It’s Not You. It’s Them. On Hacking and Responsible Disclosure.
A story was recently posted to Hacker News celebrating a hack of IoT devices at a school that let a student and their friends rickroll the school via a video system. On the one hand, this guy is my personal hero and I want to be them. But I’m a cybersecurity professional, I run a team that has the ability to hack into any system they take an interest in, and I’ve studied cybersecurity ethics and am familiar with the consequences of hacking in 2021. I’m also aware of the fallibility of humans. So I was obliged to reply on HN.
The short version is this: In the United States, hacking crimes are governed by the CFAA – the Computer Fraud and Abuse Act. The criminal penalties are extremely harsh, and many cybercrimes are handled in federal court. If you do access a computer system without authorization, or exceed the authorization you have been given – which are both criminal offenses under CFAA – you’ve given yourself a pretty good shot at ruining your life. Being charged with a crime and having to deal with court dates is stressful enough. Even if you’re lucky to get probation, you still have a criminal record which severely limits your job opportunities and travel options.
Responsible disclosure is challenging enough. But actually hacking systems – even if you think you’re being playful – can lead to disaster. As I said in my comment: “Overzealous prosecutors have been given a huge amount of power, and all you need is one embarrassed systems administrator, school board, or management team to trigger a disastrous outcome in stories like this.”
For the most part, my comment on HN was upvoted and supported in the replies. But I did get a certain amount of pushback. And wouldn’t you know it, in the news this morning is a fine example of the kind of idiocy out there that demonstrates why researchers and explorers need to be very careful to avoid violating the CFAA.
A journalist at the St Louis Post Dispatch discovered a data disclosure issue with a website that allowed the public to look up teacher credentials. Encoded in the HTML source code of the site were the social security numbers of teachers, counselors, and administrators. It’s worth noting that the data was encoded, not encrypted, which means it was easily readable by any attacker or software developer.
The St Louis Post Dispatch and their journalist did exactly the right thing: They confidentially disclosed the issue to the website operator. The website operator fixed the problem. And then St Louis Post Dispatch disclosed the details in an article, which is exactly how the cybersecurity industry works. That final disclosure step is so that the public has full transparency on the issue – in other words, teachers should know that their socials were exposed. And so that other researchers, vendors, and operations staff can learn from this mistake.
What should have happened at this point? Nothing. Because absolutely nothing was awry. The discovery helped secure a system. The journalist never breached any cybersecurity ethical boundaries. The school system has a more secure website. Apparently, that wasn’t enough for Missouri Governor Mike Parson who has announced that the Cole County Prosecutor and the Missouri Highway Patrol [I’m not joking] will investigate the matter.
And the governor is rolling out the red carpet. Extracts from his statement: “We are coordinating state resources to respond and utilize all legal methods available. My administration has notified the Cole County prosecutor of this matter. The Missouri State Highway Patrol’s digital forensic unit will also be conducting an investigation of all of those involved. We will not let this crime against Missouri teachers go unpunished. And we refuse to let them be a pawn in the news outlet’s political vendetta. Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them. This incident alone may cost Missouri taxpayers as much as $50 million and divert workers and resources from other state agencies.”
All because a journalist spotted that social security numbers were easily accessible in HTML source code, responsibly disclosed the issue, and helped secure the school system, exactly the way every ethical and responsible cybersecurity organization on this planet operates.
Let’s revisit the school hacking story I started with. What you have here is exactly what I warned folks about just days ago. An embarrassed governor and embarrassed school administrators are framing this as a malicious act to try to protect their reputations. And they have the full force of the CFAA to back them up. They’re most likely going to try to frame reading HTML source code as accessing a system beyond the authorization given, which is a crime under the CFAA.
So if you are a cybersecurity researcher or simply curious and love exploring our global Internet, please be careful. Read the Wikipedia entry for the CFAA so that you understand it. The Responsible Disclosure article on Wikipedia is also a great start. Every major cybersecurity certification also contains a section on ethics, so consider gaining a Security+, CEH, CISSP, or similar. After working in ops and development for over 20 years, I became a CISSP and even with my experience and knowledge, I found that I have benefited greatly from the certification.
Understand that responsible disclosure is still very much an industry insider concept. People who operate systems and their employers are often unsophisticated and uneducated in the field of cybersecurity – and they are human and are easily embarrassed. It’s very tempting for them to shoot the messenger, even when the messenger delivers the bad news within a globally accepted framework.
