Category Archives: Hacks

A tiny project

So last weekend I realized that the City of Minneapolis maintains a lot of email lists (I think you need to enter an email address to see them after following that link, but it’s quite a few). I was curious to learn more about what was on them, but there wasn’t an obvious way to read the archives of each mailing list. And I surely wasn’t going to sign up for over 100 mailing lists just to get a taste of what they were sending out.

So I made a new website and twitter account in order to get a better sense of what’s going on in the city. Each email sent out by the city to any of their mailing lists is published online in a new post, and a link to that post is tweeted out. Simple!

I apologize for the Geocities-esque aesthetics of the website, but the emails don’t use consistent HTML and my email parsing utility was pulling some crazy shenanigans with nesting and CSS, so this is the best I could make it look in about an hour’s worth of time. (I work in infosec, not web design.) Got a better idea? Tweet me or send an email.

Obviously in the future I’d love to have a calendar, and the ability to only see messages from one particular mailing list. Even better, I’ve asked the city to look into doing this for me. Hopefully the folks at GovDelivery can get this simple problem taken care of and increase online engagement between the City of Minneapolis and its residents.

Heartbleed and the Computer Fraud and Abuse Act

As the Heartbleed story broke last week, a number of individuals and security vendors released tools designed to test for the vulnerability.  One very popular tool was written and hosted by Filippo Valsorda.  Many systems administrators took advantage of this free tool in order to test the security of their own systems.

Tools that test for vulnerabilities make the internet more secure.  Consumers feel safer knowing their bank or email provider is not leaking sensitive information.  Similarly, websites which do not immediately patch their systems put their customers’ data at risk, and assessment tools allow this information to be known.  A publicly-available assessment tool allows anybody to test whether sites they rely on are properly protecting data.

But releasing these assessment tools to the public is problematic from a legal perspective.  Using a security assessment tool to test any site you don’t control is a violation of the Computer Fraud and Abuse Act (CFAA).

The CFAA amended 18 USC § 1030 to define crimes which occur due to computer misuse.  Multiple clauses of this law could be violated by scanning a website for vulnerabilities without prior authorization.  The Heartbleed bug allows an attacker to receive information located in a server’s memory just by asking for it, so the way to assess whether a particular server is secure is to ask for extra information and see whether the server provides it.  Subsection (a)(2)(C) of 18 USC § 1030 deals specifically with unauthorized access to information:

(a) Whoever —

(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—

(C) information from any protected computer;
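As an added illustration (not code from the post, nor OpenSSL’s own), the server-side record check whose absence made Heartbleed possible: a heartbeat handler modeled on the RFC 6520 record layout that refuses to echo more payload bytes than the request actually carried.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added example, not code from the post or from OpenSSL. It models the
 * RFC 6520 heartbeat record (1-byte type, 2-byte big-endian payload length,
 * payload, >=16 bytes padding) with the bounds check patched servers apply. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Build a heartbeat response for a received request record. Returns the
 * number of payload bytes echoed, or -1 if the record is malformed, which
 * includes the Heartbleed case: declared length > bytes actually carried. */
int heartbeat_reply(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return -1;
    /* Peer-supplied length: untrusted until checked against rec_len. */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    /* The check vulnerable OpenSSL lacked. Without it the memcpy below
     * would read past the record into adjacent server memory. */
    if (1 + 2 + declared + HB_MIN_PADDING > rec_len)
        return -1;
    if (out_cap < 1 + 2 + declared)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, declared); /* copies only bytes that exist */
    return (int)declared;
}

/* Constructed sample: well-formed request with a 4-byte "ping" payload. */
int demo_wellformed(void)
{
    uint8_t rec[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[32];
    int n = heartbeat_reply(rec, sizeof rec, out, sizeof out);
    return n == 4 && out[0] == HB_RESPONSE && memcmp(out + 3, "ping", 4) == 0;
}

/* Constructed sample: the same 23 bytes, but claiming a 16 KiB payload. */
int demo_overlong(void)
{
    uint8_t rec[23] = { HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g' };
    uint8_t out[32];
    return heartbeat_reply(rec, sizeof rec, out, sizeof out);
}
```

A patched server answers the first record and drops the second; an unpatched one would have answered both, the second with whatever followed the record in memory.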

What exactly is a “protected computer”? The CFAA defines the term in subsection (e)(2):

(e) As used in this section–

(2) the term “protected computer” means a computer–

(A) exclusively for the use of a financial institution or the United States Government, or, in the case of a computer not exclusively for such use, used by or for a financial institution or the United States Government and the conduct constituting the offense affects that use by or for the financial institution or the Government; or

(B) which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States;

(The growth of the internet, unforeseen when the CFAA was introduced in 1986, essentially means that a “protected computer” as defined above covers every internet-connected computer, as they are used in “interstate or foreign commerce or communication”.)

Of course, being charged under one section of the CFAA does not preclude being charged under additional sections.  Subsections (a)(5)(B) and (C) cover damage caused by anyone who:

(B) intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage;

(C) intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage and loss.

Section (b) of 18 USC § 1030 makes attempting or conspiring to commit unauthorized access a crime.  Use of a vulnerability assessment tool could be considered tantamount to “casing the joint” before actually committing the crime:

(b) Whoever conspires to commit or attempts to commit an offense under subsection (a) of this section shall be punished as provided in subsection (c) of this section.

The provisions of the CFAA were intended to fight crime, but they’ve made criminals out of every internet user who is concerned about security.  Criminalizing security research makes us all less safe – after all, how does anyone know who to trust without basic knowledge of security practices?

The inability of prosecutors to uniformly enforce this outdated law also creates a system of selective enforcement.  Since it’s impossible to punish everyone, a federal prosecutor can choose who they would like to charge under this law.  The technology community is painfully aware of what happens when overzealous prosecutors take the CFAA too far.

Part of this problem is symptomatic of a larger issue.  As it stands, it is currently impossible to count the number of federal crimes that could be committed:

“There is no one in the United States over the age of 18 who cannot be indicted for some federal crime,” said John Baker, a retired Louisiana State University law professor who has also tried counting the number of new federal crimes created in recent years. “That is not an exaggeration.”

There have been recent efforts to reform the CFAA.  A bill introduced by Zoe Lofgren would eliminate penalties for Terms of Service violations, such as using a friend’s Netflix account or joining a class-action lawsuit against Steam or Sony.  While these reforms are a step in the right direction, they do not go far enough to de-criminalize responsible online behavior.

Additional resources:
Prosecuting Computer Crimes Handbook
A Practitioner’s Guide to the CFAA
Cybercrimes & Misdemeanors

Best 30c3 videos

One of my favorite hacker conferences, the Chaos Communication Congress, has just ended.  The most famous talk so far was given by Jacob Appelbaum, who detailed the ways that the NSA can intercept communications.  It’s an interesting talk if you’re following the NSA scandal, and I recommend you watch it – and since it’s going to be freezing cold out tomorrow, what else are you going to do?

But there are some other wonderful talks to come out of this conference.  My personal favorite is called Seeing the Secret State: Six Landscapes.  An artist essentially attempts to “see” secrecy by tracking down the remnants that are still part of the non-secret world.

Another great talk is by Kurt Opsahl of the EFF, who details the NSA revelations and their relation to the law.  I try to follow this and keep all the codenames straight, and I still can’t do it, but this is a great one-hour overview.

Two security researchers look into how governments use third-party tools to monitor journalists and dissidents. This talk focuses on governments that are not the United States, and much of the research is firsthand.

If you want some historical context of how governments have always attempted to surveil their citizens, there are a couple of great talks that touch on the subject. The first is an analysis of surveillance and policing during the Romantic Age, and the second is an even broader look at how/why governments act the way they do – frequently to preserve their own power through technology. Both worth a watch.

Also, learn how national ID cards are used in China and how this impacts human rights: in a trial city of “only” 10 million, the cards contain information such as medical records and political history. (Funny how “human rights” is invoked when mass surveillance happens in another country, yet it’s necessary to “prevent terrorism” at home.)

There’s more that you should be watching, but the above talks are probably the most accessible for a non-technical audience.  If nothing else, check out Six Landscapes – fascinating stuff.

Atomic Energy Organization of Iran hacked again

Looks like someone was able to break into the AEOI again – not only doing untold damage, but also leaving an interesting calling card:

There was also some music playing randomly on several of the workstations during the middle of the night with the volume maxed out. I believe it was playing ‘Thunderstruck’ by AC/DC.

While at first it struck me as funny, it’s also interesting that a detail like that could lead to increased media exposure for this particular hack. I wouldn’t even be posting this story if it were anyone else, but I trust Mikko Hypponen not to be pulling a fast one on us…