VWWHFSfQ's comments

The CFAA isn't super complicated. It basically boils down to:

Don't fuck with other people's shit if they don't want you to.


The CFAA is in fact pretty complicated. The text of the law isn't, but the implications of that text are, and so is the jurisprudence. Rockenhaus's CFAA case does not appear to have been at all complicated, though.

Are you a lawyer by chance?

I seem to remember cases or interpretations of the CFAA in which even guessing the username password combo of "admin:admin" would violate the act, resulting in teenagers or children being caught up in cYbEr FrAuD


It doesn't matter if you brute forced their crappy login with commonly-used credentials. You think it's OK for someone to rummage around in your garage just because they correctly guessed your keycode was 12345? Of course not.

I'm more focused on the assertion that "The CFAA isn't super complicated."

Which raises sincere doubts about the commenter's credibility to make such a claim.


How does "you're not allowed to guess credentials" mean it's complicated?

I think that's a massive oversimplification of how the CFAA has been applied.

Doesn't this posture also criminalize white-hat hackers, whose disclosures would protect you from the people who actually want to do damage?

> Doesn't this posture also criminalize white-hat hackers, whose disclosures would protect you from the people who actually want to do damage?

There is no law for "white-hat hackers". You don't get to break into a system because of the color of your hat.

"White-hat hackers" have contracts, or very specific rules of engagement. Having run many a bug bounty, if someone was malicious, we would absolutely work to prosecute.

You can also find bugs in software freely, as long as you don't obtain unauthorized access to other people's systems.


This isn't true: there is, jurisdictionally dependent and I think also dependent on DOJ norms, a broad exception for good-faith white hat vulnerability research that would otherwise violate CFAA. Like I said, CFAA is very complicated in practice.

(I don't know enough about the CFAA to know whether this is true so I'll assume it is.)

To continue the garage door analogy, you wouldn't walk up to any random garage door and try code 12345 to help protect the owner's stuff, would you?


To stick with this analogy: I think a white hat equivalent would be more like driving down the street with a garage door remote set to a default code and then notifying anyone whose door opens in response that they should change their code. I don't think that should be illegal.

You think walking through an unlocked door should result in federal charges?

Walking through an unlocked door that has a sign "private property, do not enter", searching for sensitive information, finding it and exposing it surely could.

Or not, depending on how the party who owns what's inside that door feels. But if it feels he should be prosecuted, then hell yes, the state should do that. My 2c.


So what about using rakes or bump keys? Very low tech, very easy. Can defeat some poor quality locks.

Still sounds like petty crime that doesn't need the FBI to roll in.

The point is that in the physical world there is some notion of proportionality in the response to trespassing depending on the actual damage done and sophistication and premeditation of the act. We don't generally lock up people because they accidentally walked into an area they shouldn't have. But once computers are involved we have laws that automatically make even minor infractions into a big scary issue that allows the government to essentially destroy someone's life.


So now the door is unlocked?? Where are the goal posts?

Don't mess with people's stuff if they don't want you to. This seems very simple to me. But I'm aware that you're trying to find some fringy gray area where you think it will be OK to mess with people's stuff even though they don't want you to.


If we're making an analogy to the Weev case then yes the door was unlocked, with the explicit intent that the general public could come through that door and access some of the documents.

If those teenagers or children enter someone's house and vandalize or steal because the door (or window) isn't locked, is it no big deal?

Strictly speaking, unless you do destructive actions, it's not stealing, but instead unauthorized access.

If I walk into your house, take a picture of your financial documents, that's not theft. That's still (potentially) breaking and entering, trespassing, and depending on what I do with those pictures also fraud, but it's not theft.

This is all semantics of course, but I just really dislike the idea that digital data can be "stolen".

---

But also: No one deserves to get their things broken into, but if you expose things to the internet without proper security, you can't cry too much if you get broken into I think. It's not okay (and possibly illegal? idk) for me to read other patients' medical records if they're in open display when I go to the doctor's office, but they also have an obligation to secure this information.

I do like the approach of "Mens rea" / "Guilty mind" overall, to differentiate between children/teenagers fucking around (ofc depends on the extent of what they do), white hat researchers finding vulnerabilities (should not be criminalized), and black hat people doing things with criminal intent.


