Fear of prosecution hampers security research
As Black Hat and DefCon near, there's a noticeable "chill" in the air due to recent, aggressive legal action taken against security researchers. And the biggest loser of all may be the public.
The cream of the research crop will head to Black Hat next week.
A few months ago, Matthew Green was asked to advise a small team of undergraduate students who were investigating possible security vulnerabilities in a state's toll collection system.
A part-time research associate at the University of Maryland, Green learned that the students found a way to uncover proprietary information about the system by calling up a publicly available web page and entering particular commands into a form. It was the equivalent, he said, of "typing 'password' into a password field," and required no hacking or evasion of security controls.
But instead of congratulating them on their discovery and guiding them through the next steps on the project, which was being conducted strictly for academic research purposes, Green had an entirely different reaction.
"My immediate thought was that we have to get an attorney," he recalled. "How do we keep these kids out of jail?"
Green knew the students he was asked to consult with weren't up to anything nefarious, but that may not have been enough to ensure they avoided the interest of law enforcement. As a result, they stopped working on the project. "Someone could come along and say, 'We can prosecute them,'" Green said. "It does have a chilling effect. You can do most anything you want, until it involves something, however benign, against a real system. It's very arbitrary, and it's difficult to know where the lines are."
The concern and worry expressed by the cryptography expert is rapidly becoming the norm in the security research community, a collective of arguably the world's most skilled and indefatigable computer enthusiasts. Because of recent examples in which the federal anti-hacking law, known as the Computer Fraud and Abuse Act (CFAA), has been interpreted in ways that permit aggressive prosecutions to be launched, researchers are significantly limiting or scrapping altogether projects that they have invested months or even years on – fearful that they will become the next Aaron Swartz or Andrew "Weev" Auernheimer, and unwilling to join a procession of digital martyrs that is expected to only grow over the next several years. Everyone, it seems, is feeling timid.
In the words of one, the current climate in which to conduct research is "terrifying.” Information security enthusiasts said the nearly 30-year-old CFAA is broadly worded, and if a prosecutor wants to make an example of a researcher, they easily can because the law, critics have argued, essentially criminalizes normal computer behavior and, to be charged, doesn't require someone to have had breached security controls or accessed something without authorization.
So it should be no surprise that when the good-guy hackers, commonly called white-hats, converge on Las Vegas next month for Black Hat and DefCon, considered the world's two most preeminent security research conferences, there will be something of a dark cloud hanging below the bright desert sun. This year has seen a huge number of submissions – Black Hat, for instance, is putting on a record 110 talks – but longtime veterans of the gatherings said that most of the presentations won't go quite as far as they can or should. Not anymore, at least.
Take Brendan O'Connor, a law student at the University of Wisconsin, who also doubles as the CTO of security consultancy Malice Afterthought. O'Connor plans to present at Black Hat and DefCon on CreepyDOL, a low-cost system that can mine data from public Wi-Fi traffic to create “a really nice visualization engine” on specific people based on the websites with which they interact. It's an example of how effortlessly one's privacy can be infringed. The title of talk: “CreepyDOL: Cheap, Distributed Stalking.”
Wi-Fi publicly sends out data about which sites users visit, so anyone who is listening in can, for example, acquire someone's photo from an online dating site or their name from Facebook. By physically placing nodes – tiny sensor platforms – around a major city, one can amass a profile about a targeted individual based on their wireless “emanations,” without any need to actually hack their computer, O'Connor explained.
But this is all theoretical because O'Connor was afraid to do it, even though he said case law has shown that wireless eavesdropping is legal. Instead, he'll showcase the data he correlated from MAC addresses under his control. He is, of course, very confident the research would scale across a large city and produce the same results, but given the current legal landscape, it was an easy decision to abstain from trying that.
“I've had to greatly curtail how much I've tested CreepyDOL because even though there's a great deal of case law saying that it's well within the law, that hasn't seemed to matter to the U.S. government,” O'Connor said.
At Black Hat and conferences like it, researchers lately are more reluctant than ever to go that “extra three percent,” in which they explain the real-world applicability of their discovery, O'Connor said. For instance, that may mean demonstrating a major SCADA system vulnerability, but never disclosing that the bug could allow for the lights of a skyscraper to be switched off.
"Essentially, prosecutorial misconduct or prosecutorial discretion used to harm has caused this awesome chilling effect,” said O'Connor, who authored an amicus brief that was recently filed and signed by about a dozen other researchers calling for the release of Auernheimer, the 27-year-old researcher and self-described internet troll who took advantage of an AT&T website flaw to expose the email addresses of roughly 120,000 iPad users, including some high-profile people like New York Mayor Michael Bloomberg.
But Auernheimer enlisted no hacking tools and bypassed no security technology to amass the information. Everything was publicly available. He and a colleague merely built a script that expedited the process of collecting the email addresses. Gawker wrote a story about the “hack,” but didn't publish the personal information.
That didn't prevent Auernheimer from being slapped with identity theft and conspiracy charges, with the government arguing that he unlawfully accessed or exceeded authorized access to a protected computer. He lost his court battle, and in March, was sentenced to 41 months in prison.
By prosecuting white-hat researchers – even ones who have a muddied reputation, as Auernheimer does – they become more reticent about doing their work, despite the fact that it is typically performed for the public good and rarely for profit. Meanwhile, researchers said, the treatment of digital researchers runs in stark contrast to those who have evaluated the safety of physical systems over the years, including automobile braking systems or the suspensions on a bridge.
But the negative consequences of discouraging and deterring these IT research efforts are potentially enormous. That's because the vulnerabilities they would have publicly exposed never get fixed – which means someone with more malevolent intentions, not concerned about facing prison time because they already have a criminal mindset, could come in and sell the information they discover to the highest bidder, at the expense of the victim.