Context is important in law. It's not illegal to change your mac address or wear a ski mask. It can be illegal to do both of these things while committing other crimes.
I'm really sick of these sensational posts/comments showing up on HN. I know, I'm not supposed to complain about quality of posts or comments but the past week has really changed my view on the current state of HN. Witch hunts, sensational stories, jumping to conclusions, hating the law/government, etc. Let's go back to technical news.
Interesting post. Not sure if your point is to dispute the OP or to whine about HN but to be safe I'll comment on both :-)
The OP is alarmed at the use of common privacy enhancing techniques (of which wearing a ski mask is one) which allows a prosecutor to 'enhance' the charges against someone to increase the threat level. They are also alarmed that non-technical people cannot see that changing your MAC address is just "easy" for a technical person to do as holding one hand over the other as you type in your PIN at the grocery store, and equally innocuous. Nobody disputes that 'changing your MAC address' should not be considered as evidence of intent when prosecuting a crime, but there is a lot of dispute as to whether that action in and of itself rises to the level a crime in its own right. This is what the OP fears will happen, and there is some evidence to support that.
That takes us to your second paragraph which talks about how painful it is for you when others express their emotions with respect to the events of the past weekend (and to be clear other events like it). Generally, yes, HN is a community of technologists and technology enthusiasts who discuss the merits or lack thereof of various technology trends, events, and personalities. That said, it is also a community of people. People can often discuss dispassionately about topics that are at arms length, but the weekend case struck close to home for noticeable fraction of the hundreds of thousands of people who visit this community. They need time to process these events, and one way they process them is that they talk about them.
My point is that it helps to appreciate that others may be more affected by recent events than you were and this is their way of processing their emotions. No need to whine about it, you can take a break from HN for a week or so until it winds down. When things are continued beyond their reasonable lifetime they tend to get moderated down. Patience.
I'd expect more intelligent people, which this community claims to consist of, to not react the way it has to the events, with nothing but hyperbole and sensationalism.
The only clear concise analysis I have seen in the myriad of submissions was an analysis by Prof Orin Kerr, which was full of comments containing more hyperbole, that disappeared to no where instantly.
Speaks volumes IMO, and it's really deterring to some of us who prefer learning and discussing the facts in a more well thought concise, clear, and logical manner.
I'd expect more intelligent people, which this community
claims to consist of, to not react the way it has to the
events, with nothing but hyperbole and sensationalism.
Your first comment here on HN contains this:
Even within this submission, the comments here still talk
and insinuate Aaron was facing life imprisonment, danger to
being raped daily, and suicide was his only option.
Talk about hyperbole and sensationalism. There's been some of that but I've seen none of those three specific statements and if that's all you've got out of these discussions, you're seriously missing something. Just because you disagree doesn't make it all "hyperbole and sensationalism".
People are emotional and justifiably angry. Maybe some of it has been a bit ridiculous but that doesn't invalidate the disgust with these events and with the larger systemic issues.
I saw all such specific statements yesterday, albeit from different people. In particular, the argument that he was facing life imprisonment because the maximum possible term for the offenses he was charged with totaled 35 years was widely repeated. The news media does this all the time because big numbers sound most impressive, but the maximum sentence is only sought and handed down in a small minority of criminal cases.
The fact that is handed down rarely does not mean it was not threatened. And the reason why it handed down rarely may very well be that others plead out, because they were scared of that maximum sentence - which was exactly the problem in this case, that he did not want to accept the plea.
Honestly read the comments in the submission.. It was insane the amount of misinformation being thrown around. I'm sorry if my comment was exaggerated, I was just trying to highlight the issue.
Maybe the comments in the submission... were just trying to highlight the issues they saw.
Don't defend exacting discourse with the very hyperbole you claim is destroying it.
Let it be noted: I find immense irony in this discussion occurring in a thread where the parent comment is about how things need their context. What you're defining as misinformation needs to be taken in context.
The challenge is that even a community that is 99.9% rational and intelligent people, leaves hundreds, maybe even a thousand irrational and outspoken people participating.
Add to that the scourge of people who circumvent community guidance demand that their speech be heard, even when there are clear indications from the community that it is unwanted. Poses something of a challenge to the system as a whole.
Side note: Are you, tcuk, really making all of these judgements based on being a member of this community for less than 48 hours?
Chuck could you provide an analysis of how this article ends up on the front page of here, specifically what value it adds to the situation and how relevant it is.
To me I'm struggling to figure out how it relates to Aaron's case , is it purposefully being obtuse? Is it not obvious to everyone who's ever read anything to do with the case that the only reason spoofing his MAC address mattered was his intent to circumvent blocks placed on his connection?
Actions by themselves are mostly meaningless it's the context and intent that matters...
I'd expect more intelligent people, which this community claims to consist of, to not react the way it has to the events, with nothing but hyperbole and sensationalism.
So it turns out "intelligent" people are first and foremost just people like everyone else. We need to remember our humanity and allow ourselves to be humbled by our flaws.
I agree with much that you say. Sensationalism satisfies many of our base neurological desires. Indeed, I know that I share many thoughts with "sensationalists" and I responded similarly.
I cannot make any statements of blame, since being sensationalist is to be human, as we all are. However, I'd ask that everyone please inform yourself as much as possible. The indictment is available [0]online and is well worth reading.
If you want sensationalism, read a federal indictment. Their job isn't to paint a fair picture of the accused; it's to make the accused sound like scum.
Thanks for that. A good read. Assuming they had evidence to back that up (which both legal teams would have been privy to and would have been presented at trial), it seems pretty clear to me that he knew that what he was doing was not exactly above board there. I have little doubt Aaron knew what he was doing would get him in trouble if caught. Sure he probably did not expect that much trouble. We can be upset that he was possibly facing 35 (or what ever) years as that seems a bit excessive... but let's not pretend that Aaron had no clue that he was doing something he shouldn't be doing.
There's "shouldn't be doing" as in "will get you personally banned from MIT's network with a stern talking to from the IT department," and there's "shouldn't be doing" as in "will get you 35 years in federal prison."
I'd wager Aaron expected the former, or maybe a post-it note on his laptop saying, "Please discontinue what you are doing; call xxx-yyy-zzzz with any questions."
It doesn't really matter what he was expecting. If he knew he shouldn't do it then he should not have done it. And unless he had been living under a rock for the past decade, he should have expected a bit more than MIT leaving a post-it on his laptop asking him to stop. Come on... we all know that these types of actions have become more common and more public and therefore more heavily litigated. For him to expect anything less than police and lawyers would have been really naive boarding on stupid.
There are lots of things that people "shouldn't" do, like jump off of cliffs, jump out of airplanes, follow traffic even if traffic is going 75, yet people make the judgment that doing is better than not doing. In all of your "make stuff, do stuff, buy stuff, destroy stuff," life, have you never once colored outside the lines to accomplish some greater good?
There appears to be a vast cultural disconnect between those who recognize the nobility of Aaron's effectively harmless stunts, and those who take a hardline stance in defense of the status quo.
It is my sincere opinion that any sort of prison time should require genuine criminal intent (that is, the intent to do serious harm), that the judicial system should focus on prevention and rehabilitation, not punishment or deterrence, and that sacrificing the odd "example" here or there is an unacceptable infringement of the rights of the one who is made an example.
I have colored outside the lines plenty of times... both good and bad. And when it got me in trouble (which is has), I took my punishment. The people doing the act and the people standing on the sidelines and those that benefit from the act can think the act is "effectively harmless" or that there was no intent to do "serious harm" all they want. But there is always someone on the other end of it. Aaron's actions (and the efforts to stop/prevent them) caused servers to go down & legit access to be cut off. That caused harm to others. Maybe that isn't the same definition of "harm" that you use but you don't get to dictate what others feel is harmful or not any more than I do.
Whether it is cultural or whatever, I don't think what he did was noble at all. And hardly a stunt. He started downloading for free all the documents that were otherwise behind a pay-for-access service that placed limits on what a person could get at. He used various methods to circumvent attempts to prevent him from doing it. He took measures to conceal his activity. Those seem to be the facts that no one disagrees about. This has little to do with defending the status quo.
But we can agree here. It is also my opinion that Aaron should not have been facing prison time. We have prisons overflowing with bad people that have caused far greater chaos and pain than Aaron. Aaron probably should have had a lengthy house arrest and a hefty fine. Maybe restricted use of computers, etc. And that very well might have been what he would have ended up with if he'd stuck it out.
I'll restate some of the items from your second paragraph in a way that emphasizes why I think Aaron's Guerilla[sic] Open Access[0] concept is a noble one.
He started downloading for free all the documents that were otherwise behind a pay-for-access service that placed limits on what a person could get at.
He saw that scientific research, much of which was paid for by taxes (i.e. the people), was held hostage behind a paywall and wanted to provide that information to a deserving audience.
He used various methods to circumvent attempts to prevent him from doing it.
He encountered a bug in a computer system and created a workaround.
He took measures to conceal his activity.
He behaved like many of the students on any college campus would when preparing a harmless prank or exploring a steam tunnel, and perhaps didn't want his laptop stolen.
But we can agree here. It is also my opinion that Aaron should not have been facing prison time. We have prisons overflowing with bad people that have caused far greater chaos and pain than Aaron. Aaron probably should have had a lengthy house arrest and a hefty fine. Maybe restricted use of computers, etc. And that very well might have been what he would have ended up with if he'd stuck it out.
Much of my vehemence in these discussions of the last week stems from the sheer magnitude of the onslaught that is standard practice for prosecutors. If the law and its enforcers were more reasonable in this case, I'd find it much easier to be reasonable in response. Instead, prosecutors seem to see fit to alienate a huge chunk of the population, spreading disrespect for the law (and, I guess, giving them more defendants to prosecute in the future).
I'd be perfectly happy myself, if I were Aaron, to publicly apologize, do some community service, and go on my way never to interact with JSTOR or MIT again, as this prevents the alleged harm that would have come to JSTOR with the minimum necessary imposition from the law. But I would not be happy about being bullied by prosecutors. I don't even see why house arrest should be "lengthy," or a fine "hefty," because in reality his actions had a minimal effect on MIT or JSTOR (bandwidth is cheap).
Someone had to do something to upset the status quo of paywalls and ignorance because it certainly wasn't going to happen from within the publishers. Increased scientific literacy and better science reporting due to the availability of the entire paper (and all the other papers that support or refute it) instead of a press release are greater goods than profit for Elsevier (which wouldn't be significantly affected by releasing historic papers anyway).
I can't stand the mob, sometimes I feel that they are insulting my intelligence. But no revolution is possible without them. When intelligent people come together and try to make a deal, that's called dirty politics.
> but the weekend case struck close to home for noticeable fraction of the hundreds of thousands of people who visit this community.
Yet the whole of HN was full of nothing but Aaron Swartz articles for days. I stopped visiting HN for a bit. It was frustrating to me as I have no connection to Aaron Swartz (beyond using RSS and Reddit), although I realised it affected some people very seriously and needed to use HN as an outlet.
Having said that personally I felt that HN was the wrong place for an overrun of Aaron Swartz tributes and articles. My inner cynic sadly feels that quite a few of the posts over the weekend (especially some from some of his blog posts) were attempts at little more than karma scoring.
A minor quible, since it seems to be confusing people elsewhere in the thread. It isn't illegal to change your MAC address at all per se. It's illegal to access a network without permission. All the MAC spoofing did was help prove mens rea, that Aaron knew that the people in charge of the network were trying to keep him off of it when he accessed it anyways.
By analogy, there's nothing illegal about entering a building through the window. But if you try the door of a random and find it locked and then enter through the window that's still trespass. But if you make a habit of always entering buildings through open windows when they're available so you never try the door you might be able to argue that you didn't know the building wasn't public. At least, you could try to argue it to a jury and depending on the circumstances I guess it might work.
So: MAC spoofing doesn't really help prove mens rea (that Aaron thought he was trespassing, but did so anyways). From another comment: "People fear magic they don't understand, and distrust those who wield that magic. Things that seem reasonable to technical geeks seem illegal to the non-technical." ( http://news.ycombinator.com/item?id=5067146 )
There is a chasm between what "normal"/non-tech people might consider proof of mens rea (and probably explains some of the history of the laws) and what technical people would consider proof. Technical people do stuff like MAC spoofing all the time, as in the article.
