Easier Than Ever to Spend Your Life in Jail

Posted on by Jeff Porten

The House of Representatives, showing their willingness to do something in the complete absence of understanding or common sense, has widened the list of computer crimes that will land you behind bars for the rest of your life. (In case you didn’t notice, hacking became terrorism last fall.)

CSEA’s original language said in cases where miscreants knowingly attempt “to cause death or serious bodily injury” through electronic means, the punishment would be life imprisonment. That wasn’t strong enough for the committee, which succumbed to pressure from the Bush administration […] promising life terms for computer intrusions that “recklessly” put others’ lives at risk.

On the face of it, that looks pretty reasonable. The problem is that the enforcement of this law will be done by people who, frankly, rarely know what the hell they’re talking about. Turn on your laptop at the wrong time with your wireless Internet card activated, and that can be recorded as an “intrusion” when it automatically attempts to handshake with the government or military antenna a block away. Here in DC, there aren’t many places where that won’t be happening.

Tech people working the Internet use “hacker” tools all the time on their own sites; it’s a pretty good idea to use the bad guys’ tools to see if the bad guys can break in. But when your site is at 123.93.13.1 and the FAA is at 123.94.13.1, it’s not that hard to accidentally ping flood the wrong location. Do you think that an explanation of “typographical error” will cover the problem?

Better yet, which is more likely: 1) the FAA will say, “damn, it was really incompetent of us to put a critical system on the Internet with no protection,” or 2) the FBI will jail a bunch of people and trumpet yet another advance in the war on terrorism?

It’s impossible to accidentally hijack a plane or release anthrax. It’s very possible to do entirely legal things on the Internet in such a way that you accidentally target someone else — or make someone else think they’ve been targeted, even when zero damage is done.

Odds of people in power understanding this before several poor schmucks have been sent to jail: zero.

Addendum: 2/28/02, 8:20 PM:

Here’s a perfect example of the kind of activity I’m talking about. My industry views this as “white hat” hacking which is far preferable to exploiting a security issue and then keeping your mouth shut. It could also earn Adrian Lamo a long stretch in jail from people who don’t know the difference between criminal activity and responsible reporting of security issues.

Leave a Reply

Your email address will not be published. Required fields are marked *