It’s Not You. It’s Them. On Hacking and Responsible Disclosure.
A story was recently posted to Hacker News celebrating a hack of IoT devices at a school that let a student and their friends rickroll the school via a video system. On the one hand, this guy is my personal hero and I want to be them. But I’m a cybersecurity professional, I run a team that has the ability to hack into any system they take an interest in, and I’ve studied cybersecurity ethics and am familiar with the consequences of hacking in 2021. I’m also aware of the fallibility of humans. So I was obliged to reply on HN.
The short version is this: In the United States, hacking crimes are governed by the CFAA – the Computer Fraud and Abuse Act. The criminal penalties are extremely harsh, and many cybercrimes are handled in federal court. If you do access a computer system without authorization, or exceed the authorization you have been given – which are both criminal offenses under CFAA – you’ve given yourself a pretty good shot at ruining your life. Being charged with a crime and having to deal with court dates is stressful enough. Even if you’re lucky to get probation, you still have a criminal record which severely limits your job opportunities and travel options.
Responsible disclosure is challenging enough. But actually hacking systems – even if you think you’re being playful – can lead to disaster. As I said in my comment: “Overzealous prosecutors have been given a huge amount of power, and all you need is one embarrassed systems administrator, school board, or management team to trigger a disastrous outcome in stories like this.”
For the most part, my comment on HN was upvoted and supported in the replies. But I did get a certain amount of pushback. And wouldn’t you know it, in the news this morning is a fine example of the kind of idiocy out there that demonstrates why researchers and explorers need to be very careful to avoid violating the CFAA.
A journalist at the St Louis Post Dispatch discovered a data disclosure issue with a website that allowed the public to look up teacher credentials. Encoded in the HTML source code of the site were the social security numbers of teachers, counselors, and administrators. It’s worth noting that the data was encoded, not encrypted, which means it was easily readable by any attacker or software developer.
The St Louis Post Dispatch and their journalist did exactly the right thing: They confidentially disclosed the issue to the website operator. The website operator fixed the problem. And then St Louis Post Dispatch disclosed the details in an article, which is exactly how the cybersecurity industry works. That final disclosure step is so that the public has full transparency on the issue – in other words, teachers should know that their socials were exposed. And so that other researchers, vendors, and operations staff can learn from this mistake.
What should have happened at this point? Nothing. Because absolutely nothing was awry. The discovery helped secure a system. The journalist never breached any cybersecurity ethical boundaries. The school system has a more secure website. Apparently, that wasn’t enough for Missouri Governor Mike Parson who has announced that the Cole County Prosecutor and the Missouri Highway Patrol [I’m not joking] will investigate the matter.
And the governor is rolling out the red carpet. Extracts from his statement: “We are coordinating state resources to respond and utilize all legal methods available. My administration has notified the Cole County prosecutor of this matter. The Missouri State Highway Patrol’s digital forensic unit will also be conducting an investigation of all of those involved. We will not let this crime against Missouri teachers go unpunished. And we refuse to let them be a pawn in the news outlet’s political vendetta. Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them. This incident alone may cost Missouri taxpayers as much as $50 million and divert workers and resources from other state agencies.”
All because a journalist spotted that social security numbers were easily accessible in HTML source code, responsibly disclosed the issue, and helped secure the school system, exactly the way every ethical and responsible cybersecurity organization on this planet operates.
Let’s revisit the school hacking story I started with. What you have here is exactly what I warned folks about just days ago. An embarrassed governor and embarrassed school administrators are framing this as a malicious act to try to protect their reputations. And they have the full force of the CFAA to back them up. They’re most likely going to try to frame reading HTML source code as accessing a system beyond the authorization given, which is a crime under the CFAA.
So if you are a cybersecurity researcher or simply curious and love exploring our global Internet, please be careful. Read the Wikipedia entry for the CFAA so that you understand it. The Responsible Disclosure article on Wikipedia is also a great start. Every major cybersecurity certification also contains a section on ethics, so consider gaining a Security+, CEH, CISSP, or similar. After working in ops and development for over 20 years, I became a CISSP and even with my experience and knowledge, I found that I have benefited greatly from the certification.
Understand that responsible disclosure is still very much an industry insider concept. People who operate systems and their employers are often unsophisticated and uneducated in the field of cybersecurity – and they are human and are easily embarrassed. It’s very tempting for them to shoot the messenger, even when the messenger delivers the bad news within a globally accepted framework.
And when it comes to hacking your school network or other systems that you don’t have the authorization to hack? Don’t do it. We aren’t living in the 80s or early 90s anymore, where hackers are seen as adorable Matthew Broderick characters from the movie Wargames. When Kevin Mitnick was hunted down by Janet Reno for over 2 years, under the Clinton Administration in 1995, and eventually arrested, the game changed. Hackers were rebranded as evil, malicious, dangerous, and bound for prison, and Kevin was sentenced to 5 years. In South Africa where I was “exploring”, my friends started getting raided, one was arrested, and I was fortunate enough to only get a nasty letter. Childhood’s end had arrived for cybersecurity.
If you’re a researcher, take care, even when disclosing responsibly. If you think you’re being playful by accessing systems you’re not allowed to, or exceeding the access you’ve been given, stop. Back away from the keyboard. And sign up for a cybersecurity certification that will give you opportunities to do the kind of exploring you want to do, legally, and will teach you about the ethical frameworks that our industry has. And give your adventurous friends and family the same advice.
It’s not you. It’s them.
Mark Maunder – Defiant Inc Founder & CEO. (We make Wordfence)