I run Tor because I can always reach my SSH server as a hidden service, even through firewalls. I strip my HTTP headers with an HTTP proxy because I don't like having to constantly configure all my browsers to throw out adnet cookies. I set curl and wget to spoof a more common user agent, because some things simply don't work otherwise. This sort of remedial stuff literally scares non-tech people, and having to constantly explain and justify such network magic to anyone who doesn't know how technology and networks work just to make them feel better is tantamount to bending over for a TSA screening because you're brown (OK, not quite that bad). It's increasingly demoralizing, and doesn't feel like freedom in a supposedly free country (Canada). I have nothing to hide; I'm still not willing to bend over like that. No one should. It's the new McCarthyism. Lawmakers and non-techs are afraid of us, and so we're treated differently, and it's becoming scarier (just because SOPA was stopped in one country doesn't mean there won't be more). I don't want to work to help people who fear my knowledge rather than celebrate it and, while I hardly think "web apps" represent anything like the future of the Internet, I'm a little afraid to work on much else if I intended to release it. (The person who made bitcoin didn't want his identity on it.) We're already paying the price.
>Technical people do stuff like MAC spoofing all the time, as in the article. //
Yes to gain access to material they are not authorised to access, for example.
>I set curl and wget to spoof a more common user agent, because some things simply don't work otherwise. //
But you know that spoofing a useragent, eg Googlebots, to crawl a domain is unauthorised access. You do.
From what I've read recently Aaron Swartz was quite brilliant. He also appears to have acted morally in attempting to free JSTOR data (IMO a noble cause), but I very much doubt he was so naive as to believe he was acting legally in doing so. It seems to me to require suspension of rational thought to come to this conclusion.
MAC spoofing does really help prove mens rea. Authorisation was restricted to content based on MAC; a person spoofed MACs to gain access, that person knew that spoofing MAC was something that would gain access that wasn't authorised.
An analogy: If someone is offering free samples in the street, you may well be able to get lots of free samples by wearing different disguises, you may even be giving the samples to the needy, but claiming you didn't appropriate those samples by deception (ie fraud) is just lying.
Thanks for the illustration: what is considered common behavior in one community is not necessarily considered common behavior in another and today people are disagreeing on, among other things, even the definition of fraud (which I agree, "should" be simple) in computer networks.
I could just as easily argue it's fraud to restrict any copying via a network that functions for that purpose. MAC spoofing might help demonstrate mens rea to you, but that is far from universal. I don't care if Google crawls my domains, regardless of the presented user agent, so why should I presume anyone else would? (Google didn't start by presenting themselves as Googlebot... They committed your definition of fraud.) Why do your presumptions win over my presumptions? We need better reasons than a legislator's "because I said so." If we are to live together, we have to come to a consensus, but at the moment there is a long distance between some pretty inflexible points of view ("just lying").
>(Google didn't start by presenting themselves as Googlebot... They committed your definition of fraud.) //
Can you expand on this. It appears you're saying that Google spoofed the origin of their traffic in order to crawl sites? Can you back that assertion up?
If you allow Googlebot access using UA then someone identifying as Google in order to gain access they wouldn't otherwise have is clearly unauthorised. We all know this. It's not something [on it's own] that warrants prison time of course.
Fraud is gain by deception; simple. If you have to change your apparent identity to avoid being prevented in your acquisition then it's fraud.
>MAC spoofing might help demonstrate mens rea to you, but that is far from universal. //
Come on lets be adult about this. Are you really claiming that people don't change MAC address in order to avoid being identified with previous use under a particular MAC address, that it's not solely to mask identity. Masking identity is of course not normally and generally a crime in itself.
So then that repeated use of a service restricted by MAC address, after the intermediate application of MAC alteration doesn't show direct mental application (mens rea) to the task of attaining further access than that which has been authorised ... look I'm not saying he was morally wrong. But aaronsw certainly knew he was acquiring unauthorised access; if it were authorised he wouldn't have needed to hide equipment, spoof MACs, alter IPs to avoid IP blocking and such. He knew and I warrant you do too.
It's a shame in many ways he didn't pull it off.
>I could just as easily argue it's fraud to restrict any copying via a network that functions for that purpose. //
> saying that Google spoofed the origin of their traffic
The discussion was about user agents, not origins.
>Fraud is gain by deception; simple.
The hell it is. Let me give you an actual definition of fraud:
* a representation of an existing fact;
* its materiality;
* its falsity;
* the speaker's knowledge of its falsity;
* the speaker's intent that it shall be acted upon by the plaintiff;
* the plaintiff's ignorance of its falsity;
* the plaintiff's reliance on the truth of the representation;
* the plaintiff's right to rely upon it; and
* consequent damages suffered by the plaintiff.
Note in particular that if you don't harm someone there is no fraud.
> Are you really claiming that people don't change MAC address in order to avoid being identified with previous use under a particular MAC address, that it's not solely to mask identity.
There are many reasons one might want to avoid being identified with previous use under a particular MAC address (or other identifiable information). For example, if you're paranoid about all the big brother tracking going on in the world (just because you're paranoid doesn't mean they're not out to get you), you might consider many such techniques to break up your trail from the perspective of said trackers.
>There are many reasons one might want to avoid being identified with previous use //
OK, so you get blocked, change MAC/IP and that gets you access again. Would you claim to not know that you were now circumventing an access block? How about if you were downloading the 300th (or more likely 30,000th) document from a repo when it was clearly said users were limited to 3?
http://infolab.stanford.edu/~backrub/google.html$$4.3: Crawling the web:It turns out that running a crawler which connects to more than half a million servers, and generates tens of millions of log entries generates a fair amount of email and phone calls. Because of the vast number of people coming on line, there are always those who do not know what a crawler is, because this is the first one they have seen. Almost daily, we receive an email something like, "Wow, you looked at a lot of pages from my web site. How did you like it?" There are also some people who do not know about the robots exclusion protocol, and think their page should be protected from indexing by a statement like, "This page is copyrighted and should not be indexed", which needless to say is difficult for web crawlers to understand.
That about sums it up: the laws largely reflect the foot-stamping of non-technical people who wanted copies to be more like apples on a tree and less like reflections in a pool. To be sure, it is possible to commit real crimes using the Internet: securities fraud (real fraud), invasion of privacy, uttering threats, etc, but copying itself should not be criminal.
>"I could just as easily argue it's fraud to restrict any copying via a network that functions for that purpose."
"Where is the appropriation by deception in this?"
The deception is of copying as appropriation, which I consider impossible. The appropriation on your part (the royal "you") is 1) the loss of my freedom to surf/access the net using the tools and methods of my choosing (with any user agent string or MAC I want, or by scanning an IP block, or by sending a multicast packet), and 2) your gain of copies as a store of value.
"Are you really claiming that people don't change MAC address in order to avoid being identified with previous use under a particular MAC address, that it's not solely to mask identity."
No, I am saying a MAC was not an identity to begin with. Sites use technical means to limit some access, while usually leaving others open (there has to be some way for users to get at the bits). Why should anyone assume those means left open shouldn't simply be used instead? (The discriminator could have discriminated further, to an arbitrary degree, since the rules only exist in software.)
Again, it boils down to your definition of "unauthorized" which is defined firmly in one camp (not that copy, it's mine!) and equally firmly but very differently in another camp (copying is easy; copying will always be easy). The people who regularly apply access controls and maintain the networks largely assume other people could too, if they wanted to, so what feels like "security" for one person (a MAC address) isn't considered "security" for others. (I'm not speculating about Aaron's views, I'm talking about mine. I agree, I don't think he did anything wrong.) The general feeling is one of all-or-nothing access amongst those who define the locks; part of the hacker/inquisitive mindset is not wanting there to be any locks they can't bypass.
That lock analogy is problematic. Using an elaborate means to copy is not the same as breaking into a building by climbing through a window. Copying (looking) doesn't cause bodily harm or deprivation, and so is not fraud. Lots of people want to claim it can cause financial harm, but I don't buy that one either. Non-commercial copyright infringement is basically free advertising: the sort of word-of-mouth you pay through the nose for. Paying up-front for a copy is absurd; you pay after you hear the minstrel, and you only pay if you liked the music. You can stop playing music for me, but you can't, with accuracy, call me a thief for listening or not paying.
Keep in mind I'm describing what I think should be, not what I think the laws are. You are free to disagree, but this is the context for my comments.
The Internet was, and is, and remains a copying (looking) free-for-all, where code is law. That doesn't make it a wild west that needs to be civilized either - there's nothing to civilize in the absence of copyright. It doesn't mean we have to pull in property and theft analogies... This is still exclusively about copying. As little as 10 years ago we all thought copying would bring some kind of digital salvation: access to all human knowledge. (Enter Wikipedia...) Turns out we want to monetize copying instead, so we are reducing individual freedoms and access rights. Yes, reducing. Give me a break. (For the sake of keeping up with your exasperations.) I already pay my ISP for the link. The copying is implied.
Copying is only scary because you don't know the person doing it - but they aren't doing it to you; copying isn't an injury.
I run an SSH server, and I prevent access to it as well. I also run a wireless access point with a pretty simple password. I don't care if someone uses the wireless if they find the password. Good on them. If they use it to commit a crime I do, but using it is not the crime. Similarly, if they find the password to the SSH server, also good for them; if they find the password to the SSH server and commit an actual crime, then there will be charges (though not from me unless I was the victim), but looking onto a property (a physical computer) is not a crime. You have to forget about that if you want to monetize information, but that's why there's a lack of common ground between the two camps: there's no property to speak of.
Admittedly, there are a number of laws based on the idea that copying should be illegal (copyright as an obvious example). I'm not ignorant of them, but I challenge them. (Granted, I probably wouldn't be willing to put myself in Aaron's situation to challenge them.) I think they can only be enforced at the cost of physical ownership rights and I'm a "law-as-code" kind of guy. I want to be able to believe that if someone didn't want me to copy something, I wouldn't be able to copy it, or I at least want us to admit that making a copy can't actually hurt someone (the copy itself, not what you might proceed to do with it).
Thanks for your response, I'll keep this brief but I want to correct a few apparent misconcetions.
>I am saying a MAC was not an identity to begin with //
That's not important. The person accessing the system realised that it was being used to enforce a per person limitation. They spoofed MAC in order to misidentify their access. That misidentification was it appears to acquire documents in an attempt to publish them against the will of the license holders.
I'm pro-copyright and patent as I genuinely believe that they are required to ensure proper compensation of authors/inventors. I use CC-BY primarily, which is facilitated by copyright.
However, what I'm absolutely against is copyright or patent terms that don't stimulate innovation or artistic creation. Terms should be no more than about 9 years for either.
>Turns out we want to monetize copying instead, so we are reducing individual freedoms and access rights. //
We need fair exchange. Producing copyright works costs just like producing food or goods. Unless you give food, drink, shelter, etc., free to artisans then you can't demand their work to be free. Quid pro quo.
I am absolutely sympathetic to the idea of releasing JSTOR data, indeed any and all scientific data, and applaud the apparent sentiment. But I'm not about to overlook the pretty obvious truth in order to promote that position - releasing JSTOR's data to the public would be a highly damaging commercial act. Morally justifiable IMO but certainly against the law. So, was aaronsw guilty, it appears certain from what I've read of the case that he was.
>but looking onto a property (a physical computer) is not a crime //
Fixing an image from a private property is in many jurisdictions (not sure on USA, most likely it's situationally variable).
You're creating a false equivalence in any case, having your IP address is looking at your property from afar, logging in to your SSH and taking your files is picking the lock (or swinging the gate open) and walking in and taking something.
Which brings us back to authorised. Unauthorised is "not authorised", that may seem pedantic truism but it moves towards the next point. Just because my door is wide open doesn't mean you have the right to access my house, you are authorised by active assent not by failure to prevent access. Running sshd with a weak password doesn't mean I'm authorised to access your computer, I'm clearly not authorised, I could perhaps run an exploit on it or brute-force it but that doesn't make me authorised to access it.
If you truly hold the position you're espousing then presumably if someone takes money from you you'd consider it "authorised" because you failed to prevent them?
"We need fair exchange. Producing copyright works costs just like producing food or goods. Unless you give food, drink, shelter, etc., free to artisans then you can't demand their work to be free. Quid pro quo."
