You leave a job, you keep the keys to your office, your employer forgets to take them back, you then deliberately copy the keys and hand them out to vandals. What court in the world would put any of the responsibility for that on the company?
Trib didn't spend millions in cleanup, but if any breach investigation were done --- to rule out the attackers having done things to retain access after credentials were revoked, and to assure Trib's clients that no PII was taken --- it would easily run into the mid tens of thousands.
Even the tens of thousands could be a stretch for the actual cost.
When I was handed a copy of my Pre-Sentencing Report, for an incident that took place on June 21, 2011, they billed from June 16-24.
I pointed out that I did not own a time machine, then they quickly changed the dates to June 21-27 and dropped the "damages" by over 60%. That's the difference between certain prison time and probation with house arrest.
(This was Sylint, maybe they're just scumbags and wanted to make as much money as they could off my mistake.)
I'm sorry, but this just isn't correct. It's hard to imagine any outside forensics investigation happening for less than $20k ($50k is a more reasonable estimate), and those outside investigations are often mandatory in breach cases. Insurance companies and, sometimes, regulated data protection usually require that the company take steps to ensure that everyone knows the limits of the attack --- and those limits, as you know, aren't at all obvious from the attackers' overt actions.
It looks like the attackers just fucked up a bunch of web pages. But they broke in; how do you know they didn't leave backdoors, or exfiltrate databases? You often don't, unless you engage an outside firm to verify.
> It's hard to imagine any outside forensics investigation happening for less than $20k
In my case, Sylint was the web host and the forensics investigator. That might also explain their duplicity and lack of consistency in the reports to the court.
Aside, is knowing how to use EnCase really that lucrative? I should switch specialties.
I agree that EnCase jockeys are overpaid, and I generally think of forensics as a lower-status specialty than software security, but website breach investigations are much more annoying than just imaging hard drives.
I can only imagine, especially if the logging/auditing policy was "pretty much non-existent" and you don't know how extensive the access was for a given user account (nor how much of that access could have been used in the short window of compromise).
Four years ago, I knew practically nothing about the security industry (or of business). I was a self-taught web programmer who knew really obvious ways to defend websites from attackers.
You work for a bank and you have the keys to the vault. You quit. The bank doesn't immediately change the locks to ensure that their security isn't compromised.
What happens to the keys after that in my made-up example doesn't matter. The bank is at fault because the bank has a responsibility to ensure the security of their operation, irrespective of how ethically or unethically their former employee acts from that point onwards.
A newspaper is an information bank, especially in the Internet age.
EDIT: I should have specified "the bank is at fault for the total amount of damage" not that the bank is at fault full stop.
>The bank is at fault because the bank has a responsibility to ensure the security of their operation
Yes, and in the case of the Tribune company here, it cost them tens of thousands of dollars to "repair" the breach. That's the punishment for their failing of responsibility. It's not like they are suing to recover that money.
But I'm not sure how that absolves the actual criminal here.
I guess what I'm saying is that if your job is security and you fail at security, and because of your failure at security a former employee is able to do some damage, he or she is of course guilty of whatever crime.
But the amount of money that you spent to clean up the mess because you failed at your job initially, that doesn't matter and shouldn't influence the trial. The crime is a crime no matter how large or small the damage.
Consider a warehouse guarded by a night watchman, but sometimes he takes a smoke break (hence, failing to do his job). Some vandal comes by and tags the building with graffiti. Later, some other vandal comes by and burns the place to the ground. You think both vandals deserve equal treatment?
One is vandalism, the other is arson, destruction of property, and probably a bunch of additional crimes. They should be handled differently because they're different crimes.
The point is that two people who vandalize should be treated equally even if one vandalizes a poor person's house and the other vandalizes a rich person's house. The exact dollar amount of the vandalism shouldn't matter because either way we've all agreed by way of the law that vandalism is wrong.
Yes of course, and within vandalism there probably are different fines or sentences depending on just how much property you damage. But if you're going to label "anything where some property is damaged" as vandalism then 9/11 was vandalism, right?
You also neglected to address arson and the idea that a whole building burned down. I don't think any part of the justice system would seriously suggest that destroying a building and spray painting a building are the same. I don't think they'd be investigated the same, charged the same, etc.
The problem here is that the CFAA has definitions and those definitions are what determine what the crime is. So yes someone breaking into your Facebook account and posting a "turns out I'm gay everyone!" comment is -- again according to a strict reading of the law -- just as bad as someone breaking into VISA and forcing them to re-issue all the credit cards in the country. That's because the law doesn't distinguish damages or anything like that. In part that's because in reality you don't do any actual damage, you just cause people to have to take action to mitigate that your specific knowledge causes problems with their security.
This makes sense too, if you break into a bank it might be reasonable to attempt to force you to pay for the repairs to the vault door, but it would not be reasonable to force you to compensate the bank's shareholders for the loss of goodwill (and share price!) they suffer because the bank's security wasn't able to keep you out.
The CFAA makes knowing, purposeful access to computer systems you don't have permission to use a crime, and a felony when that access is used to attempt to perpetrate additional crimes. It's a simple statute.
There are two common arguments against CFAA.
The first is that it shouldn't be a felony to access computer systems without authorization. The logic goes: if you use access to a computer system to perpetrate a fraud, charge fraud. If theft, charge theft.
A variant of this argument suggests that maybe "serious hacking" should be a felony, but things like reusing an old password, or guessing the URL after the login screen, those things shouldn't be felonious.
These arguments are problematic. For instance, in cases where the offender has used their unauthorized access solely to cause economic harm to someone else, there may not be a better crime to charge. The vandalism statutes weren't designed for offenses that can easily rack up tens of thousands of dollars. There's also the basic issue of trespass and violation of property rights. And, of course, civil remedies to these problems have their own problems, prominent among them the fact that all the burden for collecting those remedies falls on the victim, who under civil law receives no assistance from the rest of society.
The second set of arguments against CFAA is that the sentences are draconian. This argument seems much more straightforward. A particular problem with CFAA is that the sentence scales with damage, but damage can trivially scale with the induction variable of a program's loop; it does not seem intuitively just that typing an extra '0' into a single program can ratchet your sentence by years.
A variant of this argument suggests that damages are also inflated by victims and prosecutors. This is likely very true, but it's less meaningful in this case than in others, because even the most charitable view of the offenses charged suggests he did more than 15k of damages, and is facing a multi-year sentence.
I think CFAA should be reformed so that damages accelerate sentences only to the extent that the prosecution can prove intent to cause damage. That wouldn't much help Keys, though, who is convicted of deliberately trying to maximize the harm to Tribune Corporation.
I would also be in favor of factoring in "what kind of precautions did you take?" to the whole thing, though I have no idea how you could practically do that.
But I do think that most reasonable people would agree that finding someone's browser still logged in to Facebook and making a joke (whatever kind of joke that is) is substantially less bad than cracking the person's password.
Just the same as there are "breaking" and "entering" for forcing your way into someone's home (versus just "entering" if the door or window is unlocked), the severity of the computer crime is in proportion to how hard the people who owned the computer were trying to keep it under their control.
Don't have any kind of access control for your computer at all? Sorry, we're statutorily limited to the lesser charges. Fix your security and if this happens again we can nail them!
EDIT:
So if you say that the X axis is the amount of effort that the entity expends to keep the system secure, then the Y axis is the maximum intent that can be inferred, and your function is something that you think is reasonable like say y=x.
In other words, if a company makes no serious effort to secure their systems or control access, no malicious intent can be inferred from someone "accessing without authorization", whereas someone who has to Mission Impossible-style break into your facility says a lot about their level of malicious intent.
I don't think you're right about breaking into people's houses. Breaking a locked window and opening an unlocked window probably doesn't net you a different charge at all.
There are various definitions; here's one that I read that bolstered my claim, but there are others that don't: "force" can mean as little as pushing an already open door open further.
I think it's fair that if a vandal uses a copied key to enter the office and pee on the rug, the company should cover the costs of changing the locks, but the vandal is responsible for the damage to the rug. Changing the locks is a direct consequence of the company's failure to collect the keys (and needs to be done regardless of what, if any, vandalism has taken place), but the follow-on damage was not caused by mere negligence or happenstance.
Right. I think the reasonable complaint in these cases is that the damages should cover the cost of investigation that resulted directly from the breach, not the cost of fixing the original security vulnerability and/or auditing the entire system.
If you break into a bank, then the bank is right to ask for damages of amount stolen + amount necessary to sweep their building for any backdoors you might've added and repair any damage. That's fair. They shouldn't be suing for the cost of an upgrade to their security system or a new training course for their security officers.
The bank is at fault for the amount of damage due to their own negligence, which would be the amount greater than what it would have cost to re-key the locks. And you have to re-key the locks instead of recovering the keys that had been issued, because you have no way of knowing whether the keys were copied or not.
In the case of username/password keys, "changing the locks" can be done as easily as running an automated script nightly against the HR employee database to suspend login privileges for anyone who is on leave or no longer an employee, or at worst, by having your sysadmin's lackey, who makes $30/hour, spend 2 minutes doing that every time it is needed.
The people who broke in are responsible only for the damages they caused directly, not for the cost of fixing things that were already broken when they showed up, or for investigating and implementing measures to stop the next gang of vandals that might enter.
So what is the actual financial impact of a defaced web page? How do you prove that? If you give crowbars and sledgehammers to a gang of vandals, to what extent are you responsible for the damage they cause with them? If they only use those tools for legit demolition work, are they obligated to pay you a cut of their revenue?
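The nightly HR-to-accounts reconciliation described above, written out as an added example (not code from any commenter or from Tribune); the roster and account set are constructed inline, and the "orphaned account" rule (an enabled login with no HR record at all) goes one step beyond the comment, since such accounts are exactly the stale credentials that survive an offboarding:

```python
"""Nightly reconciliation of enabled logins against the HR roster (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class HrRecord:
    username: str
    status: str               # "active", "leave" or "terminated"
    end_date: Optional[date]  # last day of employment, if HR recorded one


def accounts_to_suspend(hr_roster: Iterable[HrRecord], enabled_accounts: Set[str],
                        today: date) -> Dict[str, str]:
    """Return {username: reason} for every enabled login that must be suspended.

    Suspend when the owner is on leave or terminated, when the recorded end
    date has passed, or when HR has no record of the account owner at all
    (an orphaned account). Active staff with a future end date stay enabled.
    """
    by_user = {rec.username: rec for rec in hr_roster}
    to_suspend: Dict[str, str] = {}
    for account in sorted(enabled_accounts):
        rec = by_user.get(account)
        if rec is None:
            to_suspend[account] = "no HR record (orphaned account)"
        elif rec.status in ("leave", "terminated"):
            to_suspend[account] = "HR status is " + rec.status
        elif rec.end_date is not None and rec.end_date <= today:
            to_suspend[account] = "end date %s has passed" % rec.end_date
    return to_suspend


# Constructed sample data: what the HR export and the login system might hold.
SAMPLE_ROSTER = [
    HrRecord("alice", "active", None),
    HrRecord("bob", "terminated", date(2024, 2, 15)),   # left last month
    HrRecord("carol", "leave", None),                   # on leave, keep locked
    HrRecord("dave", "active", date(2024, 3, 1)),       # last day is today
    HrRecord("erin", "active", date(2024, 3, 31)),      # leaving, but not yet
]
SAMPLE_ENABLED = {"alice", "bob", "carol", "dave", "erin", "svc_legacy"}


def nightly_run(today: date = date(2024, 3, 1)) -> Dict[str, str]:
    """One night's pass over the constructed data; the real job would call the IdM API."""
    return accounts_to_suspend(SAMPLE_ROSTER, SAMPLE_ENABLED, today)
```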