Cybersecurity

Prosecutors Can Screw With Hackers Just for Saying 'Fuck Shit Up,' Warns Security Expert

Vaguely written laws give federal prosecutors the power to target hackers at will.


Alex Muentz
Hope X

At the Hackers On Planet Earth (Hope X 2014) conference in New York City last weekend, hundreds of hackers got a crash course in computer crime in a session that drew as many laughs as gasps.

Philadelphia-based information security specialist Alex Muentz, who teaches a course in computer crime at Temple University, said that the three-word phrase he most frequently urges hackers to avoid is "Fuck shit up."

"I've read this line in more indictments and sentencing briefings," Muentz told a Hope X panel on Saturday, before trailing off amidst crowd laughter. "I think I see it at least 20 times a day."

Muentz meant it, though.

"Most of the CFAA [Computer Fraud and Abuse Act section 18 USC 1030 indictments] I've read are for people who got in trouble not for what they did but for talking about what they did."

A colorful speaker with a ponytail draped over the back of a loose-fitting gray suit, Muentz wasn't above a little lawyer improv to get his point across that hackers need to think hard about what they write online.

'You Breathe Like Hitler'

"Think of a prosecutor as a person you've been in a hot car with on a four day road trip with no air conditioning, [after you've] spilled Coke on the seats so everything is sticky," Muentz said. "Think of it as anything you say to a person who just wants you to die. Someone who feels like, you know, 'You breathe like Hitler.'

"I want you to interpret everything that you say as if it was interpreted by someone who hates you at that level. … So 'fuck shit up' means 'I want to ruin this machine and everyone connected to it and cause death and destruction.'"

More laughter, and then a palpably uneasy silence.

A Texas hacker, Jesse William McGraw, pleaded guilty in May 2010 to two counts of transmitting malicious code after prosecutors said he hacked into a Dallas hospital computer and installed malware.

"In McGraw's conversation with a probation department, that line 'You can really get in there and fuck shit up,'—the prosecutors argued and the judge bought—showed proof that he had intended to cause damage," Muentz told me this week in a follow-up conversation.

"That line earned him 18 months."

Muentz said the same line was quoted in a 2013 computer crimes indictment against Matthew Keys, a former Thomson Reuters social media staffer charged last year with providing the log-in information in December 2010 to a computer server belonging to the Tribune Company. Tribune owns KTXL Fox 40, where Keys had worked as a web producer before being terminated in October 2010. (Disclosure note: As a Thomson Reuters staff reporter in 2013, on several occasions I sought Keys' help via email in distributing my Reuters reporting on social media.)

"It's maybe misunderstood in the hacker community that 18 USC 10-30 is really, really vaguely written, and if a prosecutor squints at what you [wrote] long enough they'll find in your behavior evidence of a CFAA violation," Muentz told me.

At the heart of the divide between law enforcement and hackers, two communities that once rarely crossed paths, is a simple clash of cultures, Muentz said in his speech.

Many well-intentioned—or "white hat"—hackers end up in legal crosshairs without even realizing they are breaking any laws, he told audience members.

"Why does a white hat [hacker] go and [digitally] knock something over and drop a vulnerability, drop even an exploit [into a company's computer software]?" he asked.

"We think we're doing a good thing, right? 'I'm going to force that company to secure their stuff and if not I'm going to humiliate them.' That makes perfect sense to me.

"Except to outsiders, it's, 'Why are you making things less secure?'"

Modern Day Nader's Raiders?

Muentz sees white hats as digital consumer advocates.

Muentz said that in his early days as a consumer safety advocate, "Ralph Nader was viewed as an enemy."

"People were saying things like 'Why are you trying to hurt General Motors?'" after Nader began to publicly criticize automakers for lax safety standards in the late 1950s.  

"Uh," he responded rhetorically—drawing a parallel between lax auto safety and weak digital security—"because you're making crappy cars that kill people, that fold up like tin cans?"

"The outside world does not view our shenanigans when we're talking about consumer protection the same way that we do," he told the audience.

Muentz told me that for him, "a 'white hat' is someone who is probing for digital vulnerability like Ralph Nader did with GM, a pain in the ass, a gadfly—and I'm sure at General Motors there were bottles of Pepto-Bismol with his name on it—but they are gadflies with good intentions.

