Lowering the legal limit: Intimidation of innovators

There was a noticeable chill in the air at Black Hat and DefCon, due to recent action taken against security researchers, reports Dan Kaplan.

A few months ago, Matthew Green was asked to advise a small team of undergraduate students who were investigating possible security vulnerabilities in a state's toll collection system.

A part-time research associate at the University of Maryland, Green learned that the students found a way to uncover proprietary information about the system by calling up a publicly available web page and entering particular commands into a form. It was the equivalent, he said, of “typing ‘password’ into a password field,” and required no hacking or evasion of security controls.

But instead of congratulating them on their discovery and guiding them through the next steps on the project, which was being conducted strictly for academic research purposes, Green had an entirely different reaction.

“My immediate thought was that we have to get an attorney,” he recalled. “How do we keep these kids out of jail?”

Green knew the students he was asked to consult with weren't up to anything nefarious, but that may not have been enough to ensure they avoided the interest of law enforcement. As a result, they stopped working on the project. “Someone could come along and say, ‘We can prosecute them,’” Green said. “It does have a chilling effect. You can do most anything you want, until it involves something, however benign, against a real system. It's very arbitrary, and it's difficult to know where the lines are.”

The concern and worry expressed by the cryptography expert is rapidly becoming the norm in the security research community, a collective of arguably the world's most skilled and indefatigable computer enthusiasts. Because of recent examples in which the federal anti-hacking law, known as the Computer Fraud and Abuse Act (CFAA), has been interpreted in ways that permit aggressive prosecutions to be launched, researchers are significantly limiting or scrapping altogether projects in which they have invested months or even years – fearful that they will become the next Aaron Swartz or Andrew “Weev” Auernheimer, and unwilling to join a procession of digital martyrs that is expected to only grow over the next several years. Everyone, it seems, is feeling timid.

In the words of one, the current climate in which to conduct research is “terrifying.” Information security enthusiasts said the nearly 30-year-old CFAA is broadly worded, and if a prosecutor wants to make an example of a researcher, they easily can because the law, critics have argued, essentially criminalizes normal computer behavior and, to be charged, doesn't require someone to have breached security controls or accessed something without authorization.

So it should be no surprise that when the ethical hackers, commonly called white-hats, converged on Las Vegas last month for Black Hat and DefCon, considered the world's two preeminent security research conferences, there was something of a dark cloud hanging below the bright desert sun. This year has seen a huge number of submissions – Black Hat, for instance, put on a record 110 talks – but many of the presentations didn't go quite as far as they should.

Take Brendan O'Connor, a law student at the University of Wisconsin, who also doubles as the CTO of security consultancy Malice Afterthought. O'Connor presented at Black Hat and DefCon on CreepyDOL, a low-cost system that can mine data from public Wi-Fi traffic to create “a really nice visualization engine” on specific people based on the websites with which they interact. It's an example of how effortlessly one's privacy can be infringed. The title of his talk was “CreepyDOL: Cheap, Distributed Stalking.”

Wi-Fi publicly sends out data about which sites users visit, so anyone who is listening in can, for example, acquire someone's photo from an online dating site or their name from Facebook, O'Connor explains. By physically placing nodes – tiny sensor platforms – around a major city, one can amass a profile about a targeted individual based on their wireless “emanations,” without any need to actually hack their computer. 

But this is all theoretical because O'Connor was afraid to do it, even though he said case law has shown that wireless eavesdropping is legal. Instead, he showcased the data he correlated from MAC addresses under his control. He is, of course, very confident the research would scale across a large city and produce the same results, but given the current legal landscape, it was an easy decision to abstain from trying that.

“I've had to greatly curtail how much I've tested CreepyDOL because even though there's a great deal of case law saying that it's well within the law, that hasn't seemed to matter to the U.S. government,” O'Connor said.