I agree. That's why I leave a tip for good service, after I have eaten. The difference between selling groceries and waiting on tables is that in the former there is a tangible item with an intrinsic value to which the law of exclusion strictly applies. The latter has an intangible and subjective value behind it, and the law of exclusion is as flexible as a wet noodle. The thing about the Internet is that it's all subjective and intangible, making the gratuity model vastly more appropriate. That doesn't make intangible work valueless, it just changes the business model. We have never seen such an expansive gratuity-based business opportunity as the Internet before. I can also understand how that might be a bitter thing to admit if one prefers, or depends on, the law of exclusion. (Of course, it is also possible to "inflict" the law of exclusion on netizens with laws such as copyright, the CFAA, etc, but that it's not the clear moral high road.)
"having your IP address is looking at your property from afar, logging in to your SSH and taking your files is picking the lock (or swinging the gate open) and walking in and taking something."
No, they are both just network traffic. Their effects and potential for damages are not, which we even seem to agree on. I'm saying that the conversation should be explicitly about damages though, and not indirectly about regulating access/copying.
"you are authorised by active assent not by failure to prevent access."
In the world of tangible goods with intrinsic values yes, on the Internet, not as obviously, if at all. If you already buy into the copying = theft equivalence/analogy, you might be more inclined to believe that. However, IMHO, there is no such thing as trespass against information, and any trespass or damages against me should be firmly anchored in the land of the real.
"If you truly hold the position you're espousing then presumably if someone takes money from you you'd consider it 'authorised' because you failed to prevent them?"
No, we have laws against theft. What I'm disagreeing with is the unspoken copying <-> theft equivalence. It may also be a pedantic truism, but "copyright infringement" and copying generally are semantically and functionally different from "theft." (Copying: 1+1=2; theft: 1-1=0.) IMHO, it's not necessary to presume that copies themselves need to be restricted on top of the criminal ends (damages, theft of value, etc). In the case of copyright, the case for damages is hypothetical. I'm not saying that's strictly invalid, just that it's not strictly valid either, and so should be taken with more than a few grains of salt.
>It may also be a pedantic truism, but "copyright infringement" and copying generally are semantically and functionally different from "theft." //
Not a pedantic truism by any stretch. Yes I absolutely agree, the tort of copyright infringement is nowhere near the crime of theft. I'd be happy to go with an approximation of "actual damages" in respect of copyright infringement but computer access is about more than just copyright infringement.
We come back, looking at the tort alone in the aaronsw case, to the quid pro quo - JSTOR were potentially set to lose a majority of their income if their entire back catalogue was released for free. On an actual damages basis this tort is huge.
>any trespass or damages against me should be firmly anchored in the land of the real. //
Certainly, however, information can be "held"/known by an arbitrary number of people at any single point in time, whereas money can only ever be held by a single person at a single point in time. That changes the nature of that reality. Value, and therefore damages, are simply not as concrete as is implied by the property analogy.
"On an actual damages basis this tort is huge."
That's for the courts to decide, and the public to rightly question as well.
You have completely and absolutely missed the point.
Changing MAC addresses (upon every restart) is something I do too. It is an extremely easy thing to do. That such an obvious thing will effortlessly add to a list of charges, amplifying the prosecutor's case for no good reason, is what the issue is.
The most frustrating thing about your comment is your condescending attitude. It's exactly this kind of behavior that is sliding us down a path of draconian laws that will in the end harm us all. Please think before going off like this.
I think you're completely and absolutely talking past the argument.
In the law as it exists, doing something "anonymously" for the purpose of committing a crime is itself a crime. It's not the act of changing the MAC address that is illegal by itself. That was the point.
Your point, I think, is that that "extra" crime is a silly law. Which I think many of us agree with. But it's still the law, and it's not unreasonable for a prosecutor to enforce it. In fact, they have a duty to do so.
Turning around and claiming that "the gubmint wants to lock up MAC randomizers!", however, is just dumb. That's not what the law in this case says at all.
>In the law as it exists, doing something "anonymously" for the purpose of committing a crime is itself a crime. It's not the act of changing the MAC address that is illegal by itself.
What, then, was the underlying crime, if not this unauthorized access nonsense where access was allegedly unauthorized only because he was supposedly hiding his identity? Keep in mind that it wasn't copyright infringement (which normally isn't criminal anyway), because it wasn't JSTOR pressing charges, it was MIT.
>Your point, I think, is that that "extra" crime is a silly law. Which I think many of us agree with. But it's still the law, and it's not unreasonable for a prosecutor to enforce it.
But there are two issues here: There is what prosecutors did, and what the law allowed them to do. Even if you don't have a problem with the prosecutors, we can still have a problem with the law and work to have it changed.
>In fact, they have a duty to do so.
No they don't. They have prosecutorial discretion. If the application of the law in a particular case is ridiculous, they have no legal or professional obligation to press those charges.
> No they don't. They have prosecutorial discretion. If the application of the law in a particular case is ridiculous, they have no legal or professional obligation to press those charges.
You either break the law, or you don't. The law should be the same for everybody and should NOT be applied selectively. It's actually outrageous that you imply otherwise.
Because this happens it's precisely the reason for why we have ridiculous laws in the first place. If this goes on pretty soon everybody will be a criminal, but the world will still turn for you, until you manage to upset somebody you shouldn't have.
And since we are on the subject, that's how the law works in totalitarian states.
Exactly, and the reason for this is that we can't cover all possibilities with enough granularity for black and white to be close to reasonable.
If it was illegal to break a lock (black and white), then the guy who breaks a lock to steal your TV gets the same sentence as the guy who breaks his own lock because he forgot his keys, and the same as the guy who breaks a lock to get into a burning building to save a child, etc. Obviously this is ridiculous, but even so, how could we possibly cover all of the motivations for breaking a lock?
How could we cover all of the motivations for hiding your identity? How could it ever be black and white if we can't?
If we could, then the entire justice system could then be automated.
>Obviously this is ridiculous, but even so, how could we possibly cover all of the motivations for breaking a lock?
But here's the thing: That's why it isn't illegal to "break a lock." It's illegal to e.g. steal things. Because that's what we want to prohibit, not breaking locks, even if breaking locks is a thing mostly done by criminals who are trying to steal things.
Neither are you guilty of "breaking and entering" if you break your own lock. And you might also notice that the penalty for breaking and entering is a lot lower than it is for e.g. grand larceny (or, for that matter, murder).
You're missing the point (intentionally or not, I can't say). So to take a bad analogy even further...
I'm a lock troll. I like to go around breaking people's locks. I never steal anything, I just break locks because I'm a prick like that.
This guy I know, Franky, broke a lock the other day in order to save a child from a burning building.
How would you propose a black and white system handle this? Do I get to run around breaking locks with impunity, or are we going to punish Franky for the method of his good deed. I mean, the good deed's nice and all, but irrelevant to the matter at hand right?
1) You don't have a law against breaking locks. You have a law against willful destruction of other peoples' property, and locks are property.
2) You have an exception to such laws for exigent circumstances or implied consent.
Here is the flaw in your argument: We don't have to nail everything down to nail part of something down. We don't have to define "exigent circumstances" mathematically or put the badge number of authorized fire marshals in the statute. That doesn't mean we can't do better than obscenely broad and vague nonsense like "unauthorized access to a computer."
There is a reason we have laws more specific than "anyone who does anything bad shall be punished by a fine of up to one hundred trillion dollars or up to one thousand years in prison."
My point was never that we should be as vague as possible. My point was that you could never be specific enough to not require context. The mere possibility of exigent circumstances guarantees it.
I don't think we're actually in disagreement. Maybe my analogy was just that badly thrown together?
What happened is that you managed to hit on one of my pet peeves, which is laws that prohibit innocuous things just because sometimes bad people do them. Like the DMCA prohibition on circumventing technical measures that control access to a copyrighted work. I really hate laws like that because they criminalize legitimate conduct (like circumventing for the purposes of fair use criticism) and have no benefit whatsoever over just applying the same penalties to the real bad act (e.g. copyright infringement that isn't fair use), all they do is expand the scope of criminality beyond the actually undesirable act so that it ensnares otherwise upstanding and innocent people. This is especially bad when the penalties are calibrated for the worst possible intent in doing the thing, e.g. mass scale for-profit infringement, and then applied with that severity to everyone in violation of proportionality.
The CFAA is the same way. It prohibits unauthorized access, which seems like it would generally be bad (though it's vague enough that who knows) and with no provision for looking into the circumstances to evaluate how bad, then goes on to impose penalties as though the unauthorized access was in furtherance of something like terrorism or bank fraud rather than accessing a wifi to check your email, even though the latter is still covered and subject to the same extreme penalties.
And none of this is about black and white, which is why I objected to the example. Wanting black and white laws is about fighting vagueness: Too much specificity is bad because it's too complicated and no one can understand it (see: tax code), but too much vagueness is also bad -- even worse -- because then you have no possible way to know what it actually means until you get told by a judge, by which point it's far too late.
The problem with your example is that it isn't an example of too much vagueness, it's an example of too much breadth. Take two examples: "Don't do things" and "don't do bad things without a good reason." The first isn't really vague at all -- it just covers everything, which is useless and stupid. So the problem is that it's too broad. The second isn't too broad -- it's pretty good at only criminalizing things that ought to be -- but it's hopelessly vague.
And it's overbreadth which is the trouble with "it is illegal to break locks." It covers breaking locks even for good reasons. So you need a list of exclusions or you end up like the DMCA: You're allowed to break them if they're your locks, or if necessary in order to do something legitimate, etc. Which is actually a counterexample of being okay with relatively simple laws and not needing a list of caveats to go along with them. Because we can't make things that simple, or we get the DMCA and the CFAA, which are both terrible and need to be seriously overhauled.
There is a reason we have laws more specific than "anyone who does anything bad shall be punished by a fine of up to one hundred trillion dollars or up to one thousand years in prison."
"The law should be the same for everybody and should NOT be applied selectively."
It depends on how the selection is done. If a prosecutor declines to prosecute because the law breaker is of a particular race, rich, politically powerful, etc. then that is an abuse of discretion.
However, we want prosecutors to be selective when it comes to saying that someone might have been justified even if the law as written doesn't explicitly acknowledge the justification (or acknowledges it but as a factor for the judge to consider). Speeding and running red lights because you are impatient and reckless is a different matter than speeding and running a red light because your passenger is bleeding profusely.
We also need to give prosecutors some discretion just to manage the case load. Unless we are willing to spend a lot more on both prosecutors and the court systems, we want them to be able to say "I will focus my time and attention on this murderer even if it means letting that shoplifter go with an extremely favorable plea bargain or even unpunished."
>You either break the law, or you don't. The law should be the same for everybody and should NOT be applied selectively. It's actually outrageous that you imply otherwise.
I'm not implying anything. That is actually how it works now. If you don't like it, change it. But good luck, because first you're going to have to fix all of the laws before you try to force prosecutors to prosecute all of them or we'll all be going to trial at the same time and the entire world will grind to a halt.
>If this goes on pretty soon everybody will be a criminal
Actually, we're well past that point. Until the past few years, only tiny special interest groups ever heard about things like this. Now, it has the potential to blow up into national news. Maybe this is progress.
I definitely don't think he was implying that the law be selectively applied to different people. However, law is not black and white. Law interpretation is up to a judge (in countries with a Common Law system) and is based on precedent. AnthonyMouse was simply saying that if the application of a certain law in a certain situation is ill-fitting, the judge/attorneys have no reason to pursue those charges.
the charges were wire fraud, computer fraud, unauthorized access, and computer damage.
> because it wasn't JSTOR pressing charges, it was MIT
when the charges are federal crimes, prosecutors decide whether or not to press charges. not wanting to press charges does not magically make criminal acts not criminal. if a guy beats the crap out of his girlfriend, and his girlfriend does not want to press charges, the prosecutor can still press charges.
No, it was rhetorical. The point is the charge that MAC spoofing was relevant to was unauthorized access, but if MAC spoofing is sufficient to prove "unauthorized" then MAC spoofing would virtually always be unauthorized access to whatever you're accessing with a spoofed MAC. That interpretation would make MAC spoofing illegal without any underlying crime.
