Google takes CryptBot to the wood shed

Google is in the midst of a legal campaign designed to take down the creators of a very persistent piece of malware called CryptBot. This malware, which Google claims compromised roughly 670k computers, set about infecting users of the Chrome browser. Unfortunately for the malware campaign...

The Justice Department Will No Longer Charge Security Researchers with Criminal Hacking

Following a recent Supreme Court ruling, the Justice Department will no longer prosecute "good faith" security researchers with cybercrimes: The policy for the first time directs that good-faith security research should not be charged. Good faith security research means accessing a computer solel...

It’s Not You. It’s Them. On Hacking and Responsible Disclosure.

A story was recently posted to Hacker News celebrating a hack of IoT devices at a school that let a student and their friends rickroll the school via a video system. On the one hand, this guy is my personal hero and I want to be them. But Im a cybersecurity professional, I run a team that has the...

Microsoft Gets Second Shot at Banning hiQ from Scraping LinkedIn User Data

The U.S. Supreme Court has granted LinkedIn another legal option to try to prevent rival hiQ Labs from scraping public information from its user profiles, something the Microsoft-owned professional networking platform has claimed is a violation of user privacy and a misuse of its data. The court...

The Supreme Court Narrowed the CFAA

In a 6-3 ruling, the Supreme Court just narrowed the scope of the Computer Fraud and Abuse Act: In a ruling delivered today, the court sided with Van Buren and overturned his 18-month conviction. In a 37-page opinion written and delivered by Justice Amy Coney Barrett, the court explained that the...

Proposed security researcher protection under CFAA

Rapid7 views independent cybersecurity research and the security community as important drivers for advancing cybersecurity for all, a core value for Rapid7. One way we take action on this value is by supporting protection for security researchers acting in good faith. We have spoken out on this...

Supreme Court Limits Scope of Controversial Hacking Law

The United States Supreme Court has ruled that a police officer who received money for obtaining data from a law-enforcement database for an associate did not violate a controversial federal hacking law, marking a victory for the ethical hacking community by limiting the law’s scope. In a landmar...

Supreme Court narrows CFAA

The US Supreme Court issued its long-awaited-by-cybersecurity-nerds opinion on Van Buren v. United States. The case examined whether it was a violation of the Computer Fraud and Abuse Act CFAA for a police officer to access a law enforcement database to obtain information, which the officer then...

Adversarial Machine Learning and the CFAA

I just co-authored a paper on the legal risks of doing machine learning research, given the current state of the Computer Fraud and Abuse Act: Abstract: Adversarial Machine Learning is booming with ML researchers increasingly targeting commercial ML systems such as those used in Facebook, Tesla,...

Clarifying the Computer Fraud and Abuse Act

A federal court has ruled that violating a website's terms of service is not "hacking" under the Computer Fraud and Abuse Act. The plaintiffs wanted to investigate possible racial discrimination in online job markets by creating accounts for fake employers and job seekers. Leading job sites have...

Trump Comments Straddle Line of Soliciting Computer Crime

Donald Trump may have left himself an out today when he urged Russian hackers to find 30,000 emails deleted by Hillary Clinton from her private server. “Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing,” Trump said during a press conference in Florida. “I...

I'm Warning You, Don't Read this Article. It's a Federal Crime!

Yes, you heard it right. If I tell you not to visit my website, but you still visit it knowing you are disapproved, you are committing a federal crime, and I have the authority to sue you. Wait! I haven't disapproved you yet. Rather I'm making you aware of a new court decision that may trouble yo...

Researcher Tries to Get Ahead of CFAA Changes, Dumps 10M Sanitized Passwords

The Obama administration’s proposed changes to Computer Fraud and Abuse Act CFAA have security researchers on edge. The amendments, spurred on by 2014’s seemingly never-ending stream of data breaches, contain vagaries in their language that threaten legitimate research done in the name of improvi...

Dennis Fisher and Mike Mimoso Discuss Encryption, the Microsoft-Google Feud and More

Dennis Fisher and Mike Mimoso discuss the security news of the past week, including the proposed changes to the CFAA, David Cameron’s encryption comments, the NSA’s quasi-apology regarding Dual EC and the Microsoft-Google disclosure feud. Music by Chris Gonsalves Download: digitalunderground180.m...

Proposed CFAA Amendments Bad News For Security Researchers

Legitimate security researchers, from bug hunters to pen-testers, are buckled in for a bumpy ride as vague language in President Obama’s proposed amendments to the Computer Fraud and Abuse Act CFAA is expected to be debated and sorted out as it makes its way through the legislature. The amendment...

House GOP Task Force Favors Private Incentives, Fewer Regulations for Cybersecurity

A House GOP task force called on Congress this week to adopt voluntary incentives – rather than federal requirements – to get private companies to further develop their cyber security. The GOP proposes a combination of tax credits, grants, insurance and rules set by non-regulatory agencies as a w...