Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Government Bug Privacy Technology

Maryland Bill Would Outlaw Ransomware, Keep Researchers From Reporting Bugs (arstechnica.com) 85

A proposed law introduced in Maryland's state senate last week would criminalize the possession of ransomware and other criminal activities with a computer. However, CEO of Luta Security Katie Moussouris warns that the current bill "would prohibit vulnerability disclosure unless the specific systems or data accessed by the helpful security researcher were explicitly authorized ahead of time and would prohibit public disclosure if the reports were ignored." Ars Technica reports: The bill, Senate Bill 3, covers a lot of ground already covered by U.S. Federal law. But it classifies the mere possession of ransomware as a misdemeanor punishable by up to 10 years of imprisonment and a fine of up to $10,000. The bill also states (in all capital letters in the draft) that "THIS PARAGRAPH DOES NOT APPLY TO THE USE OF RANSOMWARE FOR RESEARCH PURPOSES."

Additionally, the bill would outlaw unauthorized intentional access or attempts to access "all or part of a computer network, computer control language, computer, computer software, computer system, computer service, or computer database; or copy, attempt to copy, possess, or attempt to possess the contents of all or part of a computer database accessed." It also would criminalize under Maryland law any act intended to "cause the malfunction or interrupt the operation of all or any part" of a network, the computers on it, or their software and data, or "possess, identify, or attempt to identify a valid access code; or publicize or distribute a valid access code to an unauthorized person." There are no research exclusions in the bill for these provisions.
"While access or attempted access would be a misdemeanor (punishable by a fine of $1,000, three years of imprisonment, or both), breaching databases would be a felony if damages were determined to be greater than $10,000 -- punishable by a sentence of up to 10 years, a fine of $10,000, or both," the report adds. "The punishments go up if systems belonging to the state government, electric and gas utilities, or public utilities are involved, with up to 10 years of imprisonment and a $25,000 fine if more than $50,000 in damage is done."
This discussion has been archived. No new comments can be posted.

Maryland Bill Would Outlaw Ransomware, Keep Researchers From Reporting Bugs

Comments Filter:
  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Monday January 27, 2020 @08:29PM (#59662906)
    Comment removed based on user account deletion
    • They will invoke national security.

      • by voss ( 52565 )

        Its a state law. If it were federal law you might have a point.

        • by cob666 ( 656740 )

          Federal law trumps state law and states can't enact laws that violate the constitution. Well, they can try, but anyone convicted can appeal to a higher court on the grounds that the law is unconstitutional:

          https://law.justia.com/constitution/us/state-laws-held-unconstitutional.html

          • by voss ( 52565 )

            I was pointing out state laws do not invoke "national security" . Im well aware of federal pre-emption.

    • I am certainly not a lawyer, but prevention of speaking about something is a law that can be crafted... like that "shouting fire in a theater" only in the case we are talking about is software validation. maybe the government does not want validation of the facts to be public.

      • by rtb61 ( 674572 )

        Ahh, the USA where it is legal to carry a concealed pistol specifically designed to kill people, loaded and ready to fire but oh no a string of code, a bunch of algorithms that can not ever injure anyone, that's illegal, why does these feel like laws written by Luddites. Ohh Ahh that's smart people stuff, we don't understand it, lets make it illegal.

        If it does not need to be, absolutely need to be connected to the fucking internet, then do not fucking connect it to the internet. Run separate computer netwo

        • Ahh, the USA where it is legal to carry a concealed pistol specifically designed to kill people, loaded and ready to fire but oh no a string of code, a bunch of algorithms that can not ever injure anyone, that's illegal, why does these feel like laws written by Luddites. Ohh Ahh that's smart people stuff, we don't understand it, lets make it illegal.

          Please cite the specific law which makes a string of code or algorithms illegal, and please be *specific*.

          You can't be referring to this article, because
          • Look up the history of export restrictions on cryptography. Criminal investigations were opened against the authors of PGP [wikipedia.org] because it contained strong cryptography algorithms. Very likely first amendment considerations could have won against this, however it never came to court and the export control laws are still on the book in the US.
            • hmm, I kinda got a feeling that someone printed a hacking code on his shirt and was brought into court with a copyright violation. can't recall it, but I think he go off.

            • by anegg ( 1390659 )
              If I recall correctly, the code for asymmetric cryptography as used in Pretty Good Privacy (PGP) was put into hardcopy book form, published, and ultimately exported without anyone going to jail. Those who are interested in restrictions on free speech in the US should pay careful attention to US export controls on technology, wherein it can be considered unlawful to allow a foreign national on US soil to attend a conference where controlled technology is being discussed verbally, as is a US person traveling
          • by AK Marc ( 707885 )
            DMCA. AACS used DMCA to "takedown" 09... The claim, under perjury was that the publishing of that single number was illegal.