Breaking into a system, whether or not the password was easy to guess, sounds like a crime to me.

It is a crime!

But CFAA charges should, and this is the issue a lot of people have with them afaict, have a sliding scale for premeditation though.

If I knock on a door, it swings open, and I walk inside and steal something, then imho there should be a lesser maximum charge for possessing burglary tools than if I show up with a lock gun, crowbar, and concrete saw.

A lot of the CFAA excesses are maximum penalties from the CFAA being thrown at people using minimally sophisticated / premeditated methods, in addition to charges about the underlying crime.

That doesn't seem just or fair.

In practice it's turned into an if(computer){increase maximum penalty} clause, solely at the government's discretion.


> If I knock on a door, it swings open, and I walk inside and steal something, then imho there should be a lesser maximum charge for possessing burglary tools than if I show up with a lock gun, crowbar, and concrete saw.

Why? (I'm not a lawyer...) - shouldn't intent and harm (i.e. the value of the stolen item) be the only relevant details? Now of course it's much easier to demonstrate intent if there's a crowbar involved, but once that's already established, it seems irrelevant.


Am a lawyer - You're correct. Intent is key and almost all laws are based around intent or, in legal parlance, "Mens rea" or the guilty mind. That is what separates a legal act from an illegal act: the intention behind it.

Suppose you are leaving a store and heading to your car. For whatever reason, the button on your keys unlocks someone else's car that is the exact same make and model as yours. You hop into the car, your key starts the ignition, and you drive off (Yes, this has really happened). That isn't legally theft because you legitimately believed that was your car - aka you didn't intend to take something that wasn't yours.

For 98% of laws, in order to be convicted, the government needs to prove you intended to commit the crime. Obviously, I'm oversimplifying what is a very complicated topic you spent two years learning, but that's the gist.


Because that's the way most method-specific laws work, at least in the US.

There's an underlying result crime (eg causing business harm by destroying a database), then the method by which one chose to do it (eg exceeding authorized access to a computer with the intent to cause harm).

The CFAA was originally passed under the erroneous worry that existing laws wouldn't be enforceable against cybercrime, which turned out to generally be false.

When you cause damage, there's almost always a law by which someone can sue you for those damages.

What there wasn't, and what the CFAA created, were extra penalties for computer crimes and an ability to charge people with computer crimes where there were no damages (eg Aaron Swartz).

And why should those things need to exist? Theft is theft. Destruction is destruction.

It was an underspecified law, ripe for prosecutor overreach. See: https://www.congress.gov/crs_external_products/R/HTML/R47557...

It fit with 'premeditated intent' intensifiers (where penalties escalate if premeditated intent can be proven)... but that wasn't actually how it was written or how it is used. Instead, it's a method-based checkbox that allows prosecutors to tack on additional charges / penalties. If a computer was used to destroy this thing, add X years to the sentence.


If you're saying there should only be theft charges either way, that's fine.

But if there are burglary tool charges, they should depend on whether you used burglary tools to burgle, not how much theft you did.


You have a point. But on the other hand you have no idea of what tools the intruder possesses, only (at best!) what they used.

I think intent probably matters a lot more than the technicality of how you succeeded.


It does sound like a crime to me too. But was it a password or other credential that was guessed, or was it just some sequential primary key? The latter is not an authorization system, and I do not believe it is a crime to do that unless you have specific knowledge that it is likely to cause damage and/or the intent to cause that damage.

As far as I am concerned, I am allowed to send any traffic I wish to public-facing hosts, and if they respond with content that the owners would not wish me to see, I have no responsibility to refrain. The only traffic I am not permitted to send are credentials I am not authorized to use (this would include password guessing, because if I manage to guess correctly, I was still not permitted to use it).

So which was it?


You are not allowed unauthorized access regardless of how the key works.

> I am allowed to send any traffic I wish to public-facing hosts

No you're not. Denial of service is a federal crime.

> I have no responsibility to refrain

Yes you do, and this is just beyond silly. The nuance of how you obtained it will be decided in a court. Stop making everything so reductionist and lazy.

> The only traffic I am not permitted to send are credentials I am not authorized to use

Absolutely not. Use of a vulnerability to cause a data breach is OBVIOUSLY a federal crime.