"Black hats are usually just 'I want to fuck shit up' or 'I want to make money,' and you can usually tell by their behavior. Most straight up criminal hackers I know are either dumb assholes that watch a couple of YouTube videos and think they know a thing or two and then get caught….Either that, or straight-up, honest-to-god really talented people who get a rush out of getting over on you."

"Gray hats—depending on their mood—will do a little of both," he explained, "and they are usually the ones I end up defending."

'Stupid Arguments on Reddit'

Among the free legal advice Muentz offered Hope X hackers (he's also a licensed attorney, but mostly consults on legal cases rather than leading the defense):

  • "Prosecutors will go through anything you've done, and everything you've ever said is coming back at you. Those stupid little arguments you've got on Reddit? Those will come back at you." "To prosecutors," he said, "you aren't just an amusing little prankster, you're an evil bastard coming to take America down."
  • "If you're arrested, do not say things like 'I want you to dox the prosecutor. I want you to dox the judge,'" Muentz said. (Urbandictionary.com defines 'dox' as "a technique of tracing someone or gather information about an individual using sources on the internet, [whose] name is derived from 'Documents' or 'Docx'.") "If you're arrested," Muentz told the crowd, "you can't make things better, but you can always make things worse."
  • "Consider beforehand the legality of what you're doing, the evidence you're leaving behind, and who will know about it—and if you get legal attention, shut up and lawyer up."
  • "They will send the biggest, dumbest looking agent to talk to a hacker. The agent has extensive training, may not have two degrees in computer science, but has a lot of skills. He does the best dumb act possible. 'I don't know shit about computers man, what happened here?' There's a temptation to explain things. We've all done the help desk thing."
  • "In a lot of laws there are loopholes, exceptions. There isn't in this one. There is no 'good reason' or self-defense exclusion in CFAA," Muentz said. "Even for active self defense—'I'm going to hack back…I'm going to strike back,'" there are no exceptions or loopholes in CFAA, Muentz said. "There is no First Amendment [freedom of speech] defense. No 'I WAS doing it but'—there is none of that." Plus, he said, "criminal defenses are expensive. Even if you're not out ripping or trying to screw things up, a basic CFAA violation is still at least three to four years minimum in federal prison—and also many states have equivalent laws."

During a question and answer session at the end of his speech, Muentz jokingly agreed with an audience member who suggested that prosecutions under the CFAA can lead to such severe sentences that "if you want to get back at someone with a computer, you should beat them to death with it physically rather than actually using it."


  1. They never caught the hacker who fucked H&R’s commenting shit up.

    1. How could they tell?

  2. Chris Francescani spoke with Muentz about how and why prosecutors go after hackers, even when those hackers think they’re helping companies uncover security vulnerabilities.

    I don’t buy this crap for a second. It seems analogous that these so-called “white hats” are like a guy who goes around picking locks on people’s doors, then leaving a note on your bed informing you that you need better locks. Might he be right? Yes, but he’s still done something he had no business doing in the first place.

    1. Yes, much better for, say, your bank’s SSL encryption bug to go undetected until some asshole in a Russian hacking ring discovers it and drains a few million from vulnerable accounts.

      Without white hats over the last 20 years, you’d have about a 50/50 chance of losing your identity whenever you transact business or communicate confidential information online. Their services are so beneficial that most large institutions don’t bother waiting for white hats to come to them – they hire them as consultants proactively.

      1. Yes, much better for, say, your bank’s SSL encryption bug to go undetected until some asshole in a Russian hacking ring discovers it and drains a few million from vulnerable accounts.

        Because you have absolutely no recourse to recover your lost funds from the business that you entrusted to keep them safe.

        Without white hats over the last 20 years, you’d have about a 50/50 chance of losing your identity whenever you transact business or communicate confidential information online.

        Citation?

        Their services are so beneficial that most large institutions don’t bother waiting for white hats to come to them – they hire them as consultants proactively.

        This I have no problem with. Sort of like secret shoppers, except they test your company’s security.

        1. Because you have absolutely no recourse to recover your lost funds from the business that you entrusted to keep them safe.

