| 7529073 |
| 2012-08-13 17:28:41 | 50.77.50.222 |
| 7529137 |
| 2012-08-13 17:40:33 | 50.77.50.222 |
| 7529155 |
| 2012-08-13 17:47:34 | 50.77.50.222 |
| 7552199 |
| 2012-08-21 00:54:51 | 46.21.99.22 |
| 7819909 |
| 2012-11-13 01:35:40 | 75.72.88.156 |
| 7825185 |
| 2012-11-14 17:14:58 | 75.72.88.156 |
| 7825203 |
| 2012-11-14 17:20:48 | 75.72.88.156 |
| 7825260 |
| 2012-11-14 17:30:30 | 75.72.88.156 |
| 7832814 |
| 2012-11-17 00:31:14 | 46.21.99.29 |
| 7844770 |
| 2012-11-20 19:51:42 | 46.21.99.29 |
| 7848258 |
| 2012-11-21 19:46:21 | 46.21.99.29 |
| 7892402 |
| 2012-12-06 00:56:18 | 46.21.99.29 |
| 7912530 |
| 2012-12-11 19:30:54 | 75.72.88.156 |
| 7936734 |
| 2012-12-19 00:31:27 | 85.17.31.120 |
| 7940008 |
| 2012-12-19 23:03:32 | 46.21.99.29 |
| 7968216 |
| 2012-12-29 01:00:50 | 46.21.99.29 |
| 8119701 |
| 2013-02-09 00:11:31 | 46.21.99.29 |
| 8144465 |
| 2013-02-14 21:44:33 | 75.72.88.156 |
Tuesday, June 4, 2013
Thursday, April 4, 2013
CFAA: Fundamental Flaws in Application
The CFAA: Where to draw the line?
The imprisonment of Andrew Auernheimer (A.K.A. weev) and the death of Aaron Swartz have lead to many public discussions, as were both being prosecuted under the Computer Fraud and Abuse Act. The CFAA is also being used civilly by nefarious groups like Prenda Law to attempt to find methods of attaching liability to IP addresses, essentially for "accessing computers without authorization." While the EFF has focused their attention on the cases of Auernheimer and Swartz, a large protest has begun against the CFAA, or how it is now being used.
There is a clear divide in these suits and actions taken by prosecutors. I believe that the CFAA as it is applied now, is unconstitutional as it leads to a position where there is no definite or certain "line" that needs to be crossed on a computer in order to have it be a criminal act. Because there is no definite line, the CFAA is unconstitutionally vague and leads to a position of selective enforcement.
The CFAA and Weev's Case
Before I get into Weev's AT&T "hack" I must confess that I have known of Mr. Auernheimer for nearly 12 years, but I am not biased for or against him based on that relationship. That part out of the way, his case is the perfect case to show where the line should be not drawn in the sand. Weev's "hack" of AT&T came from requests to a public webserver, which allows public access. They allowed this access to personal information to anyone who knew the address to type into a web browser. This information was made PUBLIC by AT&T by their failure to secure their systems.
This is not to say that any entity in particular has a duty to prevent intrusion, but there is a difference between intrusion and opening a public web address. If no password is required, the request should not be considered an intrusion. If no security is in place, the request should not be considered an intrusion. If a person is not seeking to gain different or higher ranking credentials on a computer within a web request, this should not be considered an intrusion.
How is this activity different than what SHOULD be a violation under the CFAA? Let us hack my office and see.
CFAA and my Office
At my office, I have a webcam setup for security on a tiny linux box at the front of my office. The page for the webcam gives me the status of certain servers and devices that I run using ping or curl.
The page for this webcam setup is a public webpage, and there is no password to access this particular page. It is a secret known only to me, not available in any google search, but if you knew to type in the URL the public at large would be able to access it. If someone was lucky enough to find the publicly accessible portion of this page, which is everything to the right of webcam picture, then they could have certain control over my office. However, there is a password on the webcam stream, and so the image would not be accessible.
Over to the right hand side, there are also controls for the lobby music. Again, these are publicly available controls. You can turn the lobby volume up, turn it down, change the channel. stop it, start it, etc. If you found this particular page, without a password, you would be able to create some havok in my lobby. You would probably not be able to use this information in anyway, but it is a control of a device through the internet.
If someone found this webpage, and spent all day turning the music in my lobby up and down, and switching stations, I would be very annoyed and angry, but this would be my fault.
