 NYLS Cybercrime.AdvancedStudies.Org

 

UNIT 02:
Computer Intrusions and Attacks

Cybercrime, Cyberterrorism, and Digital Law Enforcement
NYLS CRI150 SPRING 2009
Professor K. A. Taipale (bio) (contact)


Registered Students login to NYLS Portal for updated Course Information and Reading Assignments.



UNIT 02:
Computer Intrusions and Attacks (Unauthorized Access)

PONDERABLES:

What is "computer trespass"? Compare "unauthorized access" with "exceeding scope of authorized access." Explore the relationship between acceptable use policies ("AUP"), terms of service ("TOS"), and criminal law. What are the limits of a "computer crime"? Understand self-help strategies, honeypots, and strike-back mechanisms. When does use of a publicly-accessible system amount to an intrusion or attack? When does denying service by overwhelming system resources ("DoS" and "DDoS")?

 

REQUIRED READING:

CASEBOOK: David J. Loundy, COMPUTER CRIME, INFORMATION WARFARE, AND ECONOMIC ESPIONAGE, Carolina Academic Press (2003) (ISBN:0890891109):

Chapter 2, Computer Intrusions and Attack, pp. 9-53 (CA v. Lawton ["hardware" v. "software"]; WA v. Olson [authorization not conditioned on AUP]; NM v. Rowell [is use of modern phone system to commit fraud a "computer crime"?]; NY v. Versaggi ["alter program" v. "alter function"]; NY v. Angeles [locks]; Ebay v. Bidder's Edge [exceed conditional access]).

US Department of Justice, CCIPS, Federal Computer Intrusion Laws.

National Conference of State Legislatures, State Computer Hacking and Unauthorized Access Laws

 

FEDERAL STATUTES:

18 U.S.C. § 1029. Fraud and related activity in connection with access devices.

COMPUTER FRAUD AND ABUSE ACT
18 U.S.C. § 1030. Fraud and related activity in connection with computers.

CAN-SPAM ACT
18 U.S.C. § 1037. Fraud and related activity in connection with electronic mail.

 

PROPOSED AMENDMENTS TO COMPUTER FRAUD AND ABUSE ACT (10/22/2007):

Cyber-Crime Act of 2007 (S. 2213) (THOMAS) (Would amend Sec. 1030 to add "conspiracy"; change damage threshold from $5,000 to "damage affecting 10 or more protected computers during any one-year period"; and add "cyber extortion").

 

STATE LAWS:

National Conference of State Legislatures, State Computer Hacking and Unauthorized Access Laws 

 

ADDITIONAL READING:

Hacking:

"Romanian man indicted for hacking into U.S. government computers," Associated Press (Dec. 1, 2006) ("A Romanian man has been indicted on charges of hacking into more than 150 U.S. government computers, causing disruptions that cost NASA, the Energy Department and the Navy nearly $1.5 million (euro1.1 million). ... The U.S. government alleged Faur was the leader of a hacking group called ''WhiteHat Team,'' whose main goal was to break into U.S. government computers because they are some of the securest machines in the world. ... After the hacking, scientists and engineers had to manually communicate with spacecraft and the computer systems had to be rebuilt.")

 

Hacking for Grades:

Gregg Keizer, "Grand Jury Indicts Former Students in Grades-For-Cash Hack," PC World (Nov. 5, 2007) ("Two former Fresno State students were charged ... with hacking into the university's computer network as part of a grade-changing scheme. [They were charged] with multiple counts of conspiracy, wire fraud, identity theft and unauthorized computer access [and] face up to 20 years in prison and fines of up to US$250,000 if convicted.")

Angeline J. Taylor, "Grade-tampering probes rare for federal investigators here," Tallahassee Democrat (Nov. 29, 2007) ("The U.S. Attorney's Office considers the grade-tampering case at Florida A&M University an investigation that could involve computer hacking, spokesman Alan Sprowls said. That's what's elevated it to a federal case.")

 

Hacking for harassment ("swatting"):

Robert McMillan, "Couple Swarmed by SWAT Team After 911 'Hack'," PC World (Oct. 17, 2007).

Kevin Poulsen, "Guilty Plea: Phone Phreaks Use Caller-ID Spoofing to Get Foes Raided By SWAT," WIRED (Nov. 15, 2007)

"Computer Intrusions, Swatters Plead Guilty," Tech News (Dec. 10, 2007) ("Swatting refers to falsely reporting an emergency to a police department to cause a Special Weapons and Tactics (SWAT) response to a physical address, or making a false report to elicit an emergency response by other first responders to a specific physical address").