          You’d rather deal with the consequences of actual criminals actually stealing your actual money, to say nothing of your personal data which is probably just as valuable, than to have a (to varying degree) less shady hacker find the exact same vulnerability, report it to your bank, give them time to fix it, and if they don’t, at absolute worst, publicize the exploit in the mainstream security world and make them look like assholes? I mean… seriously?

          Citation?

          The work done by white hats going back to the very foundation of the world wide web is the type of stuff that isn’t very likely to get compiled into neat statistics for reasons that should be obvious. And while 50/50 may possibly be an exaggeration, it’s probably not by nearly as much as you think. For one very recent example, after the Heartbleed OpenSSL bug was identified by white hats at Google and Codenomicon, Cloudflare issued a challenge to independent white hats to try and identify whether private cryptographic keys could be extracted from the vulnerability. Long story short, turns out they could be.

          (cont’d)

          1. Sort of like secret shoppers, except they test your company’s security.

            That’s what “white hats”, by definition, do. Many do it at the behest of a company who has employed them specifically for the task, others do it unsolicited, which can actually be even more beneficial to both the institutions involved and their unknowing users because freelancers tend to be more aggressive and the consequences for the reputation of the institution are usually more severe, so they are more apt to make necessary changes. There’s a pretty bright line between white hatting and blackmail, in that white hats don’t demand payment in exchange for revealing the information so that it can be fixed. Until they cross that line, power to them I say.

          2. You’d rather deal with the consequences of actual criminals actually stealing your actual money…

            So my (false) choices are trust my money to the scruples of self-appointed security vigilantes, or be robbed?

            …others do it unsolicited…

            And this is the problem.

            1. So my (false) choices are trust my money to the scruples of self-appointed security vigilantes, or be robbed?

              Except it’s not a false choice – somebody is going to discover any given security vulnerability, so by outlawing white hatting you’re ensuring the discovery will be made by an actual criminal. That’s a very… interesting preference.

      2. It’s a spectrum – the whole ‘white hat’, ‘grey hat’, ‘black hat’ thing just describes the endpoints and midpoints of a very complicated line.

        Just like not all vigilantes have been bad – but there have been very bad vigilantes, so there is some very reasonable suspicion when you encounter one.

        1. I approve of some of the white hats and their various internet wars against black hats that send out ransomware and other malware, rootkits, bots, etc.

          My problem is, they are “testing” the security of people who never asked them to do so. Without a license, this is a pretty clear violation of a corporation’s property interests, no matter how well-intentioned it might be.

    2. Agreed. Following the Ralph Nader analogy further, it falls apart – Nader didn’t go around breaking into people’s cars or GM factories, modifying the vehicle’s structure or intentionally ripping up stuff to show the weaknesses, and then say “Hey, u mad bro, I was just trying to help”.

      Don’t know how I ended up defending Ralph Nader as I’m not a big fan overall, just that that analogy didn’t exactly fit.

      1. The analogy falls apart because there are very important differences between sabotaging a vehicle manufacturing plant and uncovering security vulnerabilities on a computer network. A more relevant, though still not perfect, analogy to what white hats do in the computer world would be if some random guy started parking by the back door at the GM factory every day when the 2nd shift clocks out, caught employees on camera admitting to disregarding assembly protocols, then took the evidence to management and told them if they didn’t do something about the problem he was sending a copy of the tape to the eyewitness news.

  3. Vaguely written laws give federal prosecutors the power to target hackers anybody they want to at will.

    Just say the magic words “terroristic threats” and watch the Constitution disappear!

    1. Also DUI, child porn/human trafficking, and the big one, War on Drugs.
      Did I miss any biggies?

  4. I will so fuck shit up if they come after me 😉

    1. Damnit briannnnn, He just said not to do that thing. What the hell?


  6. Long ago in a far away land known as America there used to be a requirement that a person had to be physically or financially harmed by another person before that other person would be prosecuted. If a hacker causes a financial harm to a company, or individual, then he or she needs to be sued under the law of torts. As Friedrich Nietzsche once said: “Mistrust those in whom the urge to punish is strong.” That would be the federal and state governments of the U.S.

    1. Your comment is confusing. You say people used to be prosecuted (meaning criminal law) only for “physical or financial harm” and then say companies financially harmed should sue in tort. Besides this, under the law of torts, trespass requires no physical or financial injury. The mere violation of the right to exclude others, a property right, is sufficient.

