[Cryptography] Georgia prohibits vulnerability research

R0b0t1 r030t1 at gmail.com
Thu May 3 14:44:23 EDT 2018


On Thu, May 3, 2018 at 11:32 AM, L Jean Camp <ljeanc at gmail.com> wrote:
> Yes, the CFAA has seen quite a bit of prosecutorial overreach. I am sure
> many of us have at least been threatened. The bill as passed but not yet
> signed into law in GA is worse.
>
> This is closer to the Sklyarov prosecution where he did not use a
> vulnerability; rather, he presented information about it. That case was
> prosecuted under DMCA because sharing information about vulnerabilities is
> not now and has never been found to be a violation of CFAA. It is the use of
> vulnerabilities that concerns the CFAA, the investigation to find
> vulnerabilities and discussions of these were under DMCA, and this law in GA
> covers disclosure of their existence regardless of legitimacy in discovery.
> It is quite problematic.
>

Hmm. That is what I thought the Georgian bill was about initially, but
then I kept reading and it looked like a rehashing of the CFAA.

This is an obvious violation of the First Amendment, so why does
anyone care? It will be overturned if it ever passes. I would suggest
a better expenditure of effort and the attention span of those who
will listen is the initial court case where the law is tested.

> The DMCA has recently renewed the security research exemption; CFAA does not
> have a formal security research exemption.
>

Thinking about a "security research exemption" in this way is
dangerous. I will explain further below.

A research exemption for the CFAA does not make much sense. Would a
researcher be allowed to break into people's houses for research
purposes? Would they be allowed to sneak around a military base or
government building simply because they could get in?

Realize that the CFAA tries to explicitly translate physical property
law into a form that applies to computers. Knowing this it is easy to
explain why it was written the way it was written, and why it has been
applied in the way it has been applied.

> The DMCA still allows CFAA prosecution if the research includes unauthorized
> use. So the DMCA exemption does not remove all CFAA risks, but seriously
> mitigates these as well as formally removing prohibitions on
> anti-circumvention in good faith security research.
>

The DMCA and the CFAA are entirely different areas of law. I am afraid
I do not understand what you mean.

> This started as a temporary exemption which was then renewed.
> https://www.ftc.gov/news-events/blogs/techftc/2016/10/dmca-security-research-exemption-consumer-devices
>
> You may find this report a more enjoyable read and it is fairly accurate:
> https://www.techdirt.com/articles/20170625/01312637658/copyright-office-realizes-dmca-fucks-with-security-research-while-w3c-still-doesnt-see-it.shtml
>
> The people who worked to make that DMCA exemption happen include the CDT and
> the USACM (the policy arm of the ACM), and to a lesser extent the IEEE-USA
> (similarly the volunteer organization of the IEEE). None of us will be
> abandoning the fight for better policy in vulnerability disclosure, crypto
> policy, or standards.
>

The right to reverse engineer the operation and construction of
devices is not one which was granted but one which is inherent in the
rule of law in the United States. It is absurd to think the DMCA ever
removed it. More likely is that that clause of the DMCA, if ever
seriously enforced, would be found invalid. And indeed it was
challenged and changed. The "exemption" was likely a pragmatic move to
avoid weakening the rest of the act by association with overreaching
statements.

All of the linked articles make the same critical flaw: that anything
was given up or that concessions can even be granted. My reading of
the law seems to make it evident that the majority of the novel
concepts in the DMCA are simply invalid as they try to overturn longer
existing and more basic property law.

Please answer this: How can it be said I own something but have no
right to use it? That is what the DMCA is saying. The parts that do
not say something to that effect are just duplicating existing IP law.


The way the creators of these laws are treated borders on Stockholm
syndrome. Do not accept their laws simply because they pass. Do not
compromise with them. Your rights are already guaranteed. A more
effective call to action would be to request individuals disregard
these laws and refuse to be bound by them as they are not valid.

> Here, for example, is the short form of the USACM letter, there are longer
> documents which detail the long slog towards this point:
> http://usacmdev.acm.org/images/documents/1201_Short_CommentUSACMfinal.pdf
>
> The GA law goes far beyond the DMCA (except if Elcom had lost) and certainly
> far beyond the CFAA which requires actual use of a vulnerability.
>

The CFAA requires unauthorized use of an information system. If you
have valid credentials but your access has been revoked, e.g. via
contract, then signing in would be a violation of the CFAA.

> In any case, the bill HAS NOT BEEN SIGNED and here is a very nice article
> if you care to oppose it:
> https://www.eff.org/deeplinks/2018/02/how-grassroots-activists-georgia-are-leading-opposition-against-dangerous-computer
>
> "A ping is a felony" has been used in no case of which I am aware, and may
> be rhetorical outreach to match the prosecutorial excesses we have seen
> under CFAA. This bill in GA would be unlikely to make a ping a felony either.
> That is not even on the radar, unless of course it was part of a DoS
> leveraging ping, which is another bucket of crabs altogether.
>

Under the CFAA all that matters is the machine operator's attitude
towards your use of their machine. I do not think it is a stretch to
consider the generation of an ICMP echo reply packet use. I do realize
that it may be hard to make a prosecutor care about someone pinging
your machine, but the CFAA technically forbids unsolicited ICMP echo
requests.

> There is fairly good material explaining it further in the links. While
> Security Week, Tripwire, Microsoft, and Google have letters, really the grass
> roots on the ground is what has delayed this bill being signed.
>
> As for a ping being a felony, this is a fun if sometimes strident read:
> https://www.amazon.com/dp/B00505UZ4G/ref=dp-kindle-redirect?_encoding=UTF8&btkr=1
>
> You might recall the author from the famous MIT LaMacchia rule case.
>

That is good, but I sincerely hope people start studying the law which
already exists. It is very informative and has the potential to be
extremely surprising. There is existing precedent which is simply
against the text of modern laws which remain unchallenged but tacitly
enforced. Taking those laws and applying them to more common
situations can be amusing. E.g., what if someone sold me a lawnmower
but told me I could not repair it? I'd be concerned about their mental
health and repair it anyway.

Another good example: Some number of months ago I found out that those
"warranty void if removed" stickers are invalid under the
Magnuson-Moss warranty act. I believe this has some pretty far
reaching implications especially w.r.t. bootloader locking.

Cheers,
     R0b0t1
