Section 5.2: A controversial application of anti-hacking law
A woman registered on
MySpace as a 16-year-old boy, began an online flirting relationship with a
13-year-old girl in her neighborhood (a former friend of the woman's
daughter), then broke off the relationship and sent cruel messages.
The girl killed herself.
Prosecutors charged the woman with accessing MySpace without authorization,
in other words, illegal hacking under the Computer Fraud and Abuse Act.
Their argument was
that MySpace's user agreement includes the statement that users will provide
truthful registration information and not promote information they know to be
false or misleading; thus her access was "unauthorized." This application of
the CFAA was controversial.
(See Presentation/discussion assignment 4 for
Chapter 5.)
A jury convicted the woman, but the judge reversed the conviction.
He said that if she were guilty under the law, then anyone who ever violated
the terms of service of the site would be guilty of a misdemeanor. (July 2009)
Section 5.2.1: Hacking by governments?
The number of hacking attacks that appear to be espionage or sabotage
by foreign governments increased from a few a week in 2005 to about 50 a day in
2008, according to Symantec Corp. Here are a few examples.
While the Russian military moved into Georgia (the former Soviet republic),
Georgian government Web sites were attacked and some disabled.
Although the source of the attacks could not be proved, Internet
security experts and the Georgian government thought it very likely
that the Russian government was responsible. This was the first
time cyber attacks appeared so clearly coordinated with a military
attack. (Aug. 12, 2008)
A denial-of-service attack brought down Twitter, Facebook, and other
Web services in August 2009. Facebook found that the attack was directed
at one blogger, a person who appears to live in Georgia
and has been a very strong critic of the Russian government.
Hackers, described as spies, stole several terabytes of information about the design of one of the Pentagon's new and extremely expensive fighter jets. The computer attack appeared to originate in China. (The Joint Strike Fighter project, April 2009) Also, it appeared that Russian and Chinese hackers (spies?) broke into computer networks that control the U.S. electric power grid (in April 2009).
Security researchers found malware on computers at the organization of the Dalai Lama (the spiritual leader of Tibet, currently in exile). The software could steal files and take over the computers almost completely. Researchers at Cambridge University believe the attack came from China. Similar software was found in computers at embassies and other agencies of many governments. (March 2009)
Two members of the U.S. Congress who are longtime critics of the Chinese government's abridgement of human rights reported that someone, apparently in China, hacked into their computers. The computers contain information about political dissidents. (Rep. Chris Smith and Rep. Frank Wolf, June 12, 2008)
Section 5.2.4: Vulnerability of air traffic control system
Hackers continue to penetrate the U.S. air traffic control system.
A 2009 report by the Transportation Department warned of numerous
vulnerabilities and the potential for sophisticated attacks by foreign
governments. In 2008 hackers took over FAA computers in Alaska, resulting
in a shutdown of part of the system. The hackers also appeared to
have access to thousands of FAA passwords.
Section 5.2.4: Judge blocks security presentation
Three MIT students planned to present a paper at a security conference
describing security vulnerabilities in Boston's transit fare system. At the
request of the transit authority, a judge ordered the students to cancel the
presentation. The transit authority requested a five-month ban to provide
time for them to fix the problems, but the judge dissolved the order after a
week. At about the same time, New York City accused several people of
stealing $800,000 from the city's subway system by taking advantage of an error
in the software in the machines that sell fare cards.
(Aug. 12-20, 2008)
Section 5.2.4: Hackers charged in TJX case
Prosecutors charged 11 men in the TJX case in 2008. In 2009, the man who
allegedly masterminded the operation (Albert Gonzalez) was charged and was
expected to plead guilty and accept a jail sentence of 15-25 years.
Section 5.2.4: Dealing with a security flaw
A security researcher (Dan Kaminsky) discovered a major flaw in the Internet's
domain name server system (the system that translates URLs to actual
Internet addresses) that could have allowed hackers to redirect and steal
any information transmitted on the net. He kept the problem secret while
working with several companies to develop a patch, then announced the patch
and said he would make details of the problem, and how to exploit it, public
in 30 days. The 30-day limit, he said, encouraged companies to install the
patch and encouraged others who knew of the flaw not to disclose it sooner.
