Maryland Bill Would Outlaw Ransomware, Keep Researchers From Reporting Bugs (arstechnica.com)
A proposed law introduced in Maryland's state senate last week would criminalize the possession of ransomware and other criminal activities with a computer. However, CEO of Luta Security Katie Moussouris warns that the current bill "would prohibit vulnerability disclosure unless the specific systems or data accessed by the helpful security researcher were explicitly authorized ahead of time and would prohibit public disclosure if the reports were ignored." Ars Technica reports: The bill, Senate Bill 3, covers a lot of ground already covered by U.S. Federal law. But it classifies the mere possession of ransomware as a misdemeanor punishable by up to 10 years of imprisonment and a fine of up to $10,000. The bill also states (in all capital letters in the draft) that "THIS PARAGRAPH DOES NOT APPLY TO THE USE OF RANSOMWARE FOR RESEARCH PURPOSES."
Additionally, the bill would outlaw unauthorized intentional access or attempts to access "all or part of a computer network, computer control language, computer, computer software, computer system, computer service, or computer database; or copy, attempt to copy, possess, or attempt to possess the contents of all or part of a computer database accessed." It also would criminalize under Maryland law any act intended to "cause the malfunction or interrupt the operation of all or any part" of a network, the computers on it, or their software and data, or "possess, identify, or attempt to identify a valid access code; or publicize or distribute a valid access code to an unauthorized person." There are no research exclusions in the bill for these provisions. "While access or attempted access would be a misdemeanor (punishable by a fine of $1,000, three years of imprisonment, or both), breaching databases would be a felony if damages were determined to be greater than $10,000 -- punishable by a sentence of up to 10 years, a fine of $10,000, or both," the report adds. "The punishments go up if systems belonging to the state government, electric and gas utilities, or public utilities are involved, with up to 10 years of imprisonment and a $25,000 fine if more than $50,000 in damage is done."
Comment removed (Score:5, Interesting)
Re: (Score:2)
They will invoke national security.
Re: (Score:2)
It's a state law. If it were federal law you might have a point.
Re: (Score:2)
Federal law trumps state law and states can't enact laws that violate the constitution. Well, they can try, but anyone convicted can appeal to a higher court on the grounds that the law is unconstitutional:
https://law.justia.com/constitution/us/state-laws-held-unconstitutional.html
Re: (Score:2)
I was pointing out state laws do not invoke "national security". I'm well aware of federal pre-emption.
Re: (Score:2)
I am certainly not a lawyer, but prevention of speaking about something is a law that can be crafted... like that "shouting fire in a theater" only in the case we are talking about is software validation. maybe the government does not want validation of the facts to be public.
Re: (Score:1)
Ahh, the USA where it is legal to carry a concealed pistol specifically designed to kill people, loaded and ready to fire but oh no a string of code, a bunch of algorithms that can not ever injure anyone, that's illegal, why do these feel like laws written by Luddites. Ohh Ahh that's smart people stuff, we don't understand it, let's make it illegal.
If it does not need to be, absolutely need to be connected to the fucking internet, then do not fucking connect it to the internet. Run separate computer netwo
Re: (Score:2)
Please cite the specific law which makes a string of code or algorithms illegal, and please be *specific*.
You can't be referring to this article, because
Re: (Score:2)
hmm, I kinda got a feeling that someone printed a hacking code on his shirt and was brought into court with a copyright violation. can't recall it, but I think he got off.
Re: (Score:2)
Also, cryptography (export rules as "munitions"), and any series of 1's and 0's that when decoded as an image file, could be confused with a child engaging in prurient acts, even if the image were constructed solely by an assembling of 1's and 0's without involving any image taken from any human.
These three examples are sufficient to prove you wrong, any single one of them is suff
Re: (Score:2)
If encryption is munitions, then software is covered by the 2nd amendment. I'm not hacking, I'm exercising my right to bear arms.
Re: (Score:2)
Arms are covered by the 2nd amendment. Arms are only a subset of munitions.