>when the charges are federal crimes, prosecutors decide whether or not to press charges. not wanting to press charges does not magically make criminal acts not criminal.
I'm not sure that's always true. If one of the elements of the crime is that what the defendant did was unauthorized (as was the case here) then if every victim authorized the behavior that element of the crime wouldn't be satisfied, no?
> if MAC spoofing is sufficient to prove "unauthorized"...
i agree. but its not. MAC is one piece of evidence. without the other evidence, the charges would probably be worthless.
> If one of the elements of the crime is that what the defendant did was unauthorized (as was the case here) then if every victim authorized the behavior that element of the crime wouldn't be satisfied, no?
In theory, I suppose. However, JSTOR not pushing for charges is not the same as JSTOR "authorizing" Aaron to access those files.
>MAC is one piece of evidence. without the other evidence, the charges would probably be worthless.
The trouble is that the other evidence can be just as spurious and circumstantial. It's the selection bias problem: You do a hundred thousand things in the process of downloading a journal article and fifteen of them are "suspicious" but those are the fifteen they present to a jury when trying to convict you.
The charge was that they blocked his MAC address, so he changed it with intent to continue accessing a system.
Even if he had changed his MAC address by buying a new laptop / NIC and connecting it, they probably would have still tried to charge him with the same thing.
The wording of what is alleged from the indictment is: "He sought to defraud MIT and JSTOR of rights and property by: ... b. Repeatedly taking steps to change his and his computer's apparent identities and conceal his and his computers' true identities".
For that same argument to be applied to someone else, there would have to be several aspects:
* The change of MAC would have to be repeated (although obviously they could construct a similar argument if you just did it once to clone a white-listed MAC).
* The 'intent' behind changing the MAC address would have to be to obtain something that could not be obtained otherwise. This could be by spoofing a white-listed MAC address, or changing away from your black-listed MAC address that was blacklisted to stop you doing something the network owner doesn't want you to do with their network.
I don't think they are saying the technical means by which the MAC is changed matters, or that changing MAC addresses without the intention to circumvent a technical measure to restrict access are wire fraud.
Turning around and claiming that "the gubmint wants to lock up MAC randomizers!", however, is just dumb. That's not what the law in this case says at all.
That is exactly what the law says in this case. The government has declared that MAC randomization is the creation of fraudulent identities for the purposes of authentication, not unlike creating fraudulent photo identification.
You can say that randomizing a MAC address is not a crime, just as one can say that creating a fake passport for a movie is not a crime. The crime is in using that fake identification for authentication, which is obvious when customs asks for your passport, but undetectable when a network is using MAC addresses to enforce policy. If subverting that network policy is a felony, then MAC randomization is, by law, sometimes an involuntary felony.
While MAC addresses are obviously not a form of identification to technical folks, this stance would not be unprecedented as the US has also made it a felony to forge another trivially forged pseudo identify, Caller ID[1]. Enforcement of CNID spoofing is much easier given the nature of the phone system, since only a few providers bridge from VoIP to POTS.
Say I am not allowed on your premises, and I wear a fake mustache in order to get past a mechanism you put in place to stop me (such as guards with my picture), and I get charged with fraud for deceiving your guards because I gained access to something valuable.
This doesn't mean "oh noes! fake mustaches are against the lawz!!!11 they are going to lock up all the actors!"
In this hypothetical moustache example, is the "gained access to something valuable" the sticking point, or is it the "deceiving guards"?
I've changed my MAC/moustache plenty of times to "deceive some guards". Actually I'm doing it right now, this Comcast modem is a utter pain in the ass...
Or, if it is the "something valuable" part, would gaining access to that "something valuable" have been an issue if there was no deceit? Was Aaron's curl script A-okay right up until the point that he deceived?
Aaron's initial script may well have been illegal in and of itself, because it was bypassing JSTOR's limits on how many articles you can download. Aaron took so many more steps after that that it's hardly worth talking about his first action.
Two questions you need to seriously answer to make changing your MAC address on Comcast's network to be the exact same thing as what Aaron did:
1. Are you bypassing a security mechanism by changing your MAC address?
2. Did you gain something and/or cause them losses exceeding $5,000?
Are you bypassing a security mechanism by changing your MAC address?
This question seriously calls into question your profile description of "security guy". A security mechanism based on MAC is as effective as a security mechanism based on asking a stranger whether their name is Aaron Swartz, because Aaron Swartz isn't allowed on this network.
The relevance of the security measure is that it serves to prove that the trespasser knew he wasn't allowed on the property. That's why the strength of the security measure isn't relevant. If I don't want Bob Dylan walking on my lawn, and I post guards who simply ask "are you Bob Dylan?" that shouldn't be any different than if I put up retinal and finger print scanners.
Note, that doesn't mean I think you should get 30 years in prison for simply walking across my lawn.
Note, that doesn't mean I think you should get 30 years in prison for simply walking across my lawn.
Agreed, which is one reason it is important in this conversation to separate false identity from trespassing.
The relevance of the security measure is that it serves to prove that the trespasser knew he wasn't allowed on the property.
Ah! Exactly! Which is why this conversation is important. The OP has said that he effectively always says no when asked if he is "Insert Name". My example is also poor, because asking someone if they are Bob Dylan also informs them that Bob Dylan is restricted from entry, which means something to the law.
A better example would be a security system based on something fleeting and baseless, like your favorite color. You might have always liked the same color, or you might change favorite colors every year, or you might just tell people a different color because no one really knows what your favorite color is but you anyway. If the security call box asked you what your favorite color was, you told them something random, and they let you in, is that illegal? The security guard never said that people whose favorite color is X are not allowed, he just asked what your favorite color was, and then he let you in.
You're going to all sorts of gyrations to avoid the obvious. The fundamental question is still: do you know that you are being singled out?
Favorite colors are non-specific enough that you might reasonably not know. But MAC addresses aren't like favorite colors. Every Ethernet device has a unique one. If you find your MAC address banned, I think you can reasonably conclude that you're being singled out.
You're going to all sorts of gyrations to avoid the obvious. The fundamental question is still: do you know that you're not allowed?
I agree that I'm darting around, but it's in the interest of truth. Here's the problem: if Aaron was running an automated MAC randomization system for the purpose of personal privacy, he would never have known that his MAC was blocked. The details of his case show that he was aware, but this OP describes a situation in which there is no awareness. If the law is primarily concerned with the knowledge aspect, this can be attended to on a case by case basis. However, much of the discussion has suggested that a MAC is an identifier, and any alteration of this identifier is criminal. This should not be the case.
Swartz was not running an automated MAC randomization system.
His defense team vigorously contested the searches of his home, office, computers, even the netbook found in the closet at MIT under the aegis of his expectation of privacy at MIT; his team also attempted to have wire fraud indictments dismissed by challenging the notion of IP and MAC address "spoofing" constituted false statements. If Swartz had been continuously "spoofing" his addresses, he surely would have raised that point. Instead, he appears to stipulate that he was altering his addresses to bypass the authorization controls at MIT.
I wrote the first line of this comment a couple hours ago because I remembered reading this on Sunday, but it took me a while to track down the exact filing.
>By the same token, obtaining new
IP addresses by “spoofing,” i.e., changing, the Acer’s MAC address, Indictment, ¶¶19(a)-(c), 27(a)-(c), also cannot constitute false statements or misrepresentations or omissions of material fact, nor can Swartz’s use of an automated collection device which made it appear that multiple people were
requesting articles rather than a single person making multiple requests, Indictment, ¶34(c). //
So they're really claiming that writing a program to appear to be many people accessing data when only being one person, that program solely being to gain unauthorised access, wasn't fraudulent at all.
Yes. Engineers deal with uncooperative systems all the time. One might have the task of getting SCADA system A to integrate with financial system B, and report to management system C. But SCADA system A rate limits requests from a single origin, and the financial calculations will be inaccurate without more frequent updates. So, the engineer creates a system that appears to be multiple different origins to SCADA system A, and the world still turns.
I think what terrifies lawmakers and non-technical people is that, for the first time in history, computers present a potential world in which their expectations of the outcome of force and command do not apply; a virtual universe in which the laws are entirely different, and it takes bending over backwards to make the old laws of the physical world apply in the virtual world. So they do the only thing they know how, apply the physical world's laws of force and command to that chunk of the physical world at the opposite end of the virtual world, in a scale that is proportional to their vast fear instead of the actual behavior.
OK but you don't do that for other peoples industrial control units.
Look I've done MAC spoofing, switched UA's, tunnelling, used VPNs and such; it's not rocket science - certainly a moderately computer able person with legal training is going to be able to understand such things.
It's like signing up for multiple API keys in contravention of the ToS, you know it's not authorised.
There's nothing especially technical about what happened my only incredulity is that anyone supposes a person doing such a hack wouldn't know it's not _authorised_ (ie countenanced by the system owners). The first thought in addressing the access limit is that switching IP and/or MAC and/or UA is likely to enable access to 3(?) more JSTOR docs - but there's a realisation implicit within that of the JSTOR owners having only authorised a very limited access.
Now if we're talking about the ridiculousness of the proposed sentence that's an entirely different matter ...
As an aside I'm surprised no-one has crowdsourced the gathering of all JSTOR docs, they'd need an index, a script to pass the links to a person for download and a repository for upload. It would be just as copyright infringing as any other method but far harder to trace - the majority of it could be automated I'd expect (perhaps not the JSTOR registration).
I'm not an expert in the law, but I don't think it's the case that "any alteration of the identifier is criminal."
Now, is it the case that if you habitually use MAC address randomization and try to access a network repeatedly without permission, your randomization of MAC address might be interpreted as a way of trying to get around blocks? This is quite possible, and will be handled by a jury that probably doesn't understand why anyone would randomize their MAC address any more than they would understand why anyone would habitually walk around wearing a ski mask. I think that's a legitimate concern.
This is quite possible, and will be handled by a jury that probably doesn't understand why anyone would randomize their MAC address any more than they would understand why anyone would habitually walk around wearing a ski mask.
I would hope that someone would realize that wearing a ski mask for no reason has considerable downsides, while changing you MAC address for no reason has none.
What if someone uses different devices instead of changing the identifier of one device? A policy that very explicitly says you can only take so much food on a plate, but that anyone can take a new plate, doesn't suggest that the server is too concerned about how much food is served.
> I would hope that someone would realize that wearing a ski mask for no reason has considerable downsides
On this note, I recall several years ago while in college getting a mass email from administration that warned students not to wear masks during Halloween on the street because doing so was banned in the city. A quick googling just now doesn't turn up anything of the sort, though it does seem some other states have laws concerning masks, though often with exceptions for children, holidays, religion, education, etc.
However, much of the discussion has suggested that a MAC is an identifier, and any alteration of this identifier is criminal. This should not be the case.
Who specifically has suggested that it should be the case? You're constructing a strawman or not reading what people are writing.
The criminal act is continuing to do something after you've been told to stop.
The fact that something is easy to bypass doesn't mean it's legal to bypass.
In fact, that "Aaron Swartz isn't allowed on the network" example is perfect. If I have a sign saying "Bob isn't allowed on my property" and Bob comes on my property, that's trespassing.
The legal status of a security mechanism does not depend on its engineering efficacy. For example even though many deadbolts can be easily defeated with a bump key, using a bump key to gain entry to a house you're not legally entitled to enter would still be considered a crime.
Security based on MAC blocking is not remotely like a deadbolt. A deadbolt denies anyone who doesn't have a key, whereas a block list allows anyone who doesn't look like someone on the list. Security based on a MAC whitelist (where only certain people are allowed) is closer, but that isn't what MIT was using.
You're continuing to miss the point. If I leave my door wide open and put up a sign that says "Private Property, Do Not Enter", it is legally the same as a deadbolt, despite the complete engineering uselessness of a sign in preventing physical access.
You can't answer legal questions with engineering. They are different fields with different goals.
If I leave my door wide open and put up a sign that says "Private Property, Do Not Enter", it is legally the same as a deadbolt
Yes, and it's not the same as MAC blocking.
You can't answer legal questions with engineering
Technology changes the subtleties upon which laws are based, so you necessarily have to answer a legal question with certain aspects of engineering.