            Also, cryptography (export rules as "munitions"), and any series of 1's and 0's that when decoded as an image file, could be confused with a child engaging in prurient acts, even if the image were constructed solely by an assembling of 1's and 0's without involving any image taken from any human.

            These three examples are sufficient to prove you wrong, any single one of them is suff
        • If encryption is munitions, then software is covered by the 2nd amendment. I'm not hacking, I'm exercising my right to bear arms.

      • possession?? now can they use that in court so that only the prosecutor and the state lab can have possession. so you can't get an your own lab to look at it?

        • by ixidor ( 996844 )
          so what happens if someone hacks your pc, and leaves ransownware, then the police just happen to find it? you were in possession...
      • but prevention of speaking about something is a law that can be crafted... like that "shouting fire in a theater" only in the case we are talking about is software validation.

        That free speech case was overturned, and it is in fact legal to shout fire in a theater.

        • but prevention of speaking about something is a law that can be crafted... like that "shouting fire in a theater" only in the case we are talking about is software validation.

          That free speech case was overturned, and it is in fact legal to shout fire in a theater.

          partially overturned [wikipedia.org] - it would be legal to shout "fire" but it would be illegal to falsely should fire in a theatre with the intent that the consequence would be imminent harm to the audience of that theatre.

      • "Shouting fire in a movie theater" was an metaphor used by racists while they were arguing that black people shouldn't be allowed free speech. They lost both sides of the argument; a law banning yelling "fire" in a theater would be unconstitutional, and so would denying black people freedom of speech.

        Be smart enough to stop using this metaphor.

      • I'm not overly familiar with the laws mentioned, but I suspect you can't be arrested for shouting the word "fire" in a theatre, after all if there was a fire it's rather important that someone can notify everyone, however you will be arrested for doing so when there is no fire and causing a stampede to the exit that could result in injuries. I'd bet the law in question would be "reckless endangerment to the public", similar to "incitement to violence" and various other laws around the impact of what was sai
      • by mysidia ( 191772 )

        prevention of speaking about something is a law that can be crafted... like that "shouting fire in a theater"

        Because they are trying to restrict personal speech of researchers that means the law would have to survive Strict Scrutiny [wikipedia.org], which I doubt it would --- There must be a rational basis for the law furthering compelling state interest which the law accomplishes, And the law must be narrowly taylored, so that it is only as restrictive as necessary for accomplishing the compelling purpose.

        Pretty

    • Comment removed based on user account deletion
  • So... (Score:5, Insightful)

    by mschaffer ( 97223 ) on Monday January 27, 2020 @08:32PM (#59662916)

    So, when your computer gets infected, you are breaking the law.

    • "possess, identify, or attempt to identify a valid access code..."

      So, if you have YOUR OWN valid access code, you would also be breaking this law?

      ---

    • That was my thought, exactly. Although I haven't read the text of the law, I hope that it doesn't criminalize being a victim of ransomware. By definition, victims have a copy of the ransomware that is attacking them, on their computer. They need to make very sure that the new law doesn't make victims into criminals. They also need to make sure that they are not making the reporting of a ransomware attack a crime either. Victims need to be able to lawfully get assistance in fighting the effects of this
  • You may posses 1s and 0s provided that they are not arranged in these specific arrangements. Now replace 1s and 0s with dominoes.
  • It seems likely on the order of tomorrow's increasing coronavirus infection numbers that the folks responsible for committing the bulk of ransomware offenses are outside the State of Maryland's jurisdiction.

  • "The bill, Senate Bill 3, covers a lot of ground already covered by U.S. Federal law. But it classifies the mere possession of ransomware as a misdemeanor punishable by up to 10 years of imprisonment and a fine of up to $10,000." So depending on how you interrupt this law a person that was effected by it could be charged since its on his computer could be called possession. Which means if you were victim of it paid it off but yet the software is still on your machine? Its a Vague way to view the law but you
    • Re:so wait... (Score:5, Interesting)

      by paralumina01 ( 6276944 ) on Monday January 27, 2020 @09:39PM (#59663116)
      I also noticed this wtf: "a misdemeanor punishable by up to 10 years of imprisonment". Felonies are crimes punishable by imprisonment for a year or longer. Misdemeanors are not.
      • Yeah, that's what happens when you let the morons are Arsetech summariize it.