 

Hacking for Harassment (is this hacking, online fraud, or using a false identity?):

Betsy Taylor, "Missouri prosecutor: Law doesn't allow for charges in MySpace teen suicide case," Associated Press, Dec. 3, 2007

Scott Glover and P.J. Huffstutter, "L.A. grand jury issues subpoenas in Web suicide case." LA Times, Jan. 9 2008 ("A federal grand jury ... has begun issuing subpoenas in the case of a Missouri teenager who hanged herself after being rejected by the person she thought was a 16-year-old boy she met on MySpace. ... The case set off a national furor when it was revealed that the "boyfriend" was really a neighbor who was the mother of one of the girl's former friends. Local and federal authorities in Missouri looked into the circumstances ... [b]ut after months of investigation, no charges were filed against [the neighbor] for her alleged role in the hoax. Prosecutors in Missouri said they were unable to find a statute under which to pursue a criminal case. Prosecutors in the U.S. attorney's office in Los Angeles [where MySpace is HQed], however, are exploring the possibility of charging [her] with defrauding the MySpace social networking website by allegedly creating the false account ... prosecutors are looking at federal wire fraud and cyber fraud statutes as they consider the case.")

Betsy Taylor, "Task force drafts online harassment law," Associated Press (Jan. 08, 2008) ("Adults who use the Internet or other media to harass children could be charged with a felony if Missouri lawmakers agree with a proposal made today by a special state task force.")

Linda Deutsch, "Woman indicted in Missouri MySpace suicide case," Washington Post (May 15, 2008) ("Lori Drew, 49, of suburban St. Louis, who allegedly helped create a MySpace account in the name of someone who didn't exist to convince Megan Meier she was chatting with a 16-year-old boy named Josh Evans, was charged with conspiracy and fraudulently gaining access to someone else's computer.")

Anick Jesdanun, "Routine Web conduct at risk due to MySpace suicide case," USA Today (May 17, 2008) ("Federal prosecutors turned to a novel interpretation of computer hacking law to indict a Missouri mother on charges connected to the suicide of a 13-year-old MySpace user. Prosecutors alleged that by helping create a MySpace account in the name of someone who didn't exist, Lori Drew, 49, violated the News Corp.-owned site's terms of service and thus illegally accessed protected computers.")

"Woman pleads not guilty in MySpace suicide case," CNN.com (Jun. 16, 2008) ("A Missouri woman has pleaded not guilty in Los Angeles federal court to charges in an Internet hoax blamed for a 13-year-old girl's suicide. ... She pleaded not guilty to charges of conspiracy and accessing protected computers without authorization to get information used to inflict emotional distress.")

JENNIFER STEINHAUER, "Verdict in MySpace Suicide Case," N.Y. Times (Nov. 26, 2008) ("A federal jury here issued what legal experts said was the country’s first cyberbullying verdict Wednesday, convicting a Missouri woman of three misdemeanor charges of computer fraud for her involvement in creating a phony account on MySpace to trick a teenager, who later committed suicide.")

GREG RISLING, "LA judge hears bid to dismiss MySpace conviction," AP (Jan. 8, 2009) ("An attorney for a woman convicted in a MySpace hoax directed at a teen who ended up committing suicide asked a judge to dismiss her convictions Thursday, saying a computer-fraud law was improperly used to prosecute her.")

 

Malicious Hacking:

Jordan Robertson, "Hackers attack epilepsy forum," USA Today (May 7, 2008) ("But in a rare example of an attack apparently motivated by malice rather than money, hackers recently bombarded the Epilepsy Foundation's website with hundreds of pictures and links to pages with rapidly flashing images.")

 

Vandalism:

"Comcast.net site is hacked briefly," Associated Press (May 29, 2008).

Kevin Poulsen, "Comcast Hijackers Say They Warned the Company First," WIRED (May 29, 2008) (interview with the hackers).

David Kravets, "FBI Agents Hunt for Comcast Hijackers," WIRED (May 30, 2008).

 

URL hacking:

Philip Greenspun's Weblog: "Business schools redefine hacking to 'stuff that a 7-year-old could do'" (Mar. 8, 2005).

Lisa Trei, "Business school hopefuls who tried to gain access to application files rejected," Stanford Report (Apr. 13, 2005).

Michele Dellio, "Rooting Around Site With Intent?" WIRED News (Oct. 30, 2002).

Here is how the Reuters/Intentia "hack" was done. [LINK]

Declan McCullagh, "Rival behind Schwarzenegger Web flap," CNET News.com (Sep. 12, 2006).

