We hit a milestone today as this is our 50th Podcast Episode! A big thank you to you, our listeners, for your continued support!

* Kali Linux Users Face Update Issues After Repository Signing Key Loss
* CISOs Advised to Secure Personal Protections Against Scapegoating and Whistleblowing Risks
* WhatsApp Launches Advanced Chat Privacy to Safeguard Sensitive Conversations
* Samsung Confirms Security Vulnerability in Galaxy Devices That Could Expose Passwords
* Former Disney Menu Manager Sentenced to 3 Years for Malicious System Attacks

Kali Linux Users Face Update Issues After Repository Signing Key Loss
https://www.kali.org/blog/new-kali-archive-signing-key/

Offensive Security has announced that Kali Linux users will need to manually install a new repository signing key following the loss of the previous key. Without this update, users will experience system update failures.

The company recently lost access to the old repository signing key (ED444FF07D8D0BF6) and had to create a new one (ED65462EC8D5E4C5), which has been signed by Kali Linux developers using signatures on the Ubuntu OpenPGP key server. OffSec emphasized that the key wasn't compromised, so the old one remains in the keyring.

Users attempting to update their systems with the old key will encounter error messages stating "Missing key 827C8569F2518CC677FECA1AED65462EC8D5E4C5, which is needed to verify signature."

To address this issue, the Kali Linux repository was frozen on February 18th. "In the coming day(s), pretty much every Kali system out there will fail to update," OffSec warned. "This is not only you, this is for everyone, and this is entirely our fault."

To avoid update failures, users are advised to manually download and install the new repository signing key by running the command:

sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg

For users unwilling to manually update the keyring, OffSec recommends reinstalling Kali using images that include the updated keyring.

This isn't the first time Kali Linux users have faced such issues. A similar incident occurred in February 2018 when developers allowed the GPG key to expire, also requiring manual updates from users.

CISOs Advised to Secure Personal Protections Against Scapegoating and Whistleblowing Risks
https://path.rsaconference.com/flow/rsac/us25/FullAgenda/page/catalog/session/1727392520218001o5wv
https://www.theregister.com/2025/04/28/ciso_rsa_whistleblowing/

Chief Information Security Officers should negotiate personal liability insurance and golden parachute agreements when starting new roles to protect themselves in case of organizational conflicts, according to a panel of security experts at the RSA Conference.

During a session on CISO whistleblowing, experienced security leaders shared cautionary tales and strategic advice for navigating the increasingly precarious position that has earned the role the nickname "chief scapegoat officer" in some organizations.

Dd Budiharto, former CISO at Marathon Oil and Phillips 66, revealed she was once fired for refusing to approve fraudulent invoices for work that wasn't delivered. "I'm proud to say I've been fired for not being willing to compromise my integrity," she stated. Despite losing her position, Budiharto chose not to pursue legal action against her former employer, a decision the panel unanimously supported as wise to avoid industry blacklisting.

Andrew Wilder, CISO of veterinarian network Vetcor, emphasized that security executives should insist on two critical insurance policies before accepting new positions: directors and officers insurance (D&O) and personal legal liability insurance (PLLI). "You want to have personal legal liability insurance that covers you, not while you are an officer of an organization, but after you leave the organization as well," Wilder advised.

Wilder referenced the case of former Uber CISO Joe Sullivan, noting that Sullivan's Uber-provided PLLI covered PR costs during his legal proceedings following a data breach cover-up. He also stressed the importance of negotiating severance packages to ensure whistleblowing decisions can be made on ethical rather than financial grounds.

The panelists agreed that thorough documentation is essential for CISOs. Herman Brown, CIO for San Francisco's District Attorney's Office, recommended documenting all conversations and decisions. "Email is a great form of documentation that doesn't just stand for 'electronic mail,' it also stands for 'evidential mail,'" he noted.

Security leaders were warned to be particularly careful about going to the press with complaints, which the panel suggested could result in even worse professional consequences than legal action. Similarly, Budiharto cautioned against trusting internal human resources departments or ethics panels, reminding attendees that HR ultimately works to protect the company, not individual employees.

The panel underscored that proper governance, documentation, and clear communication with leadership about shared security responsibilities are essential practices for CISOs navigating the complex political and ethical challenges of their role.

WhatsApp Launches Advanced Chat Privacy to Safeguard Sensitive Conversations
https://blog.whatsapp.com/introducing-advanced-chat-privacy

WhatsApp has rolled out a new "Advanced Chat Privacy" feature designed to provide users with enhanced protection for sensitive information shared in both private and group conversations.

The new privacy option, accessible by tapping on a chat name, aims to prevent the unauthorized extraction of media and conversation content. "Today we're introducing our latest layer for privacy called 'Advanced Chat Privacy.' This new setting available in both chats and groups helps prevent others from taking content outside of WhatsApp for when you may want extra privacy," WhatsApp announced in its release.

When enabled, the feature blocks other users from exporting chat histories, automatically downloading media to their devices, and using messages for AI features. According to WhatsApp, this ensures "everyone in the chat has greater confidence that no one can take what is being said outside the chat."

The company noted that this initial version is now available to all users who have updated to the latest version of the app, with plans to strengthen the feature with additional protections in the future. However, WhatsApp acknowledges that certain vulnerabilities remain, such as the possibility of someone photographing a conversation screen even when screenshots are blocked.

This latest privacy enhancement continues WhatsApp's long-standing commitment to user security, which began nearly seven years ago with the introduction of end-to-end encryption. The platform has steadily expanded its privacy capabilities since then, implementing end-to-end encrypted chat backups for iOS and Android in October 2021, followed by default disappearing messages for new chats in December of the same year.

More recent security updates include chat locking with password or fingerprint protection, a Secret Code feature to hide locked chats, and location hiding during calls by routing connections through WhatsApp's servers. Since October 2024, the platform has also encrypted contact databases for privacy-preserving synchronization.

Meta reported in early 2020 that WhatsApp serves more than two billion users across over 180 countries, making these privacy enhancements significant for a substantial portion of the global messaging community.

Samsung Confirms Security Vulnerability in Galaxy Devices That Could Expose Passwords
https://us.community.samsung.com/t5/Suggestions/Implement-Auto-Delete-Clipboard-History-to-Prevent-Sensitive/m-p/3200743

Samsung has acknowledged a significant security flaw in its Galaxy devices that potentially exposes user passwords and other sensitive information stored in the clipboard.

The issue was brought to light by a user identified as "OicitrapDraz" who posted concerns on Samsung's community forum on April 14. "I copy passwords from my password manager all the time," the user wrote. "How is it that Samsung's clipboard saves everything in plain text with no expiration? That's a huge security issue."

In response, Samsung confirmed the vulnerability, stating: "We understand your concerns regarding clipboard behavior and how it may affect sensitive content. Clipboard history in One UI is managed at the system level." The company added that the user's "suggestion for more control over clipboard data—such as auto-clear or exclusion options—has been noted and shared with the appropriate team for consideration."

One UI is Samsung's customized version of Android that runs on Galaxy smartphones and tablets. The security flaw means that sensitive information copied to the clipboard remains accessible in plain text without any automatic expiration or encryption.

As a temporary solution, Samsung recommended that users "manually clear clipboard history when needed and use secure input methods for sensitive information." This stopgap measure puts the burden of security on users rather than providing a system-level fix.

Security experts are particularly concerned now that this vulnerability has been publicly acknowledged, as it creates a potential "clipboard wormhole" that attackers could exploit to access passwords and other confidential information on affected devices. Users of Samsung Galaxy devices are advised to exercise extreme caution when copying sensitive information until a more comprehensive solution is implemented.

Former Disney Menu Manager Sentenced to 3 Years for Malicious System Attacks
https://www.theregister.com/2025/04/29/former_disney_employee_jailed/

A former Disney employee has received a 36-month prison sentence and been ordered to pay nearly $688,000 in fines after pleading guilty to sabotaging the entertainment giant's restaurant menu systems following his termination.

Michael Scheuer, a Winter Garden, Florida resident who previously served as Disney's Menu Production Manager, was arrested in October and charged with violating the Computer Fraud and Abuse Act (CFAA) and committing aggravated identity theft. He accepted a plea agreement in January, with sentencing finalized last week in federal court in Orlando.

According to court documents, Scheuer's June 13, 2024 termination from Disney for misconduct was described as "contentious and not amicable." In July, he retaliated by making unauthorized access to Disney's Menu Creator application, hosted by a third-party vendor in Minnesota, and implementing various destructive changes.

The attacks included replacing Disney's themed fonts with Wingdings, rendering menus unreadable, and altering menu images and background files to display as blank white pages. These changes propagated throughout the database, making the Menu Creator system inoperable for one to two weeks. The damage was so severe that Disney has since abandoned the application entirely.

Particularly concerning were Scheuer's alterations to allergen information, falsely indicating certain menu items were safe for people with specific allergies—changes that "could have had fatal consequences depending on the type and severity of a customer's allergy," according to the plea agreement. He also modified wine region labels to reference locations of mass shootings, added swastika graphics, and altered QR codes to direct customers to a website promoting a boycott of Israel.

Scheuer employed multiple methods to conduct his attacks, including using an administrative account via a Mullvad VPN, exploiting a URL-based contractor access mechanism, and targeting SFTP servers that stored menu files. He also conducted denial of service attacks that made over 100,000 incorrect login attempts, locking out fourteen Disney employees from their enterprise accounts.

The FBI executed a search warrant at Scheuer's residence on September 23, 2024, at which point the attacks immediately ceased. Agents discovered virtual machines used for the attacks and a "doxxing file" containing personal information on five Disney employees and a family member of one worker.

Following his prison term, Scheuer will undergo three years of supervised release with various conditions, including a prohibition on contacting Disney or any of the individual victims.

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit edwinkwan.substack.com
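A defender-side check around the keyring replacement described in the Kali story earlier in this episode, added here as an example and not taken from the Kali announcement or from the podcast: rather than writing the download straight into /usr/share/keyrings, it fetches the keyring to a temporary file, confirms with gpg that the file actually contains the key whose fingerprint the apt error message quotes (827C8569F2518CC677FECA1AED65462EC8D5E4C5, the new key ED65462EC8D5E4C5), and only then installs it at the path from the announcement's wget command. It assumes gpg 2.2 or later (for --show-keys) and wget are available; the function names and the KALI_KEYRING_INSTALL switch are this example's own, not anything Kali ships.

```shell
#!/bin/sh
# Added example: verify a downloaded Kali archive keyring against the published
# fingerprint before installing it. Not part of the Kali announcement.
# Assumptions: gpg >= 2.2 (for --show-keys) and wget are installed; URL, install
# path and fingerprint are the values quoted in the announcement summary above.

KEYRING_URL="https://archive.kali.org/archive-keyring.gpg"
KEYRING_DEST="/usr/share/keyrings/kali-archive-keyring.gpg"
# Full fingerprint of the new signing key ED65462EC8D5E4C5, as quoted by apt.
EXPECTED_FPR="827C8569F2518CC677FECA1AED65462EC8D5E4C5"

# normalize_fpr STRING: drop spaces and upper-case hex digits, so a fingerprint
# copied from a web page ("827c 8569 ...") compares equal to gpg's compact form.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# fingerprint_matches EXPECTED ACTUAL: exit 0 if both name the same key.
fingerprint_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# keyring_contains_fpr KEYRING_FILE EXPECTED: exit 0 if some key in the file has
# the expected fingerprint. gpg's colon-separated output carries fingerprints in
# "fpr" records, with the hex string in field 10.
keyring_contains_fpr() {
    want=$(normalize_fpr "$2")
    gpg --show-keys --with-colons --with-fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }' \
        | grep -qx "$want"
}

# verify_and_install_keyring: download, verify, then install (root needed for the
# final copy, hence sudo, as in the announcement's own command).
verify_and_install_keyring() {
    tmp=$(mktemp) || return 1
    if ! wget -q "$KEYRING_URL" -O "$tmp"; then
        echo "download of $KEYRING_URL failed" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! keyring_contains_fpr "$tmp" "$EXPECTED_FPR"; then
        echo "refusing to install: keyring does not contain $EXPECTED_FPR" >&2
        rm -f "$tmp"
        return 1
    fi
    sudo install -m 0644 "$tmp" "$KEYRING_DEST" && rm -f "$tmp"
}

# The network/install step runs only when explicitly requested, so the helper
# functions can be sourced and exercised without touching the system:
#   KALI_KEYRING_INSTALL=1 sh verify-kali-keyring.sh
if [ "${KALI_KEYRING_INSTALL:-0}" = "1" ]; then
    verify_and_install_keyring
fi
```

The point of the temporary file is that a failed or tampered download never replaces the keyring apt is already using; the old key is still present there, so a system that has not yet updated loses nothing by refusing a bad file.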
Nicholas Carlini from Google DeepMind offers his view of AI security, emergent LLM capabilities, and his groundbreaking model-stealing research. He reveals how LLMs can unexpectedly excel at tasks like chess and discusses the security pitfalls of LLM-generated code.

SPONSOR MESSAGES:
***
CentML offers competitive pricing for GenAI model deployment, with flexible options to suit a wide range of models, from small to large-scale deployments. https://centml.ai/pricing/

Tufa AI Labs is a brand new research lab in Zurich started by Benjamin Crouzier focussed on o-series style reasoning and AGI. Are you interested in working on reasoning, or getting involved in their events? Go to https://tufalabs.ai/
***

Transcript: https://www.dropbox.com/scl/fi/lat7sfyd4k3g5k9crjpbf/CARLINI.pdf?rlkey=b7kcqbvau17uw6rksbr8ccd8v&dl=0

TOC:
1. ML Security Fundamentals
[00:00:00] 1.1 ML Model Reasoning and Security Fundamentals
[00:03:04] 1.2 ML Security Vulnerabilities and System Design
[00:08:22] 1.3 LLM Chess Capabilities and Emergent Behavior
[00:13:20] 1.4 Model Training, RLHF, and Calibration Effects
2. Model Evaluation and Research Methods
[00:19:40] 2.1 Model Reasoning and Evaluation Metrics
[00:24:37] 2.2 Security Research Philosophy and Methodology
[00:27:50] 2.3 Security Disclosure Norms and Community Differences
3. LLM Applications and Best Practices
[00:44:29] 3.1 Practical LLM Applications and Productivity Gains
[00:49:51] 3.2 Effective LLM Usage and Prompting Strategies
[00:53:03] 3.3 Security Vulnerabilities in LLM-Generated Code
4. Advanced LLM Research and Architecture
[00:59:13] 4.1 LLM Code Generation Performance and O(1) Labs Experience
[01:03:31] 4.2 Adaptation Patterns and Benchmarking Challenges
[01:10:10] 4.3 Model Stealing Research and Production LLM Architecture Extraction

REFS:
[00:01:15] Nicholas Carlini's personal website & research profile (Google DeepMind, ML security) - https://nicholas.carlini.com/
[00:01:50] CentML AI compute platform for language model workloads - https://centml.ai/
[00:04:30] Seminal paper on neural network robustness against adversarial examples (Carlini & Wagner, 2016) - https://arxiv.org/abs/1608.04644
[00:05:20] Computer Fraud and Abuse Act (CFAA) – primary U.S. federal law on computer hacking liability - https://www.justice.gov/jm/jm-9-48000-computer-fraud
[00:08:30] Blog post: Emergent chess capabilities in GPT-3.5-turbo-instruct (Nicholas Carlini, Sept 2023) - https://nicholas.carlini.com/writing/2023/chess-llm.html
[00:16:10] Paper: "Self-Play Preference Optimization for Language Model Alignment" (Yue Wu et al., 2024) - https://arxiv.org/abs/2405.00675
[00:18:00] GPT-4 Technical Report: development, capabilities, and calibration analysis - https://arxiv.org/abs/2303.08774
[00:22:40] Historical shift from descriptive to algebraic chess notation (FIDE) - https://en.wikipedia.org/wiki/Descriptive_notation
[00:23:55] Analysis of distribution shift in ML (Hendrycks et al.) - https://arxiv.org/abs/2006.16241
[00:27:40] Nicholas Carlini's essay "Why I Attack" (June 2024) – motivations for security research - https://nicholas.carlini.com/writing/2024/why-i-attack.html
[00:34:05] Google Project Zero's 90-day vulnerability disclosure policy - https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html
[00:51:15] Evolution of Google search syntax & user behavior (Daniel M. Russell) - https://www.amazon.com/Joy-Search-Google-Master-Information/dp/0262042878
[01:04:05] Rust's ownership & borrowing system for memory safety - https://doc.rust-lang.org/book/ch04-00-understanding-ownership.html
[01:10:05] Paper: "Stealing Part of a Production Language Model" (Carlini et al., March 2024) – extraction attacks on ChatGPT, PaLM-2 - https://arxiv.org/abs/2403.06634
[01:10:55] First model stealing paper (Tramèr et al., 2016) – attacking ML APIs via prediction - https://arxiv.org/abs/1609.02943
How does understanding the legal landscape in cybersecurity elevate your professional game? Join us on this episode of the CISSP Cyber Training Podcast as we unpack the complexities of civil, criminal, administrative, and contractual law. Learn how each legal category influences risk assessments, organizational policies, and legal prosecutions. We'll guide you through the nuances of civil law's role in resolving non-criminal disputes, the severe implications of criminal law, and the critical importance of maintaining proper logs for legal conformance.

Discover why precise contractual language is essential for protecting your organization in the event of a data breach. We delve into the importance of collaborating with legal experts when drafting contracts and examine key intellectual property areas like trademarks, patents, and trade secrets. Protect your brand from domain name scams and safeguard valuable business information from impersonation and counterfeiting with practical steps and real-world examples.

Finally, we delve into the pivotal laws that shape cybersecurity practices today. From the Computer Fraud and Abuse Act (CFAA) to the Electronic Communications Privacy Act (ECPA), understand how these laws aid in prosecuting unauthorized access and fraudulent activities. Explore the significance of the Economic Espionage Act, the Electronic Funds Transfer Act, and the UK GDPR in modern transactions and international business operations. Don't miss this comprehensive episode packed with invaluable insights for your CISSP preparation and professional growth in the cybersecurity field.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and signing up to join the team for free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!
Stanford's Evelyn Douek and Alex Stamos weigh in on the latest online trust and safety news and developments:

X-Twitter Corner

Twitter followed through on its threat to sue the Center for Countering Digital Hate (CCDH). The rationale has changed from a violation of the Lanham Act, a federal trademark statute, to a breach of contract and violations of the Computer Fraud and Abuse Act (CFAA). It's still a bad idea and not at all free-speechy. - Bryan Pietsch/ The Washington Post

But in a pleasant surprise, X appealed an Indian court ruling that it was not compliant with federal government orders to remove political content, arguing it could embolden New Delhi to block more content and broaden the scope of censorship. Does Musk know about this? - Aditya Kalra, Arpan Chaturvedi, Munsif Vengattil/ Reuters

Meanwhile, Apple removed Meduza's flagship news podcast, "What Happened," from Apple Podcasts and then reinstated it two days later without explaining… what happened. - Meduza

Earlier this summer, the Russian state censorship authority asked Apple to block the Latvian-based, independent Russian- and English-language news outlet's show.

About a month ago, the Oversight Board told Meta to suspend Cambodian Prime Minister Hun Sen from Facebook and Instagram. He originally threatened to leave the platform altogether, but instead is back and posting. Meta has three more weeks until the deadline to respond to the Board's recommendation. (Shoutout to Rest of World for being one of the only outlets covering this!) - Danielle Keeton-Olsen, Sreynat Sarum/ Rest of World

TikTok announced a number of new measures that it is rolling out in the EU to comply with the Digital Services Act, which comes into effect for major platforms at the end of the month. Especially ironic in light of our discussion last week, one of the measures is a chronological feed. - Natasha Lomas/ TechCrunch, TikTok

Google said demand for its free Perspective API has skyrocketed as large language model builders are using it as a solution for content moderation. But Perspective is a blunt tool with documented issues, including high false-positives and bias, and a lack of context that can be easily fooled by adversarial users. (Shoutout to Yoel Roth for skeeting about this on Bluesky) - Alex Pasternack/ Fast Company, @yoyoel.com

This is scary: A lawsuit brought by the adult entertainment industry group Free Speech Coalition (FSC) against the state of Utah to stop enforcement of a new state law requiring age verification to access adult websites was dismissed. - Sam Metz/ Associated Press

The court held that the law can't be challenged and paused with an injunction before it goes into effect because it's not enforced by the government, but with private lawsuits. Not only that, but the court said the group can't raise the constitutional arguments it made against the law until a resident uses it to file a lawsuit. This has to be wrong as a matter of First Amendment law, which is usually very concerned about chilling effects. FSC appealed the ruling, so we'll have to wait and see. If this survives, it will be a scary loophole to First Amendment scrutiny.

Sports Corner

Aussie Aussie Aussie! Oi Oi Oi! The Matildas are through to the Women's World Cup quarter finals with a 2-0 win over Denmark and Sam Kerr's return to the pitch for the final 10 minutes of play. - Jon Healy, Simon Smale/ ABC News (Australia)

We send our commiserations to the U.S. Women's team for bowing out of the World Cup in the worst possible way. Hold your head up high, Megan Rapinoe, you've left an indelible mark on the sport and U.S. women's athletics! - Issy Ronald/ CNN

Stanford Athletics is in rare company, but not the kind you want to be in. All but three other teams will leave the Pac-12 as the historic college athletics conference faces an uncertain future. - John Marshall/ Associated Press

Join the conversation and connect with Evelyn and Alex on Twitter at @evelyndouek and @alexstamos.

Moderated Content is produced in partnership by Stanford Law School and the Cyber Policy Center. Special thanks to John Perrino for research and editorial assistance.

Like what you heard? Don't forget to subscribe and share the podcast with friends!
The Justice Department recently announced the issuance of a revised internal policy for charging cases brought under the Computer Fraud and Abuse Act (CFAA), our nation's main computer crime statute. This revised policy was issued in the wake of the Supreme Court case of United States v. Van Buren, which held that the CFAA's "exceeds authorized access" provision does not cover those who have improper motives for obtaining information that is otherwise available to them. Additionally, the new DOJ policy for the first time directs federal prosecutors that good-faith security research should not be charged under the CFAA, but also acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith.

Does the new DOJ charging policy strike a reasonable balance between privacy and law enforcement interests? Do its protections for security research go far enough, or do they extend too far? In the wake of Van Buren and this policy, does the federal government have adequate tools to address insider threats, especially where such threats are focused on invasions of privacy and confidentiality instead of being motivated by financial gain?

Join us as our panel of experts breaks down these questions.

Featuring:
-- Prof. Orin Kerr, William G. Simon Professor of Law, University of California, Berkeley School of Law
-- Prof. Michael Levy, Adjunct Professor of Law, Penn Carey Law, University of Pennsylvania
-- [Moderator] John Richter, Partner, King & Spalding
Elizabeth Wharton spoke to us about laws, computers, cybersecurity, and funding education in rural communities. She is a strong proponent of privacy by design and de-identification by default. Liz (@LawyerLiz) is the VP of Operations at Scythe.io (@scythe_io), a company that works in cybersecurity. She won the Cybersecurity or Privacy Woman Law Professional of the Year for 2022 at DefCon. Liz is on the advisory board of the Rural Tech Fund (@ruraltechfund) which strives to reduce the digital divide between rural and urban areas. We mentioned disclose.io and the Computer Fraud and Abuse Act (CFAA, wiki). Transcript
Modern smartphones have a potentially life-saving feature called "SOS" or "Emergency" mode that can give first responders critical medical information and automatically dial your country's emergency phone number. It can report your location and even notify selected contacts. In today's show, I'll share a story from one woman who believes this mode saved her life. It's easy to use and set up, but it won't do you any good if you don't know about it. I'll tell you everything you need to know. In other news: Clearview AI is looking to expand its services to schools, banks and other institutions that wish to authenticate people; MasterCard is launching a new facial recognition system that will allow users to pay "with a smile"; the US Department of Justice has finally issued long-overdue guidance on common sense limitations for prosecuting security researchers and regular people who might run afoul of the tragically over-broad Computer Fraud and Abuse Act (CFAA); Twitter has been fined and Google has been sued for abusing customer data; local governments forced children to use EdTech software that surreptitiously harvested their data and fed them behavior-based ads; DuckDuckGo is in damage control over reports that it isn't blocking some Microsoft web tracking due to an agreement which they legally can't discuss; there's a new Wells Fargo phishing campaign going around which seeks to gather tons of data that would easily enable identity thefts; and a security researcher has found a bug with the OAuth single-sign on functionality used by Facebook. 
Article Links

[Gizmodo] Clearview AI Says It's Bringing Facial Recognition to Schools https://gizmodo.com/clearview-ai-facial-recognition-privacy-1848975528
[The Guardian] Mastercard launches 'smile to pay' system amid privacy concerns https://www.theguardian.com/technology/2022/may/17/mastercard-launches-smile-to-pay-amid-privacy-concerns
[The Verge] Justice Department pledges not to charge security researchers with hacking crimes https://www.theverge.com/2022/5/19/23130910/justice-department-cfaa-hacking-law-guideline-limits-security-research
[NPR] Twitter agrees to pay $150 million after FTC, DOJ accuse company of mishandling data https://www.npr.org/2022/05/25/1101275323/twitter-privacy-settlement-doj-ftc
[None] Governments Harm Children's Rights in Online Learning https://www.hrw.org/news/2022/05/25/governments-harm-childrens-rights-online-learning
[Review Geek] DuckDuckGo Isn't as Private as You Thought https://www.reviewgeek.com/118915/duckduckgo-isnt-as-private-as-you-thought/
[Sky] Google sued for using the NHS data of 1.6 million Brits 'without their knowledge or consent' https://news.sky.com/story/google-sued-for-using-the-nhs-data-of-1-6-million-brits-without-their-knowledge-or-consent-12614525
[None] Bank phishing and identity theft https://usa.kaspersky.com/blog/wells-fargo-phishing-identity-theft/26473/
[Forbes] Security Warning For Facebook Users Who Login With Gmail OAuth Code https://www.forbes.com/sites/gordonkelly/2022/05/21/google-gmail-security-facebook-oauth-login-warning/
[9to5mac.com] iPhone SOS credited with saving woman during assault attempt – Here's how to set it up https://9to5mac.com/2022/05/24/iphone-sos-how-to-set-it-up/

Set up Emergency mode, Apple iPhone: https://support.apple.com/en-us/HT208076
Set up Emergency mode, Google Pixel: https://support.google.com/pixelphone/answer/7055029
Set up Emergency mode, Samsung Galaxy: https://www.samsung.com/us/support/answer/ANS00050849/

Further Info

Get your Dragon Challenge Coin!! https://firewallsdontstopdragons.com/return-of-the-dragon-coins/
Generate secure passphrases! https://d20key.com/#/
Amulet of Entropy teaser #2: https://twitter.com/HackerBoxes/status/1530341605567242240?s=20&t=OWW931j-mZk8cMRc6yp9bA
Stop Using "Sign in with": https://firewallsdontstopdragons.com/stop-using-sign-in-with/
EFF on facial recognition technology: https://www.eff.org/deeplinks/2021/10/face-recognition-isnt-just-face-ide...
Scraping data from public websites is legal. That’s the upshot of a decision by the Ninth Circuit Court of Appeals earlier this week. LinkedIn had taken a case against data analytics company hiQ, arguing it was illegal for hiQ to “scrape” users’ profile data to analyze employee turnover rates under the federal Computer Fraud and Abuse Act (CFAA). Tiffany Li, a technology attorney and professor of law at the University of New Hampshire, joins our host Meghan McCarty Carino to talk about how the CFAA fits into today’s world.
Join us for a live chat as hosts Cindy and Danny speak with cybersecurity expert Tarah Wheeler on Thursday Dec 9th at 2pm PT. They will continue the conversation that started on this episode of the podcast, exploring how we can incentivize computer security and fix computer crime laws: https://www.eff.org/tarahchat

======================

There are flaws in the tech we use every day, from little software glitches to big data breaches, and security researchers often know about them before we do. Getting those issues fixed is not always as straightforward as it should be. It's not always easy to bend a corporation's ear, and companies may ignore the threat for liability reasons, putting us all at risk. Technology and cybersecurity expert Tarah Wheeler joins Cindy Cohn and Danny O'Brien to explain how she thinks security experts can help build a more secure internet.

On this episode, you'll learn:
About the human impact of security vulnerabilities, and how unpatched flaws can change or even end lives;
How to reconsider the popular conception of hackers, and understand their role in helping build a more secure digital world;
How the Computer Fraud and Abuse Act (CFAA), a law that is supposed to punish computer intrusion, has been written so broadly that it now stifles security researchers;
What we can learn from the culture around airplane safety regulation, including transparency and blameless post-mortems;
How we can align incentives, including financial incentives, to improve vulnerability reporting and response;
How the Supreme Court case Van Buren helped security researchers by ensuring that the CFAA couldn't be used to prosecute someone for merely violating the terms of service of a website or application;
How a better future would involve more collaboration and transparency among both companies and security researchers.

This podcast is supported by the Alfred P. Sloan Foundation's Program in Public Understanding of Science and Technology.

Resources

Consumer Data Privacy:
Equifax Data Breach Update: Backsliding (EFF)
EFF's Recommendations for Consumer Data Privacy Laws (EFF)
Strengthen California's Next Consumer Data Privacy Initiative (EFF)

Ransomware:
A Hospital Hit by Hackers, a Baby in Distress: The Case of the First Alleged Ransomware Death (WSJ)
FAQ: DarkSide Ransomware Group and Colonial Pipeline (EFF)

Computer Fraud and Abuse Act (CFAA):
CFAA and Security Researchers (EFF)
Van Buren is a Victory Against Overbroad Interpretations of the CFAA, and Protects Security Researchers (EFF)
Van Buren v. United States (SCOTUS)
EFF CFAA Revisions – Penalties and Access (EFF)
Computer Fraud and Abuse Act and Reform (EFF)

Electoral Security:
Election Security (EFF)

This work is licensed under a Creative Commons Attribution 4.0 International License. Additional music is used under Creative Commons licence from CCMixter and includes:

Warm Vacuum Tube by Admiral Bob (c) copyright 2019. Licensed under a Creative Commons Attribution (3.0) license. http://dig.ccmixter.org/files/admiralbob77/59533 Ft: starfrosch
Come Inside by Snowflake (c) copyright 2019. Licensed under a Creative Commons Attribution (3.0) license. http://dig.ccmixter.org/files/snowflake/59564 Ft: Starfrosch, Jerry Spoon, Kara Square, spinningmerkaba
Drops of H2O ( The Filtered Water Treatment ) by J.Lang (c) copyright 2012. Licensed under a Creative Commons Attribution (3.0) license. http://dig.ccmixter.org/files/djlang59/37792 Ft: Airtone
reCreation by airtone (c) copyright 2019. Licensed under a Creative Commons Attribution (3.0) license. http://dig.ccmixter.org/files/airtone/59721
Van Buren v United States (2021) was a United States Supreme Court case dealing with the Computer Fraud and Abuse Act (CFAA) and its definition of "exceeds authorized access" in relation to one intentionally accessing a computer system they have authorization to access. In June 2021, the Supreme Court ruled in a 6–3 opinion that one "exceeds authorized access" by accessing off-limit files and other information on a computer system they were otherwise authorized to access. The CFAA's language had long created a circuit split in case law, and the Court's decision narrowed the applicability of CFAA in prosecuting cybersecurity and computer crime.

Background

The Computer Fraud and Abuse Act (CFAA) is a federal law passed in 1986 to strengthen laws around unauthorized access to computer systems. The law was passed partially based on fears from Congress members who saw the 1983 film WarGames. Among its core statutes at 18 U.S.C. § 1030(a)(2) is that intentionally accessing a computer system "without authorization or exceeds authorized access" to obtain protected information, financial records, or federal government information is considered a federal crime that can include fines and imprisonment as a penalty. The exact definition of "exceeds authorized access" is not clear and created a 4–3 circuit split of cases at the Circuit Courts. In the First, Fifth, Seventh, and Eleventh Circuits, the courts upheld a broad view of the statement, that accessing a computer with authorization but for an improper purpose is a violation of the CFAA. The Second, Fourth, and Ninth Circuits took a more narrow view that a violation only occurs if the authorized user accesses information they were prohibited from accessing. Because of the case law split, there has been debate on whether the language should be treated narrowly or broadly between cybersecurity researchers and law enforcement among others.
For cybersecurity practitioners, a narrow interpretation of the "exceeds authorized access" language in §1030(a)(2) would allow them to better conduct work identifying and resolving security problems with computer hardware and software so as to make the Internet safer. The vagueness of the statute otherwise puts these job functions at risk. Law enforcement and the U.S. government in general prefer a broader interpretation, as this allows them to prosecute those who use hacking to bring down or take advantage of insecure systems under the CFAA. There are additional concerns that the language of the CFAA, if broadly interpreted, could apply to commonly accepted activities at businesses or elsewhere, such as using office computers for browsing the web. Jeffrey L. Fisher, a law professor at Stanford University who represents the petitioner in the present case, states that the law's language is outdated with modern computer usage, and its broad interpretation " a crime out of ordinary breaches of computer restrictions and terms of service that people likely don't even know about and if they did would have no reason to think would be a federal crime."

---
This episode is sponsored by · Anchor: The easiest way to make a podcast. https://anchor.fm/app
Roger Grimes is an industry expert and the Data Driven Defense Evangelist for KnowBe4. In this episode, Roger weighs in on how the Computer Fraud and Abuse Act (CFAA) discourages white hat hackers from doing innocuous or beneficial security research because of their fear of liability, one ransomware gang's opposition to police and negotiators, and more. KnowBe4 is the world's first and largest New-school security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. To learn more about our sponsor, KnowBe4, visit https://knowbe4.com
Why the Computer Fraud and Abuse Act (CFAA) is ruining hacks for good.
_______________________
Guest: John Jackson (on Twitter)
Let me introduce you to Tor Ekeland, the federal criminal defence attorney who fights for hacker justice in the US. We started our conversation from the time Tor moved from his routine and not-so-exciting role as a Corporate Lawyer to what was – evidently – his true calling: becoming a criminal defence lawyer representing defendants on trial.

The joys of US Computer Law

Tor is one of the few lawyers the press turns to when in need of a commentary on internet law and all of its associated impacts, given his experience in technology law, Intellectual Property rights and regulatory frameworks. We discussed the relation between cyber and law in depth, starting from the Bill of Rights' role in protecting citizens' privacy by limiting government intrusion to a critical analysis of the US Computer Fraud and Abuse Act – CFAA – and its unveiled misuse. We negotiated the tough terrain of the Computer Law mandate and its ongoing pressure on common and criminal laws. To conclude our chat on the “fairness” of justice – and on the US Criminal Justice system in particular – we took into account the power of information control, the influencing role of social media, the first steps towards stronger data protection accountability – think GDPR – and the controversial issue of online web search reading and storage – talk about privacy.

An overview of Tor's intriguing and multifaceted cases

Over the course of his remarkable career, Tor has managed to follow some of the most complex and controversial cases in the history of computer criminal law, and he was more than willing to share some first-hand details with us. We examined the case of Lauri Love in all its intricacy and complexity. The case was of an alleged UK hacker risking extradition for alleged intrusions into US government and federal agency computers to steal massive quantities of confidential data, thus violating the CFAA.
We then moved on to the Aaron Swartz case, which made history for the disproportionality of its prosecution and its tragic end. In fact, Swartz, a true PC pioneer, innovator and Internet hacktivist, was charged with 11 CFAA violations and state breaking-and-entering charges, leading to a major political protest against the US Department of Justice after the suspect's heart-breaking suicide on the trial's eve. Finally, we discussed some of the cases Tor is currently working on, including Daniel Hale's “Theft of government property” felony charge under the Espionage Act, pointing to his unauthorised access of a protected PC from which secret data concerning the US military and attack strategies were allegedly leaked to press sources. To discover how these cases ended up and more about Tor's experience in this field, tune in and perhaps ponder this question: what constitutes a felony charge, and how should the law meet the rapidly changing environment of our time?

The Secure in Mind Project

Our mission is to greatly increase and encourage community discussion about technological and ethical issues that have impacted, are impacting and will impact society on a global scale. There is a longstanding and distinct disconnect between the way information is packaged and presented to the public and the effectiveness of this presentation in terms of generating informed, considered debate. If we can take complex, important topics and present them, as best we can, in a manner that interests people from outside the speciality, then we have surpassed our expectations.

Nick Kelly Bio

Nick is someone who, in many senses, is just like you: a human being trying to make sense of this existence of ours as we hurtle around a ball of gas in a sea of infinite eternity.
More relevant though are his vacillations in the world amongst diverse countries and environments, collaborating, negotiating, elaborating and celebrating with fascinating people from all walks of life including politics, technology, activism, military and intelligence the world over. He brings this unique breadth of perspective to the table and has a dogged interest in pursuing the human story behind the title or policy, appreciating the fact that underneath all of our bravado, political correctness and dichotomous states of creation and destruction, we are, after all, merely mortals trying to make the best of it.
This week, our co-host, Priya Chaudry will enlighten us on several other topics of interest to our community. There might be a mention of Solarwinds, Southwest Airlines, HIQ Labs, and more! We welcome our resident legal expert and co-host Priya Chaudry to catch us up on the status of the Supreme Court case concerning the Computer Fraud and Abuse Act (CFAA) and some other legal topics. Show Notes: https://securityweekly.com/scw61 Visit https://www.securityweekly.com/scw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly
We welcome our resident legal expert and co-host Priya Chaudry to catch us up on the status of the Supreme Court case concerning the Computer Fraud and Abuse Act (CFAA) and some other legal topics. Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://securityweekly.com/scw61
Welcome back to the Politics of Prosecution Podcast! This podcast examines the interaction between politics, broadly defined, and criminal prosecution on the local, state and federal levels. Our goal is to produce a variety of shows using different media. The podcast's first series is created and produced by students in High Point University's Honors Program. They will look at a variety of issues raised by ongoing events. In the twenty-third episode of the first series, the hosts introduce the Computer Fraud and Abuse Act (CFAA) in a discussion of how malleable laws increase prosecutorial discretion and power. The hosts examine prior court cases where the CFAA was charged, including United States v Rodriguez (2010), John v United States (2013), United States v Valle (2015), and United States v Nosal (2017). Additionally, the hosts analyze the possible outcomes and implications of Van Buren v United States, the first case involving the CFAA that will go before the Supreme Court. Finally, the hosts consider how the CFAA can be improved and how the CFAA could limit prosecutorial discretion.
The resources used for reference in this episode include:
https://academic.oup.com/jpart/advance-article/doi/10.1093/jopart/muaa017/5837923
https://doi.org/10.1093/sf/77.3.1163
https://law.unc.edu/wp-content/uploads/2020/01/National-Study-Prosecutor-Elections-2020.pdf
https://lawreview.law.ucdavis.edu/online/vol50/Sklansky.pdf
https://newsinteractive.post-gazette.com/thedigs/2014/10/13/anne-alpern-first-woman-on-pennsylvanias-high-court/
https://www.acslaw.org/event/progressive-prosecution-and-the-carceral-state/#:~:text=Proponents%20of%20%E2%80%9Cprogressive%20prosecution%E2%80%9D%20commonly,limiting%20the%20number%20of%20people
https://www.fairvote.org/voter_turnout#measuring_voter_turnout
https://www.pewresearch.org/fact-tank/2019/05/03/in-year-of-record-midterm-turnout-women-continued-to-vote-at-higher-rates-than-men/
https://www.prisonpolicy.org/reports/pie2020.html
https://www.themarshallproject.org/2020/01/16/facing-intimidation-black-women-prosecutors-say-enough
https://www.law.cornell.edu/uscode/text/18/1030
https://www.nacdl.org/Landing/ComputerFraudandAbuseAct
https://caselaw.findlaw.com/us-11th-circuit/1549806.html
https://www.eff.org/cases/van-buren-v-united-states
https://www.supremecourt.gov/DocketPDF/19/19-783/146727/20200701130402295_19-783BriefForPetitioner.pdf
https://www.scotusblog.com/wp-content/uploads/2017/06/16-1344-Nosal-petition.pdf
https://en.wikipedia.org/wiki/United_States_v._John_(2010)
https://caselaw.findlaw.com/us-2nd-circuit/1719750.html

A special thank you goes to HPU's Media Services Librarian Josh Harris for allowing us to use his outstanding recording equipment. Taylor Cunningham performed the editing this week. If you have any comments, questions, concerns, or criticisms, please contact us via:
Twitter: @Poli_Pros
Instagram: Poli.n.Pros
poli.n.pros@gmail.com
More episodes of this podcast can be found on iTunes and Spotify.
The US Supreme Court heard oral arguments Monday in Van Buren vs. United States regarding the application of the US Computer Fraud and Abuse Act (CFAA). We discuss the premise of the case and how a ruling one way or another will impact computer use. Starring Tom Merritt, Rich Strophollino, Roger Chang, Joe. Link to The Show Notes. See acast.com/privacy for privacy and opt-out information.
The US Supreme Court heard oral arguments Monday in Van Buren vs. United States regarding the application of the US Computer Fraud and Abuse Act (CFAA). We discuss the premise of the case and how a ruling one way or another will impact computer use. Starring Tom Merritt, Sarah Lane, Roger Chang and Joe. Big thanks to Dan Lueders for the headlines music and Martin Bell for the opening theme! Big thanks to Mustafa A. from thepolarcat.com for the logo! Thanks to Anthony Lemos of Ritual Misery for the expanded show notes! Thanks to our mods, Kylde, Jack_Shid, KAPT_Kipper, and scottierowland on the subreddit. Send email to feedback@dailytechnewsshow.com
Cory Doctorow joins EFF hosts Cindy Cohn and Danny O'Brien as they discuss how large, established tech companies like Apple, Google, and Facebook can block interoperability in order to squelch competition and control their users, and how we can fix this by taking away big companies' legal right to block new tools that connect to their platforms – tools that would let users control their digital lives.

In this episode you'll learn about:
How the power to leave a platform is one of the most fundamental checks users have on abusive practices by tech companies, and how tech companies have made it harder for their users to leave their services while still participating in our increasingly digital society;
How the lack of interoperability in modern tech platforms is often a set of technical choices that are backed by a legal infrastructure for enforcement, including the Digital Millennium Copyright Act (DMCA) and the Computer Fraud and Abuse Act (CFAA). This means that attempting to overcome interoperability barriers can come with legal risks as well as financial risks, making it especially unlikely for new entrants to attempt interoperating with existing technology;
How online platforms block interoperability in order to silence their critics, which can have real free speech implications;
The “kill zone” that exists around existing tech products, where investors will not back tech startups challenging existing tech monopolies, and even startups that can get a foothold may find themselves bought out by companies like Facebook and Google;
How we can fix it: the role of “competitive compatibility,” also known as “adversarial interoperability,” in reviving stagnant tech marketplaces;
How we can fix it by amending or interpreting the DMCA, CFAA and contract law to support interoperability rather than threaten it;
How we can fix it by supporting the role of free and open source communities as champions of interoperability and offering alternatives to existing technical giants.
Cory Doctorow (craphound.com) is a science fiction author, activist and journalist. He is the author of many books, most recently ATTACK SURFACE, RADICALIZED and WALKAWAY, science fiction for adults; IN REAL LIFE, a graphic novel; INFORMATION DOESN'T WANT TO BE FREE, a book about earning a living in the Internet age; and HOMELAND, a YA sequel to LITTLE BROTHER. His latest book is POESY THE MONSTER SLAYER, a picture book for young readers. Cory maintains a daily blog at Pluralistic.net. He works for the Electronic Frontier Foundation, is an MIT Media Lab Research Affiliate, is a Visiting Professor of Computer Science at Open University, a Visiting Professor of Practice at the University of North Carolina's School of Library and Information Science, and co-founded the UK Open Rights Group. Born in Toronto, Canada, he now lives in Los Angeles. You can find Cory on Twitter at @doctorow. Please subscribe to How to Fix the Internet via RSS, Stitcher, TuneIn, Apple Podcasts, Google Podcasts, Spotify or your podcast player of choice. You can also find the Mp3 of this episode on the Internet Archive. If you have any feedback on this episode, please email podcast@eff.org. A transcript of the episode, as well as legal resources – including links to important cases, books, and briefs discussed in the podcast – is available at https://www.eff.org/deeplinks/2020/11/podcast-episode-control-over-users-competitors-and-critics. Audio editing for this episode by Stuga Studios: https://www.stugastudios.com. Music by Nat Keefe: https://natkeefe.com/ This work is licensed under a Creative Commons Attribution 4.0 International License.
The Computer Fraud and Abuse Act (CFAA) makes it a crime (and a tort) to access “without authorization” a computer to obtain information from that computer. But is the CFAA limited to cases in which an outsider hacks into a system or database to gain information, or does it also cover cases where a person who has permission to be on the system uses that permission for manifestly improper purposes – for example, where an employee uses access to their employer’s computers to steal information on those computers for themselves or for a competitor? In Van Buren v. United States, the Supreme Court will address this question, which has vexed federal courts for more than a decade. Mr. Joseph DeMarco, who has filed two amicus briefs in that case, will discuss the legal issues involved in Van Buren and the potential ramifications of the Court’s decision in this closely-watched case. Featuring: Joseph DeMarco, Partner, DeVore & DeMarco LLP This call is open to the public and press. Dial 888-752-3232 to access the call.
Priya and the SCW hosts take a look at the upcoming Supreme Court case that could potentially redefine or redirect the scope of the Computer Fraud and Abuse Act (CFAA). Visit https://www.securityweekly.com/scw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/scw44
It's not cheap or easy to get your iPhone repaired, largely because there's not a lot of real competition in the iPhone repair market. That's no accident. Owners of modern John Deere tractors have really only one option: John Deere. Why? There's no good technical reason. There's really no good legal reason either, but laws like the Digital Millennium Copyright Act (DMCA) and the Computer Fraud and Abuse Act (CFAA) have been abused to give these companies inordinate say over who can perform repairs on their products. In part 2 of my interview with the EFF's Cory Doctorow, we discuss the right to repair and wrap up our overall discussion with possible solutions and action items for the concerned consumer. Cory Doctorow is a science fiction author, activist, journalist and blogger. He’s the author of several novels including HOMELAND, LITTLE BROTHER and WALKAWAY. He is the former European director of the Electronic Frontier Foundation and co-founded the UK Open Rights Group. Further Info: Adversarial Interoperability: https://www.eff.org/deeplinks/2019/10/adversarial-interoperability Donate to EFF: https://supporters.eff.org/donate Electronic Frontier Alliance: https://www.eff.org/fight
Parts of today’s online business and technology market rely on operating websites with two characteristics: (1) making access to data available to the general public and (2) protecting that data from web scraping. Website owners and web scrapers will want to watch hiQ Labs’ litigation against LinkedIn Corp. to see if these two characteristics are, in fact, compatible, something placed in doubt by the United States Court of Appeals for the Ninth Circuit in HiQ Labs, Inc. v. LinkedIn Corp., 2019 U.S. App. LEXIS 27107, ___ F.3d ___, 2019 WL 4251889 (9th Cir. Sep 9, 2019). In hiQ Labs, the Ninth Circuit narrowly interpreted the meaning of “without authorization” in the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, to deny LinkedIn’s appeal of the District Court’s preliminary injunction forbidding LinkedIn from preventing hiQ Labs from scraping LinkedIn servers for publicly available information. In apparent contravention of LinkedIn’s User Agreement, hiQ scraped the profiles of LinkedIn members for information that was viewable by any member of the general public. HiQ did not scrape the profiles of those LinkedIn members whose privacy settings precluded access by the general public. HiQ used the scraped information to produce “people analytics” it sold to businesses. LinkedIn was likely aware of this activity because LinkedIn personnel had attended hiQ events selling its product over several years. When LinkedIn developed a competing product, however, it sent a cease-and-desist letter to hiQ claiming the scraping activities violated LinkedIn’s User Agreement. LinkedIn also took technical measures to prevent hiQ from accessing its website and warned hiQ that it risked violating the CFAA if it continued scraping. Claiming a right to scrape and copy publicly available information, hiQ sued and obtained a preliminary injunction prohibiting LinkedIn from denying hiQ access to the information in LinkedIn profiles visible to the general public.
LinkedIn appealed, arguing in part that given the cease-and-desist letter, hiQ would violate the CFAA provision against intentionally accessing a computer without authorization to obtain information from a protected computer. The Ninth Circuit disagreed. The Ninth Circuit noted that authorization is “an affirmative notion” indicating access must be restricted except to those specifically permitted. In order for a website to be accessed without authorization, then, the website’s generally applicable rules require some indication of permission. Since LinkedIn allows anyone with a computer and an Internet connection to access publicly available portions of LinkedIn member profiles, LinkedIn’s generally applicable rule is access without any authorization requirement. As a result, hiQ Labs had a strong argument that despite LinkedIn’s User Agreement and the cease-and-desist letter, hiQ could access LinkedIn servers to scrape publicly available information without violating the CFAA. The existence of a strong argument was enough for the Ninth Circuit to affirm the District Court’s order granting the preliminary injunction. The Ninth Circuit noted other legal bases might exist to allow LinkedIn to ban hiQ and it was not addressing those.

By Robert Eatinger & David Verhey, Partners at Dunlap Bennett & Ludwig
https://www.dbllawyers.com/when-you-let-everyone-in-stop-is-not-enough/
Kip Boyle, CEO of Cyber Risk Opportunities, talks with Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, about how the 35-year-old Computer Fraud and Abuse Act (CFAA) is a useful tool for today's cyber risk managers.
Welcome to a new episode of An InfoSec Life on ITSPmagazine! Today’s topic looks at the life of a hacker and the challenges they face from both a liability and legal perspective. We also look at how organizations deal with the research activities they encounter from both cybercriminals and ethical hackers alike. To help me have this conversation, I am delighted to welcome Amit Elazari, Lecturer at UC Berkeley School of Information, and Leonard Bailey, Special Counsel for National Security at the U.S. Department of Justice, Criminal Division, where he is Head of the Cybersecurity Unit for the DOJ’s Computer Crime & Intellectual Property Section. There are laws to protect companies from cybercriminals. However, those laws— when interpreted as such—also block ethical hackers from researching and looking for exploitable weaknesses. Changes in the acts and laws over the years have made it better, if not easier, for ethical hackers to perform their research and engage in responsible disclosure. The question is: do these changes also make it "better" and/or “easier” for the cybercriminals? “Safe harbor is not a blanket approval of protection from the law." ~ Amit Elazari During our chat, we dig into the many yin yang elements of this topic as we explore some of the details behind responsible disclosure and vulnerability disclosure programs, the related language and frameworks available from the DoJ and Disclose.io, and how those interact with—and often counteract—the Computer Fraud and Abuse Act (CFAA) and the Digital Millennium Copyright Act (DMCA). There’s a lot of work being done to help establish a safe environment for vulnerability research and responsible disclosure to take place. Formal rules surrounding responsible vulnerability disclosure are critical in both the legal landscape as well as in ethical business operations—these rules need sorting out quickly if we are going to function in a safe cyber society. Listen in and enjoy!
This episode of An InfoSec Life is made possible by the generosity of our sponsors, Devo and STEALTHbits. Click below to learn more about what they can do for you: www.itspmagazine.com/company-directory/devo www.itspmagazine.com/company-directory/stealthbits
On this episode of The Critical Hour, Dr. Wilmer Leon is joined by Brian Becker, co-host of Sputnik's Loud and Clear. It is being reported by some outlets that the EU is preparing to offer UK Prime Minister Theresa May a two-month delay to Brexit - on the condition that MPs approve a withdrawal agreement next week, according to a draft of summit conclusions seen by the Financial Times. Lithuanian President Dalia Grybauskaitė told CNN that EU leaders have agreed in principle to grant an extension to the Brexit process, but have not finalized the length of the extension. What's going on in Brussels? A Supreme Court examination of jury discrimination has prompted a rare question from Justice Clarence Thomas. The court seemed deeply troubled yesterday about the actions of Mississippi prosecutor Doug Evans, who has tried Curtis Flowers, an African American man, six times for a quadruple murder and has blocked the vast majority of black potential jurors. Also, the hour-long argument brought a surprise: a question from Thomas (do wonders never cease?). Flowers was tried in 1997, 1999, 2004, 2007, 2008 and most recently in 2010. Six times, District Attorney Evans, who is white, has attempted to convict Flowers in a prosecutorial pursuit that may be without parallel. Two trials — as it happens, the only ones with more than one African American juror — have resulted in hung juries. What is the significance of this case and Justice Thomas' question? Question: who is Martin Gottesfeld? What did he do, and why is he in solitary confinement? Gottesfeld is a human rights activist facing up to 15 years in federal prison under the Computer Fraud and Abuse Act (CFAA) for helping save Justina Pelletier. In 2014, Marty, as his friends and family call him, defended the life of then-15-year-old Pelletier as well as the rights of her parents.
The Pelletiers had brought Justina to Harvard-affiliated Boston Children's Hospital (BCH) with a referral to see a specialist who had treated her before at nearby Tufts Medical Center. However, when Justina arrived, she was instead seen by a different set of less experienced doctors, who incorrectly challenged her existing physical diagnosis in favor of a mental one. They wanted to stop her pain and heart medications, amongst others. Marty worked tirelessly to end Justina's suffering and bring her home. Then, with many people fearing she would die before her previous treatments were restored, a note Justina had smuggled to her parents was published by The Blaze. A few days later, Marty knocked BCH off the internet during its largest annual online fundraiser, hurting no one. So why is a good Samaritan facing jail time?

GUESTS:
Brian Becker - Co-host of Sputnik's Loud and Clear.
Kim Keenan - Executive vice president of marketing and research at Odyssey Media, co-chair of the Internet Innovation Alliance and senior adjunct professor at George Washington University Law School.
Dana Gottesfeld - Wife of Marty Gottesfeld.
In our 211th episode of The Cyberlaw Podcast, Stewart Baker, Jennifer Quinn-Barabanov, Brian Egan, and Nick Weaver discuss: what the latest autonomous driving deaths tell us about liability and regulation; Tesla’s tone-deaf explanation; Grindr suffers a security meltdown and releases the HIV status of its users; it gets a snippy letter from Ed Markey and Richard Blumenthal; they address the letter to Grindr in Hong Kong and don’t even bother to ask what access China has to the data; a big new Internet of Things botnet gets taken out for a drive - to the bank; does the Computer Fraud and Abuse Act (CFAA) violate security researchers’ First Amendment rights; is Senate Judiciary working with the Department of Justice (DOJ) on a new encryption access bill; Softbank is getting a CFIUS workout; YouTube demonetization leads to a mass shooting at company headquarters; Keeper can’t even get through a news cycle about its lame lawsuit without a story about its lame security; Stingrays blanket DC. Our guest interview is with reporters Chris Bing and Patrick Howell O’Neill of Cyberscoop. The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.
Christo on the Cambridge Analytica privacy breach, the Computer Fraud & Abuse Act (CFAA), Aaron's Law, and the long term future of Facebook.
Chante Westmoreland (JD Candidate ’18) interviews Jamie Williams of the Electronic Frontier Foundation. Jamie discusses how the Computer Fraud and Abuse Act (CFAA) interacts with the “Internet of Things,” and why the CFAA needs to be reformed.
Fordham Intellectual Property, Media & Entertainment Law Journal
This week Online Editor Anthony Zangrillo, Staff Member Borja Eroglu and Special Guest Ken Rashbaum, partner at Barton LLP, discuss the gaming leaks involving the new releases Pokemon Sun and Moon. Often, the gaming industry utilizes demos as a channel that promotes brand exposure and harnesses fan excitement with the end goal of encouraging demo-players to purchase the game. Unfortunately, the Pokémon Sun/Moon demo became available to both fans and game-hackers alike. Within the first 24 hours of the demo’s release, hackers “datamined” the demo and leaked all sorts of information not yet publicly shared to online forums. The issue is whether hackers who leak any unauthorized and unowned data of a game (1) can be held liable under the Computer Fraud and Abuse Act (“CFAA”) and (2) whether the game’s rightful owner is entitled to recovery if she can prove that such hackers’ leaks deter fans from purchasing her game. A hacker is, by definition, a person who “illegally gains access to and sometimes tampers with information in a computer system.” Hacking constitutes an illegal act per the CFAA (18 U.S.C. Section 1030(4)) as long as the plaintiff can show that the defendant (1) intentionally (2) accessed information from a protected computer involved in interstate or foreign commerce that (3) caused substantial damage. We explore whether gaming consoles are also protected by this Act when intentional actors leak a game’s confidential information to the public. The court in U.S. v. Mitra stated that the term “computer system” cannot be narrowly interpreted to mean only computers; the court further stated that modern technology forces legislatures to write broadly-worded statutes that the courts must then apply to the facts of a case unless expressly excluded in Section (e)(1) of the CFAA. Today’s gaming consoles, like the 3DS, are closer to computers than the listed devices in the CFAA’s exception clause because of these consoles’ ability to connect with the Internet.
It is clear that at least in some aspects, the Pokémon publishers maintain a cause of action so long as modern gaming consoles legally constitute computers as defined in the CFAA. Don't forget to also subscribe to the podcast on iTunes (https://itunes.apple.com/us/podcast/fordham-intellectual-property/id1158550285?mt=2) and leave a review!
Jerod speaks with Jamie Lee Williams, legal fellow with the Electronic Frontier Foundation (EFF). The two discuss the expansive Computer Fraud and Abuse Act (CFAA) and a recent circuit court ruling criminalizing password sharing.