        From the pdf linked above:

        (5)(I)THIS PARAGRAPH DOES NOT APPLY TO THE USE OF
        RANSOMWARE FOR RESEARCH PURPOSES.
        (II)APERSON MAY NOT KNOWINGLY POSSESS RANSOMWARE
        WITH THE INTENT TO USE THE RANSOMWARE FOR THE PURPOSE OF INTRODUCTION
        INTO THE COMPUTER,COMPUTER NETWORK,OR COMPUTER SYSTEM OF ANOTHER
        PERSON WITHOUT THE AUTHORIZATION OF THE OTHER PERSON.
        (d)(1)A person who violates subsection (c)(1) of this section is guilty of a
        misdemeanor and on conviction is subject to imprisonment not exceeding 3 years or a fine
        not exceeding $1,000 or both.
        (2)A person who violates subsection (c)(2) or (3) of this section:
        (i)if the aggregate amount of the loss is $10,000 or more, is guilty
        of a felony and on conviction is subject to imprisonment not exceeding 10 years or a fine not
        exceeding $10,000 or both

  • screws up computer security in 5.. 4... too late.

  • by schwit1 ( 797399 ) on Monday January 27, 2020 @08:45PM (#59662956)

    Outlaw ransomware? That will protect you about as well as a gun-free zone sign or the warning label on the side of a pack of cigarettes.

    • Warning labels on cigarettes might actually dissuade someone. Not many someones, but someone. Outlawing ransomware will do absolutely nothing, however.

    • True, but if they do catch you, you are really fucked.
      At this robbing a convenience store will get you less jail time (or probably already does, not sure) but then I suppose also a lot less money.
  • "misdemeanor" (Score:4, Insightful)

    by markdavis ( 642305 ) on Monday January 27, 2020 @08:50PM (#59662966)

    >"But it classifies the mere possession of ransomware as a misdemeanor punishable by up to 10 years of imprisonment and a fine of up to $10,000."

    That doesn't sound right. Misdemeanors are almost always only a fine, 1 year or less jail time, or a combination of the both. Felonies are typically > 1 year prison time with possible large fines. Yet I just read it from the bill:

    "(4) A PERSON WHO VIOLATES SUBSECTION (C)(5) OF THIS SECTION IS GUILTY OF A MISDEMEANOR AND ON CONVICTION IS SUBJECT TO IMPRISONMENT NOT EXCEEDING 10 YEARS OR A FINE NOT EXCEEDING $10,000 OR BOTH."

    Strange that something could be so severe as to imprison someone for a decade that is not a felony offense.

    • Re: (Score:2, Funny)

      by ArhcAngel ( 247594 )
      I'm wondering if AOC didn't write this bill. That makes no sense.
      • Hurr durr! While you're gloating about how much smarter than her you are, don't forget to learn about which government she is in, and which government is considering this bill.

    • It varies by state, but I don't think 1 year is that strict a cutoff.

      For example a DUI (many offenses) can catch you 5 years in PA but is still a misdemeanor.

    • ... AND ON CONVICTION IS SUBJECT TO IMPRISONMENT ...

      I translate it as "on conviction of a misdemeanor, can be sent to prison", thus turning the crime into a felony. It's a end-run around the principles of law, like civil forfeiture legislation.

  • What's a more reliable way to get rid of something, than criminalizing it? It worked so well for for alcohol, marijuana, weapons, speeding — you name it — no wonder, legislators are a little dizzy with success...

    • Well they have to at least "appear" to be doing something about it. Considering the new generation of ransom ware people are subsequently black mailing people who refuse to pay the ransom they could get around the whole thing by not encrypting the data and only blackmailing them instead.
  • by SirAstral ( 1349985 ) on Monday January 27, 2020 @09:26PM (#59663072)

    It is nearly impossible for this to ensnare anyone but innocent people because of how the entire landscape operates!

    For now lets just ignore that loads of malware comes from foreign dissident and governments.

    You can sure as bet like hell that this disclaimer...
    "THIS PARAGRAPH DOES NOT APPLY TO THE USE OF RANSOMWARE FOR RESEARCH PURPOSES."
    Is never going to apply when Uncle Sam needs for it to not apply. This will be used to fuck everyone that crosses the powers that be and that is the entire point. We are already at the point where the moment you piss off the wrong group you are an instant pedophile with terabytes of CP on your computer spanning years! We are at the point where we spend millions of taxpayers dollars to trick mentally handicapped people into committing crimes they would never have even thought about if sting operations were left in the dirt at home. After all, exactly which important group of people are going to give a shit? In a world of pseudo morals and so many double standards where we have made Cognitive Dissonance and Virtue Signaling into an art-form entirely dressed in the Emperors New Clothes.

    Every Incarnation of Evil in all the Story Books would be exceedingly proud of our achievements!

    • by sconeu ( 64226 )

      This is a MD *STATE* law. Has nothing to do with Uncle Sam.

      • The Age of Literacy was fleeting, but sadly, it has ended.

    • ... when Uncle Sam needs for it to not apply.

      All criminal laws are like that: They identify who is targeted, who is protected, and contain wiggle-room so the government can persecute special cases.

      • ... when Uncle Sam needs for it to not apply.

