
Experts question guilty verdict for AT&T 'hackers'

Taylor Armerding | Nov. 26, 2012
After verdict in iPad email address case, experts say Computer Fraud and Abuse Act of 1986 needs major update

They also agree with Halliburton that the CFAA is hopelessly vague and outdated, since it was created before the evolution of the Web.

"Auernheimer is charged with participating in a conspiracy to violate the CFAA by 'intentionally access[ing] a computer without authorization or exceed[ing] authorized access, and thereby obtain[ing]...information from [a] protected computer,'" Halliburton wrote. "But what exactly does that mean?"

The language, he said, comes from a law that defines "protected computer" as either a government or bank computer, or as any computer "which is used in or affecting interstate or foreign commerce or communication."

"Maybe that worked in 1986 when not that many computers were networked in interstate commerce, but in 2012, it covers almost anything with a microprocessor."

Kevin Mitnick, once known as the world's "most wanted hacker" and now a security consultant, also said the CFAA is neither clear nor up to date. And he said as written, it is so broad that just about anybody who uses the Internet could be convicted.

"Take caller ID spoofing, which allows me to call you and display any number I want," he said. "If I spoof your number to a business, and the business answers the call with an automated system that says, 'Hello Taylor,' because of the linkage, is that a crime? Where is the unauthorized access? Spoofing your cell phone number? I don't think so."

Mitnick said he thinks the government's case "is a joke, because anyone can be accused of unauthorized access by simply visiting a web site. How ridiculous is that?"

Support for Spitler and Auernheimer is not unanimous. One comment on the TechCrunch site from "George Schmaltz" argued that, "A 'legitimate' security researcher either finds a problem, then gets permission to conduct penetration tests or vice-versa. You don't hack a site, then present yourself as a 'white hat.'"

But Ansel Halliburton raises a number of questions that he contends weaken the government's case.

"Goatse Security's slurper script never entered anything into the password field of the login page; it just collected the emails the page offered up to it," he wrote. "Who decides who is 'without authorization'? The government? The website operator? How do you know the website operator deems you to be 'without authorization'? The CFAA gives no answers."

