
Monied interests want you to play in their safe playground without rocking the boat; the legal and technical enforcement is closing in. Slowly, but the ratchet only turns one direction. I worry that the only reason it hasn't closed in entirely is that smart people exploring is more beneficial to business than not. For now.

Over the last few weeks I've been wondering when the scale flips and general purpose computing will die outright. Things that were once considered foregone conclusions about tech are turning out to be accidents of the fact that adoption starts with individuals. How long can tech empowering people continue to outrun the old-school powers using tech to empower themselves?



Does it really only turn in one direction, though?

I hear that kind of talk a lot, usually about taxes and government programs. It seems incredibly depressing, for one thing. It's fundamentally saying that you can never win, just delay the inevitable loss.

Fortunately, it doesn't seem to be true, whether it's taxes or computers. Computers might be getting squeezed a bit now, but there have been far worse periods, followed by better. Go back in time to, I don't know, 1990. You want an OS for your PC? Sure, Windows or DOS? You want a wide-area network connection of some kind? We have a variety of choices for you, ranging from the local phone company to the local phone company, or even the local phone company.

Remember when you had to be careful never to tell the phone company that your second line was for dialup internet, because they'd charge you more if they found out you were going to use it with a modem? Remember when you had to worry that they'd figure it out anyway from your usage patterns, or that they'd just cut you off regardless because you were tying up a line for hours and hours every day?

I don't want to tell you not to fight. Certainly, there are plenty of problems right now, and it's well worth fighting. But we should realize that there are many ways that it can be and has been worse, and that the ratchet really does go both ways when people want it to.


I think my favorite example of things going the other way was when we more or less won the battle on export control laws which restricted the distribution of cryptography.


I momentarily forgot about that! You're right, though. Netscape International Edition, with 40-bit crypto for SSL. Good times.



This is both a comment on vulnerability research and a credible System Of A Down song lyric.


Yeah, it felt kinda trite writing it. I just haven't found a way to articulate the idea without asking myself "Oh, so you're still a teenager getting stoned every day thinking you have thoughts about things, how's that working out for you?" Edit: Maybe I should just lean into it and write a Phrack article. I'm sorry, that's a low blow; I enjoyed Phrack even when the writing style wasn't my speed.


I'll just note that the biggest "moneyed interests" in the technology industry have more or less waived most of their ammunition to stop research under the CFAA by posting public bug bounties. Not only have they made it much harder to sue researchers, but they also pay strangers to do it.


It makes me wonder who actually likes the CFAA the way it is. Does anybody? I don't see how it's helping anybody. Most of the actually malicious computer intrusions come from outside of U.S. jurisdiction. It's like trying to reduce child labor in China by increasing the breadth of the offense and severity of the penalties in Texas. The next thing you know nothing has changed in China but a father in Texas is facing felony charges for having his son stock shelves at the family business.

Who would actually oppose fixing that? Is it purely a lack of understanding the issue on the part of legislators?


The CFAA exists because during the 1980s, there was a concern that no existing statute would deter purely malicious attacks on systems, or any other attack that didn't fit the narrow definition of wire fraud.

I actually do not have a problem with the CFAA's statutory prohibitions on unauthorized access. They seem eminently sensible to me. Don't mess with systems that don't belong to you.

I do think the CFAA has a grave and dangerous flaw: I think its sentencing makes absolutely no sense. I generally do not believe that computer crimes should have sentences that scale with the iterator in a "for()" loop. In the cases where sentences could reasonably scale along with the magnitude of the attack, the meaningful scaling factor should (and I think typically does, in a sane reading of the law) come from some other crime charged along with CFAA.


I agree that significantly reducing the penalties under the CFAA would mitigate almost all of the damage it causes, but I don't see how that makes the language any better. It just limits the damage.

"Don't mess with systems that don't belong to you" worked much better in 1980 when typical computers cost a million dollars and were only expected to be used by the employees of the bank or government that owned them, because in that context you know you're authorized when you file a W2 and are issued a security badge.

Once you put systems on the internet for access by the general public it changes everything. "Mess with systems that don't belong to you" is practically the definition of The Cloud. The defining question is no longer who is authorized, because everybody is authorized, so the question becomes what everybody is authorized to do.

The problem is that nobody has any idea what that means in practice. All we can do is make some wild guesses -- maybe SQL injection against random servers of unsuspecting third parties is unauthorized access whereas typing "google.com" into a web browser without prior written permission from Google, Inc. is not. But what about changing your user agent string to Googlebot? What if that will bypass a paywall? What if that will bypass a paywall, but you're a web spider like the real Googlebot? What if you demonstrate a buffer overrun against the web host you use in order to prove their breach of a contract to keep the server patched? Can you charge a journalist for reading a company's internal documents when the company made its intranet server accessible to the internet without any authentication?

The answers to these questions depend primarily on which judge is deciding the case. Which is ridiculous, and the hallmark of a bad piece of legislation.


Well, the Weev case showed that accessing unsecured data that doesn't belong to you is punishable under the law.

He was released on appeal over a jurisdictional issue, not a statute or misapplication of the law.


> He was released on appeal over a jurisdictional issue, not a statute or misapplication of the law.

This is actually why we don't know anything from that case. District court rulings aren't binding on other courts and the appellate court apparently threw out the case without ruling on the CFAA, so there was no precedent created either way.

But if the appellate court had ruled the same way as the district court and created that precedent, I don't think you could reasonably describe that as an improvement in the CFAA situation.


Cory Doctorow's keynote at Chaos Communication Congress (2011) was about this trend. It's not technically feasible to make a Turing-complete system that only does things that the creator likes. All anti-virus and DRM systems are provably limited unless general-purpose computation is removed. https://www.youtube.com/watch?v=HUEvRyemKSg



