{"id":19121,"date":"2022-05-28T19:02:14","date_gmt":"2022-05-29T03:02:14","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/05\/28\/news-12854\/"},"modified":"2022-05-28T19:02:14","modified_gmt":"2022-05-29T03:02:14","slug":"news-12854","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/05\/28\/news-12854\/","title":{"rendered":"DOJ reverses itself, says good-faith security researchers should be left alone"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/idge\/imported\/imageapi\/2022\/03\/16\/09\/sale_311646_article_image-100922035-large.3x2.jpg?auto=webp&amp;quality=85,70\"\/><\/p>\n<p><strong>Credit to Author: Evan Schuman| Date: Thu, 26 May 2022 03:02:00 -0700<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">In a move that could have a major impact on enterprise penetration testing and other cybersecurity tactics, the US Department of Justice last Thursday reversed one of its own policies by telling prosecutors\u00a0<\/span><i><span style=\"font-weight: 400;\">not to\u00a0<\/span><\/i><span style=\"font-weight: 400;\">prosecute anyone involved in \u201cgood-faith security research.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This is one of those common-sense decisions that makes me far more interested in exploring the original DOJ policy (set in 2014, during the Obama era).\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The underlying law at issue is the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Computer_Fraud_and_Abuse_Act\" rel=\"noopener nofollow\" target=\"_blank\">Computer Fraud and Abuse Act<\/a>, which made it illegal to access a computer without proper authorization. It was passed in 1986 and has been updated several times since then.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It&#8217;s also been abused, with many taking the \u201cexceed authorized access\u201d to mean almost anything a business owner didn\u2019t like. 
This has caused problems for legitimate security researchers and specifically for pen testers who fear they need the blessing of a site owner before pen-testing what is publicly available.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In <\/span><a href=\"https:\/\/www.justice.gov\/opa\/pr\/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">its statement<\/span><\/a><span style=\"font-weight: 400;\">, DOJ offered some excellent examples of conduct that would no longer merit prosecution: \u201cEmbellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges. The policy focuses the department\u2019s resources on cases where a defendant is either not authorized at all to access a computer or was authorized to access one part of a computer \u2014 such as one email account \u2014 and, despite knowing about that restriction, accessed a part of the computer to which his authorized access did not extend, such as other users\u2019 emails.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The statement also said that \u201cgood faith\u201d has its limits. \u201cThe new policy acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith. For example, discovering vulnerabilities in devices in order to extort their owners, even if claimed as research, is not in good faith.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The practical matter is that there will always be gray areas. 
Let\u2019s consider Justice\u2019s own example of \u201cdiscovering vulnerabilities in devices in order to extort their owners.\u201d <\/span><\/p>\n<p><span style=\"font-weight: 400;\">True extortion is not gray: \u201cWe found these 19 security holes on your system. Give us $5 million by midnight tonight or we\u2019ll post the details for the world to see.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This, however, isn&#8217;t as clear-cut: &#8220;We found these 19 security holes on your system. We\u2019re really good at finding holes. Do you want to discuss retaining my firm for cybersecurity services?\u201d That&#8217;s more of a sales pitch, with no explicit threat. Then again, the &#8220;researchers&#8221; are silent about what they would do if the pitch was refused or ignored.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">What about bounty programs? What if the security researchers found these holes and want a payout from an advertised bounty program \u2014 and say that if the bounty request is denied, they&#8217;ll tell everyone the details of the holes?<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Mark Rasch is an attorney specializing in cybersecurity issues and a former Justice Dept prosecutor who happened to prosecute the very first case involving the Computer Fraud and Abuse Act. (Note: That case, with the defendant being Robert Tappan Morris, happened back in 1989. I covered that trial every day for almost a month in a Syracuse federal courtroom, so this is hardly a new issue.)<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Rasch likes the new DOJ policy, but said it all goes back to prosecutorial discretion and dealing with elaborate details and circumstances in every single case. \u201cThe real problem has been that, absent something in writing, it\u2019s about relying on the good nature of an individual prosecutor. Two people can look at the exact same activity report and come to different legal conclusions. 
There are a hundred different value judgments at play.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">One big difference, Rasch said, between 1989 and today is community. Back in the late &#8217;80s, cybercrime was viewed as more individualistic, with analogies back to the physical world more common. He offered the example of a thief breaking into houses to prove that their security was insufficient and perhaps stealing something small to prove that they successfully broke in. That was considered abhorrent.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">But today, he said, there is a better sense of community, meaning that there is an acceptance that security research <em>can<\/em> benefit the whole community.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Even within the cybersecurity community, there are differences between what a whitehat can get away with (finding ways to break in, often via high-tech brute force) and what researchers and pen testers can get away with. Pen testers like to stay with publicly-accessible documents and see how far they can go with that limitation.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Either way, this new guidance should help those prosecution decisions be more appropriate. 
Anything that allows security researchers to do their jobs with less fear is a good thing.<\/span><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3661692\/doj-reverses-itself-says-good-faith-security-researchers-should-be-left-alone.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/idge\/imported\/imageapi\/2022\/03\/16\/09\/sale_311646_article_image-100922035-large.3x2.jpg?auto=webp&amp;quality=85,70\"\/><\/p>\n<p><strong>Credit to Author: Evan Schuman | Date: Thu, 26 May 2022 03:02:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p><span style=\"font-weight: 400;\">In a move that could have a major impact on enterprise penetration testing and other cybersecurity tactics, the US Department of Justice last Thursday reversed one of its own policies by telling prosecutors\u00a0<\/span><i><span style=\"font-weight: 400;\">not to\u00a0<\/span><\/i><span style=\"font-weight: 400;\">prosecute anyone involved in \u201cgood-faith security research.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This is one of those common-sense decisions that makes me far more interested in exploring the original DOJ policy (set in 2014, during the Obama era).\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The underlying law at issue is the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Computer_Fraud_and_Abuse_Act\" rel=\"noopener nofollow\" target=\"_blank\">Computer Fraud and Abuse Act<\/a>, which made it illegal to access a computer without proper authorization. 
It was passed in 1986 and has been updated several times since then.<\/span><\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3661692\/doj-reverses-itself-says-good-faith-security-researchers-should-be-left-alone.html#jump\">To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,12747],"class_list":["post-19121","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-technology-industry"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19121","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19121"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19121\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19121"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19121"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19121"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}