This is beyond absurd.


> You are not allowed unauthorized access regardless of how the key works.

You and I seem to both speak/write English, but there is a language barrier. For me, "authorization" means that they have given me credentials, and any content locked down under those credentials is off-limits.

For you, "authorization" is a magical term that has no real meaning. It means that they want me to have the content. But I am no telepath, and I do not know what they want me to have or do not want me to have. The only way, from my point of view, to know what they want me to have or not is to try to retrieve the content without credentials, and if it succeeds, it's legal.

Of course, there are a few corner cases. What if I discover some software defect that very clearly shows they intended to require credentials, and a test without credentials shows that it is indeed off-limits, but exploiting the defect produces that content? I wouldn't do that, that'd be illegal.

But your way of (non-)thinking is alien to me, and no reasonable judge or legislator could possibly mean what you claim that law states. Or at least what you seem to claim.

> No you're not. Denial of service is a federal crime.

Only with intent. If I send reasonable content that shouldn't be DoS, how was I to know? I intend no crime.

> Yes you do, and this is just beyond silly.

You're the one being silly. You can't even decide what you mean by "authorized".

> The nuance of how you obtained it will be decided in a court.

I'm never going to trial, I'm not even going to be noticed.

> Use of a vulnerability to cause

Use of a clear defect. The biggest and most dangerous vulnerabilities are the apathy and stupidity of their employees, their lack of a sane business model and attainable vision, and so on. Using those is just common sense. There is a popular magazine that is subscription only. But they have the pdf download links hidden with display: none CSS. These links require no authorization. Just knowledge. I retrieve those quite punctually.


You're both veering out of CFAA jurisprudence in different ways. But you know you're in trouble when you start saying things like "I am no telepath", because in fact a big part of an ambiguous CFAA case will be determining what a reasonable person (ie: the jury) would think confronted with the computer system under discussion. There will in fact be mind reading involved; your intent would in fact be tried.

There's nothing at all CFAA-specific about this; this is really basic US criminal law and it comes up in all sorts of different criminal justice contexts. The terms you're both dancing around are mens rea and actus reus.


> But you know you're in trouble when you start saying things like "I am no telepath",

I'm not in trouble. There is virtually zero chance of this ever being noticed by law enforcement, and even less chance than that of them giving a shit.

Also note, I am not arguing what the worst possible interpretation might falsely convict someone of, but how the law should be viewed, or, if someone can demonstrate to my satisfaction that the law disagreed with, then how it should be altered.

If I have to guess what retards (read: juries) might think is reasonable, then there can be no public internet. We're just a few years after journalists were arrested for looking at html source with "view source", aren't we?

> The terms you're both dancing around are mens rea

I'm only mildly ignorant. Has CFAA ever been considered to describe strict liability crimes?


You're in trouble rhetorically, is what I mean, because your argument is completely alien to criminal law.

Only as much as criminal law is alien to fairness, decency, and pragmatic interests.

Maybe as far as you are concerned, but not as far as the law is concerned ;-)

Well, I guess it's a good thing for me that they're unable to notice or care and in general incompetent.

I am still permitted to do this. None of the details of this case give me the impression that they're using CFAA in such a way as to offend my sensibilities. Sounds like he sabotaged a former employer and caused hundreds of thousands in (tort not physical) damages. I guessed the urls for some issuu.com links that aren't available in search, and downloaded the page images to make a pdf. I was never prompted for a password. Arrest me, I'm a notorious hacker.


I mean... if someone walked into your house cause you only closed the screen door while running to the store quick you'd still call the cops cause there was someone breaking into your house lol.

Sure but I wouldn't expect that guy to get locked up on federal charges simply for being in the house without authorization.

Probably depends on the House.

I suppose if it's the White House the guy'd just get pardoned by the next president anyways.


> How is this enforceable if a company doesn't have any infrastructure within that state?

It's a good question. Maybe something with interstate commerce laws?


There used to be the "Oregon sales tax loophole" where residents of neighboring states (Washington, California, Idaho) would make large purchases (car) just over the border in Oregon where there was no sales tax.

That loophole got closed once inter-state data sharing became possible and Oregon merchants were required to start collecting those out-of-state taxes at the point of sale.


