People living in glass houses, outlawing stones.
And start the federal court case… now.
We do have to be careful that our intent doesn’t outshine our impact.
So, I don’t quite agree with you, but I REALLY don’t agree with the legislation.
Right? I couldn’t help but think of the ironic timing…
Maybe, but maybe not, if you were a researcher who was going to test it for weaknesses and potentially embarrass them if they didn’t fix the problems you found for all of their existing customers. “Sorry, we only license our locks to hotels.” Or, more to the point, we only sell our electronic voting machines to states.
But, even that aside, you can’t purchase a copy of Facebook or Experian or the code that shares your driving habits with your insurance company…
Improvising a key to unlock the door or improvising a key to keep the lights on when no one is in the room?
Oddly, the second harms the hotel, since electricity ain’t free, but the first seems much much sketchier.
The detail I left out is that the strip of cardboard in the power switch was almost certainly left by the cleaners. I returned it to the front desk and they didn’t seem surprised.
If the hotel is not putting any effort into security they can’t act too concerned when people subvert it. I guess the furthest I would go is to keep the power on when I am out so I don’t have to shut down my PC or whatever.
In this case though, unless the cardboard unlocked the door, it’s a conservation issue rather than a security issue. The hotel really won’t care about you doing that or even publishing the “one weird trick to keep the lights on” because a couple of rooms keeping the lights on won’t matter.
But, if you post that HotelChain doors can be unlocked with a cardboard key, a lot of people won’t want to stay there, and a few people will go with cardboard and cause problems.
In any case, I agree with you that it shouldn’t be illegal to use an improvised key in the master light switch.
Apparently you haven’t met my cousins in Macon.
It’s interesting to note that Equifax’s headquarters is in Atlanta, Georgia. It would be a shame if anybody probed their security to see if they have improved things…
Equifax donated to the following bill sponsors:
- Butch Miller
- Bill Cowsert
- Jeff Mullis
“Florida Man, meet Georgia Legislator. He’ll be replacing you.”
It is hard to write a law that outlaws what Cambridge Analytica did (penetrating while claiming to be doing research) without stopping legit research. Similarly, of the many people who think that Facebook should be regulated to prevent abuses, I have never heard any cogent proposals for what that legislation would look like.
It may be better to simply leave “penetration” out of the law, and instead use existing laws which already outlaw the bad things people can do with penetration (e.g. in the case of Cambridge Analytica it seems they violated contracts).
More importantly, most of this is in the civil arena, not criminal. Using criminal law to further and protect business interests is, well, just icky.
In other news, research into which state has the dumbest legislature has had a breakthrough.
In Soviet Georgia, security researches you!
Sadly, we’re talking about American Georgia.
At what point does the South deserve their stereotype as a backwater toilet of ideas and culture?
Edit: This post was hidden in the same way the South fixes their problems.
The definition for “computer password disclosure” appears in 16-9-93(e) and is not changed by this bill:
Any person who discloses a number, code, password, or other means of access to a computer or computer network knowing that such disclosure is without authority and which results in damages (including the fair market value of any services used and victim expenditure) to the owner of the computer or computer network in excess of $500.00 shall be guilty of the crime of computer password disclosure.
The bill basically creates a new crime called “unauthorized computer access” and gives it the same penalty as “computer password disclosure.” The way the penalty is described has been changed but it is effectively unaltered because the penalty for a “misdemeanor of a high and aggravated nature” is also a fine of up to $5,000, up to a year in prison or both.
So when I land in Georgia, and the customs guy asks me for multiple computer password disclosures…?
Keep your eyes on Wisconsin!
The key as it relates to software, is the notion of licensing, versus “ownership” of code. So a (good) theoretical law would deal with this in a way that shielded researchers, when using copies they have legally licensed, even if technically, the codebase belongs to, say, Microsoft.
The obvious workaround is that many software license agreements forbid penetration testing - as soon as you try, your license is void.
Seems like there is authority involved in that situation, right? Basically, though, the law is the same as it was before this bill so you can do whatever you’ve always done in that situation with regard to “computer password disclosure” and expect the same result.