
Breaking into a system, whether or not the password was easy to guess, sounds like a crime to me.


It is a crime!

But CFAA charges should, and this is the issue a lot of people have with them afaict, have a sliding scale for premeditation though.

If I knock on a door, it swings open, and I walk inside and steal something, then imho there should be a lesser maximum charge for possessing burglary tools than if I show up with a lock gun, crowbar, and concrete saw.

A lot of the CFAA excesses are maximum penalties from the CFAA being thrown at people using minimally sophisticated / premeditated methods, in addition to charges about the underlying crime.

That doesn't seem just or fair.

In practice it's turned into an if(computer){increase maximum penalty} clause, solely at the government's discretion.


>If I knock on a door, it swings open, and I walk inside and steal something, then imho there should be a lesser maximum charge for possessing burglary tools than if I show up with a lock gun, crowbar, and concrete saw.

Why? (I'm not a lawyer...) - shouldn't intent and harm (i.e. the value of the stolen item) be the only relevant details? Now of course it's much easier to demonstrate intent if there's a crowbar involved, but once that's already established, it seems irrelevant.


Because that's the way most method-specific laws work, at least in the US.

There's an underlying result crime (eg causing business harm by destroying a database), then the method by which one chose to do it (eg exceeding authorized access to a computer with the intent to cause harm).

The CFAA was originally passed under the erroneous worry that existing laws wouldn't be enforceable against cybercrime, which turned out to generally be false.

When you cause damage, there's almost always a law by which someone can sue you for those damages.

What there wasn't, and what the CFAA created, were extra penalties for computer crimes and an ability to charge people with computer crimes where there were no damages (eg Aaron Swartz).

And why should those things need to exist? Theft is theft. Destruction is destruction.

It was an underspecified law, ripe for prosecutor overreach. See: https://www.congress.gov/crs_external_products/R/HTML/R47557...

It fit with 'premeditated intent' intensifiers (where penalties escalate if premeditated intent can be proven)... but that wasn't actually how it was written or how it is used. Instead, it's a method-based checkbox that allows prosecutors to tack on additional charges / penalties. If a computer was used to destroy this thing, add X years to the sentence.


Am a lawyer - You're correct. Intent is key and almost all laws are based around intent or, in legal parlance, "Mens rea" or the guilty mind. That is what separates a legal act from an illegal act: the intention behind it.

Suppose you are leaving a store and heading to your car. For whatever reason, the button on your keys unlocks someone else's car that is the exact same make and model as yours. You hop into the car, your key starts the ignition, and you drive off (Yes, this has really happened). That isn't legally theft because you legitimately believed that was your car - aka you didn't intend to take something that wasn't yours.

For 98% of laws, in order to be convicted, the government needs to prove you intended to commit the crime. Obviously, I'm oversimplifying what is a very complicated topic you spent two years learning, but that's the gist.


If you're saying there should only be theft charges either way, that's fine.

But if there are burglary tool charges, they should depend on whether you used burglary tools to burgle, not how much theft you did.


You have a point. But on the other hand you have no idea of what tools the intruder possesses, only (at best!) what they used.

I think intent probably matters a lot more than the technicality of how you succeeded.


It does sound like a crime to me too. But was it a password or other credential that was guessed, or was it just some sequential primary key? The latter is not an authorization system, and I do not believe it a crime to do that unless you have specific knowledge that it is likely to cause damage and/or the intent to cause that damage.

As far as I am concerned, I am allowed to send any traffic I wish to public-facing hosts, and if they respond with content that the owners would not wish me to see, I have no responsibility to refrain. The only traffic I am not permitted to send are credentials I am not authorized to use (this would include password guessing, because if I manage to guess correctly, I was still not permitted to use it).

So which was it?


You are not allowed unauthorized access regardless of how the key works.

> I am allowed to send any traffic I wish to public-facing hosts

No you're not. Denial of service is a federal crime.

