Cybersecurity

Prosecutors Can Screw With Hackers Just for Saying 'Fuck Shit Up,' Warns Security Expert

Vaguely written laws give federal prosecutors the power to target hackers at will.

Alex Muentz
Hope X

At the Hackers On Planet Earth (Hope X 2014) conference in New York City last weekend, hundreds of hackers got a crash course in computer crime in a session that drew as many laughs as gasps.

Philadelphia-based information security specialist Alex Muentz, who teaches a course in computer crime at Temple University, said that the three-word phrase he most frequently urges hackers to avoid is "Fuck shit up."

"I've read this line in more indictments and sentencing briefings," Muentz told a Hope X panel on Saturday, before trailing off amidst crowd laughter. "I think I see it at least 20 times a day."

Muentz meant it, though.

"Most of the CFAA [Computer Fraud and Abuse Act section 18 USC 1030 indictments] I've read are for people who got in trouble not for what they did but for talking about what they did."

A colorful speaker with a ponytail draped over the back of a loose-fitting gray suit, Muentz wasn't above a little lawyer improv to get his point across that hackers need to think hard about what they write online.

'You Breathe Like Hitler'

"Think of a prosecutor as a person you've been in a hot car with on a four-day road trip with no air conditioning, [after you've] spilled Coke on the seats so everything is sticky," Muentz said. "Think of it as anything you say to a person who just wants you to die. Someone who feels like, you know, 'You breathe like Hitler.'

"I want you to interpret everything that you say as if it was interpreted by someone who hates you at that level. … So 'fuck shit up' means 'I want to ruin this machine and everyone connected to it and cause death and destruction.'"

More laughter, and then a palpably uneasy silence.

A Texas hacker, Jesse William McGraw, pleaded guilty in May 2010 to two counts of transmitting malicious code after prosecutors said he hacked into a Dallas hospital computer and installed malware.

"In McGraw's conversation with a probation department, that line 'You can really get in there and fuck shit up,'—the prosecutors argued and the judge bought—showed proof that he had intended to cause damage," Muentz told me this week in a follow-up conversation.

"That line earned him 18 months."

Muentz said the same line was quoted in a 2013 computer crimes indictment against Matthew Keys, a former Thomson Reuters social media staffer charged last year with providing the log-in information in December 2010 to a computer server belonging to the Tribune Company. Tribune owns KTXL Fox 40, where Keys had worked as a web producer before being terminated in October 2010. (Disclosure note: As a Thomson Reuters staff reporter in 2013, on several occasions I sought Keys' help via email in distributing my Reuters reporting on social media.)

"It's maybe misunderstood in the hacker community that 18 USC 1030 is really, really vaguely written, and if a prosecutor squints at what you [wrote] long enough they'll find in your behavior evidence of a CFAA violation," Muentz told me.

At the heart of the divide between law enforcement and hackers, two communities that once rarely crossed paths, is a simple clash of cultures, Muentz said in his speech.

Many well-intentioned—or "white hat"—hackers end up in legal crosshairs without even realizing they are breaking any laws, he told audience members.

"Why does a white hat [hacker] go and [digitally] knock something over and drop a vulnerability, drop even an exploit [into a company's computer software]?" he asked.

"We think we're doing a good thing, right? 'I'm going to force that company to secure their stuff and if not I'm going to humiliate them.' That makes perfect sense to me.

"Except to outsiders, it's, 'Why are you making things less secure?'"

Modern Day Nader's Raiders?

Muentz sees white hats as digital consumer advocates.

In his early days as a consumer safety advocate, Muentz said, "Ralph Nader was viewed as an enemy."

"People were saying things like 'Why are you trying to hurt General Motors?'" after Nader began to publicly criticize automakers for lax safety standards in the late 1950s.

"Uh," he responded rhetorically—drawing a parallel between lax auto safety and weak digital security—"because you're making crappy cars that kill people, that fold up like tin cans?"

"The outside world does not view our shenanigans when we're talking about consumer protection the same way that we do," he told the audience.

Muentz told me that for him, "a 'white hat' is someone who is probing for digital vulnerability like Ralph Nader did with GM, a pain in the ass, a gadfly—and I'm sure at General Motors there were bottles of Pepto-Bismol with his name on it—but they are gadflies with good intentions.

"Black hats are usually just 'I want to fuck shit up' or 'I want to make money,' and you can usually tell by their behavior. Most straight up criminal hackers I know are either dumb assholes that watch a couple of YouTube videos and think they know a thing or two and then get caught…. Either that, or straight-up, honest-to-god really talented people who get a rush out of getting over on you."

"Gray hats—depending on their mood—will do a little of both," he explained, "and they are usually the ones I end up defending."

'Stupid Arguments on Reddit'

Among the free legal advice Muentz offered Hope X hackers (he's also a licensed attorney, but mostly consults on legal cases rather than leading the defense):

  • "Prosecutors will go through anything you've done, and everything you've ever said is coming back at you. Those stupid little arguments you've got on Reddit? Those will come back at you." "To prosecutors," he said, "you aren't just an amusing little prankster, you're an evil bastard coming to take America down."
  • "If you're arrested, do not say things like 'I want you to dox the prosecutor. I want you to dox the judge,'" Muentz said. (Urbandictionary.com refers to 'dox' as "a technique of tracing someone or gathering information about an individual using sources on the internet, [whose] name is derived from 'Documents' or 'Docx.'") "If you're arrested," Muentz told the crowd, "you can't make things better, but you can always make things worse."
  • "Consider beforehand the legality of what you're doing, the evidence you're leaving behind, and who will know about it—and if you get legal attention, shut up and lawyer up."
  • "They will send the biggest, dumbest looking agent to talk to a hacker. The agent has extensive training, may not have two degrees in computer science, but has a lot of skills. He does the best dumb act possible. 'I don't know shit about computers man, what happened here?' There's a temptation to explain things. We've all done the help desk thing."
  • "In a lot of laws there are loopholes, exceptions. There isn't in this one. There is no 'good reason' or self-defense exclusion in CFAA," Muentz said. "Even for active self defense—'I'm going to hack back… I'm going to strike back,'" there are no exceptions or loopholes in CFAA, Muentz said. "There is no First Amendment [freedom of speech] defense. No 'I WAS doing it but'—there is none of that." Plus, he said, "criminal defenses are expensive. Even if you're not out ripping or trying to screw things up, a basic CFAA violation is still at least three to four years minimum in federal prison—and also many states have equivalent laws."

During a question and answer session at the end of his speech, Muentz jokingly agreed with an audience member who suggested that prosecutions under the CFAA can lead to such severe sentences that "if you want to get back at someone with a computer, you should beat them to death with it physically rather than actually using it."