 

WiFi Mooching:

Eric Bangeman, "Florida man charged with felony for wardriving," Ars Technica (Jul. 7, 2005).

"Man Arrested for Hopping on to Home Wi-Fi Network," Networked World (Jul. 8, 2005).

Declan McCullagh, "FAQ: Wi-Fi Mooching and the Law," CNET News.com (Jul. 8, 2005).

Eric Bangeman, "Illinois WiFi freeloader fined US$250," Ars Technica (Mar. 23, 2006).

Peter Griffiths, "Two cautioned over wireless 'piggy-backing'," Reuters (Apr. 18, 2007) ("Two people have been arrested and cautioned for using someone else's wireless Internet connection without permission, known as "piggy-backing", British police said on Wednesday.")

See also, "Open Wireless Defense", below.

 

DoS/DDoS:

Caroline McCarthy, "Florida man charged in botnet attack on Akamai," N.Y. Times (Oct. 24, 2006).

Tom Espiner, "U.K. outlaws denial-of-service attacks," CNET News (Nov. 10, 2006).

DOI (denial of insight):

Clint Boulton, "Denial-of-Insight Lurks For Search Engines, Users," Internet News (Nov. 10, 2006).

 

 

Hacking/Extortion:

Sharon Gaudin, "Man Sentenced to 110 Years for Hacking and Extortion," NY Times (Dec. , 2007) ("A ... man last week was sentenced to 110 years in prison after admitting that he ... hacked into computers used by young girls and used illicitly gained data to blackmail them.")

Evan Ratliff, "The Zombie Hunters," The New Yorker (Oct. 10, 2005).

 

Hacking/Blackmail:

Kevin Poulsen, "Fed Blotter: Alleged Hacker Charged in Sex Video Blackmail Attempt," Wired Blog (Dec. 19, 2008) ("A Kentucky college student faces federal extortion charges for allegedly attempting to blackmail a female student with a stolen sex video of her and her boyfriend.")

 

Trends (see also Trends in section III, below):

Symantec's "Cybercrime Trends in 2008".

ZDnet, "Top Security Concerns 2009: The Trends to Watch" Posted Dec. 24, 2008.

Matthew Harwood, "Cybercrime Trends Will Worsen in 2009, According to Forecasts," Security Management (Dec. 10, 2008)

Andy Patrizio, "Cyber Crime Grows More Dangerous And Sophisticated," InternetNews.com (Nov. 29, 2007)

Tom Espiner, "Cracking open the cybercrime economy," ZDnet.co.uk (Dec. 14, 2007) ("There seems to be some serious evidence then for the idea of an evolution from hacking and virus writing for fun to creating malicious code for profit. Security experts are increasingly pointing to the existence of a "black" or "shadow" cyber-economy, where malware services are sold online using the same kinds of development methods and guarantees given by legitimate software vendors.").

 

OPTIONAL READING:

Orin S. Kerr, Cybercrime's Scope: Interpreting 'Access' and 'Authorization' in Computer Misuse Statutes, 78 N.Y.U. L. Rev. 1596 (Nov. 2003).

 





 

Course Outline/Class Units

Registered NYLS students login to my.nyls.edu for updated outline and assignments.

  1. Overview, What is Cybercrime?
  2. Computer Intrusions and Attacks (Unauthorized Access)
  3. Computer Viruses, Time Bombs, Trojans, Malicious Code (Malware)
  4. Online Fraud and Identity Theft; Intellectual Property Theft; Virtual Crime
  5. Online Vice: Gambling; Pornography; Child Exploitation
  6. International Aspects and Jurisdiction
  7. Infrastructure and Information Security; Risk Management
  8. Investigating Cybercrime: Digital Evidence and Computer Forensics
  9. Interception, Search and Seizure, and Surveillance
  10. Information Warfare, Cyberterrorism, and Hacktivism
  11. Terrorism, Radicalization, and The War of Ideas
  12. Trade Secret Theft and Economic Espionage
  13. National Security
  14. Case Study: CALEA, VoIP

Course Information

  1. PAPER RESEARCH
  2. USEFUL LINKS FOR DEFINING TECHNICAL TERMS
  3. COURSE SUBTEXT AND OPTIONAL BACKGROUND MATERIAL

 




All original material on this or any linked page is copyright the Center for Advanced Studies in Science and Technology Policy © 2003-2009. Permission is granted to reproduce this material in whole or in part for non-commercial purposes, provided it is with proper citation and attribution.

 