(Sept. 15, 2008)
Section 5.3.1: Identity theft jail sentence
A man who used file-sharing software to search people's computers for financial
data to use for identity theft was sentenced to four years in jail.
Prosecutors said this was the first federal case involving the use of
file-sharing software for identity theft. (Mar. 17, 2008)
Section 5.3.1: Identity theft rates
The Federal Trade Commission said 8.3 million people were victims of identity
theft in the U.S. in 2005 and that losses amounted to $15.6 billion.
The data were based on a consumer survey. Thus they give an indication
of the size of the problem but are not precise. The FTC received
256,000 complaints of identity theft from consumers in 2005. It reported
receiving 5,400 each week in 2007, thus almost 300,000 for a year.
Section 5.3.1: Cost of credit-card fraud
There was $5.6 billion of credit-card fraud worldwide in 2007, about triple
what it was a decade earlier. (Nilson Report, Oct., 2008)
Section 5.5.1: A-Rod and the 4th Amendment
The case described in the box in Sec. 5.5.1 is United States
v. Comprehensive Drug Testing.
This case received much attention in the news after Alex Rodriguez's
name was released as one of the players who allegedly tested positive for
steroids. The 9th circuit federal appeals court reheard the case in December
2008. In Aug. 2009, the court ruled that the seizure of the data on 104
players was improper. Judge Alex Kozinski
issued guidelines for future seizures from computers.
The guidelines include using independent computer experts to find the data
that is to be provided. The government might appeal the case to the Supreme
Court. (Aug. 2009)
Section 5.5.1: Searching laptops at airports
A federal appeals court (9th circuit) ruled that customs
agents do not need reasonable suspicion to
search or seize a person's laptop or other electronic devices.
The court stated that the defendant did not show how a search of a laptop
is different from a search of luggage without probable cause
(which the Supreme Court has allowed). (Apr. 2008)
Customs officials search laptops and cell phones of business people, potentially
exposing confidential business and personal data. See, for example,
Ellen Nakashima, "Clarity Sought on Electronic Searches," Washington Post
(www.washingtonpost.com/wp-dyn/content/article/2008/02/06/AR2008020604763.html).
Several organizations are attempting to get the government to release its
policy on what files are copied and how long they are kept.
Section 5.5.1: Encryption keys and the 5th Amendment
A federal judge ruled that the government cannot force a defendant to
provide the encryption key he or she uses to protect files on a computer.
The 5th Amendment specifies that a person cannot be forced to testify against
himself, and
the judge interpreted turning over the key as such testimony.
(The issue is still open; many courts view encryption keys as similar to
keys to a safe, which a person may be forced to provide.)
Section 5.6
A Dutch man released a controversial film critical of Islam on
the Internet. In response to complaints, prosecutors in the Netherlands
said the film was not illegal. However, Jordan prosecuted the man on
charges of blasphemy and other crimes. Making it difficult or dangerous
for him to travel internationally was apparently one of the goals of the
organization that filed the complaints in Jordan. (Dec. 1, 2008)
Section 5.6.3: Using British libel law against U.S. writers and publishers
A U.S. publisher published a book in the U.S. by a U.S. scholar about
the funding of terrorism. English residents bought some copies over the Web.
A Saudi banker who, according to the book, helped fund Osama bin Laden,
brought a libel suit in England against the author and won. Another U.S.
publisher canceled another well-selling book (also written by an American)
on a similar topic out of fear of the same kind of lawsuit. (U.S. courts
generally enforce foreign court judgments against U.S. residents.)
Thus, because
one can order the books on the Web, the relative
ease of winning libel suits in England squelched freedom of speech and access
to information for people in the U.S. (and elsewhere), where the libel suits
would probably fail. A bill in the U.S. Senate would prevent U.S. courts
from enforcing such judgments in libel cases where the material would not
be libelous under U.S. law. (July 15, 2008. The bill is the Free Speech
Protection Act of 2008.)