> I have no responsibility to refrain

Yes you do, and this is just beyond silly. The nuance of how you obtained it will be decided in a court. Stop making everything so reductionist and lazy.

> The only traffic I am not permitted to send are credentials I am not authorized to use

Absolutely not. Use of a vulnerability to cause a data breach is OBVIOUSLY a federal crime.

This is beyond absurd.


> You are not allowed unauthorized access regardless of how the key works.

You and I seem to both speak/write English, but there is a language barrier. For me, "authorization" means that they have given me credentials, and any content locked down under those credentials is off-limits.

For you, "authorization" is a magical term that has no real meaning. It means that they want me to have the content. But I am no telepath, and I do not know what they want me to have or do not want me to have. The only way, from my point of view, to know what they want me to have or not is to try to retrieve the content without credentials, and if it succeeds, it's legal.

Of course, there are a few corner cases. What if I discover some software defect that very clearly shows they intended to require credentials, and a test without credentials shows that it is indeed off-limits, but exploiting the defect produces that content? I wouldn't do that, that'd be illegal.

But your way of (non-)thinking is alien to me, and no reasonable judge or legislator could possibly mean what you claim that law states. Or at least what you seem to claim.

>No you're not. Denial of service is a federal crime.

Only with intent. If I send reasonable content that shouldn't be DoS, how was I to know? I intend no crime.

>Yes you do, and this is just beyond silly.

You're the one being silly. You can't even decide what you mean by "authorized".

>The nuance of how you obtained it will be decided in a court.

I'm never going to trial, I'm not even going to be noticed.

>Use of a vulnerability to cause

Use of a clear defect. The biggest and most dangerous vulnerabilities are the apathy and stupidity of their employees, their lack of a sane business model and attainable vision, and so on. Using those is just common sense. There is a popular magazine that is subscription only. But they have the pdf download links hidden with display: none CSS. These links require no authorization. Just knowledge. I retrieve those quite punctually.


You're both veering out of CFAA jurisprudence in different ways. But you know you're in trouble when you start saying things like "I am no telepath", because in fact a big part of an ambiguous CFAA case will be determining what a reasonable person (ie: the jury) would think confronted with the computer system under discussion. There will in fact be mind reading involved; your intent would in fact be tried.

There's nothing at all CFAA-specific about this; this is really basic US criminal law and it comes up in all sorts of different criminal justice contexts. The terms you're both dancing around are mens rea and actus reus.


>But you know you're in trouble when you start saying things like "I am no telepath",

I'm not in trouble. There is virtually zero chance of this ever being noticed by law enforcement, and even less chance than that of them giving a shit.

Also note, I am not arguing what the worst possible interpretation might falsely convict someone of, but how the law should be viewed, or, if someone can demonstrate to my satisfaction that the law disagreed with, then how it should be altered.

If I have to guess what retards (read: juries) might think is reasonable, then there can be no public internet. We're just a few years after journalists were arrested for looking at html source with "view source", aren't we?

>The terms you're both dancing around are mens rea

I'm only mildly ignorant. Has CFAA ever been considered to describe strict liability crimes?


You're in trouble rhetorically, is what I mean, because your argument is completely alien to criminal law.


Only as much as criminal law is alien to fairness, decency, and pragmatic interests.


Maybe as far as you are concerned, but not as far as the law is concerned ;-)


Well, I guess it's a good thing for me that they're unable to notice or care and in general incompetent.

I am still permitted to do this. None of the details of this case give me the impression that they're using CFAA in such a way as to offend my sensibilities. Sounds like he sabotaged a former employer and caused hundreds of thousands in (tort not physical) damages. I guessed the urls for some issuu.com links that aren't available in search, and downloaded the page images to make a pdf. I was never prompted for a password. Arrest me, I'm a notorious hacker.


I can't think of any situation where "let's" does not mean "let us"?


You and simonask are speaking at different levels of literality.