Re: (Score:2)
Well, at least you acknowledge the possibility of carrying a concealed pistol NOT specifically designed to kill people - which means you accept that only some guns are specifically designed to kill people.
Firearms are not carried concealed to conceal them from anything except other people.
possession?? now can they use that in court so tha (Score:2)
possession?? now can they use that in court so that only the prosecutor and the state lab can have possession. so you can't get your own lab to look at it?
Re: (Score:2)
but prevention of speaking about something is a law that can be crafted... like that "shouting fire in a theater" only in the case we are talking about is software validation.
That free speech case was overturned, and it is in fact legal to shout fire in a theater.
Re: (Score:2)
but prevention of speaking about something is a law that can be crafted... like that "shouting fire in a theater" only in the case we are talking about is software validation.
That free speech case was overturned, and it is in fact legal to shout fire in a theater.
partially overturned [wikipedia.org] - it would be legal to shout "fire" but it would be illegal to falsely shout fire in a theatre with the intent that the consequence would be imminent harm to the audience of that theatre.
Re: (Score:2)
"Shouting fire in a movie theater" was a metaphor used by racists while they were arguing that black people shouldn't be allowed free speech. They lost both sides of the argument; a law banning yelling "fire" in a theater would be unconstitutional, and so would denying black people freedom of speech.
Be smart enough to stop using this metaphor.
Re: (Score:2)
prevention of speaking about something is a law that can be crafted... like that "shouting fire in a theater"
Because they are trying to restrict personal speech of researchers that means the law would have to survive Strict Scrutiny [wikipedia.org], which I doubt it would --- There must be a rational basis for the law furthering compelling state interest which the law accomplishes, and the law must be narrowly tailored, so that it is only as restrictive as necessary for accomplishing the compelling purpose.
Pretty
So... (Score:5, Insightful)
So, when your computer gets infected, you are breaking the law.
Re: (Score:2)
"possess, identify, or attempt to identify a valid access code..."
So, if you have YOUR OWN valid access code, you would also be breaking this law?
---
1s and 0s (Score:1)
Not your target market, Maryland (Score:2)
It seems likely on the order of tomorrow's increasing coronavirus infection numbers that the folks responsible for committing the bulk of ransomware offenses are outside the State of Maryland's jurisdiction.
so wait... (Score:2)
Re:so wait... (Score:5, Interesting)
Re: (Score:2)
Yeah, that's what happens when you let the morons at Arsetech summarize it.
From the pdf linked above:
(5) (I) THIS PARAGRAPH DOES NOT APPLY TO THE USE OF RANSOMWARE FOR RESEARCH PURPOSES.
(II) A PERSON MAY NOT KNOWINGLY POSSESS RANSOMWARE WITH THE INTENT TO USE THE RANSOMWARE FOR THE PURPOSE OF INTRODUCTION INTO THE COMPUTER, COMPUTER NETWORK, OR COMPUTER SYSTEM OF ANOTHER PERSON WITHOUT THE AUTHORIZATION OF THE OTHER PERSON.
(d) (1) A person who violates subsection (c)(1) of this section is guilty of a misdemeanor and on conviction is subject to imprisonment not exceeding 3 years or a fine not exceeding $1,000 or both.
(2) A person who violates subsection (c)(2) or (3) of this section:
(i) if the aggregate amount of the loss is $10,000 or more, is guilty of a felony and on conviction is subject to imprisonment not exceeding 10 years or a fine not exceeding $10,000 or both
Re: (Score:2)
That's the federal definition. In Maryland, the statute defines whether a crime is a misdemeanor or a felony.
What better way is there to legislate away 6th amendment rights?
Government... (Score:2)
screws up computer security in 5.. 4... too late.
Re: (Score:2)
Ars bungles reporting on law and how it applies to computer security in 5... 4.... too late.
That oughta do it, thanks very much Ray. (Score:4, Insightful)
Outlaw ransomware? That will protect you about as well as a gun-free zone sign or the warning label on the side of a pack of cigarettes.
Re: (Score:2)
Warning labels on cigarettes might actually dissuade someone. Not many someones, but someone. Outlawing ransomware will do absolutely nothing, however.
