy

Computer Fraud and Abuse Act
Eight subsections (a-h):
- (a) Seven (or more) prohibitions
- (b) Attempt and conspiracy
- (c) Sentences for criminal violations
- (d) Secret Service may investigate

CFAA (cont'd)
- (e) Definitions
- (f) Law enforcement and intelligence agencies exception
- (g) Civil cause of action
- (h) Reporting to Congress

CFAA Offenses
- (a)(1): Espionage prohibitions
- (a)(2): Obtaining information, including under (a)(2)(C) information from a protected computer (one used in interstate or foreign commerce or communication)
- (a)(3): Trespass on government system

CFAA Offenses (cont'd)
- (a)(4): With intent to defraud
- (a)(5): Causes damage
- (a)(6): Password trafficking
- (a)(7): Threatens a computer

Unauthorized Access: 1030(a)(2)
Whoever... accesses without authorization or exceeds authorized access and thereby obtains--
(A) information from a financial institution, credit card issuer or consumer reporting agency;
(B) information from any department or agency of the United States; or
(C) information from any protected computer

Causes Damage: 1030(a)(5)(A)
"Whoever... knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer"

MBTA v. Anderson

Term paper for Professor Ron Rivest
- Reverse engineering the CharlieTicket
- Theoretical attack on the RFID MIFARE card

DEFCON 16: "Anatomy of a Subway Hack: Free Rides for Life"

Meeting with MBTA, August 4, 2008

Friday before the talk, August 8: Lawsuit!
Filed complaint, TRO (temporary restraining order) motion, four declarations, 7 exhibits, but no advance notice

Claims:
- Computer Fraud and Abuse Act: 18 U.S.C. 1030(a)(5)(A)
- Negligent supervision vs. MIT

Relief Requested
- Treble damages and attorneys' fees
- Gag order: can't say security is compromised
- Can't imply MIT approved research or presentation
- Can't say "free subway rides"
- Forced to provide research to MBTA

The EFF Is In Booth

Glad we were in Vegas
- DEFCON gave us a war room
- Able to get an expert declaration in the middle of the night from 3ric Johansen
- Robyn Wagner chipped in

Hearing set for 8:00 a.m. Saturday, August 9

Saturday Hearing, August 9
- We appear by telephone
- Judge Woodlock issues gag order

Gag Order
MIT undergrads "are hereby enjoined and restrained from providing program, information, software code, or command that would assist another in any material way to circumvent or otherwise attack the security of the Fare Media System"
Presentation is cancelled

What Happened?
- Fear, uncertainty, doubt
- Potential danger with massive implications vs. kids not giving a speech
- Time not seen as of the essence
- Culture clash

Defense
- Motion for reconsideration
- Letter from computer scientists
- Declaration re: prior meeting with MBTA
- CFAA does not apply

CFAA: "Whoever... knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer; and [causes or would have caused certain specified loss or harm] shall be punished as provided in subsection (c) of this section."

MBTA: "The term transmission includes verbal communication"

MBTA's Version of Responsible Disclosure:
"The term responsible disclosure refers to the method of disclosing a technological vulnerability to the developer so that the developer can fix the vulnerability before the general public finds out about it."

First Amendment
"Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances."

Hearing on Thursday, August 14
- Judge O'Toole
- More discovery

Hearing on Tuesday, August 19

The Comma

CFAA: "Whoever... knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer..."

- No federal claim
- Motion for preliminary injunction denied
- Gag order lifted

Resolution:
- Settlement Agreement
- Collaboration Agreement

Current status of the case

Calixte/Boston College Case

United States v. Lori Drew

- Terms of service violation is unauthorized access
- Judge overturned conviction months later
How did we get here?
- EF Cultural Travel v. Explorica
- Shurgard v. Safeguard Storage

Common TOS Violations
"You may not use the Services and may not accept the Terms if you are not of legal age to form a binding contract with Google." (Google Terms of Service)
"[Y]ou agree to... provide accurate, current and complete information about you as may be prompted by any registration forms on the Site ('Registration Data')... [and] maintain and promptly update the Registration Data, and any other information you provide to Company, to keep it accurate, current and complete...." (Facebook Terms of Use)
"You must be at least eighteen (18) years of age and single or separated from your spouse to register as a member of Match.com or use the Website." (Match.com Terms of Use Agreement)

Boston College/Calixte Matter

From: Bc Glbtq
Subject: BC GLBTQ Welcomes: Former Roommate

Hello,
The Boston College GLBTQ Community would like to welcome [roommate] to the community! When [roommate] first reached out to us, hoping that we could help him come out, we were greatly excited that he chose to do so with the support of our community here at Boston College. Coming out is always difficult, so please be understanding as this is a crucial time for him. Please give [roommate] all your support! And [roommate] was kind enough to send us his Adam4Adam profile if anyone was interested in personally contacting him. Again, please celebrate with him. This is a joyous moment!

Search Warrant Sought

Massachusetts Computer Crime Statute
Chapter 266, Section 33A: obtaining computer services by fraud or misrepresentation

Massachusetts Computer Crime Statute
Chapter 266, Section 120F: unauthorized access to computer system
"Whoever, without authorization, knowingly accesses a computer system by any means, or after gaining access to a computer system by any means knows that such access is not authorized and fails to terminate such access, shall be punished by imprisonment in the house of correction for not more than thirty days or by a fine of not more than one thousand dollars, or both. The requirement of a password or other authentication to gain access shall constitute notice that access is limited to authorized users."

Police Seized:
- computers
- storage drives
- cell phone
- iPod Touch
- flash drives
- digital camera
- Ubuntu Linux CD

Commonwealth Argument

Single Justice of Supreme Court Opinion

Lessons
- The CFAA is dangerous
- Instructional speech is less likely to be protected by courts
- First contact situations are the hardest

Lessons (cont'd)
- Atmospherics matter
- Litigation can be grueling
- Responsible disclosure as a norm vs. a rule

What researchers can do:
- Don't agree to terms of service
- Get permission for testing
- Test only your own systems
- Seriously consider atmospherics

What researchers can do (cont'd):
- Work with and educate vendors
- Be prepared for litigation
- Write to Congress
- Consult an attorney

Questions?