Yes, literally, "let's" expands to "let us". But idiomatically, "let's/let us <do this thing>" does not mean "allow us to <do this thing>"; it means "I am requesting that we now <do this thing> together".

Now, I'm not entirely sure why simonask felt this level of literality was a useful one to bring up here, but it is true.


True, but the point was not that they were asking permission, it's the "let us do this together" meaning to which the OP takes offense. He feels like it implies he cannot do it on his own.


"Let's go!"


Literally "let us go"; there's no way around the literal meaning.


Let literally means "allow." In many cases where this is said, the person saying it isn't blocking/preventing/gatewaying anyone from going. So the literal meaning of "allow" is not intended.


Words have more than one meaning.

Let also means "to cause to" as in "let me know", or can be "used in the imperative to introduce a request or proposal", as in "let us pray". (Or "let there be light.")

https://www.merriam-webster.com/dictionary/let

The definition you're referring to matches definition 2a, "to give opportunity to or fail to prevent", or definition 4: "to permit to enter, pass, or leave".

"Let's go" absolutely means "let us go". There's no way around it. It's just not the version of "let" that you may be used to, but that doesn't change anything.


"Let's go" never means "let us go". Just try to articulate it as such! I can't.


"Let us go" does not only mean "you should let us go" but it is also the first person plural imperative implying that we go. Whether you shorten it to "let's go" or not does not change this.

Same as how "let us pray" is frequently used as well.


Abbreviation does change it; it narrows the meaning. "Let's go" never means "you should let us go" and "let's pray" never means "you should let us pray".

@ninkendo shared an insightful video below about it. https://en.wikipedia.org/wiki/Clitic


Nowhere does anyone claim that "let's go" means "you should let us go". The discussion was whether "let us go" automatically means "you should let us go", which it does not.


Shall we go?

Let us go / Let's go / Let's

If you don't want to use the full form, it shan't stop me.


I don't know if I'm being clear. Say you and your family were imprisoned. You would never demand to be released by saying "let's go!". Your bemused family might well ask "Where, to the other corner of the cell?"


English contractions are weird in general in that it doesn't always "work" to contract two words. Tom Scott does a good video about this: https://www.youtube.com/watch?v=CkZyZFa5qO0

(Example, "Is this a good idea? Yes, it's!" sounds wrong. But "it's" still means "it is". It would just sound weird to use a contraction in that context.)


You can't always replace "let us" with "let's", but you can always replace "let's" with "let us".


You truly cannot.

Somebody else brought up the example of “let’s go!” versus “let us go” - not the same thing by a long shot.

“Let’s” in English has a distinct meaning from “let us”, and that is to politely and casually (but firmly) suggest a course of action.

I remember touring a Polish salt mine a couple of years ago. The guide was very good, but her English had a few quirks, among them that she seemed to like the phrase “let’s let me to show you …”. It’s wrong, but you can immediately understand that she meant “please let me show you”.


Let literally means a lot of things, one of them being "allow us to". But that is only one of many of its literal meanings.


Same for Explorer, really. The SMB hosts that announce themselves show up in the sidebar.


But what if we hire nine women instead of just one?


I think you're confusing Microsoft and Apple. :-)


I'm very much willing to pay for their content, but not in the way of watching ads during the videos.


Youtube Premium has existed for 10 years and creators get paid from it.


Do you happen to know if they get the same amount per view?


> YouTube channels earn revenue from viewers with YouTube Premium. Throughout this month (August 2018), I earned approximately 55p per 1000 regular views and 94p per 1000 Premium views, so it appears that if 75% of your viewers went Premium, that would actually be beneficial.

https://www.reddit.com/r/youtube/comments/9agg5f/how_does_yo...

> Per user, creators usually get a LOT more from premium than ads. If I divide my monthly views by my monthly unique viewers, I get about 1.9 cents per viewer.

