What inspired early U.S. anti-hacking laws?
The 1983 Congressional hearing, influenced by the movie WarGames, highlighted risks of unauthorized access and intention behind hacking, prompting lawmakers to craft legislation like the CFAA.
What does the CFAA (Computer Fraud and Abuse Act) prohibit?
Knowingly accessing a computer without authorization or exceeding authorized access. Key disputes arise over what counts as “authorization” or “access.”
How is “exceeds authorized access” defined under the CFAA?
Accessing a computer with authorization but using that access to obtain or alter information one is not entitled to access or modify.
What was the significance of US v. Morris (1991) regarding unauthorized access?
Morris exploited holes in mail and directory programs, bypassing intended functions to access other computers. The court ruled this was unauthorized access even though he had initial permission to use the programs.
What was the MySpace case (Drew) about?
A mother pretended to be a 16-year-old boy, posted a photo of a juvenile without consent, and communicated with another minor. Violating MySpace’s MSTOS was the basis for unauthorized access claims.
Why is relying on terms-of-service violations problematic in criminal cases?
Criminalizing any TOS violation would make statutes overbroad, potentially turning minor breaches into felony offenses.
What does “access” a computer mean legally under broad statutory definitions?
To approach, instruct, communicate with, store data in, retrieve data from, or otherwise make use of any computer resources.
How did State v. Riley (1993) interpret “access”?
Entering random 6-digit codes via a phone switch constituted “access” because Riley made use of the computer’s resources, even if he was unsuccessful in obtaining information.
What did State v. Allen (1996) determine about access?
Only once passwords are entered beyond the initial banner can a person be considered to have accessed a computer; mere approach does not count.
What did Moulton v. VC3 (2000) establish?
Running port scans without compromising public data does not constitute access to a network.
How does AOL v. National Health Care Discount (2000) define access?
Sending emails that traverse multiple computers counts as accessing all intermediate systems under CFAA.
What is the “intended function” test for authorization?
Access is authorized if used for the system’s intended function. US v. Morris (1991) exemplifies that using access in unintended ways counts as unauthorized.
What is the Agency Theory of Authorization?
Authorization ends when an employee or agent acts on behalf of another party against the system owner’s interests, as in Shurgard Storage Centers v. Safeguard Self Storage (2000).
What does State v. Olson (1987) say about unauthorized access?
Violating internal use policies does not necessarily make access unauthorized if the person had general permission to access the system.
What was EF Cultural Travel BV v. Explorica Inc. (2001) about?
Automated “scraper” programs sending massive queries to a website exceeded authorized use, constituting abuse under CFAA.
What did AOL v. LCGM Inc (1998) establish about TOS?
Violating AOL’s prohibition on harvesting emails via robots counted as unauthorized access.
What did Register.com v. Verio (2000) establish about web scraping?
Using search robots against a site that objects to such automated queries constitutes unauthorized access.
What did U.S. v. Rodriguez (2010) clarify about business use?
Accessing databases for nonbusiness purposes exceeds authorization under CFAA, as personal motives fall outside granted access.
What is the key holding in U.S. v. Nosal (2012) regarding CFAA scope?
“Exceeds authorized access” is limited to restrictions on information access, not general misappropriation or violating company policies; CFAA is focused on hacking, not trade secrets.
What are arguments in favor of “hacking back” measures?
Faster response than government, leverages private-sector expertise, allows immediate mitigation of attacks.
What are arguments against “hacking back” measures?
Potential violation of foreign laws and CFAA, attribution challenges, risk of escalating conflicts, and chaos in cyber operations.
What does the ACDC Act propose?
Excludes prosecution under CFAA for victims taking active cyber defense measures, such as accessing an attacker’s system to gather evidence or disrupt continued unauthorized activity, with limits on destructive or harmful actions.
What was the Assange/Manning incident?
Alleged assistance in cracking a DoD password on SIPRNet to obtain administrative privileges and conceal evidence of leaks; unclear if password was ever cracked.
What does Van Buren v. United States (2021) clarify about CFAA?
“Access without authorization” or “exceeds authorized access” involves bypassing a gate that is off-limits, focusing on restricted areas (files, folders, databases) rather than contract or policy limits.
What do the 2022 Sentencing Guidelines say about vulnerability testing?
Prosecutors are advised to avoid cases when computers are accessed to test or fix vulnerabilities in ways that avoid harm, though civil suits and state law prosecution remain possible.
What was the Paige Thompson case about?
Downloaded personal information from 100M+ Capital One customers by exploiting AWS vulnerabilities; prosecution debated whether her actions were criminal or resembled legitimate security research.
What is the “cyber kill chain” in cyber attacks?
Sequence of steps for attackers: Delivery (deploy code), Exploitation (run code), Installation (persist), Command & Control (control remotely), Action on Objective (steal data or cause damage).
What is a chokepoint in cyber defense?
A step in the attack chain where defenders can place barriers that are hard for attackers to bypass, focusing on stages with high enforcement feasibility and low attacker adaptability.
What is war driving?
Driving around to detect vulnerable wireless networks.
What was the North Korea Sony breach (2014) about?
Retaliatory cyberattack by North Korea over the movie The Interview, illustrating nation-state motivations in hacking.