A network that is protected by MAC identification cannot be directly compared to a room protected by a lock and key. In the case of Aaron, you can point to his modification of the MAC as an awareness that his is skirting network policy. Whether breach of network policy should be a felony is another discussion. However, someone who maintains privacy by randomizing his MAC is in a very different situation that looks strikingly similar to the case at hand. Will the courts understand the difference? We can only hope.
If you must use a door analogy, your sign would actually read "Party inside. Please join us!" with a bowl full of keys sitting beside the door.
Now imagine if each key is valid for only five openings of the door. When someone comes back to your place for a sixth time and their key doesn't work anymore, is it really reasonable to be upset if they choose another key from the bowl?
> 1. Are you bypassing a security mechanism by changing your MAC address?
As far as I can tell? Quite possibly. If I don't make my router use my laptop's MAC address then I get hit with a captive portal at random times. This appears to be a security measure, though in my unresearched opinion I believe it to be a mis-firing of a security measure.
> 2. Did you gain something and/or cause them losses exceeding $5,000?
Considering the cost of my bill, it won't take me all that long to cross that limit.
If you are paying Comcast, and not exceeding the level of access for which you are paying, then you are not costing them any money at all, and arguably not defeating security since you have a legal right (by virtue of your contract with them) to the resource you are accessing.
The situation would be different if you were not paying Comcast, but still using technical trickery to defeat their network security and access their bandwidth.
So you really think that Comcast doesn't want you on their network with a router spoofing a laptop MAC today?
It's the intent to be somewhere you know (or ought to know) you aren't wanted that matters.
2.
It's not just "I did $5,000 worth of business." If Comcast had a program where they sold "router-attached Internet" for a price difference that totaled $5,000 over the price you paid for "computer-attached Internet" then you would hit CFAA levels.
> So you really think that Comcast doesn't want you on their network with a router spoofing a laptop MAC today?
Their captive portal demands that I install client side software. If they didn't want me to do this, there are definitely better ways of letting me know about this than a captive portal. Why would they captive portal someone they intend to let use their service?
What concerns me here is the degree to which I seemingly have to guess at Comcast's motives.
> It's not just "I did $5,000 worth of business."
So on one hand we are violating the terms of service for a connection we paid for... and on the other hand we are violating a terms of service for a connection we paid for.
How is a layman, who is apparently responsible for evaluating the legality of his own actions, supposed to make a distinction?
I don't understand about the captive portal. Do you really think they don't want you on their network with a router?
The fact that their motives are unclear would be a good argument in your favor in case you were in court. Note that there wasn't any doubts about MIT's motives. Aaron isn't an idiot and he knew they were trying to keep him off the network.
2.
So on one hand we are violating the terms of service for a connection we paid for... and on the other hand we are violating a terms of service for a connection we paid for.
I don't understand how this is a reply.
If I use fraud to buy something you would sell for $8000 for $6000 instead, that's only $2000 worth of damages.
Do you know what a captive portal is or something?
Comcast is preventing me from accessing their network unless I install their client side software. I am circumventing the technical measure in place to enforce this demand by changing my MAC address such that they think I have their software installed.
Am I in violation of their ToS for doing this? The hell if I know, but it seems entirely plausible.
> I've changed my MAC/moustache plenty of times to "deceive some guards". Actually I'm doing it right now, this Comcast modem is a utter pain in the ass...
Is this activity illegal? Like most questions in law, the answer is, "it depends".
Are you paying Comcast for internet? If so, its probably not illegal because they have authorized you to access the internet through their networks.
However, if Comcast's network authentication was based on MAC addresses and you spoofed yours to match a paying customer's, that would probably be wire fraud.
> Or, if it is the "something valuable" part, would gaining access to that "something valuable" have been an issue if there was no deceit?
I'm not sure what other laws would be relevant if there was no deception, but it certainly wouldn't be wire fraud. Deception is a pretty integral component to fraud.
Well that's a poorly constructed straw-man. Why would you be charged for fraud for wearing a fake mustache? I don't think you have any idea what you're saying.
I haven't given this all much chance, but the OP's argument is basically that the current legal view of MAC spoofing is flawed in two ways, which no one seems to be addressing here. It is not an actual means of identifying an individual and it is part of ensuring a reasonable amount of privacy for the user.
It's more akin to wearing a fake mustache, than using a fake id.
It is not an actual means of identifying an individual and it is part of ensuring a reasonable amount of privacy for the user.
Technically. Yes, I think that anyone who understands the technology agrees with this. The problem is that the courts are enforcing it as if it were the digital equivalent of a photo id, and this is not a small problem.
Well yes we all know legislators and the judicial system do a horrific job of understanding these fundamental differences between the real world and the computer world.
What really worries me is when someone on HN talks the same way.
If you can show "damages" to their satisfaction/threshold, yes (bear in mind that, as should be no surprise to anyone here, definitions of damage and the measurability thereof may significantly vary).
Just to point out that if a law is unjust, the prosecutor may have a duty qua prosecutor but qua human being he has a stronger duty to stand against that law.
Yes, it may be dangerous but the slippery slope is exactly that: 'as it is my legal duty, I shall try to make as much harm as possible'.
Conscience does exist...
Well it doesn't matter how "easy" it is to do. It also doesn't matter if the password was just "password" or if the door he broke into had 1 lock or 500 locks.
Also the prosecutor is typically going to overstate the charges and the defendant will understate them. In this case the prosecutor went for 35 years and the defendant went for zero years (not guilty). This is where the judge comes into play. If Aaron shows that he changes his MAC address every morning then that charge will likely be dropped. If it's found that he only changed his MAC to bypass a restriction, it could be seen as concealing.
Well then is is probably a good idea to go on record about changing your mac address on boot. Otherwise I imagine you would have a hard time proving it in court.
I too randomize my MAC address at boot on all of my machines except my work desktop.
I agree with ajross' reply. The changing of MAC address wasn't the "capital offense" so to speak. You don't get pulled over for not wearing a seatbelt, but if they _do_ pull you over and you _happen_ to not be wearing a seatbelt, they can hit you with extra fines, etc.
Besides, arguing against a comment for it's attitude isn't an argument at all. The original comment was essentially a (valid) "so what?" to the article; it wasn't a refutation of fact, but expressing a frustration at the non sequitur implied by this, and allegedly, many other articles on HN.
I've heard from several police officers that if they follow you for 60 seconds, they can find a reason to pull you over. If the seatbelt instigated that following, isn't it exactly the same thing the OP is saying?
The issue the OP has is that changing your MAC address is synonymous with walking around in the dark, something law abiding citizens do regularly, but police better frown upon because that's when the bad guys sneak around. Personally, I played lots of tag after dark and had more than one negative interaction with the police as a result. Kids after dark can't be up to good, and hackers spoofing MACs can't be either!
There are very real problems with our laws. That Aaron was facing 35 years in prison for what he did is very clear evidence of that, and this is far from the only broken law.
While hating on the system can be done in stupid ways, ignoring these sorts of things doesn't make them less real.
Besides that, this sort of thing fits the criteria for submissions on HN. I'd even go so far as to say that this is more appropriate than the latest news about incremental changes in X.
I very much agree here. The problem isn't that there's a law against accessing a computer system without authorization or how it's defined. The problem is that the law treats unauthorized access to a computer system so much more harshly than the equivalent trespasses on physical property. If he'd been charged with a misdemeanor resulting in "a fine of not more than $100 and up to 30 days in jail" I could see that as being a just law. Decades in prison and a felony record? Not so much.
It wasn't just that he made unauthorized access to the network; it was so that he could download millions documents that JSTOR sells a subscription to for tens of thousands of dollars a year.
You can't ignore that. If he had trespassed into JSTOR's offices to grab the same information, it wouldn't be a $100 fine.
(Ob: I'm not saying justice would have been Aaron sitting in jail for 7 years.)
He only did this because the majority of them are publicly funded and should be available for free. The only reason they are not available to the public is JSTOR's grasp on journals and monopoly over archiving.
Maybe we should be blaming the journals for being greedy instead, but the point stands.
Saying, "I don't want to see this on HN" when it clearly fits the criteria for submission and aids in making the audience of HN more aware[1] does suggest that you are ignoring these sorts of issues elsewhere in your life.
[1] Though this post wasn't particularly informative, it did stir debate.
Debate raises awareness and challenges opinions. It's not related to the criteria, but it is related to why you would be inclined to discuss this on HN if you were inclined to discuss it outside of HN.
I don't need to know anything about your political involvement to draw conclusions about your involvement on this particular cause.
Edit for clarity:
When I mentioned the criteria, I wasn't referring to debate; I was referring to awareness.
I can see how tempting that would be, but David is a special case. With his many years of complaining about politics on HN he has covered the entire ideological spectrum. :)
Edit: I mean that to sound good-humored, not snarky. I agree with davidw on this more than I used to.
It's difficult to reply to this because there are lots of moving, intertwining parts. I'll label them, I guess
1) I didn't assume political apathy, but I did assume apathy about this particular case.
2) His responses suggested that he was somewhat concerned with politics outside of HN.
3) My use of "these sorts of issues" did suggest that I meant politics in general, but I meant *this* brand.
4) I did not suggest that HN was a vehicle for political awareness in general, but rather than this brand of politics is well-placed on HN.
5) I also suggested that this particular brand of politics do belong on HN given its criteria.
I realize this isn't my best writing, but I'm running on very little sleep and I don't have the energy for the dozen proofreadings and rewordings that I normally give my posts. I hope that my meaning can be accurately discerned.
That is exactly the thing that drives charge inflation. You don't just get indicted for committing a crime, you also get charged with walking the streets while intending to commit the crime, wearing the pants with intent to commit crime, not telling the policemen you're going to commit crime, using your laptop in committing the crime, using public airwaves while committing crime, concealing your identity with criminal intent, etc. etc. That's where 30-year charges come from. I think it does indicate serious problem - why changing MAC address should be a felony in any context? If somebody did something evil and changed MAC address - convict him for something evil, not for changing MAC address. Only reason I see why such charges exist is to coerce plea bargains.
I'm really sick of these sensational posts/comments showing up on HN.
Seconded, and I'm also tired of the dogmatic and uninformed approach to legal issues. Just because law employs logic does not mean that being a programmer gives a superior understanding of law. The same misconceptions crop up over and over again and badly lower the signal:noise ratio.
> It's not illegal to change your mac address or wear a ski mask. It can be illegal to do both of these things while committing other crimes.
Honest question: why is that? Why is it not enough to charge someone for the actual crime they committed? Why does someone need to be charged for committing it a specific way?
It's not so much that wearing a ski mask is illegal (though that's true in some cities) but it demonstrates you are deliberately committing the real crime, not an accident. You can wear a mask. You can tell a bank teller "I'm here to make a large withdrawal." Doing both at the same time? Good luck convincing the jury you were just trying to hide from your wife while getting some cash for a friends bachelor party.
> but it demonstrates you are deliberately committing the real crime
So once again you're back to saying that it provides evidence of another crime. But many people are saying the anonymity becomes a crime itself when in the context of another crime. I'm kind of bothered by that as it puts a liability (or a chilling effect, if you like) on being anonymous, something I do every day and cherish very much as an important aspect of my privacy. Even though it won't become relevant until the day I am (perhaps wrongly) accused of another crime, suddenly it will become a very huge liability if that ever happens.
Now if you say the anonymity crime is "planning and preparing to commit a crime" then that's (sort of) OK. Once again, the anonymity is part of committing a separate crime that I can at least rationalize is wrongful. But if you tell me that the pure anonymity itself is a crime then I'm very disturbed by that.
Anonymity is anathema to the government. There are plenty of laws on the books prohibiting it even if you're not committing any other crimes: many locations (most? all?) ban wearing masks at legal, peaceful public protests, even if the protesters have legitimate reasons to fear employer or community reprisal for participating in the protest.
That's because State Power is not, contra popular imagination, based on a monopoly of violence, which only exists nowadays thanks to the triumph of its real source. It's based on legibility: by abstracting the world and identifying and naming its subsystems, the State creates its own power. Naming and identifying people is a natural part of that: indeed, adding last names to a first name to create a (ostensibly) unique global identifier was one of the first projects of the modern State. One hundred faceless people you have to monitor at the moment is far more dangerous than a thousand identified people you can attack after the fact.
THANK YOU - you can pick up your friend from the store with your car and it is legal, but if your friend is robbing the store and you are helping him escape, you are now an accessory.