CFAA is not a license to be insecure
Now, imagine that weev found my webcam control page, and started spending a lot of time changing my lobby music at random (which is not all too far fetched). I would and should have no recourse against his actions. While it was not expressly permitted by me, by putting this control on the World Wide Web, unpassworded, I have opened it up for the world. I do not need to list it with google, I do not need to share the URL. If it happens that the URL is hit, then the URL is hit. Again, I should have no recourse.
Now imagine that weev started saying things to me like, "Hey man, nice suit. Jerk face." and started saying that he could see me walking into my office. Well, to access that particular part of the webcam, the video stream, he would need to get around the password screen that pops up when the page is opened. This is a line that shouldn't be crossed. For the bar exam, one of the things we always had to remember for Burglary was that at common law, it was "Entering the dwelling house of another" and "at night" and "with the intent to commit a felony" but we have no such straight principles within the CFAA.
This lack of bright-line rules within the CFAA and a lack of understanding of technology (or a lack desire to understand) on behalf of some members of the judiciary, leads to a position where the knowledgeable prosecutor can pull the wool over the courts eyes.
Part of the lack of bright-line rules comes from the inherent problem of accurate language required by statutory construction paired with a lack of understanding and fear of technology. And, lets face facts, the common law does not exactly seem to apply nor basically even shed light on the issues presented by technology. The law of trespass has been used to describe entry upon land for centuries. States have instituted laws regarding the posting of signs regarding trespass. There is no "Signpost" on a webserver where such trespass warnings can be instituted. There are only password prompts or denials of access. It is not the "World Wide Web" of secrets, it is a world wide web of publicly accessible information with nests of secrets all around. If you want your information to be secure, and for a potential intruder to be criminally or civilly culpable, then it is your duty to put up sign posts or passwords, no matter how simple. Access to this information should be restricted, and secured, so that actual intrusion becomes necessary to get at the information.
If I place upon my server a public directory, lets say http://www.syfert.com/AB34392DQERE3, it is a good chance that this would never be guessed. But if I start throwing information into that folder without placing passwords on the information and someone accesses it, it is my fault. I put the information on the web. But, if I went to a judge or a prosecutor and claimed that you accessed that directory without permission and gained valuable information, I might be able to get them to run with it. If the Prosecutor or Law Enforcement had some particular reason to hate you (i.e. you are very vocal in a political party or movement or just being a general jerk like Weev) then they would spin the story into a security breach and seek punishment. The lack of direction within the CFAA and the lack of understanding of technology have lead to the perfect storm of selective enforcement of the law.
TAKE ACTION TODAY https://action.eff.org/o/9042/p/dia/action/public/?action_KEY=9005
The imprisonment of Andrew Auernheimer (A.K.A. weev) and the death of Aaron Swartz have lead to many public discussions, as were both being prosecuted under the Computer Fraud and Abuse Act. The CFAA is also being used civilly by nefarious groups like Prenda Law to attempt to find methods of attaching liability to IP addresses, essentially for "accessing computers without authorization." While the EFF has focused their attention on the cases of Auernheimer and Swartz, a large protest has begun against the CFAA, or how it is now being used.
There is a clear divide in these suits and actions taken by prosecutors. I believe that the CFAA as it is applied now, is unconstitutional as it leads to a position where there is no definite or certain "line" that needs to be crossed on a computer in order to have it be a criminal act. Because there is no definite line, the CFAA is unconstitutionally vague and leads to a position of selective enforcement.
The CFAA and Weev's Case
Before I get into Weev's AT&T "hack" I must confess that I have known of Mr. Auernheimer for nearly 12 years, but I am not biased for or against him based on that relationship. That part out of the way, his case is the perfect case to show where the line should be not drawn in the sand. Weev's "hack" of AT&T came from requests to a public webserver, which allows public access. They allowed this access to personal information to anyone who knew the address to type into a web browser. This information was made PUBLIC by AT&T by their failure to secure their systems.
This is not to say that any entity in particular has a duty to prevent intrusion, but there is a difference between intrusion and opening a public web address. If no password is required, the request should not be considered an intrusion. If no security is in place, the request should not be considered an intrusion. If a person is not seeking to gain different or higher ranking credentials on a computer within a web request, this should not be considered an intrusion.
How is this activity different than what SHOULD be a violation under the CFAA? Let us hack my office and see.
CFAA and my Office
At my office, I have a webcam setup for security on a tiny linux box at the front of my office. The page for the webcam gives me the status of certain servers and devices that I run using ping or curl.
