
Yeah, it felt kinda trite writing it. I just haven't found a way to articulate the idea without asking myself "Oh, so you're still a teenager getting stoned every day thinking you have thoughts about things, how's that working out for you?" Edit: Maybe I should just lean into it and write a phrack article. I'm sorry, that's a low blow, I enjoyed phrack even when the writing style wasn't my speed.



I'll just note that the biggest "moneyed interests" in the technology industry have more or less waived most of their ammunition to stop research under the CFAA by posting public bug bounties. Not only have they made it much harder to sue researchers, but they also pay strangers to do it.


It makes me wonder who actually likes the CFAA the way it is. Does anybody? I don't see how it's helping anybody. Most of the actually malicious computer intrusions come from outside of U.S. jurisdiction. It's like trying to reduce child labor in China by increasing the breadth of the offense and severity of the penalties in Texas. The next thing you know nothing has changed in China but a father in Texas is facing felony charges for having his son stock shelves at the family business.

Who would actually oppose fixing that? Is it purely a lack of understanding the issue on the part of legislators?


The CFAA exists because during the 1980s, there was a concern that no existing statute would deter purely malicious attacks on systems, or any other attack that didn't fit the narrow definition of wire fraud.

I actually do not have a problem with the CFAA's statutory prohibitions on unauthorized access. They seem eminently sensible to me. Don't mess with systems that don't belong to you.

I do think the CFAA has a grave and dangerous flaw: I think its sentencing makes absolutely no sense. I generally do not believe that computer crimes should have sentences that scale with the iterator in a "for()" loop. In the cases where sentences could reasonably scale along with the magnitude of the attack, the meaningful scaling factor should (and I think typically does, in a sane reading of the law) come from some other crime charged along with CFAA.


I agree that significantly reducing the penalties under the CFAA would mitigate almost all of the damage it causes, but I don't see how that makes the language any better. It just limits the damage.

"Don't mess with systems that don't belong to you" worked much better in 1980 when typical computers cost a million dollars and were only expected to be used by the employees of the bank or government that owned them, because in that context you know you're authorized when you file a W2 and are issued a security badge.

Once you put systems on the internet for access by the general public it changes everything. "Mess with systems that don't belong to you" is practically the definition of The Cloud. The defining question is no longer who is authorized, because everybody is authorized, so the question becomes what everybody is authorized to do.

The problem is that nobody has any idea what that means in practice. All we can do is make some wild guesses -- maybe SQL injection against random servers of unsuspecting third parties is unauthorized access whereas typing "google.com" into a web browser without prior written permission from Google, Inc. is not. But what about changing your useragent string to Googlebot? What if that will bypass a paywall? What if that will bypass a paywall, but you're a web spider like the real Googlebot? What if you demonstrate a buffer overrun against the web host you use in order to prove their breach of a contract to keep the server patched? Can you charge a journalist for reading a company's internal documents when the company made its intranet server accessible to the internet without any authentication?

The answers to these questions depend primarily on which judge is deciding the case. Which is ridiculous, and the hallmark of a bad piece of legislation.


Well, the Weev case showed that accessing unsecured data that doesn't belong to you is punishable under the law.

He was released on appeal over a jurisdictional issue, not a statute or misapplication of the law.


> He was released on appeal over a jurisdictional issue, not a statute or misapplication of the law.

This is actually why we don't know anything from that case. District court rulings aren't binding on other courts and the appellate court apparently threw out the case without ruling on the CFAA, so there was no precedent created either way.

But if the appellate court had ruled the same way as the district court and created that precedent, I don't think you could reasonably describe that as an improvement in the CFAA situation.



