So, we have TV shows and movies coming out that show “hackers”
doing magical things with computers, and we have the added hype from the MSM,
which shakes in fear when a Twitter account gets hacked (really just pwned
because of bad passwords, etc.) or when a gaming network has been taken offline
using tools that, well, anyone can use even if they only have basic computer
skills and the money to rent a botnet.
And the result of such ignorance and misinformation? Changes
to current laws that can practically make anyone in information security a
criminal under the right circumstances. I’m not going to delve into that
aspect, as Robert Graham has already addressed these issues in a great blog
post today. Please read this, if you have not already: http://blog.erratasec.com/2015/01/obams-war-on-hackers.html#.VLcCZyvF9ps
As I perused the proposed changes to the current laws, I
noticed something that really stuck out to me: the recurrence of this and
similar phrases: “…or facilitate the commission of…” said crime. This line got
me thinking: what do I possess that could be classified under that statement? Well,
I have a TP-LINK WiFi adapter that can be initialized in promiscuous mode, that
can sniff WiFi traffic and, using some simple programs, actually capture this
traffic. I also have a WiFi Pineapple that can accomplish the same tasks and a
great deal more!
Do these devices make me a criminal? Does watching YouTube
videos on how to best leverage these devices (on a perfectly and still legal
pentest) make me a criminal? Sure, there is no “intent” here, but the equipment
and knowledge can “facilitate”. And this is just hardware, not the software distros
that are out there that make these tools even more effective, like Kali Linux,
Pentoo, Pwnie Express, just to list a few.
Another passive but “facilitating” concept that is frequently
used, even by hobbyists in the field, is wardriving, using programs like WiGLE
that log and map SSIDs of a range of devices, even providing GPS locations of
said devices. Will possession, let alone use, of such applications now be
criminal offenses?
The answer, as it stands today, is most likely none of
these devices and techniques will be “technically” illegal if the laws are
changed, just because of the sheer volume of what’s already out there and the
number of people using them, but, as Jack Daniel said earlier today, “it depends
on the aspirations of the prosecutor” on where these lines are drawn.
But, as we all well know, once this Pandora’s Box is
opened, it’s going to be damn hard to shut, and the talented people who do great
research and help protect the public from people and organizations that are
truly scary will eventually become targets, for any number of reasons that
some ambitious prosecutor can conjure.
NOTE: Consider this… A great and award-winning journalist,
and a person that a great many people in information security admire and trust
as an authoritative source when it comes to data breaches, namely Brian Krebs,
could easily be a prime target under these new laws. Just let that sink in for
a moment.
ACTION: Take action, write your local federal legislators,
try to engage them in a dialogue and inform them of what our community is
really about, educate anyone and everyone you can, encourage discourse on the
matter before it’s too late.
SUPPORT:
All the journalists and bloggers out there that have the
courage to report and speak out about the truth of things.
Support groups that, on their own time, are fighting the
good fight every day, like:
#MalwareMustDie
#WeAreTheCavalry
#WeAreTheArtillery
And other groups and individuals, for they are the militia
of the internet as we know it!