        All criminal laws are like that: They identify who is targeted, who is protected, and contain wiggle-room so the government can persecute special cases.

        This sort of apathetic cynicism is one of the biggest dangers to democracy today, and it's all too prevalent in the younger generation. If you think like NotEmmanuelGoldstein, you are part of the problem, and you should stop it.

        To the extent laws enable and allow persecution and selective prosecution, that's a problem that you should take a hand in fixing, like the people who have pointed out, publicly and to the lawmakers, the potential problems with the wording of this law. How many letters a year do

  • future direction ? (Score:4, Interesting)

    by jmccue ( 834797 ) on Monday January 27, 2020 @09:29PM (#59663092) Homepage
    Guess we are slowly heading here: https://www.gnu.org/philosophy... [gnu.org] For a short period seemed we at least stopped the progression to that future, between all the encryption, drm and now this we started moving again.
  • If people could post things on the internet anonymously then this whole thing would be pointless. Fortunately that's impossible. Thank goodness I have my internet ID card that allows me to post government approved messages.

  • I can't see how the disclosure thing won't be tossed because of the first amendment. It sounds like they are trying to address nudge nudge wink wink you should pay us a finder's fee for this bug, first dibs, or we are ethically bound to let everyone know of the vulnerability, as extortion.

    But you can't solve that by making speech illegal.

  • Ransomware is already illegal under existing cybercrime laws amongst others, isn't it? This sounds like legislators that either have no clue what's going on, or who want to seem like they're doing somethign about something no one can really do anything much more about anyway,
    • by Anonymous Coward

      No "cybercrime" laws are required. The long-standing offense of "extortion" is entirely applicable.

  • So people who self duplicate car keys, hack their Furbie, replace locked iPhone screen, or repair thier tractor, or mofify their GE fridge water dispenser. Police using stingrays .. would also be criminals. Software vendors who hack and steal registry details would also be on the hook. Anybody contributing to CERT NIST CSV must be excluded. Existing practice is 30 days - more if they beg and provide justification. Ransomware is already on the books as blackmail, so no law needed. Any respectful IT firm w
  • I live in Maryland. Our legislature has a long history of being stupid.

  • Well I guess THAT problem is solved now.

  • The internet doesn't care about your laws. I can't publish my findings in Maryland? Oh no, woe is me, guess I'll have to put a disclaimer on the page that nobody in Maryland may look at the information.

    Get a clue, politicians, will ya?

    • by MobyDisk ( 75490 )

      Your post makes no sense. How do you conclude that this has anything to do with publishing or reading a paper?

      • The wording of the bill does. Basically publishing a PoC is already enough to get into hot water, hell, publishing a security flaw is.

        Fortunately I'm not in Maryland, so I can continue my research. If I had a company in Maryland, I'd probably consider moving. It's not like you have to move far, no matter where in Maryland you happen to be...

        • by MobyDisk ( 75490 )

          ok, thanks, I'll have to read the bill and see what the EFF says too. There's a LOT of security positions in MD because of proximity to DC and the presence of various three letter agencies.

  • I'm sure the hackers in Russia are fuming over this
  • This is a kneejerk response to the massive ransomware pwning of the City of Baltimore [wikipedia.org] last year. As usual, the morons who run MD are passing some asinine law that unsurprisingly does more damage than it will cure instead of addressing the root cause: in this case, gross IT incompetence and a complete lack of a backup strategy [darkreading.com]. This ironically will deter one of the state's pet "causes": attracting cybersecurity firms [maryland.gov] in order to further leech off of their proximity to DC. Seriously, these idiots couldn't
    • Note that the other local governments didn't get pwned and do the same functions. Working systems & staff exist within 30 miles. If the City of Baltimore wanted to help itself the easiest thing to do is start sending Baltimore City IT work to Baltimore County which surrounds it. Send some to Howard & Anne Arundel Counties too. No reason City sewer & water bills or payroll or pothole tracking can't run on a County's software. The City can't afford - and should not want to afford - to duplicate th
      • Why should the other (better run) local gov'ts in MD suffer because of the city's decades of endless incompetence and corruption? If you expect the rest of the state to continue to fund that clown show, you better put the city into receivership.
  • So, does that mean when they bust someone for ransomware he's fine as long as he had "For Monero Financial Network Research Only" in small print on his payload?

  • A proposed law introduced in Maryland's state senate last week would criminalize...criminal activities...

    Good call.

  • This would probably help end consumer right to repair in conjunction with making security research more dangerous
  • "cause the malfunction or interrupt the operation of all or any part" of a network, the computers on it, or their software and data

    I don't have anything to worry about because my code is perfect but many other are not as awesome as me.

  • If we take away peoples ransomware, only criminals will own ransomware! Or, something like that...

The truth of a proposition has nothing to do with its credibility. And vice versa.

Working...