You can carry a concealed handgun and shoot it at a shooting range, but if you murder someone with it - you will not only be charged with murder, but also with unlawful use of a handgun. There is no story here. Ugg...
Under the CFAA, it might in fact be illegal to randomize your MAC address depending on the terms of use for the network you are accessing. It is not illegal for this guy to access his home network in this way, because he owns the network. However, the danger of the CFAA is that it makes it a crime to violate user agreements - which can say anything that the network or site owner wants them to. It effectively allows anyone to author and implement their own criminal laws and have them be enforced by the full power of the federal government.
As for the wire fraud implications (which are separate from the CFAA), if you cause a false statement to be transmitted for the purpose of obtaining money or property, you have committed wire fraud and face a potential 20 year sentence. Spoofing MAC addresses to exceed access limits, for example, would qualify. You are causing your device to mask its true identity for the purpose of obtaining "property" that you wouldn't otherwise have access to.
Besides taking the "civil liberty" angle, I'm trying to get to the "witchcraft" angle. As Arthur C Clarke puts it, "Any sufficiently advanced technology is indistinguishable from magic". Here is my corollary: "Any sufficiently technical expert is indistinguishable from a witch". People fear magic they don't understand, and distrust those who wield that magic. Things that seem reasonable to technical geeks seem illegal to the non-technical.
Probably because the implication of that little blurb was that the author is so advanced technically that laypersons see him as magic.
Clarke's quote isn't "anything you don't understand looks like magic". Spoofing a MAC address is not especially advanced. It certainly doesn't look like magic. And people who spoof their MAC addresses don't look like witches.
The "witchhunt" -> "advanced technology looks like magic" connection had the potential to be interesting, but I don't think it worked out well. And I agree with rayiner that it came off as self-aggrandizing more than anything else.
To average jury members, who likely wouldn't know what a MAC address was prior to a potential trial, spoofing a MAC address might seem quite sophisticated, actually.
I get your point, and the level of perceived sophistication probably comes down to how well the concept is explained. (At its heart, it's just changing a number. But it could look pretty complex if explained in terms of Python scripts and system services and such.) Of course, there's also still a rather large gap between something seeming sophisticated and that thing seeming to be magic.
He's basically saying "I'm being persecuted because I'm so much smarter than everyone else they can't possibly understand me, and people attack what they don't understand."
The general public is quite ignorant about technical matters. This becomes evident when, just as a trivial example, you complain about technical inaccuracies in a hollywood movie. You'll immediately be told in no unclear terms that the general public neither knows nor cares.
People attacking that which they do not understand is just as old as recorded history. I'll take that phenomenon as just an axiom of human behaviour.
Exactly. The general public does not care about tedious technical things you can do. Nor should they. Spoofing your MAC address simply isn't interesting to other people.
> People attacking that which they do not understand is just as old as recorded history. I'll take that phenomenon as just an axiom of human behaviour.
This is sad cynicism. In general, people don't just arbitrarily attack things they don't understand. And people certainly don't attack things they don't care about. You kind of have to care about something in order to put in the effort to attack it.
People certainly care about hacking, why do you think it is in the movies so much? What people don't care about is an accurate portrayal of hacking.
The problem occurs when people are trying to make ethical calls in a context outside of hollywood movies. Any string of technobable sounds insidious to them; writers (quite reasonably) use this to their advantage to reduce the amount of research they need to do, but prosecutors also use it to their advantage.
> You kind of have to care about something in order to put in the effort to attack it.
Yeah, and that something they care about is "ze evil haxxors". They care about a topic they have absolutely no technical insight into.
You're conflating a number of separate issues. Sure, people care about "hacking". That doesn't mean that the general public automatically attacks anyone accused of hacking. More to the point, is there some evidence that the general public considers MAC spoofing to be hacking? Most people don't know what MAC spoofing is, and don't care. Sure, if you can convince someone that MAC spoofing is hacking, then you might be able to convince them to care, but first you have to convince them that it's hacking.
> Any string of technobable sounds insidious to them; writers (quite reasonably) use this to their advantage to reduce the amount of research they need to do, but prosecutors also use it to their advantage.
Any string of technobabble sounds like technobabble to the average person. It makes no sense to them, by design. That doesn't mean they automatically consider it evil or hacking. Writers use this to their advantage because they know they can assign whatever meaning they want to the technobabble by using appropriate framing. Now a prosecutor might well stand up and spout a bunch of technobabble and then say "that's hacking". The defense needs to stand up and explain why that's stupid.
A prosecutor in a medical malpractice trial could also stand up and describe a heart bypass surgery using medical terms and then announce that the doctor is clearly responsible for the patient's death. It would be pure medical babble to the typical jury, and without accurate context, the jury could indeed be led to believe that the doctors actions were negligent or even malicious, despite them being standard procedure. The defense needs to step up and provide context for those terms that the jury doesn't understand. (The judge also needs to step up and not allow the prosecution to intentionally mislead.) The jury here isn't attacking the doctor, though. They're making a judgement based on the information they are provided.
When all the spinning 3d shit appears on the movie screen, the audience does not automatically think "hacking". But they do think that once the movie tells them it is hacking. (Of course audience members have come to expect certain depictions to be described as hacking) If you spew technobabble at a layman and tell them that you are rehashing a microwave oven, they'll believe you, even though that makes no sense. When a prosecutor spews technobabble about graphology, the layman is going to think it is evidence, not because when they hear the technobabble they think "hard evidence" but because when the prosecutor spews it and calls it evidence, they think "evidence".
When a prosecutor spews what seems to be nonsense about MAC addresses, and calls it leet illegal hacks, do you really think that the layman is going to sit there and second guess that assessment? Really?
The general public cares about illegal hacking. The general public has no idea what illegal hacking looks like. When the general public is shown something alien to them, and then told it is illegal hacking, you would be insane to think they would not react in fear of it.
If they understood the subject matter, they would act rationally even if they did not understand the particulars; for example, if they understand the basic premises of medicine. Now, if you had a surgeon describe the familiar (say an appendectomy) in unfamilar detailed medical jargon, your standard layman is going to be a hell of a lot more stressed out over the procedure. Why? Because the unfamilar frightens.
Being persuaded by technical jargon is not the same thing as simply attacking someone for having technical skills, as was the original implication.
And for better or worse, juries are tasked all the time with coming to conclusions in problem domains that might be beyond their understanding. This is not unique to the technical realm nor is it a new phenomenon. A jury in a complex insurance or securities dispute is going to need things explained to them just as much as in a computer hacking case. Indeed, I'd argue it's much easier to explain to someone what MAC address spoofing is than to explain to them what the LIBOR manipulation entailed.
There is plenty of evidence for both aspects of his statement for him to say it with confidence in public discourse. We he saying something that you don't disagree with, I doubt you would be demanding a higher grade of evidence.
The "witch" comment reminded me of the shift in the term "hacker" to refer to criminal behavior. A lot of people distrust cleverness. I've always suspected that if another term was adopted for positive hacking, such as "tinkerer", it too would be shifted to have a negative or criminal connotation.
It was frustrating that in high school, whenever any computer shenanigans went down, I would always be the one who was automatically called to the principal's office. And some of those times, I wasn't even the one responsible. ;)
I am not a lawyer, and neither is the author. But I suspect that there's nothing illegal about randomizing your MAC address or concealing your online identity. It's the combination of those things and committing some other "crime" (ie accessing data or systems for which you don't have permission) that becomes a problem, in that it shows intent to deceive the other party.
Changing your MAC address is not, by itself, illegal. But the path from there to a felony is easy to cross.
Suppose that you have an ISP that only allows you to connect one device to their modem. (This used to be very common.) Suppose that you want to connect a different device. (Again a common desire.) Suppose that you spoof the MAC address of the original device so that you can connect. (This use case is a big part of why consumer electronics added the ability to spoof MAC addresses.)
Under federal law, you've now committed a felony for which you can serve jail time. Your access to your ISP's network is unauthorized.
Let me make this personal. This is not a random use case. I have done this. If anyone had cared, I could be charged with a felony. I could serve jail time, for accessing a network that I paid for in a way that I thought was pretty fair. (My "crime" being that I wanted to attach a wireless modem to the network so that I didn't have to have a wire connecting my laptop while I was using it. OK, I was bad, my wife and I could both use computers at the same time.) I didn't think I was doing anything wrong. It was a pretty common act. It was still a felony.
So no, randomizing your MAC address is not illegal. But the line between legal and a felony here is awfully easy to cross.
The situation you describe is almost certainly not a crime under the prevailing interpretation of the CFAA.[1] (Although I do grant that your theory could potentially be correct, which is part of the reason it's such a bad law.[2])
The CFAA criminalizes "unauthorized access" and "exceeding authorized access."
The unauthorized access provision applies to various means of hacking into a computer. The exceeding authorized access provision applies (in general) to company and government insiders. "The term “exceeds authorized access” means to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled so to obtain or alter." 18 U.S.C. §1030(e)(6)[3]
Your contract with your ISP gives you access to the network. By spoofing a device, you would breach your agreement with the ISP, but you would not be obtaining or altering information that you are not already entitled to under your agreement with the ISP as an authorized user.
In sum, for an authorized user to commit a crime, he must break through the access level he was granted by his authorization and reach information that was effectively closed-off to him.
That is comforting to learn. I was relying on my understanding of Orrin's analysis of the law. I should have put bigger disclaimers on it.
That said, "prevailing interpretations" can shift, and can vary by jurisdiction. Thus if someone living in Boston did what I described, and was sued by Ortiz, it is not guaranteed that a Massachusetts judge would decide the case on the same principles.
I'm not convinced even then you've committed a felony. Your access to the cable network, assuming your bills are paid up, is authorized. They'd have to demonstrate that your decision to change your router's MAC was intended to defraud them.
Setting up four different laptops all with the same MAC, so that either you or your three neighbors could share the connection, is probably closer to the kind of thing that would land you in jail.
Existing precedent says that my access to the cable network is only authorized if I am within their terms of service. The terms of service said "one device" and explicitly said I couldn't plug a router in.
I used that network from more than one device, and plugged a router in. I was therefore accessing the cable network in a way that was not authorized. Furthermore I intentionally changed the MAC address on my router so that I could circumvent their control mechanism that was intended to make sure that I followed their terms of use. There is no question that I did this in full knowledge of the fact that, according to the owner of that network, I was not allowed to do that. Among other things that I did with that network connection was gained access to online collections of software, including CPAN and Debian repositories.
I therefore used unauthorized access to a computer to obtain information. When valued in accord to the standards used in precedent as described in http://www.volokh.com/2013/01/14/aaron-swartz-charges/ there is no question that the cost of production of the property that I gained access to was worth more than $5000. (The fact that my cable provider did not produce that content does not enter into the statute, and is therefore irrelevant.)
By my reading, my changing of the MAC address allowed me to gain unauthorized access under false pretenses to property worth more than $5000 that resided in another state from me at that time. That means that a prosecutor could, in theory, have charged me with the first 3 of the 4 original charges that were leveled at Aaron Swartz.
But, you say, no prosecutor would have actually done so, and a judge would not impose a serious penalty if one did? That is absolutely true. The phenomena is called selective enforcement. And selective enforcement of bad laws only against people that someone in power doesn't like is a real problem.
(The fact that my cable provider did not produce that content does not enter into the statute, and is therefore irrelevant.)
Is this really true? I would think the circumvented security and the damaged party would need to be more "proximate". If you downloaded 500 copies of antivirus software from the Comcast only FTP site there'd be a case.
I don't think piling on of charges is right, but I don't think charges are piled on in quite the way you're describing. There is a connection, even if tenuous, between them.
I am not a lawyer, but my understanding is that proximity is not needed, and in fact was not present in Aaron Swartz' case.
Aaron had unauthorized access to MIT's network, through which he downloaded JSTOR's documents, and the value calculation they would use was based on the effort of various academic authors around the world. MIT complained to the prosecutor, and who brought the case despite JSTOR not being interested and no complaint from the actual owners of those documents (which mostly was not JSTOR).