And when it comes to hacking your school network or other systems that you don’t have the authorization to hack? Don’t do it. We aren’t living in the 80s or early 90s anymore, where hackers are seen as adorable Matthew Broderick characters from the movie Wargames. When Kevin Mitnick was hunted down by Janet Reno for over 2 years, under the Clinton Administration in 1995, and eventually arrested, the game changed. Hackers were rebranded as evil, malicious, dangerous, and bound for prison, and Kevin was sentenced to 5 years. In South Africa where I was “exploring”, my friends started getting raided, one was arrested, and I was fortunate enough to only get a nasty letter. Childhood’s end had arrived for cybersecurity.
If you’re a researcher, take care, even when disclosing responsibly. If you think you’re being playful by accessing systems you’re not allowed to, or exceeding the access you’ve been given, stop. Back away from the keyboard. And sign up for a cybersecurity certification that will give you opportunities to do the kind of exploring you want to do, legally, and will teach you about the ethical frameworks that our industry has. And give your adventurous friends and family the same advice.
It’s not you. It’s them.
Mark Maunder – Defiant Inc Founder & CEO. (We make Wordfence)
Comments
12:09 pm
At last! A sensible, reasoned, balanced view on cyber security and responsibility. I too have been in the industry and involved in cyber security since the 80’s and I couldn’t agree with you more. People on both sides of the fence need to step back and rethink their actions and possible consequences. Thank you!
12:10 pm
Thank you!
6:08 pm
Great comment.
12:29 pm
Excellent cautionary tale. The landscape has changed over the years, and we would all be wise to keep up with the changes. Thanks for raising our collective awareness to issues of the modern day.
1:31 pm
Thank you!
6:08 pm
Great article. Great work. 5/5
1:15 pm
I wouldn't like to be the webmaster of https://governor.mo.gov as I suspect some zero-day Drupal exploits might be wriggling their way to the surface because of this unfathomable injustice.
1:17 pm
Before retirement I worked as a DBA for a UK insurance company. Our security people wanted to check our database security and asked to have the same access as the DBAs and I was asked to facilitate it. Although my instruction was to give them full access, I gave them the minimum access to do what they had requested. My boss raised an eyebrow at me not following their command to the letter, but agreed that I had done what was requested. A few months later the security person behind the request was sacked - for hacking into a major client’s IT systems (and being detected and traced). My next performance review went rather well!
1:30 pm
Principle of least access. Love it! Well done.
6:15 pm
Good job mate. all I can say is "bosses?!?!?!"
Its sad to day that experts and professionals don't get the credibility they deserve out of the gate.
I have similar experiences in my field and I doest get easier most of the time.
Happy retirement fellow pro.
1:29 pm
I live in Missouri and am frankly not at all surprised by this. Governor Parsons has always been despicable. He's a joke.
2:37 pm
I agree with your assessment and I saw the post on HN and absolutely loved it. It was a great example of play, growth and learning in an educational environment we don't see as often as I would like. As for what is happening in MO, that IS a real shame.
10:13 am
Thanks, and apologies for the delay in moderating your and other comments here. Won't happen in future.
4:03 pm
Excellent and informative article. Unfortunately, the law's an ass and is often translated without common sense by overzealous lawyers and petty individuals. Sadly, the system is run by crooks, so what do we expect?
6:57 pm
This reminds me of the story of Aaron Swartz, who ended up killing himself over the federal charges brought against him (fraud, exceeding authorisation etc., liability given to the tune of 50 years in prison + $1mln in fines) for what amounted to stepping over the Terms of Service of a service.
It's clear that the CFAA is a tool that can be bent to almost any shape. While it didn't end up in play in the D214 Rickroll case (and who knows, it takes one "interested party" to push the federal gov't into actions that can't be taken back...), it only takes one bruised ego to potentially destroy someone's life (up to suicide, as mentioned) for something you might consider "too absurd to prosecute" otherwise.
The Electronic Frontier Foundation has been trying to get the CFAA under control for a while now, too (https://www.eff.org/issues/cfaa). And while I agree on principle that young people should be made aware that their (mostly) innocent pranks can have very, very serious consequences that are a poor match to the issue, it's up to all of us to fix this abuse-waiting-to-happen.
Also, it'd be nice to have a reference to a copy of the STLToday article that isn't behind a 451 for the EU (it's available on archive.org).
6:10 am
Thanks for such a nice, simple and practical post, thanks also for your free Wordfence plugin.
8:16 am
Good Article Mark. Well done for giving everyone the heads-up on Responsible Disclosure.