Cyberlaw – RJC ESQ

One of the fascinating aspects of Bitcoin is that you don’t have to be human to own Bitcoin. Throughout the history of money, money was the possessed by people. Men, women and even children can own money, either in physical form such as cash or currency or in electronic, digital or even tied to an account based system. As we enter an age where we may have autonomous agents, acting without being under the direction of human, we also have a mechanism for them to earn and spend money, again acting without coordination or need of a human actor.

Consider the idea of a drone being “set free” by it’s creator/owner/builder. This drone performs tasks to earn Bitcoin. Maybe it performs aerial surveillance, delivers packages, kills rodents, monitors human rights violators, whatever tasks that it is capable of performing that someone (or something) are willing to pay it to accomplish. What does it use it’s Bitcoin for? Why it spends it on fuel, on repairs, on upgrades to its software and hardware; a better camera, a gun turret, more intelligent software, whatever it’s programming deems a worthy investment. As long as the drone can sustain itself by selling it’s services and buying what it needs to continue, it can maintain its autonomy. The economy of drones.

If the drone needed access to a “trusted” holder of funds, it forever be at risk. Why? Because that trusted holder, be a bank or a person, is accountable only to the law, and a robot can’t sue.

This is only a stub and I hope to expand on it sometime.

There has been a lot of discussion regarding the over reach of the Computer Fraud and Abuse Act (aka CFAA) and prosecutorial misuse. The discussion only intensified after the suicide of Aaron Schwartz. Broadly, the CFAA criminalizes access to computer services that exceeds authorization. The question is what exceeds authorization is especially thorny in the case of a publicly accessible website.

Consider the current case against Andrew “weev” Auernheimer. He is being prosecuted for unauthorized access to 100k+ emails of AT&T customers who owned Ipads. Seems pretty bad doesn’t it…..but lets consider what he did from a technical standpoint.

It turns out AT&T was trying to make it easy for Ipad customers to log into their AT&T account. When a customer would access AT&T’s website, the Ipad had be preprogrammed to call a specific webpage. I don’t know the exact URL but it looked something like this

http://www.att.com/home.php?ipad=1234567890

That number at the end was the serial number of the Ipad. AT&T then used this number to pull the person’s email address from their records and pre-populate the login page so the customer didn’t have to enter their email every time they wanted to log in.

What Auernheimer did was go to the URL and alter the serial number sequentially upwards, thus revealing thousands of customer’s emails. This is a common problem and is easily fixed by what is referred to as page level security. In other words, you should only display information on a page if the user is authorized to access it. I’ve found this problem in many website, including my law school which displayed the roster of every class in the school and a popular retailer which allowed me to view every order placed on the website.

While AT&T certainly didn’t want Auernheimer to get that information, they put it out there for the world to see and ignored basic security practices. Auernheimer simply pointed this out as I and others have done so in the past.

It seems almost silly that if I set my computer to access a web page by typing a url, essentially instructing ATT’s server to send me some information (http://www.att.com/home.php?ipad=00033333) and get information PROVIDED by AT&T’s web server I’m now a Federal felon for unauthorized access.

If you, dear blog reader, agree with me so far, let’s make the question a bit more complicated. Suppose instead I enter the following in my url

http://www.att.com/home.php?ipad=’; select * from dbo.customers;

and now the webserver returns the entire database of customer information. This technique is called a sql injection attack and provides me a way of injecting a sql statement into their code. Here I have similarly sent instructions to AT&T’s server but this time I’ve gotten information they never intended to share. But wait, the never intended to share that one customer’s email with ME in the previous URL.

The fact is, without exposure by people such as Auernheimer, ATT and other companies lack incentive to secure their software. Then the only people using these attacks will be the criminals who use them for nefarious purposes. This shouldn’t be illegal under the CFAA. If anything, AT&T should be liable for failure to exhibit best security practices.