In my parallel scenario, the cable company takes the role of MIT, open source repositories take the role of JSTOR, and open source authors take the role of the academic researchers, journals, etc who owned the documents downloaded. The parallel is exact. If the cable company (like MIT) complained, the fact that the other pieces of the puzzle do not want charges brought would not stop an overzealous prosecutor from being able to charge me.
What could I be charged with? Of the 4 initial charges against Aaron Swartz, the fact that he caused damage only matters for the last one. The first three are only concerned with the fact of unauthorized access over a network of valuable property. My parallel scenario has that.
The amendment that is being proposed saying that violation of terms of service does not suffice to count as unauthorized access under this bill would protect my case. That change is definitely needed. As I've commented elsewhere, the fact that Aaron's access required physical trespass means that his lack of authority did not merely stem from violating the terms of service. Therefore I don't believe that he would have been protected by the proposed bill that bears his name.
My cable modem is somewhat similar - it makes one DHCP offer, at boot. If you connect it directly to a switch, you don't get connectivity. That's why the ISP recommends you make the one device a router.
The problem is that the various computer crime laws are vague and subject to interpretation. I read an article recently claiming that accessing a URL manually that is not intentionally exposed via a public link could be considered a form of unauthorized access and wire fraud.
The problem is that the laws have to be almost impossibly vague. In just a few years we move from Sun RPC to DCOM/ActiveX to XML to SOAP to various SOA web standards onward to REST APIs/Ajax/etc. etc.
That's why the law leaves it couched in terms unlikely to change (like "authorized access", "intentionally" doing something, etc.) and leave the charges to be considered in light of the totality of what went on.
Would a jury convict on typing in one URL, realizing it gave access to an admin panel and just leaving the site immediately? Hopefully not...
Would a jury convict on building a screen-scraper that steals the password for users by incrementing ID's on a URL that wasn't public but wasn't properly secured? I would think so. Sometimes the circumstances of the case matter more than the law itself.
>The problem is that the laws have to be almost impossibly vague.
No they don't! Please don't say things like that in public, someone may actually believe you.
It is not possible for the laws to be perfect. They can't be like programs or catch every possible nuance or edge case (and when they try they look like the tax code). But we have specific articulable laws that are severely defective in ways that normal laws aren't, and they can certainly be improved to attain roughly the same level of imperfection found in the large body of legislation rather than their current state of total absurdity.
For ours laws that can be clarified then by all means let's get those clarified.
By what I mean by almost impossibly vague is things like even basic elements of the CFAA. There have been debates up and down HN, Reddit, and across the web about whether logging onto a website that uses laughably poor authentication schemes even counts as "unauthorized access".
If a specific-enough term like "unauthorized access" can lead to so much controversy in practice then yes, I don't see how one could argue that a legal code could simultaneously encompass all reasonable aspects of computer technology, in the present and future, and still not be at least somewhat vague.
It's the principle of indirection applied at a legal level. "What does unauthorized access mean? Well, I guess that's for the specific judge to hash out and the specific jury to decide"
Penalty: "shall be punished by a fine of not more than one hundred dollars or by imprisonment for not more than thirty days or both such fine and imprisonment."
On top of that, look at the wording: You have to have some specific notice that you're unauthorized before it's trespass. And then the penalty is a $100 fine or 30 days. So okay, you want to have the digital equivalent of trespass, let's do the same thing: You have to have been specifically told (not implied by some trumped up circumstantial nonsense about MAC and IP addresses or URLs) that you aren't allowed to access a particular computer and then have done it anyway, and then the penalty should be $100 or 30 days.
Because that's the trivial offense. That's the one that should have the really low penalties because it doesn't necessarily imply any substantial harm. The high penalties should be for high value financial fraud or misappropriating classified materials or disrupting the control systems at a power plant or a chemical processing facility, and they should each be separated out so that we know what they are and have penalties proportional to the specific offense.
And to do that we don't need to talk about XML or SOAP or AJAX, because that isn't what matters. It doesn't matter specifically how you did it, it matters what you did and what you intended to do. This is why we don't have laws against trespassing while wearing a yellow shirt. Because you don't need to specify the irrelevant details, only the relevant ones, and the specific underlying technology is almost always irrelevant to a particular class of criminal activity. Sometimes it does make a difference, and then you need to update the law, but that doesn't actually happen so often that we can't keep up with it if we're paying attention.
This is highly unlikely (but of course, courts may rule differently depending on what is put in front of them).
The closest thing that comes to mind is the 2006 incident in which a researcher from the candidate opposing Governor Schwarzenegger logged onto the governor's public FTP site and stepped-up a directory to find a bunch of private audio recordings:
Of course, this involved a political campaign with millions of dollars (and publicity) behind it. The CHP arresting Arnold's opponent would not turn out well for anyone...if this had been a teenager who tried it, who knows?
Okay, let's cut the crap.
Speaking as a knowledgable lawyer (It's not my specialty, but I studied it intensely in the past with experts :P), they are in fact, quite difficult to interpret.
This is even empirically true:
Different federal appeals courts (which have panels of knowledgable judges) have come to different conclusions about the scope, reach, and interpretation of different parts of the law.
I'm not sure what your evidence is to the contrary.
I would only point out that it's actually both: Not only are they unclear, even if they were clarified but still prohibited roughly the same breadth of things with the same extraordinary penalties, we still should not like them. A law that plausibly imposes the same (felony) penalty for using one's brother's laptop without permission as for breaking into a military intelligence satellite to steal classified materials is a defective law in need of serious reform.
Someone in the UK was prosecuted for this; the statute is something like "don't use other peoples' computers in a way they did not intend", and the guy appended "/../" to the URL to try and read the parent directory listing (it worked). He also lied to police about having done it, but the server logs showed that he had.
Yes, it's pretty simple. If I knew, or should have known, that you did not want me on your wireless network, and I kept on going on by changing MACs, I've crossed a line.
Probably a line with small damages if it's just your home router.
Not a lawyer either. But from reading a dozen or so articles regarding the case it sounds like the general timbre of human emotion in those posts believes that charges of 'concealing his true identity' are used simply to increase the possible sentence. It reminds me similarly of RICO statutes which allow prosecutors to lump various charges together in order to create 'super' charges. Also reminds of me Captain Planet for some reason. Except his evil doppelganger.
Why should we even be trying to sugarcoat what he did? His intention was right but perhaps means weren't and thats how every rebel goes about doing their stuff. They aren't too much concerned about "confirming", and ,duh, not for nothing they are a rebel. The moment the society and the government start treating A Rebel With a Cause for the means they take than read the message they are trying to convey, it invariably shows the rot in the system. A system that doesnt like mirror being shown at. Lets please stop finding reasons for Aaron's action, instead lets accept what he did was not confirming to the system, we also need people who question and challenge the system not just those who confirms!
No, he wasn't kicked off, just the MAC address of his laptop was banned. As the article author wrote, if someone blocks your number, it's not illegal to call him/her from a different phone number.
Maybe they could make it illegal if they got a restraining order, but AFAIK MIT did not do that.
Perhaps its different for me since I work in information security, but if there's someone connected to our guest network (where we have no identity information) and their computer is misbehaving, the only recourse we have to demonstrate that they are not welcome anymore is to terminate their session and block their MAC address. There's literally no other way to get in contact with them.
I would say it's safe to assume that if your MAC address gets banned, it was for a reason. It means you're not welcome on the network anymore.
The retort would be : If you want to be able to address me, you don't have to have an open network, you can require registration and/or other physical verification first. You have chosen to run a network where you can't identify or talk to me, you should therefore know that I won't necessarily know what you're wanting. Some places have a policy that older versions of OSes aren't permitted on the network, and you'll get booted for that. Doesn't mean that you aren't welcome after you've updated your system or changed to another PC. But you haven't told me why you booted me, so I can't know for sure that I'm not welcome again.
The courts can and do, particularly when a particular crime specifies that you violate a specific placed prohibition. In Arrons case (without knowing precisely what went on), it may very well be possible to argue that he thought the banning of the mac address was e.g. a warning, an automated trip/response that the administration may not agree with in his deserving case, related to a period of overload on the system (i.e. temporary ban) etc. And the court would need to believe "beyond reasonable doubt" that none of those were the case.
The courts (usually) take a common sense approach like you suggest when your argument of "duuuhhhhhh, they didn't explicitly tell me not to do that" has very little to back it (i.e. no plausible explanation of why you thought it necessary for them to explicitly say it). But backed by a reasonable, or at least feasible, alternative, the courts often side with the defendant.
If you were able to access the network before, then you did something questionable, and now you're not able to access the network, I'd say that's a pretty good sign. At the very least, you should be able to guess why you were able to access the network again once your spoofed your MAC address. There are many layers of security on networks like these, and to be banned from an open network you have to be doing something you really know is questionable (even if you don't believe it's illegal or immoral).
The argument of "well I didn't know why you kept banning me" doesn't fly. After the first MAC filter, you should know you're no longer welcome, for whatever reason.
I like this idea, but there's a problem with it. His MAC address, which is meant to be specific to a machine, was banned. The intent is clear-- "your machine is no longer welcome on our network."
"His MAC address, which is meant to be specific to a machine"
The article (which I tend to agree with) tends to argue that a MAC address is exactly NOT that, especially in a technical sense (thus a technical user may indeed have more reason for the intent not to be "clear").
I think a better description in plain english is :
A MAC address is an address that a particular interface on a particular machine asks to be identified by in a particular session.
I.E. it's not an identity of a machine, its an identity of an interface. Its not an identity assigned by the network, its an identity offered by the machine/interface itself. Its not guaranteed to be unique, or stable beyond a session.
If it was meant to be a specific identifier for a machine, we would have many technical problems on the "legitimate" side of things, think multiple network cards and virtualised machines.
There was no agreement between Arron and MIT that arron would use a particular MAC address as an indentifier on their network. Its a downside of running an open network.
The meat of the question is how much legal weight a MAC filter should carry. To me the answer is not much. Attach the MAC filter to a simple advertisement of the network rules and it goes way up. This business about safe to assume is scary stuff.
I wouldn't say it's scary. Imagine you're in a club and you start a fight. The bouncer takes you outside. Every time you try to get back in, he's standing in your way. You can come back with a disguise and get in, but without the disguise you're banned. It's safe to assume that you got thrown out because you were fighting.
A lot of the US legal system is based on reasonable belief and reasonable assumption. If an average, reasonable person would believe X, then X is the interpretation the law is likely going to take. It doesn't matter if the rule was actually supposed to be Y, X is what is being communicated and a reasonable assumption would be that X is correct.
I don't like the bouncer analogy. The network people surely know that the MAC filter is ineffective and no bouncer would be fooled by a fake mustache.
I agree that it is clear enough that Aaron Swartz was intentionally circumventing their attempts to keep him off the network. Where I have trouble is that any notional security mechanism is apparently enough to make the circumvention a serious crime.
I suppose where I am going is that severe penalties should be for circumventing security features, and easily altered implementation details of network hardware should not qualify as security features.
Well I wasn't intending this as a debate of secure network practices. I was intending to voice my opinion that having your MAC address banned sends a very clear signal that you are no longer welcome. A signal that could be successfully argued in court. If you are banned from a network and you gain access back by changing your MAC address, no matter how trivial this exercise is you have to understand at some level that your machine address was purposefully blocked from the network.
Actually that makes me like the analogy again! If all you do is put on a mustache or change your shirt and the bouncer lets you in, then you don't really know what the purpose of the bouncing is.
> It means you're not welcome on the network anymore.
I thought it meant, that specific MAC address is not welcome anymore. Otherwise, why would you allow that person to reconnect again just because they changed their MAC address?
No it's not. What if they blocked the MAC because they detected botnet activity? There is absolutely no desire in this case to ban the person, or even to ban the entire computer if it has multiple OSs.
There is really no way to tell just from a MAC ban what the intent is.
>"Otherwise, why would you allow that person to reconnect again just because they changed their MAC address?"
Because in some situations, this is literally the only means you have to get someone off your network. I'm arguing that it is possible and fairly straightforward to tell why your MAC address got banned. The most obvious is by looking back at your history on the network. You know if you've done something questionable. Another way is to call the helpdesk and ask why you've been banned.
At no point is "I didn't know why" going to be a valid reason for spoofing a MAC address to get around a network ban. If you have the know-how to spoof your MAC address, you have the know-how to understand why it's necessary.
