What Counts as “Good Faith Security Research?”

The U.S. Department of Justice (DOJ) recently revised its policy on charging violations of the Computer Fraud and Abuse Act (CFAA), a 1986 law that remains the primary statute by which federal prosecutors pursue cybercrime cases. The new guidelines state that prosecutors should avoid charging security researchers who operate in “good faith” when finding and reporting vulnerabilities. But legal experts continue to advise researchers to proceed with caution, noting the new guidelines can’t be used as a defense in court, nor are they any kind of shield against civil prosecution.

Researchers to Supreme Court: Terms of service violations shouldn’t be CFAA crime

As the Supreme Court prepares to consider a controversial federal anti-hacking law, a group of prominent cybersecurity researchers and legal advocates is pleading with the court not to criminalize digital research in the public interest. In a brief filed with the court Wednesday led by digital rights group Electronic Frontier Foundation, the researchers warned that if violations of a company’s “terms of service” are deemed to be illegal, it risks chilling important research into voting systems, medical devices and other key equipment. “Despite widespread agreement about the importance of this work—including by the government itself—researchers face legal threat for engaging in socially beneficial security testing,” wrote the EFF, the nonprofit Center for Democracy & Technology, and cybersecurity companies Bugcrowd, Rapid7, SCYTHE and Tenable. Famous security researchers like Peiter “Mudge” Zatko and Chris Wysopal, who warned Congress of the internet’s insecurities in the 1990s as members of the L0pht hacking collective, […]

Facebook sues to curb data scraping, fake Instagram likes from outside developers

Facebook is accusing a developer of collecting username and password credentials from thousands of accounts, and it is separately alleging that a European service distributed fake likes and comments throughout Instagram. In an announcement Thursday, the social media company said it is taking legal action against software developer Mohammad Zaghar and his company, Massroot8, for allegedly operating a service that compelled Facebook users to provide their personal information. Zaghar’s company would ask users for their username and password, then scrape the site for data about their friends, using a bot to sneak past Facebook’s security controls and collect vast amounts of data quickly, according to the suit. The company also said it has sued MGP25 Cyberint Services for selling automation software that produces fabricated likes and comments on Instagram. The Spanish firm made money by mimicking the Instagram app while using code that connected outsiders to actual Instagram accounts, Facebook said. Neither defendant could […]

Trial delayed for former SEC watchdog accused of abusing computer access

A federal judge in New York has agreed to postpone the trial of a former U.S. government official accused of abusing his position at the Securities and Exchange Commission to access information about his new employer. U.S. prosecutors last year charged Michael Cohn, a former examiner for the SEC, with unauthorized access of a computer and obstruction of justice. During negotiations for a job at a private equity firm, GPB Holdings, Cohn told the company he possessed inside information about an SEC investigation into their behavior, according to an indictment. The exact technical nature of the alleged crime is not clear, based on the indictment. Cohn has pleaded not guilty. U.S. District Judge Gary Brown, of the Eastern District of New York, on Wednesday agreed to delay the start of trial to September, after it was initially scheduled to begin on June 15, Law360 first reported. The decision came in response to a letter […]

Supreme Court Looks at Computer Trespass Meaning

Federal statutes have muddied the waters on the meaning of computer trespass, but a Supreme Court case may clear the air. When Congress passed a federal statute on computer fraud in 1984, it was concerned with the problem of people “breaking in” to comp…

The CFAA will soon have its day before the Supreme Court

The future of a long-controversial federal law could come down to how the U.S. Supreme Court interprets the way that a local police officer looked up information on an exotic dancer in a law enforcement database. The Supreme Court indicated on Monday it will hear a case involving the U.S. Computer Fraud and Abuse Act, a piece of legislation instituted in 1986 that internet freedom advocates have described as “the worst law in technology.” The CFAA makes it illegal for computer users to access another computer or exceed authorized access without authorization. Technologists and attorneys have argued that the law is so vaguely-worded that it could open well-intentioned security researchers up to prosecution for doing their job, or criminalize the use of work computers for personal purposes. In the best known case, internet pioneer Aaron Swartz took his own life before standing trial for allegedly downloading articles from a database […]

Ubisoft sues DDoS-for-hire operators for ruining game play

The network of sites and services run by the alleged operators targets the Rainbow Six Siege game, selling attacks to cheating players.

Scraping public website data does not violate CFAA, judge rules

Scraping public data from a website without the website’s authorization is not a violation of the Computer Fraud and Abuse Act, a U.S. federal court ruled Monday, limiting a U.S. anti-hacking law that academics have criticized for allowing broad legal action against innocuous activity. The U.S. Court of Appeals for the Ninth Circuit on Monday refused to overturn a preliminary injunction that required professional networking site LinkedIn to allow talent management startup hiQ Labs to gather data from users’ public profiles. Microsoft-owned LinkedIn had installed technical safeguards to stop hiQ from sweeping up data on members until a court in 2017 ordered LinkedIn to stop blocking that automated collection. LinkedIn appealed, alleging hiQ had broken CFAA, among other things, by using LinkedIn data in a way LinkedIn did not intend. “LinkedIn has no protected property interest in the data contributed by its users, as the users retain ownership over their […]

More than 2m AT&T phones illegally unlocked by bribed insiders

The alleged, now indicted ringleader paid more than $1m in bribes to insiders who planted malware and hardware for remote unlocking.