> That loophole got closed once inter-state data sharing became possible and Oregon merchants were required to start collecting those out-of-state taxes at the point of sale.

Oregon merchants are not required to collect sales tax for any other jurisdictions outside of Oregon. And they don't; any non-Oregonian can go to any merchant in Oregon right now, and you will be charged the same as any other customer who lives in Oregon.

Also, it was never a loophole to buy things in Oregon to evade sales tax. All states with sales tax require their residents to remit use tax for any items brought into the state to make up the difference for any sales tax that would have been paid had it been purchased in their home state.


How would that have ever worked for a car in OR as a CA resident? You don't need inter-state data sharing when you have to register the newly-purchased car with the CA DMV and fill out the form saying you bought it inside or outside of CA. If you said "inside" when you didn't CA could likely catch that discrepancy against purely in-state dealer/tax records; if you said "outside" then they're gonna make you pay the tax difference.

Now, buying a fancy computer or something... but a car?


> How would that have ever worked for a car in OR as a CA resident? You don't need inter-state data sharing when you have to register the newly-purchased car with the CA DMV and fill out the form saying you bought it inside or outside of CA.

I haven't seen it as much in WA, but I used to see a lot of Oregon plates on new vehicles in Northern California where I had reason to believe the driver was a resident of CA. I do know someone who was pulled over for driving like a Californian while having out of state plates, so there's some enforcement that way anyhow. (Changed several lanes from the fast lane to the exiting lane in a continuous motion)


That wasn't a loophole. It was just a bunch of people evading taxes.


You are correct, virtually every state has a law that says “If you buy something in another state and pay less sales tax than we charge, you owe us the sales tax we would’ve charged you.”

It’s called a ‘use tax’. In practice, nobody pays (personal) use tax, myself included.

Washington has a use tax: https://dor.wa.gov/taxes-rates/use-tax

California has a use tax: https://cdtfa.ca.gov/taxes-and-fees/use-tax/

Idaho has a use tax: https://tax.idaho.gov/taxes/sales-use/use-tax/online-guide/

So, all of those people going to Oregon to shop without sales tax and not paying use tax were technically breaking the law, not using a loophole. I’m not judging them, I don’t pay use tax either :)


Washington at least will refund sales tax paid for goods purchased in Washington for use exclusively outside of Washington if purchased by residents of US states and CA provinces with low sales taxes, if the forms are followed.

I understand it used to be possible to show ID in store and have sales tax not be applied, but now you need to submit receipts and etc.


> people evading taxes

Avoiding taxes. It's different. It was always perfectly legal to travel to another state to buy something expensive and bring it back home. No crimes were committed.

It was a loophole that you could buy in Oregon specifically to avoid $1,000s in sales taxes.


> It was always perfectly legal to travel to another state to buy something expensive and bring it back home.

It was legal to do that. If it was purchased out of state with the intent of bringing it back home, then (assuming the home state was California) California use taxes were always owed on it. Other states with sales taxes also tend to have similarly-structured use taxes with rates similar to the sales tax rates.

They were legally avoiding sales taxes, but also illegally evading use taxes, and, moreover, there is very little reason for the former if you aren't also doing the latter, unless you just have some moral objection to your taxes being taken at the point of sale and the paperwork and remittance to the government being done by the retailer instead of being a burden you deal with yourself.


It was the same for WA, so you're right, this was always (illegal) tax evasion, not mere avoidance.

AFAIK it's not that Oregon changed anything, either. It's that Washington passed additional laws that require out-of-state merchants to collect the tax when selling to customers in WA, and said out-of-state merchants complied.


Washington did not pass additional laws. It was the Supreme Court's South Dakota v Wayfair ruling:

https://www.supremecourt.gov/opinions/17pdf/17-494_j4el.pdf

https://en.wikipedia.org/wiki/South_Dakota_v._Wayfair,_Inc.

Prior to this ruling, if you were a merchant in state A and you mailed something to someone in State B, you were not considered to have an economic nexus in state B, and hence state B had no jurisdiction over you to enforce sales tax collection.

Previous definitions of economic nexus involved having physical buildings or employees operating within a jurisdiction's boundaries.