If this happened on my company's network, the next step would be tracking the person down with physical security and letting them know the police would be enforcing the ban next time.
> Because in some situations, this is literally the only means you have to get someone off your network. I'm arguing that it is possible and fairly straightforward to tell why your MAC address got banned
Of course that might be the only means to remove someone from layer2 of your network. I don't disagree. I think there are reasons for spoofing MAC addresses (like having it randomized on startup) are complete legitimate and indicate nothing about intent.
> If this happened on my company's network, the next step would be tracking the person down with physical security and letting them know the police would be enforcing the ban next time.
Absolutely. I just don't think wire fraud should be tacked on to their other crimes on your network just because their MAC address changed.
In the law of property, there is a concept called "license." Basically, it encompasses the idea that you can give people permission to trespass, either explicitly or implicitly. If I invite you to my house for dinner, I'm giving you implicit permission to trespass.
Basically, the implied license has a scope defined by the rationale for the implication. If you invite a plumber to fix your toilet, they don't have license to use your jacuzzi (though a dinner guest might!) A license can be revoked in any manner that reasonably conveys the revocation to the licensee.
The law of property isn't directly applicable to computer networks, but is a source of guiding principles and analogy. If you're on an open network and the administrator bans your MAC address, I think a normal person would conclude that the message that you are no longer welcome has been reasonably conveyed. Moreover, MIT Net does have terms of use, and one of those terms (#4 of 6) is: "Don't misuse the intellectual property of others." You can also argue that these terms of use define the scope of the implied license to use MIT's open network.
I disagree.
If I call your phone and one day you don't answer and I try from a different phone number and you do I think you are ok to have me call you.
Had they notified him with a web page that his mac address wasn't welcome it would have been a different matter altogether.
What Aaron did was the equivalent of trying a different laptop to see if things resumed working.
The very first time that happens, maybe he could have thought it was a network error.
But Aaron kept on evading every single countermeasure MIT was putting in his place. By the time you get to going into a wiring closet, you have well passed the point where you know you are no longer welcome on the network.
The law cares very little about what tools you use, and they care a lot more about the actions you do and why you do them.
Aaron wasn't an idiot. He knew MIT was trying to keep him off. It wasn't just a network error.
Yeah, if they had just blocked his mac address then he could reasonably think "hmmm, I can't connect with this mac address, I'll try a different one" instead of "I am no longer authorized". But if you have to keep reconnecting with different IP addresses and mac addresses over and over again, and finally resort to connecting directly to a wiring closet, then the message is pretty clear that you (not just your mac address) are no longer allowed on the network.
It's clear that someone doesn't want you to have easy access, but it by no means gives a clear message that you aren't 'allowed'. If I set up a wifi portal that flips images upside down and misspells words and all that fun stuff it's clear that your access is being diminished but by no means says I want you off my network.
Calling someone isn't considered analogous to trespassing, while accessing someone's network is. I don't think that's a meaningless distinction at the technical level either. Calling someone is like issuing an HTTP GET on a public server. Putting a computer on their network is something quite different.
As for whether banning they MAC address conveys revocation of the license. The precise form of the communication is irrelevant, it's about whether it can be expected to get the message across in context. Do you think Aaron didn't know, after the various measures MIT took, that he was no longer welcome on the network? If he did know, then the message was conveyed.
You're basically attacking a straw man. You're acting like he was charged for trying to access the publicly-available MIT home page, getting a 404, and trying again with a different laptop to see if the problem was on his end. That's what would be analogous to your "calling someone who isn't answering then trying a different phone" example.
> The law of property isn't directly applicable to computer networks, but is a source of guiding principles and analogy. If you're on an open network and the administrator bans your MAC address, I think a normal person would conclude that the message that you are no longer welcome has been reasonably conveyed.
Let's say Aaron's laptop gets its MAC address banned for doing whatever it is he did initially. Aaron then walks over to one of the available library computers and looks up directions to the train station. In your opinion, has he just committed a federal crime?
Let's say I normally let people cut through my lawn to get to the road behind it. But you come on my lawn and start yelling at my house. So I tell you to leave. Are you still welcome to cut through my lawn to get to the road?
I have no idea. As a non-lawyer, my answer would be yes, I'm still allowed. So the message is "we don't like what you're doing", not "you aren't allowed on this network".
By default, you have no right to be on or use private property without permission. MIT's network is private property. It might be "open" in the sense that MIT liberally gives out permission to use it, but that doesn't mean they give up the right to revoke your permission. This is the same as my lawn. Just because I let people cut through it doesn't mean I give up the right to single you out and keep you from walking on it.
The example you give is an edge case, but I think technically the "get off my lawn" revokes your right to cut across it as other people do. I don't think this is a pretty common sense definition.
Imagine I have a land that is for pissing. I.e. people are free to piss on my land. You piss. I don't like the smell of your piss. So I put some boxes where you piss and so I try to block you from peeing. Are you in the wrong to pee on a different part of my land?
Wouldn't a better recourse be to require people to sign up before they pee? Or to find you when you're peeing and tell you in person that you can't any more (then if you do it again, it's trespassing)?
Just because I have something that is open to the public doesn't mean I lose the ability to kick people out. I don't have to put security guards at every door to keep that person out.
It was crystal clear that MIT did not want Aaron on their network doing what he was doing. (This doesn't mean, of course, he should be in jail for 7 years.)
Really, a MAC address is a unique name. Now your pissing land requires people give their name. I find my name has been banned, so I make up a new name. I think it is clear I know yo don't want me there, but I give a new name to get in.
They don't have to be unique. MIT/JSTOR wouldn't have really cared about accidentally blocking people unfortunate enough to share Aaron's MAC address. And, the MAC address would have been perfectly reliable had Aaron not spoofed it.
With enough resources it's practically impossible to provide reliably unforgeable credentials without strong crypto, and strong crypto goes against the whole point of MIT's open network.
How do you kick an anonymous person off of a network? Other than blocking the MAC address, the only thing I can think of is to block non-HTTP access and redirect any HTTP requests to a page explaining what has happened with instructions for getting unblocked in case the block was due to a misunderstanding.
I find it odd to provide unlimited access to a network without any further form of authentication than just the IP address. There are enough alternatives out (e.g. Shibboleth) that could have been implemented if there were a needed for closer monitoring of access to journal databases.
I guess if he had purchased multiple laptops to circumvent the filter, the prosecutor would have argued along similar lines.
So the problem is that there is room to argue that the notion of unauthorized access exists on a network that doesn't do anything to identify or authenticate users.
Sure, but people at a mall are personally identifiable. This is more like a mall full of clones,whom you can individually address but collectively not differentiate.
They were intentionally not installing a security system at their "mall" while catering to a bunch of high risk consumers (i.e. high level of knowledge addiction, know track record of MIT "hackers", etc). Since they were having identification systems for other clients in place, one could even suggest, that they had given up restricting the access towards this specific crowd.
If you want to change the discussion to "was Aaron's crime worth 7 years in prison?" that's different. (Note: he wasn't just getting onto their network to play Nettrek. Walking into a closed store at night that happened to be unlocked to be out of the cold for a few minutes is different than doing the same thing in order to interfere with their business.)
I guess I'll need to put the "Ob: I'm not saying Aaron's crimes were worth 7 years in prison" on every comment again. Thanks.
I don't think you've really considered the practical effects of "unless someone has put in place measures to do identity and authentication of all people that enter, they don't have the rights to keep out unwanted parties."
Evading a MAC filter should be equivalent to criminal trespass (usually a misdemeanor). There isn't any such notion in the law.
So the problem I have is with the structure and application of the CFAA, not so much with people having the right to keep out unwanted parties.
I did not put it clearly above, but I specifically meant unauthorized access where the CFAA would apply (in my world view, for circumvention to be a felony, the network operator needs to have some expectation the security mechanism will effectively prevent access).
If all we were talking about was just getting onto their network, then I'd agree. Just walking into a store where I'm not allowed should be a misdemeanor. Charges could increase, possibly to the felony level, depending on what I do after I'm in the store.
If MIT were tracking down someone who kept on using the network to send out shitloads of spam, and that person kept on bypassing all of MIT's countermeasures, and that person dropped a physical box into a wiring closet at MIT, no one would be confused about this.
in my world view
I disagree with your world view, but for now we can leave it at us disagreeing.
The author has not bothered to read the indictment. Maybe he should talk with MIT's sysadmins, who were attempting to block Swartz's MAC address as he changed them when the MIT sysadmins found out about them. They were trying to block Swartz. It's their network. The author's blog post doesn't mention any of this. What the author should do is block his own access based on his MAC address, change his MAC address to get around his own block, and then blog about it. He could wear a bike helmet to conceal his identity and run away when he attempts to apprehend himself, for extra realism. Then he could think about the implications for the case, as a "security" expert.
It is their network, but does changing a MAC address to resolve, presumably, flaky network problems count as circumvention? I don't think Access was meant to imply Authentication in the naming of MAC.
If my telephone at home suddenly and inexplicably stopped working and I walked up the pay phone down the street to get another phone number, am I running the risk of legal consequences because my own phone number may have been cut off on purpose?
If he was explicitly told why his MAC addresses were being blocked, you may have a point. However, if he was explicitly talked to about what was going on, how was it able to escalate to the level it did?
I always wonder at these sort of tinfoil hat articles. It seems to me that someone who has the skills and access to the internet but does not leave much of a trace is a huge red flag for what ever the tinfoil hatter fears. A better strategy would be to boot in to your original MAC address then have a covert switch that randomizes it for doing things out of the ordinary, then returns it to normal once they are done. If you fear you are being tracked, it would be better to leave a completely normal, boring footprint that is easy to find. Normal boring Facebook page, tweets, etc. All the way down to a cache of vanilla porn on your hard drive with just a hint of kink for that ah ha moment. Then anything that goes beyond what you want that footprint to look like then moves to randomized MAC addresses, TOR networks and all the other tricks…
I once did a test on my own network to see what would happen if I assigned two computers the same MAC address (but different IP addresses). You know what happened? Nothing. Despite my best efforts (for all of 30 seconds), I couldn't see any meaningful difference in the behavior of the computers. I was expecting tons of dropped packets as my switches tried to figure out what port that address was really on, but it didn't happen.
The charges are most likely not for how he did (spoof MAC addresses), but what he did (redistribute material he obtained without permission). A crime exists if it can proved there's intention.
This argument goes towards the DMCA, as well as what is considered under the CFAA..
"Intentionally accessing a computer without authorization to obtain: ....Information from any protected computer."
What does 'without authorization' mean, and what does 'protected' mean?
Does without authorization mean you violate a click-through license? Or is there some nebulous authentication chit you are handed? Is it a felony to fake your name on a website demanding your name?
And with that keyword 'protected', how do we know it is indeed protected? What steps one must take to protect, and what steps one must go through to understand that it is indeed protected computer/data?
In other words, we are all felons-on-standby. The laws are so vague as to entrap all by default.
The problem, of course, is that in the original law it actually said "federal interest computer" instead and was targeted primarily at computers used by financial institutions and the U.S. Government (which you still see in subsection (A)), but has since been amended to include computers "used in or affecting interstate or foreign commerce or communication" which is a term of art that means anything within the power of Congress to regulate under the interstate commerce clause, which I'm led to understand means pretty much everything now. So that's even worse then: Sorry you thought it was vague and might have been able to argue your way out of it, I hope you enjoy your cell.
I really am astonished at how bad this law is. "Without authorization" is undefined and so overly broad that it seems to capture just about anything and then the penalties are preposterous even for the smallest of violations. We really need to fix this.
>Is it a felony to fake your name on a website demanding your name? //
It would be a breach of contract if the website specified your "legal name" and that is defined in your jurisdiction. If you then used that access to acquire goods/services/property that you wouldn't otherwise get possession of then that would be acquiring by deception and most likely be breach of IP laws.
You can carry a concealed handgun and shoot it at a shooting range, but if you murder someone with it - you will not only be charged with murder, but also with unlawful use of a handgun. This is common sense stuff here people sheesh.
I'm really sick of these sensational posts/comments showing up on HN. I know, I'm not supposed to complain about quality of posts or comments but the past week has really changed my view on the current state of HN. Witch hunts, sensational stories, jumping to conclusions, hating the law/government, etc. Let's go back to technical news.