[nfais-l] NFAIS Enotes, 2013, No 2, Hacking, Cracking and Working Well With Others

jilloneill at nfais.org
Fri Jun 14 12:41:29 EDT 2013


NFAIS Enotes, 2013, No. 2
Hacking, Cracking and Working Well With Others.
Written and compiled by Jill O’Neill
 
By now, most are familiar with the basics of the Aaron Swartz case. In July of 2011, the young man was charged with breaking into a computer-wiring closet on the campus of MIT with the added infringement of downloading something in excess of 4 million documents from the for-fee information service, JSTOR. Swartz was an ardent supporter of open access and an incredibly gifted individual in the field of computer science. He had an instrumental influence on the development of RSS as well as creating his own software, Infogami, an achievement that would subsequently make him into a millionaire at a very early age as well as granting him the status of being a Fellow at one of Harvard University’s research centers. Over the course of four months, according to press accounts, Swartz successfully downloaded approximately two-thirds of the JSTOR database before MIT and the Department of Justice finally brought a close to the infringing activities. While JSTOR declined to press charges, MIT refused (or was persuaded by federal prosecutors to refuse) to drop the case against Swartz. Swartz was indicted and was (until January 2013) under threat of imprisonment for his actions; additional contributing factors led him to commit suicide. (For a specific timeline of events, see this New York Times article, updated as of January 23, 2013: http://www.nytimes.com/2013/01/21/technology/how-mit-ensnared-a-hacker-bucking-a-freewheeling-culture.html)
 
Because of the caliber of students attracted to MIT – academically gifted, technically oriented, creative minds – the university has an extraordinarily open policy for access to its network, described by forensics and security expert Alex Stamos as “open, unmonitored, and unrestricted”. By minimizing challenges to access, the theory goes, MIT students are presented with no temptation to match or circumvent the institutional protections that are, of necessity, in place. Hacking antics are kept in check. It is important to note that Aaron Swartz’s access to the MIT network was accomplished through a variety of means for circumventing MIT’s protective measures, but not through any direct breach of those measures. He spoofed MIT’s network for the purpose of being allowed to access JSTOR and download articles, but did not exert his energies in any extensive hack inside the institution’s network. (http://unhandled.com/2013/01/12/the-truth-about-aaron-swartzs-crime/)
 
It is important here to differentiate between the words “hacking” and “cracking”, as various communities define the terms differently. Both terms apply to individuals who are proficient or expert in their understanding of computer networks and systems as well as the programming and fundamental coding that are the bricks in the architecture of both. The nuance of difference lies in the ethics of how that knowledge is applied. Hackers (in the tech community’s sense of the word) are interested in enhancing the efficiency of systems when they explore protected or internal networks. In that world view, hackers may be seen as a positive and potentially creative force in improving our digital environments. Many hackers claim that their activities are benign in that they seek out vulnerabilities in existing systems in order to notify and support network administrators in maintaining a desirable level of protection around sensitive electronic information. Conversely, crackers are the “black hats” whose equally expert incursions into systems are for unmistakably illegal purposes, whether theft, vandalism or destruction. (See author and former MIT graduate and researcher Richard Stallman’s explanation at http://stallman.org/articles/on-hacking.html. You might also read this opinion piece in the New York Times by Professor Peter Ludlow, http://opinionator.blogs.nytimes.com/2013/01/13/what-is-a-hacktivist/, although Catherine Frederick at http://3dblogger.typepad.com/wired_state/2013/01/why-alex-stamos-is-completely-wrong-about-aaron-swartz.html isn’t buying any of the argument.)
 
For many techies, what Aaron Swartz did would not be considered hacking at all, because he did not “break into” any meaningfully protected networked environment. He signed on as a guest to MIT’s network and ran an automated Python script against the JSTOR database in order to download material at a rate which constituted a violation of institutional terms of use. He saw and exploited a technical option in achieving his end. That said, according to the definitions currently in use by the U.S. legal community, any unauthorized incursion into a computer system is considered to be a form of trespass and is therefore illegal under the Computer Fraud and Abuse Act (CFAA).
 
The technical community views the CFAA as an outdated and poorly crafted piece of legislation. They point to its application to cases such as that of Andrew “Weev” Auernheimer as an example of how the legislation may be used inappropriately to protect careless corporate behavior. In that instance, Auernheimer discovered a public AT&T web server that held unique device serial numbers and the email addresses of the owners of those devices. The server was there to enable a rapid log-on to the AT&T network for users of iPads with connectivity through the telecommunications giant. Auernheimer merely happened upon a public URL, recognized it as such and released the information to a media outlet in order to embarrass AT&T in the interest of prompting better protection for its customers. Auernheimer didn’t “hack” in any sense of the word that the technical community would accept, but he was convicted under the CFAA in the hope that his conviction would send a message to the hacking and security community that any similar trespass or unauthorized use of a publicly accessible web server would be grounds for conviction. Similar cases being prosecuted under the CFAA, but with decidedly differing specifics, are those of Barrett Brown and Matthew Keys, both of whom are currently accused of aiding the denial-of-service attacks of the activist group Anonymous. The case against Lori Drew (an instance of cyberbullying on MySpace which led to a young person’s suicide) was another instance of applying the CFAA to activities unrelated to hacking. For the record, it appears that in none of these cases was financial profit a motive.
 