South Dakota v Wayfair said that mailing something to a customer established economic nexus in the customer's jurisdiction, hence the merchant now has to register as a business in the customer's jurisdiction and collect applicable sales taxes and follow all the laws of that jurisdiction.

The whole ruling is weird though, because the justification came down to it's messing up the order of things, and since Congress can't be bothered to fix it with legislation, the Courts have to make up stuff to prolong the status quo.


I think the point was that interstate data sharing closed the loophole on evading use-taxes. Now states report to each other about large purchases. It's no longer possible to buy a car or tractor in Oregon and never report the unpaid sales tax back to Washington or California. They will know.


I was addressing the debate that that prompted over whether the situation before that was tax evasion or mere tax avoidance, but yes, the point about interstate data sharing is what that tangent spun off from several posts upthread.


chrismcb is correct.

The situation petcat described is tax evasion (illegal, since use tax is due in lieu of paying sales tax at point of purchase, assuming the item is brought back to the home state).

Tax avoidance is simply minimizing tax liability, completely legal.


If you do not pay sales tax on items bought in neighboring states, you typically owe your state use tax on those items. Many people simply did not report these purchases however, and this is evasion.


Do you insist on paying your home tax rate if you go somewhere else and buy food or products?

I’ve never understood people like you that say anything and everything to increase taxes.

How does it make any rational or logical sense that you should pay higher taxes for something?

So when you go to Delaware that has 0% sales taxes, you make sure to log everything and pay taxes to your home state upon return?


> So when you go to Delaware that has 0% sales taxes, you make sure to log everything and pay taxes to your home state upon return?

If you don't, you are technically violating the law. All states with sales tax also have a use tax.

For example, if you are a resident of neighboring Maryland, this is the form you'd need to fill out for purchases you make in Delaware.

https://www.marylandcomptroller.gov/content/dam/mdcomp/tax/f...


He's just stating the law. Eat a cookie and take a nap.


Rust's marker traits (Send, Sync, etc.) + RAII is really what makes it so magical to me.


It's all so ironic considering Denmark took control of Greenland purely by conquest/claim and many Greenlanders view it historically as colonial/imperial.

But now Denmark is apparently upset that an even bigger, greedier bully is trying to take it from them?

I don't care about it one way or the other. I imagine an agreement will be made where USA gets something like 80% of the resource rights in exchange for Denmark getting to keep the title and then we'll all forget about this.


> It's all so ironic considering Denmark took control of Greenland purely by conquest/claim and many Greenlanders view it historically as colonial/imperial.

Isn't that what the US is doing based on this article? Create a bit of story around the people of Greenland wanting to free themselves from Denmark (even if just a minority of Greenland believes so) and then come in as the hero?


Yes and it's unfortunate that Greenlanders don't get a say in who their conqueror is.

But Denmark isn't the one that should be complaining about their ill-gotten loot being taken from them.


> use another app which offered the same content

The content is not on other apps though. Maybe other apps have other content, but it's not the good content that people want.


And then went straight over to X, another social media silo, to post that his other social media account at the other silo was banned.

What a world we live in.


More cyberpunk than this would be for the official author side to be a `.onion`, with a vanity subdomain that took a borrowed farm of GPUs a week to compute, and an RSS/Atom reader feed from that, plus a Fediverse/Mastodon account for the normies that you host yourself from an offshore data haven, paid for with mixed BTC, and a Reddit account just to keep some twerp from grabbing your name, all of which you access exclusively through Tor Browser, from a dedicated/compartmentalized immutable device. :)

But I'm sympathetic to authors feeling they have to be on the popular social media platforms. I don't know about big-name authors like Mr. Stephenson, but when I looked into writing fiction myself, the advice for new and less-known writers was to actively work marketing on all of Twitter/X, Instagram, especially TikTok (BookTok), and others.

(I decided it was too much demoralizing work, to not only write novels, which is grueling, but then to have to play games with TikTok influencers, if you want enough people to actually read the product of your suffering.)


Megacorp turf wars. It's silos all the way down.


There's always nostr.


That's designed for nerds. Like Matrix and the other platforms that will never see mainstream adoption because they lack product management and crazy distribution.

Normie design and hyper distribution always win.