> The way premium works is, first youtube takes a cut--I believe it's 45%. The remaining amount is divided among all the creators you watch based on how much you watch them. I believe that's based on view time.

> So if the YT premium price is $13.99, the creators get 55% or $7.69. You would have to watch 405 different creators for each one to get 1.9 cents.

https://www.reddit.com/r/youtube/comments/16c80eb/how_do_you...


So you do pay for YouTube Premium then? Or are we not going to hear back from you?


I used to, but I don't consume enough YouTube videos anymore to make it worthwhile. Give me a top-up plan that I can use to pay for individual videos and I will definitely do it.

But what's with the weirdly aggressive second part of your message?


Your individual willingness is irrelevant.

There are not enough people with your willingness to make this mechanism work by itself.

So the choice is either to have the content exist, but rely on ads, or not have the content exist. And it's not your choice - it's the content creator's choice.


If it’s not my choice, then there’s no problem if I block the ads, right?


Weird. I'm pretty sure that deciding whether or not to watch ads is entirely my choice.


You can pay for Youtube Premium right now and the ads go away.

For a long time, my criticism was that Youtube Premium is needlessly bundled with Youtube Music, which is redundant for me as a Spotify user and which I refused to pay for accordingly.

Now, in at least a few countries, there's "Youtube Premium Lite", which is basically regular Youtube but without ads. If you live in one of these, in my view that's close to the ideal scenario: Everybody gets to choose between watching ads and paying.


From the same rules: "Please don't complain that a submission is inappropriate. If a story is spam or off-topic, flag it. Don't feed egregious comments by replying; flag them instead. If you flag, please don't also comment that you did."


But not having to dual boot and just get both worlds at the same time definitely beats having to dual boot.


Remind me what the 30% markup is for, again?


Marketing and distribution.


What marketing?


Strange wording. You are the one that put tens of thousands of your users at risk. Not the one who discovers the problem.


If you forget to close your shop's door after hours, and someone starts shouting "HEY GUYS! THIS DOOR IS OPEN! LOOK!", I have a hard time putting 100% of the blame on you.


If I point out the bridge is cracking and you get angry about it, I'm blaming the idiots that engineered a crap bridge and didn't maintain it.

Maybe it's time we get professional standards if this is how we are going to behave?


This seems like a fallacious analogy to me.

Why is a cracked bridge dangerous? Because anyone traveling over it or under it is at risk of being hurt if the bridge collapses. Warning people that it is cracking does not increase the likelihood of a collapse.

Why is a software vulnerability dangerous? Because anyone who knows about it and has nefarious intent can now use it as a weapon against those who are using the vulnerable software, and the world is full of malicious actors actively seeking new avenues to carry out attacks.

And there are quite a few people who would exploit the knowledge of an unlocked door if given the chance.

There’s a very clear difference in the implications between these scenarios.


A cracked bridge is always dangerous.

A vulnerable piece of software is always dangerous.

There are large numbers of state-funded exploit groups and otherwise blackhat organizations that find and store these vulnerabilities waiting for the right opportunity, say economic warfare.

Much like building safe bridges from the start, we need the same ideology in software. The 'we can always patch it later' mindset is eventually going to screw us over hard.


I agree with the conclusion that we need safer software from the start.

But we also have to deal with the reality of the situation in front of us.

I will maintain that the differences between the implications of revealing a crack in a bridge vs. prematurely revealing a vulnerability to literally the entire world are stark. I find it pretty problematic to continue comparing them and a rather poor analogy.

> There are large numbers of state funded exploit groups and otherwise blackhat organizations that find and store these vulnerabilities

This underscores my point. What you’ve been describing is a scenario in which those organizations are handed new ammunition for free (assuming they don’t already have the vuln in their catalog).


They didn't "forget" to lock the door that one time. They just never lock it. The guy yelling it out loud is pissing off all the people who already knew you didn't. He is not the one to be angry at.

