Worrying Trends In Cyber Law Enforcement
Good news! U.S. Attorneys have decided that inputting incorrect information into a website's form is a malicious act punishable by up to 10 years in prison for each instance of the crime!
For those of us that have entered a password or username incorrectly before (I assume you have), this is big news!
A scary trend has arisen in the prosecution of alleged cyber-criminals. Over-zealous prosecutors load their press releases with damning language, maximum penalties, conjecture, and ignorant statements. An under-educated public has no qualms about these sentences because they do not understand the nature of what is being charged.
Wired ran a nice piece today about the extreme sentencing limits promised by prosecutors in computer cases. A young hacker was threatened with 44 felonies after unsuccessfully trying to brute-force a local government website. Eighteen of those felonies were for "cyberstalking."
Well, Jesus! Cyberstalking isn't good! He shouldn't have been doing that, right?
Luckily, he wasn't. The prosecutors, eager to throw more felonies onto the pile, decided that fuzzing some text fields counted as cyberstalking. Are you fucking kidding me?
Fuzzing, for those who are uninitiated, is the practice of entering invalid/corrupt data into text fields. It is a common method to assess application vulnerabilities, and is one of the first steps a hacker will take to penetrate a system. It's also exactly what you do when you enter an incorrect password. The only difference is intent. Fuzzing an entry field maliciously will involve passing invalid text strings to the field with hopes of exploiting common errors.
For example, a hacker may try entering an entire script in a password field. If a system developer does not protect against this well-known threat, the hacker may find themselves in possession of a new system.
Each of those 18 counts of "cyberstalking" (which were just fuzzing attempts) carries a maximum penalty of 10 years. That is a potential 180 years in prison for the crime of fuzzing text fields. Next time you enter your password or username incorrectly on Facebook, just remember that according to U.S. Attorney Kenneth Magidson, you are a criminal engaged in cyberstalking.
Aaron Swartz is a household name nowadays. I have a soft spot for him, as he created Reddit, helped develop RSS, was involved in Creative Commons, and was regarded by his peers as a wunderkind. He hanged himself at the age of 26 after being threatened with up to 50 years in prison. His alleged crime: mass downloading academic journals from MIT. If it was Aaron Swartz downloading those files, that would be illegal (and should be). However, much like other high-profile cyber-cases, his name was dragged through the mud years before a trial.
In the case against Ross Ulbricht, who was accused of hiring a hitman by the government before those charges were mysteriously dropped, there are a lot of strange holes in the forensic investigation of Silk Road's servers. My feelings on the matter are mixed, but as someone who used to browse the Silk Road, boy, is it terrifying. The government led their charges with six counts of attempted murder (hiring a hitman, and torture allegations).
This was all before a trial - simple showmanship by the prosecutors. Later, after the dust settled and public opinion had been decided, the indictment was quietly changed - dropping the six murder counts.
What a nice position to be in as a prosecutor! The defendant has now been thoroughly smeared with charges of assassination and torture before the trial has even started! Never mind that those charges will not be proven (or included in the court case)!
One of the problems with these cases is the willingness of prosecutors to over-amplify what they consider to be crimes. Worse, because there are very few people capable of understanding the full breadth of these investigations, the public is left with interpretations of complex forensic science, explained to them by lay journalists.
Imagine reading the following story in the paper: "Man kills wife. Although police were unable to find the murder weapon and the body, they have firmly agreed that John X is responsible. When asked where the body and weapon may be, prosecutors told us 'That information is part of an on-going investigation'. Later, the charges were reduced to a misdemeanor, as John X was shown to have stolen a neighbor's paper."
That story didn't make any sense, right? That's because you have the frame of reference to understand that all of the listed events don't correspond. However, when confronted with a layperson's interpretation of highly technical forensic computer science, the general public hardly has a chance to even understand the issue at hand.
That's how prosecutors can get away with these sleazy smear campaigns - 1.) because the general public understands murder, but doesn't understand Tor networking, and 2.) because prejudicing a jury is easier this way.