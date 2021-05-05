Security: CFAA and Supply Chains
What Does it Mean to Exceed Authorized Access?
After years of debate and prosecutorial overreach, the Supreme Court has now narrowed the Computer Fraud and Abuse Act (CFAA). In Van Buren v. U.S., the Court ruled that obtaining information by "exceed[ing] authorized access" is limited to information on the computer that one is not authorized to access at all, rather than to information simply gathered for an improper purpose.
To explain, consider the facts of Van Buren. Van Buren had rightful access to a database of DMV license plate information. He accessed that database using valid credentials, but looked up information for an improper purpose. He was convicted under the CFAA for exceeding his authorized access. I have blogged about this issue before. The broad reading that sent him to jail is a really scary interpretation of the statute, one in which many ordinary people could go to jail for innocuous use of the internet.
The Court narrowed the meaning, and held that the language of the statute, "to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter," cannot be read to cover the purpose of gathering the information. Instead, "entitled so to obtain" must mean entitled to obtain in the manner prior referenced, which means obtained by access to a computer with authorization. Based on this reading, Van Buren cannot be guilty because he accessed records that he was already entitled to access. But he might have been guilty if he looked at personnel files on the same computer.
[...]
As a final note, the Court's appeal to the civil provisions is unavailing – standard hacking, captcha breaking, password guessing and any number of other things that might give unauthorized access to information are illegal yet cause no damage or loss as the Court describes those provisions. Further, the Court ignores the ridiculous, “we spent money finding the leak and that’s loss” that lower courts have upheld. That type of loss would apply to a broader definition of "exceeds authorized access" as well.
Van Buren v. United States (2021)
There is a well-worn legal maxim that "hard cases make bad law." In deciding Van Buren v. United States today, the Supreme Court was faced with the opposite problem: bad laws[i] make hard cases. Specifically, in a 6-3 decision, the Court found that the Computer Fraud and Abuse Act ("CFAA") does not extend to an individual's accessing information over the internet for an improper purpose, so long as the individual would be entitled to access for a proper purpose. There's no question that interpreting the opaquely-worded CFAA forced the Court to choose between two bad options, with a parade of horribles on both sides; it chose the option that clearly decriminalizes everyday behavior (but also would allow abusive use of access that individuals have solely for work purposes).
[...]
Seeing an opportunity for help with his financial woes, Van Buren told Albo -- falsely -- that he had substantial medical debts. He then asked Albo for a loan. But instead of appreciating Van Buren's position, Albo went to the county sheriff's department with recordings of the request and told them Sergeant Van Buren was shaking him down. The FBI got involved and decided to run a sting operation. First, it had Albo ask Van Buren for help running drugs, but the police sergeant refused. Then, it had Albo ask for information about a female friend that Albo had allegedly met at a strip club (specifically, information regarding whether she was an undercover police officer). Albo offered money in exchange for Van Buren accessing Georgia and national criminal databases to run the woman's license plates. Van Buren accepted the money and ran the plates, then texted Albo when he had done so. The FBI and Georgia Bureau of Investigation then swept in and arrested Van Buren, who admitted to all of the facts and agreed what he had done was wrong.
The local U.S. Attorney charged Van Buren with honest services fraud and unauthorized access to the government databases in violation of the CFAA. He was convicted on both counts, but the Court of Appeals reversed the honest services fraud verdict on the basis of improper jury instructions. Van Buren then took the CFAA conviction to the Supreme Court.[ii] Specifically, the Supreme Court considered whether a person who is authorized to access information on a computer for certain purposes violates the CFAA if he accesses that information for an improper purpose.
The six-Justice majority, in an opinion written by Justice Barrett, decided that the CFAA would not extend so far. The majority started with the text of the CFAA, and believed that the act was structured so that the two options for the offense (access without authorization or access exceeding the scope of authorization) would be parallel in a binary "gates-up-or-down inquiry." That is, because the only question for the first part was whether the accesser had authorization or not, the second part should be limited to the question of whether the accesser had authorization to access that information in any circumstance or not. In that sense, Justice Barrett used a physical analogy for the scope of authorization, describing the prohibition as relating to "particular areas of the computer – such as files, folders, or databases – to which their computer access does not extend." In doing so, she rejected the government's assertion that the majority's interpretation would read the word "so" (in the phrase "entitled so to obtain or alter") out of the statutory definition of "exceeds authorized access." She indicated that the word "so" could be understood to distinguish the situation where an individual is entitled to see the same information by non-computer-based means (such as, hypothetically, if a person were entitled to see a personnel file in hard copy but not electronically).
Hacker lexicon: What is a supply chain attack?
Cybersecurity truisms have long been described in simple terms of trust: Beware email attachments from unfamiliar sources and don't hand over credentials to a fraudulent website. But increasingly, sophisticated hackers are undermining that basic sense of trust and raising a paranoia-inducing question: what if the legitimate hardware and software that makes up your network has been compromised at the source?
That insidious and increasingly common form of hacking is known as a "supply chain attack," a technique in which an adversary slips malicious code or even a malicious component into a trusted piece of software or hardware. By compromising a single supplier, spies or saboteurs can hijack its distribution systems to turn any application they sell, any software update they push out, even the physical equipment they ship to customers, into Trojan horses. With one well-placed intrusion, they can create a springboard to the networks of a supplier's customers—sometimes numbering hundreds or even thousands of victims.
Games: Valve, StoryArcana, and Hollow Knight
Linux 5.14 Set To Retire The Long-Deprecated RAW Driver For Direct I/O Access
Linux's RAW driver (RAW_DRIVER) for providing direct I/O access to block devices is finally set to be removed with the Linux 5.14 kernel this summer. It was deprecated all the way back in the mid-2000s, and its use has been discouraged even longer. The RAW driver has allowed for direct unbuffered I/O to block devices for the Linux kernel, but it hasn't been relevant in well over a decade since using the O_DIRECT flag when opening a block device can achieve the same behavior. The block devices in the raw mode were exposed through /dev/raw/. While O_DIRECT has been the preferred approach, some legacy workloads weren't maintained or were unable to just use the O_DIRECT approach, which led to the RAW driver being obsolete for all this time. Also: The future is climate-friendly software [Ed: Linux Foundation is now a Microsoft propaganda arm]
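The O_DIRECT replacement mentioned above, as an added example that is not from the Phoronix article or the kernel tree: it opens a block device (or a regular file on a filesystem that supports direct I/O) with O_DIRECT and reads one block through a suitably aligned buffer. The 4096-byte alignment constant and the helper names (dio_aligned, dio_alloc, dio_read) are assumptions made here for illustration; real code should query the device's logical sector size (BLKSSZGET) rather than hard-code it, because the kernel rejects O_DIRECT requests whose buffer address, file offset or length are not aligned with EINVAL, and some filesystems (tmpfs, for one) refuse O_DIRECT outright.

```c
/* Added example: unbuffered block reads via O_DIRECT, the documented
 * replacement for the retired /dev/raw interface. Not the article's or
 * the kernel's own code. Assumes a 4096-byte alignment requirement;
 * query BLKSSZGET on the device for the real value. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DIO_ALIGN 4096  /* assumed logical block size */

/* Returns 1 when buffer address, offset and length all satisfy the
 * O_DIRECT alignment rule; the kernel returns EINVAL otherwise. */
int dio_aligned(const void *buf, off_t offset, size_t len, size_t align) {
    return ((uintptr_t)buf % align == 0)
        && ((uintmax_t)offset % align == 0)
        && (len % align == 0)
        && len > 0;
}

/* Allocates a zeroed buffer aligned for O_DIRECT; caller frees with free(). */
void *dio_alloc(size_t len) {
    void *p = NULL;
    if (posix_memalign(&p, DIO_ALIGN, len) != 0)
        return NULL;
    memset(p, 0, len);
    return p;
}

/* Reads len bytes at offset from path using direct I/O. Returns the byte
 * count, or -1 with errno set. Unaligned requests are refused up front so
 * the caller sees a deliberate EINVAL rather than a confusing kernel one. */
ssize_t dio_read(const char *path, off_t offset, void *buf, size_t len) {
    if (!dio_aligned(buf, offset, len, DIO_ALIGN)) {
        errno = EINVAL;
        return -1;
    }
    int fd = open(path, O_RDONLY | O_DIRECT);
    if (fd < 0)
        return -1;
    ssize_t n = pread(fd, buf, len, offset);
    int saved = errno;  /* close() must not clobber the read's errno */
    close(fd);
    errno = saved;
    return n;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <block-device-or-file> [offset]\n", argv[0]);
        return 2;
    }
    off_t off = argc > 2 ? (off_t)strtoull(argv[2], NULL, 0) : 0;
    void *buf = dio_alloc(DIO_ALIGN);
    if (!buf) {
        perror("posix_memalign");
        return 1;
    }
    ssize_t n = dio_read(argv[1], off, buf, DIO_ALIGN);
    if (n < 0) {
        perror("dio_read");
        free(buf);
        return 1;
    }
    printf("read %zd bytes at offset %lld; first bytes:", n, (long long)off);
    for (ssize_t i = 0; i < 16 && i < n; i++)
        printf(" %02x", ((unsigned char *)buf)[i]);
    printf("\n");
    free(buf);
    return 0;
}
```

Run it as root against a device (for example `./dio /dev/sda 0`) or as an ordinary user against a file on ext4 or XFS. Passing an offset such as `3` exercises the alignment check and fails with EINVAL before any syscall is made, which is the behaviour legacy /dev/raw users most often trip over when porting.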
Best Free and Open Source Alternatives to Google Drive
Google has a firm grip with their products and services ubiquitous on the desktop. Don’t get us wrong, we’re long-standing admirers of many of Google’s products and services. They are often high quality, easy to use, and ‘free’, but there can be downsides of over-reliance on a specific company. For example, there can be questions about their privacy policies, business practices, and an almost insatiable desire to control all of our data, all of the time. What if you are looking to move away from Google and embark on a new world of online freedom, where you are not constantly tracked, monetised and attached to Google’s ecosystem? In this series we explore how you can migrate from Google without missing out on anything. We recommend open source solutions.
IBM/Red Hat: Buzzwords, Kubernetes, and Results