Good to know. Didn't know I was following this many nerds over there.


Reminds me of Shadowrun.


I loved this game! I still have the original rulebook. That and my AD&D 2nd ed. books, Star Frontiers and Gamma World boxed sets may be my most prized possessions.


Throw a few Uncle Al catalogs on the pile and we’d have similar childhoods. Gamma World was actually pretty amazing.


Cool! I had to look "Uncle Al catalogs" up. I remember seeing ads for Car Wars, but never played it myself. There were so many neat games back then.

Gamma World was really neat and timely given how fearful we all were of nuclear war. I remember watching Road Warrior at the time and thinking that Gamma World could actually be the world we live in.

Dragon Magazine would occasionally have articles on Gamma World too. So much food for the young imagination.


Did you ever try the CRPG Shadowrun Chronicles games?


I did not. I didn't get into computers until much later. Though I did die of Typhoid a bunch of times on the Oregon Trail when I was in junior high.


I'm running a Cities Without Number campaign now, but I sure do steal a lot from Shadowrun.


People go where they’re treated best


A friend of mine complains about Twitter and then turns around and sends me Twitter links.

Headdesk.


X is pretty lenient with the banning though.

It seems like the best of the worst.


Twitter is "lenient" with ban evasion because it runs on cognitive load and they have no time to deal with it themselves. It's just completely beyond the cognitive capacity of its controlling parties (including financial owners) that it could appear that they are chill with the speech it hosts as well as the unilateral cultural influencing capabilities it has.


> Debi and John Marks moved from Florida to build their dream home in the high desert of Costilla County. They bought property in the ranches two years ago with plans to build a retirement home and live off the grid among the pines

...

> “We wanted to be as independent as possible, and so we searched all over the state for property that would fit our needs, and this fit the bill,” Debi Marks said.

...

> Amanda Ellis bought a house in Costilla County five years ago to live off the grid.

These are people specifically moving to this unincorporated county in order to live "off the grid". This sounds ideological to me.


> These are people specifically moving to this unincorporated county in order to live "off the grid". This sounds ideological to me.

Realtors out there are selling sandcastles in the sky to flatlanders who don't know any better. The property they are buying is parceled out ranch land that went bust generations ago for the same reasons. These aren't "prepper" types so much as folks who want the Colorado high-country lifestyle when they can't actually afford it.


I think a lot of people are just cosplaying as Little House On The Prairie and think they're independent and "off grid" because they don't have monthly utility bills. Except they're buying their propane and buying their water, not to mention their clothes and everything else. So they're actually on-grid, but just with extra steps.


> governments haven't acted to serve the people

The government in question here is the one representing the tax-paying residents of the town of Fort Garland. They voted to stop selling their scarce water supply to the non-tax-paying residents of unincorporated Costilla County. So it seems to me that the "government" served the interest of their constituents fairly.


How well does it serve those constituents? Shutting off the water cut off 15% of Fort Garland's water revenue (while reallocating 1% of its water). That's a big dent in a budget that was probably directly keeping those tax payers' taxes lower and providing them valuable services.

The water board didn't have to put it up to an immediate, unplanned vote that day, but they were inexperienced in dealing with "hollering" and waffled under a little pressure.

Add to it that they executed the short-term interests of their constituents with such ... alacrity that it put people in physical risk.

So who came out ahead here? I don't disagree that all those folks living off-grid really aren't living off-grid, and reality checks are healthy, but even a 2 week warning would have served everybody's interests, served the same FAFO lesson and maybe kept the animosity down a little.


'Fairly'. I would love to see them argue that with St Peter at the pearly gates. 'Well we drew this arbitrary line on the ground, and refused to sell water to people on the other side of the line so they could drink and survive. We did it so we could water our ornamental lawns.'


I've been to Lake Pend Oreille. Beautiful, pristine.

It's extremely deep and calm, which is why (I guess) the US Navy does so much acoustic research there.

The Navy recently christened the USS Idaho [1] Virginia-class submarine.

[1] https://www.defense.gov/News/Releases/Release/Article/370814...


I use pinboard.in. Also pay the $20/yr for archiving in case the links rot.

https://pinboard.in/


Pinboard isn't a URL shortener.