The page for this webcam setup is a public webpage, and there is no password to access this particular page. It is a secret known only to me, not available in any google search, but if you knew to type in the URL the public at large would be able to access it. If someone was lucky enough to find the publicly accessible portion of this page, which is everything to the right of webcam picture, then they could have certain control over my office. However, there is a password on the webcam stream, and so the image would not be accessible.
Over to the right hand side, there are also controls for the lobby music. Again, these are publicly available controls. You can turn the lobby volume up, turn it down, change the channel. stop it, start it, etc. If you found this particular page, without a password, you would be able to create some havok in my lobby. You would probably not be able to use this information in anyway, but it is a control of a device through the internet.
If someone found this webpage, and spent all day turning the music in my lobby up and down, and switching stations, I would be very annoyed and angry, but this would be my fault.
CFAA is not a license to be insecure
Now, imagine that weev found my webcam control page, and started spending a lot of time changing my lobby music at random (which is not all too far fetched). I would and should have no recourse against his actions. While it was not expressly permitted by me, by putting this control on the World Wide Web, unpassworded, I have opened it up for the world. I do not need to list it with google, I do not need to share the URL. If it happens that the URL is hit, then the URL is hit. Again, I should have no recourse.
Now imagine that weev started saying things to me like, "Hey man, nice suit. Jerk face." and started saying that he could see me walking into my office. Well, to access that particular part of the webcam, the video stream, he would need to get around the password screen that pops up when the page is opened. This is a line that shouldn't be crossed. For the bar exam, one of the things we always had to remember for Burglary was that at common law, it was "Entering the dwelling house of another" and "at night" and "with the intent to commit a felony" but we have no such straight principles within the CFAA.
This lack of bright-line rules within the CFAA and a lack of understanding of technology (or a lack desire to understand) on behalf of some members of the judiciary, leads to a position where the knowledgeable prosecutor can pull the wool over the courts eyes.
Part of the lack of bright-line rules comes from the inherent problem of accurate language required by statutory construction paired with a lack of understanding and fear of technology. And, lets face facts, the common law does not exactly seem to apply nor basically even shed light on the issues presented by technology. The law of trespass has been used to describe entry upon land for centuries. States have instituted laws regarding the posting of signs regarding trespass. There is no "Signpost" on a webserver where such trespass warnings can be instituted. There are only password prompts or denials of access. It is not the "World Wide Web" of secrets, it is a world wide web of publicly accessible information with nests of secrets all around. If you want your information to be secure, and for a potential intruder to be criminally or civilly culpable, then it is your duty to put up sign posts or passwords, no matter how simple. Access to this information should be restricted, and secured, so that actual intrusion becomes necessary to get at the information.
If I place upon my server a public directory, lets say http://www.syfert.com/AB34392DQERE3, it is a good chance that this would never be guessed. But if I start throwing information into that folder without placing passwords on the information and someone accesses it, it is my fault. I put the information on the web. But, if I went to a judge or a prosecutor and claimed that you accessed that directory without permission and gained valuable information, I might be able to get them to run with it. If the Prosecutor or Law Enforcement had some particular reason to hate you (i.e. you are very vocal in a political party or movement or just being a general jerk like Weev) then they would spin the story into a security breach and seek punishment. The lack of direction within the CFAA and the lack of understanding of technology have lead to the perfect storm of selective enforcement of the law.
TAKE ACTION TODAY https://action.eff.org/o/9042/p/dia/action/public/?action_KEY=9005
Tuesday, March 26, 2013
Bait Productions Pty. Ltd. v Does 1-XXX - IP Enforcement Law Group
Attorney Richard Fee of the IP Enforcement Law Group PA has initiated many multiple individual suits in the Middle District of Florida.
Bait Productions Pty Ltd. v. Doe 3 - Filed 2/11/2013
Bait Productions Pty Ltd. v. Doe 24 - Filed 2/8/2013
Bait Productions Pty Ltd. v. Doe 24
Bait Productions Pty Ltd. v. Doe 12
Bait Productions Pty Ltd. v. Doe 12
Bait Productions Pty Ltd. v. Doe 33
Bait Productions Pty Ltd. v. Doe 37
Bait Productions Pty Ltd. v. Doe 52
No client I have ever talked to about this movie ever remembers anything about it. http://en.wikipedia.org/wiki/Bait_(2012_film)
The IP Enforcement Law Group is tightly integrated and an alter ego of Fee & Jeffries, P.A.
IP Enforcement Law Group -
IP Enforcement Law Group, P.A.
