So, we have TV shows and movies coming out that show “hackers” doing magical things with computers, and we have the added hype from the MSM that shake in fear when a Twitter account gets hacked (really just pwned because of bad passwords, etc.) or when a gaming network has been taken offline using tools that, well, anyone can use even if they only have basic computer skills and the money to rent a botnet.
And the result of such ignorance and misinformation? Changes to current laws that can practically make anyone in information security a criminal under the right circumstances. I’m not going to delve into that aspect, as Robert Graham has already addressed these issues in a great blog post today. Please read this, if you have not already: http://blog.erratasec.com/2015/01/obams-war-on-hackers.html#.VLcCZyvF9ps
As I perused the proposed changes to the current laws, I noticed something that really stuck out to me: the recurrence of this and similar phrases, “…or facilitate the commission of…” said crime. This line got me thinking, what do I possess that could be classified under that statement? Well, I have a TP-LINK WiFi adapter that can be initialized in promiscuous mode, that can sniff WiFi traffic and, using some simple programs, actually capture this traffic. I also have a WiFi Pineapple that can accomplish the same tasks and a great deal more!
Do these devices make me a criminal? Does watching YouTube videos on how to best leverage these devices (on a perfectly, and still, legal pentest) make me a criminal? Sure, there is no “intent” here, but the equipment and knowledge can “facilitate”. And this is just hardware, not the software distros that are out there that make these tools even more effective, like Kali Linux, Pentoo, Pwnie Express, just to list a few.
Another, passive, but “facilitating” concept that is frequently used, even by hobbyists in the field, is wardriving, using programs like WiGLE that log and map the SSIDs of a range of devices, even providing GPS locations of said devices. Will possession, let alone use, of such applications now be criminal offenses?
The answer, as it stands today, is most likely none of these devices and techniques will be “technically” illegal if the laws are changed, just because of the sheer volume of what’s already out there and the number of people using them, but, as Jack Daniel said earlier today, “it depends on the aspirations of the prosecutor” on where these lines are drawn.
But, as we all well know, once this Pandora’s Box is opened, it’s going to be damn hard to shut and the talented people who do great research and help protect the public from people and organizations that are truly scary, will eventually become targets, for any number of reasons that some ambitious prosecutor can conjure.
NOTE: Consider this… A great and award-winning journalist, and a person that a great many people in information security admire and trust as an authoritative source when it comes to data breaches, namely Brian Krebs, could easily be a prime target under these new laws. Just let that sink in for a moment.
ACTION: Take action, write your local federal legislators, try to engage them in a dialogue and inform them of what our community is really about, educate anyone and everyone you can, encourage discourse on the matter before it’s too late.
All the journalists and bloggers out there that have the courage to report and speak out about the truth of things.
Support groups that, on their own time, are fighting the good fight every day, like:
And other groups and individuals, for they are the militia of the internet as we know it!