[conspire] Post Mortum legal explosion

Rick Moen rick at linuxmafia.com
Wed Jan 23 21:49:16 PST 2013

Quoting Paul Zander (paulz at ieee.org):

> What I meant to add was that here is another example of the
> prosecutors and the news media making the strongest possible charges.  
> It's just the way they do things.  

It is, but that's also an order of magnitude more true for Federal than
for state prosecutions.

A few comments about the Gozi Trojan before we move on.  Like other
MS-Windows malware, practically all you read about in the antimalware /
computer-security industry's captive press coverage is stuff about what
the trojan does after it's somehow executed (what I call
'aftereffects'), which is actually entirely _uninteresting_.  FWIW, it
does a bunch of screwing around under the user's authority and does not
aspire to escalate privilege (e.g., to Administrator authority).  And it
hides itself, tra la.  (If you want to read articles about the
aftereffects, here's at least a good one, by Brian Krebs:
http://krebsonsecurity.com/2013/01/three-men-charged-in-connection-with-gozi-trojan/ )

The interesting bit is what they almost never discuss, which is HOW DOES
IT GET RUN.  As always, I had to plow through dozens of pages of
basically meaningless rubbish about aftereffects, finally my bleary eyes
spotting a briefly meaningful passage:

   The Trojan horse takes advantage of a previously fixed vulnerability
   in the iFrame tags of Microsoft Corp.'s Internet Explorer to infect
It'll shock nobody to hear that, gosh, MSIE has fatal bugs.  Again.
Still.  The <iframe></iframe> tag pair is a nasty bit of business in
HTML 4.01 and above to embed one HTML document (or site) inside another, 
and MSIE 6/7/8's treatment of same has been known defective for a few
years:  http://www.kb.cert.org/vuls/id/516627

My point about execution vs. aftereffects is that the fruitful and
systematic approach to undesirable code of all kinds (including
'malware') is to take systematic steps to simply avoid running it.
(Eschewing MSIE helps.  Eschewing MS-Windows helps more.)  Once you have
done a good job setting about avoiding running undesirable code, you can
ignore almost everything produced by the computer-security industry and
literally everything produced by the antimalware industry -- which may
be one reason they talk incessantly about aftereffects and almost never
about what causes execution.

The story you quoted
tells a slightly different (but vague) tale:

  The malware installed itself on computers after users clicked on an
  apparently benign PDF file embedded in an e-mail

How, you might ask, does opening a PDF file run anything?  Good
question.  It shouldn't.  The antimalware industry's discussion of that
particular is more than typically useless, e.g.:
PDF attachments opened, and a trojan gets run.  How?  Magic.  (Idiots.)

If you follow links, you _eventually_ get to details:  

  Unspecified vulnerability in Adobe Acrobat and Reader 8.1 on Windows
  allows remote attackers to execute arbitrary code via a crafted PDF
  file, related to the mailto: option and Internet Explorer 7 on Windows
  XP. NOTE: this information is based upon a vague pre-advisory by a
  reliable researcher.

So, what's up with Adobe Acrobat [Reader] software?  In short, it's
buggy overfeatured rubbish that should not in a million years be
permitted to handle files off the Internet.  And that most certainly
includes Adobe Acrobat for Linux.  Which is why, thank God, we have 
better open-source alternatives such as Evince, Okular, xpdf, and so on.

By 'overfeatured' I mean without prejudice to other defects the fact
that Adobe Acrobat includes a whole friggin' Javascript engine.  I mean,
just imagine the opportunity for mischief.  As Marcus Ranum frequently
observes, some patterns of software defects don't indicate a need to
patch but rather to remove and avoid.

So:  Opening a PDF file does _not_ run any program if you are using a
reasonable and modestly designed PDF viewer program.  You are at risk
only with Adobe bloat-and-bugware.

Getting back to the Feds (in particular) throwing the book at people:  
They've been doing that for a very, very long time.  Part of the reason
is that once the Feds have picked one of the relative few cases they 
can budget time and money on, they go for the throat and intimidate the
accused, seeking to motivate a deal.  This was the story with Swartz,
who refused to accept a 4-month jail sentence and felony conviction, so
the case proceeded and the prosecutor piled on as much pressure as she

Which brings me to Orin Kerr's Part 2: Prosecutorial Discretion, which
he posted very late on January 16th.

   I'm going to break down the question into four different issues:
   First, was any criminal punishment appropriate in the case? Second, if
   so, how much criminal punishment was appropriate? Third, who is to blame
   if the punishment was excessive and the government's tactics were
   overzealous? And fourth, does the Swartz case show the need to amend the
   Computer Fraud and Abuse Act, and if so, how?

I'll have to skip very large amounts of analysis, as it's a very long
piece.  Kerr points out something up-top that was much on my mind, too:

   ..._Some_ kind of criminal punishment was appropriate in this case. 
   Swartz had announced his commitment to violating the law as a moral 
   imperative in order to effectively nullify existing federal laws 
   on access to information. 

Indeed.  There's a long and honourable tradition of opposing bad laws by
deliberately breaking them.  The price it comes with is that you expect
to get tried and then fined or imprisoned.  You hope that you and other
protestors will get people's attention and motivate them to say 'Hey, 
this whole situation is totally unjust, that bad law needs to change,
and these people need to be pardoned or their convictions vacated.'
But the latter bit's a calculated risk with (often) long odds, so 
you usually expect to spend jail time.

Would I have wanted Aaron Swartz to spend time in jail?  No.  But that's
pretty much the law.  _Multiple_ laws, not just CFAA.  And no, I don't
buy the notion that Swartz was in compliance with his access rights
under contract.  (Pull the other one.)

But why was Swartz so special that it's utterly outrageous that he would
be convicted and sent to jail?

Another _very_ telling point:

  What's unusual about the Swartz case is that it involved a highly
  charismatic defendant with very powerful friends in a position to object
  to these common practices. That's not to excuse what happened, but
  rather to direct the energy that is angry about what happened. If you
  want to end these tactics, don't just complain about the Swartz
  case. Don't just complain when the defendant happens to be a
  brilliant guy who went to Stanford and hangs out with Larry Lessig.
  Instead, complain that this is business as usual in federal criminal
  cases around the country -- mostly with defendants who no one has
  ever heard of and who get locked up for years without anyone else much
(Kerr agrees with the Ninth Circuit that 'unauthorized access' is
problematically defined in the CFAA.  If you want details, read what he

Kerr's opinion about the basic problem:

   Felony liability under the statute is triggered much too easily. The
   law needs to draw a distinction between low-level crimes and more
   serious crimes, and current law does so poorly. I would recommend two
   changes. First, the felony enhancements for 1030(a)(2) are much too
   broad. I would significantly narrow them. Second, I would repeal
   1030(a)(4), which is redundant as it is only a combination of 1030(a)(2)
   and the wire fraud statute, 18 U.S.C. 1343. It therefore only leads to
   extra and redundant charges to confuse juries, and is better off

In other words, the law is broken and needs to be changed.  As I said.

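As an added example (not part of the post above, and not Adobe's or anyone's shipping code), here is a defender-side check that applies the post's point about Acrobat's embedded JavaScript engine: a PDF that asks the viewer to execute something on open is flagged for quarantine rather than opened. It works on the raw bytes and also undoes the `#xx` name escaping that hides `/JavaScript` from naive grep checks; the sample PDFs are constructed inline.

```python
import re

# PDF name objects whose presence means "execute something when this
# document is opened": /JavaScript and /JS are Acrobat's embedded-JS
# hooks, /OpenAction and /AA (additional actions) trigger them
# automatically, /Launch runs an external program.  A plain PDF viewer
# needs none of these, so a mail gateway can simply refuse them.
ACTIVE_NAMES = frozenset({"JavaScript", "JS", "OpenAction", "AA", "Launch"})

def decode_pdf_name(raw: bytes) -> str:
    """Undo PDF '#xx' hex escapes inside a name, e.g. b'J#61vaScript'
    -> 'JavaScript'.  Escaping names this way is a common trick for
    slipping past scanners that only look for the literal string."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")

def find_active_content(pdf: bytes) -> dict:
    """Return {decoded_name: occurrence_count} for every active-content
    name in the file.  Caveat (noted as an assumption of this example):
    names inside compressed object streams (/ObjStm + /FlateDecode) are
    not visible here; a full parser would have to inflate them first."""
    hits = {}
    for match in re.finditer(rb"/([A-Za-z0-9#]+)", pdf):
        name = decode_pdf_name(match.group(1))
        if name in ACTIVE_NAMES:
            hits[name] = hits.get(name, 0) + 1
    return hits

def should_quarantine(pdf: bytes) -> bool:
    """Policy from the post: a PDF that can run code is not opened, full stop."""
    return bool(find_active_content(pdf))

# Constructed sample inputs (not real malware): one plain document and one
# whose catalog fires an obfuscated JavaScript action on open.
BENIGN_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n")
ACTIVE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
              b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n")

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("active", ACTIVE_PDF)):
        print(label, "quarantine" if should_quarantine(doc) else "ok",
              find_active_content(doc))
```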