Andrew “Weev” Auernheimer: https://www.eff.org/cases/us-v-auernheimer (See also: http://www.theverge.com/2013/1/18/3888528/after-aaron-swartz-how-antiquated-computer-laws-enable-the)
 
Barrett Brown: http://www.guardian.co.uk/commentisfree/2013/mar/21/barrett-brown-persecution-anonymous
 
Matthew Keys: http://readwrite.com/2013/03/14/reuters-social-editor-indicted-anonymous-internet-jaw-drops
 
Lori Drew: http://latimesblogs.latimes.com/lanow/2009/07/myspace-sentencing.html/
 
Actual lawyers trace problems with the legislation to what may be an overly vague definition of authorized access. The language leaves open the possibility of abuse by owners of computers in controlling every use made of their systems and networks. (http://www.infoworld.com/t/federal-regulations/cfaa-where-the-computer-security-law-broken-216104)
 
As noted in CNET’s article from this past March, the CFAA was intended “to lock up, for a very long time, extremely destructive hackers who might try to disrupt the banking system or tunnel into the U.S. military's classified mainframes”. (http://news.cnet.com/8301-13578_3-57573985-38/from-wargames-to-aaron-swartz-how-u.s-anti-hacking-law-went-astray/) The same article also notes the incremental expansion of the CFAA over the years since 1984, due in part to a rewording of the legislation in 1996 which extended protection to more than the “federal interest computers” that were the original concern. At least in part, these expansions over time have been due to a heightened fear of cyber-attacks from crackers, both at home and abroad. (http://news.cnet.com/8301-1009_3-57573902-83/intelligence-chief-offers-dire-warning-on-cyberattacks/) Some media coverage suggests that the Department of Justice prefers the current vagueness of the CFAA wording because it more easily enables prosecution of undesirable behaviors until such time as the social norms controlling behavior in an online environment become more fixed in the public mind. However, legal experts such as Orin S. Kerr, law professor at George Washington University, have testified before Congress of the need for reform in the hope of containing some of the more egregious prosecutorial abuses. (For more detail on just how, see Kerr’s written testimony at http://www.volokh.com/wp-content/uploads/2013/03/KerrCFAATestimony2013.pdf)
 
You have to go to the computing security industry itself to find even the mildest commentary against the idea of CFAA reform: http://www.scmagazine.com/the-great-divide-reforming-the-cfaa/article/288844/. But even in that context, the key quote is one from the banking lobby spokesperson who said simply, “We would prefer that it would stay the way the law is written now.” As long as the financial industry believes that an un-amended CFAA is in its own best interest, the likelihood of change is limited.
 
All the more reason, then, to focus on a particular paragraph in the court papers filed at the end of March by MIT, requesting that it be allowed to control the release of its internal documents on the handling of the Swartz matter rather than yield to the request of Aaron’s family that such documents be released publicly and immediately. MIT has promised to release the documents once its own internal investigation of the Swartz matter has been closed and the identifying names of employees and other sensitive information have been redacted. (See http://tech.mit.edu/V133/N15/swartz.html) Current coverage indicates that the report on that investigation is due in June of this year.
 
In the court filings the following paragraph appeared, “The MIT documents …contain candid and confidential discussions of MIT’s computer networks, including possible weak spots in and modifications to be made to the security of those systems. In light of the series of intrusions that have occurred in express retaliation for MIT’s perceived connection to Mr. Swartz’s death, MIT is concerned that the dissemination of these documents will provide a road map for future, and perhaps more serious, attacks on its networks.” The judge subsequently ruled in favor of MIT’s position. 
 
From within our own industry, technologist Eric Hellman wrote about why MIT administrators would have been so concerned about the presence of an unknown agent on their network. “There's nothing worse than having a hidden agent on your computer or on your network. Because even if it's not going anywhere it's not allowed to go, if you don't know where it is or what it's doing, you suspect the worst. You start doubting everything, and everyone, and you can lose your sanity.” (http://go-to-hellman.blogspot.com/2013/01/the-four-crimes-of-aaron-swartz.html)
 
In an age where $45 million bank heists can occur across two dozen countries and where governments routinely infiltrate the computer systems of other nations, it’s hard to claim that protection isn’t both vital and prudent. But it also suggests that the most serious questions of the day have still not been adequately answered when it comes to the daily practices of a digital society. What constitutes authorized access? If a site is openly accessible on the Web and unsecured against intrusion, should unauthorized presence on that site be deemed trespass? If a creative mind comes up with a use for content – one that you as a provider had never thought of – is that by definition an unauthorized use? What limits exist on tracking user presence and user behavior? While it may seem preposterous on some levels, these are questions that provoke emotional responses.
 
Managing the legal and financial obligations of licensed content while not criminalizing users who are frequently expert in manipulating technology in unforeseen ways is just as complex as it sounds. This is scary stuff and there are no simple answers emerging. We may organize our online behaviors through contracts and terms of use, but there are always times – as Dickens noted in Oliver Twist – when the law is an ass. JSTOR and MIT deserve some credit for their handling of the challenges posed by the Swartz case, but it won’t be the last time the information community will have to deal with such activities. NFAIS members will want to find a way of working well with all the various constituencies that make up our networked society.
 
2013 NFAIS Supporters
 
Access Innovations, Inc.
 
Accessible Archives, Inc.
 
American Psychological Association/PsycINFO
 
American Theological Library Association
 
Annual Reviews
 
CAS
 
CrossRef
 
Data Conversion Laboratory, Inc.
 
Defense Technical Information Center
 
Getty Research Institute
 
The H. W. Wilson Foundation
 
Information Today, Inc.
 
IFIS
 
Modern Language Association
 
OCLC
 
Philosopher’s Information Center
 
ProQuest
 
RSuite CMS
 
Scope e-Knowledge Center
 
TEMIS, Inc.
 
Thomson Reuters IP & Science
 
Thomson Reuters IP Solutions
 
Unlimited Priorities LLC
 
 
********************************