1227 N. Franklin Street Tampa, FL 33602
Phone: 813-490-6050
Fax: 813-490-6051
Fee & Jeffries, P.A.
1227 N. Franklin Street Tampa, FL 33602
813.229.8008
David Jeffries is a partner in both firms.
IP Enforcement Law Group -
IP Enforcement Law Group, P.A.
1227 N. Franklin Street Tampa, FL 33602
Phone: 813-490-6050
Fax: 813-490-6051
Fee & Jeffries, P.A.
1227 N. Franklin Street Tampa, FL 33602
813.229.8008
David Jeffries is a partner in both firms.
Monday, January 28, 2013
Malibu Media - Exculpatory Evidence Request
Malibu Media is contacting John Doe defendants in cases and requesting that they fill out a document, under oath, called an Exculpatory Evidence Request.
This document is a strange request for discovery without proper form before the courts.
If you are in Florida or Georgia and have received one of these Exculpatory Evidence Requests, please do not hesitate to call.
Saturday, January 19, 2013
Georgia Super Speeder - Class Action
Graham Syfert is currently taking contact information from potential clients interested in Georgia Super Speeder representation.
If you are a resident of Florida, or any state other than Georgia, and have received a notice which states that your license may be suspended for a failure to pay an extra $200.00 on top of your traffic ticket, Mr. Syfert is currently putting together a list of clients for a possible class action suit against various entities within the State of Georgia.
The first thing you will need to do is visit https://www.foreclosurelawyerjacksonville.com/contact.php
and enter your information.
Second, please gather the materials that you have collected (Your ticket, any letter or demand for payment provided by DDS) and provide it to Mr. Syfert at graham@syfert.com or fax it to 904-638-4726. By submitting your information, no attorney client relationship exists, but attorney client confidentiality does. This is not a guarantee that any case will even occur, but collection of this information is the first place to start. Mr. Syfert intends to consult with other attorneys on this matter, and may enter into an agreement for joint representation with other counsel in these matters.
Of particular interest is anyone who actually had a license suspended due to a failure to pay the super speeder fine. I would like to talk to a few people who had this happen. Mr. Syfert is licensed only in Florida and Georgia, and cannot give you advice on how to challenge Georgia's suspension of the superspeeder law if you are the resident of another state.
I wrote an earlier blog post regarding the double jeopardy aspect of the Georgia Super Speeder law. I hope to challenge this soon in a criminal matter. While researching the matter of the constitutionality of the Super Speeder law, I came across something interesting. The legal theory is still being developed, but I don't see any reason why it is not a good argument.
My Grandfather died on I-95 in South Georgia. He is someone that could have benefited from the extra revenue the Georgia Super Speeder law (O.C.G.A. section 40-6-189) . He would be rolling over in his grave if he knew that there was another fine on top of a fine that was already paid.
If you are a resident of Florida, or any state other than Georgia, and have received a notice which states that your license may be suspended for a failure to pay an extra $200.00 on top of your traffic ticket, Mr. Syfert is currently putting together a list of clients for a possible class action suit against various entities within the State of Georgia.
The first thing you will need to do is visit https://www.foreclosurelawyerjacksonville.com/contact.php
and enter your information.
Second, please gather the materials that you have collected (Your ticket, any letter or demand for payment provided by DDS) and provide it to Mr. Syfert at graham@syfert.com or fax it to 904-638-4726. By submitting your information, no attorney client relationship exists, but attorney client confidentiality does. This is not a guarantee that any case will even occur, but collection of this information is the first place to start. Mr. Syfert intends to consult with other attorneys on this matter, and may enter into an agreement for joint representation with other counsel in these matters.
Of particular interest is anyone who actually had a license suspended due to a failure to pay the super speeder fine. I would like to talk to a few people who had this happen. Mr. Syfert is licensed only in Florida and Georgia, and cannot give you advice on how to challenge Georgia's suspension of the superspeeder law if you are the resident of another state.
I wrote an earlier blog post regarding the double jeopardy aspect of the Georgia Super Speeder law. I hope to challenge this soon in a criminal matter. While researching the matter of the constitutionality of the Super Speeder law, I came across something interesting. The legal theory is still being developed, but I don't see any reason why it is not a good argument.
My Grandfather died on I-95 in South Georgia. He is someone that could have benefited from the extra revenue the Georgia Super Speeder law (O.C.G.A. section 40-6-189) . He would be rolling over in his grave if he knew that there was another fine on top of a fine that was already paid.
Subscribe to:
Posts (Atom)