Re: (Score:3)
We're turning into a face-saving culture rather than a problem-solving one.
Re: (Score:2)
At this robbing a convenience store will get you less jail time (or probably already does, not sure) but then I suppose also a lot less money.
"misdemeanor" (Score:4, Insightful)
>"But it classifies the mere possession of ransomware as a misdemeanor punishable by up to 10 years of imprisonment and a fine of up to $10,000."
That doesn't sound right. Misdemeanors are almost always only a fine, 1 year or less jail time, or a combination of the both. Felonies are typically > 1 year prison time with possible large fines. Yet I just read it from the bill:
"(4) A PERSON WHO VIOLATES SUBSECTION (C)(5) OF THIS SECTION IS GUILTY OF A MISDEMEANOR AND ON CONVICTION IS SUBJECT TO IMPRISONMENT NOT EXCEEDING 10 YEARS OR A FINE NOT EXCEEDING $10,000 OR BOTH."
Strange that something could be so severe as to imprison someone for a decade that is not a felony offense.
Re: (Score:2)
Hurr durr! While you're gloating about how much smarter than her you are, don't forget to learn about which government she is in, and which government is considering this bill.
Re: "misdemeanor" (Score:3)
It varies by state, but I don't think 1 year is that strict a cutoff.
For example a DUI (many offenses) can catch you 5 years in PA but is still a misdemeanor.
Re: (Score:1)
I translate it as "on conviction of a misdemeanor, can be sent to prison", thus turning the crime into a felony. It's an end-run around the principles of law, like civil forfeiture legislation.
A reliable way to get rid of something... (Score:2)
What's a more reliable way to get rid of something, than criminalizing it? It worked so well for alcohol, marijuana, weapons, speeding — you name it — no wonder, legislators are a little dizzy with success...
More Evil Government (Score:5, Insightful)
It is nearly impossible for this to ensnare anyone but innocent people because of how the entire landscape operates!
For now let's just ignore that loads of malware comes from foreign dissidents and governments.
You can sure as bet like hell that this disclaimer...
"THIS PARAGRAPH DOES NOT APPLY TO THE USE OF RANSOMWARE FOR RESEARCH PURPOSES."
Is never going to apply when Uncle Sam needs for it to not apply. This will be used to fuck everyone that crosses the powers that be and that is the entire point. We are already at the point where the moment you piss off the wrong group you are an instant pedophile with terabytes of CP on your computer spanning years! We are at the point where we spend millions of taxpayers' dollars to trick mentally handicapped people into committing crimes they would never have even thought about if sting operations were left in the dirt at home. After all, exactly which important group of people are going to give a shit? In a world of pseudo morals and so many double standards where we have made Cognitive Dissonance and Virtue Signaling into an art-form entirely dressed in the Emperor's New Clothes.
Every Incarnation of Evil in all the Story Books would be exceedingly proud of our achievements!
Re: (Score:2)
This is a MD *STATE* law. Has nothing to do with Uncle Sam.
Re: (Score:2)
The Age of Literacy was fleeting, but sadly, it has ended.
Re: (Score:2)
Has nothing to do with WHERE Federal agencies are. Has everything to do with jurisdiction.
This is a STATE law. Federal agencies have NO jurisdiction. In other words, if you are arrested on a Federal charge, they can't throw the MD law on ransomware at you to jack up the charges.
Similarly, if you are arrested in MD under this law, the Feds don't have jurisdiction over you, it's a state charge.
Re: (Score:1)
I would also presume workers don't take their work home with them off base either. Which would be problematic in so many other ways.
Re: (Score:1)
All criminal laws are like that: They identify who is targeted, who is protected, and contain wiggle-room so the government can persecute special cases.
Re: (Score:2)
All criminal laws are like that: They identify who is targeted, who is protected, and contain wiggle-room so the government can persecute special cases.
This sort of apathetic cynicism is one of the biggest dangers to democracy today, and it's all too prevalent in the younger generation. If you think like NotEmmanuelGoldstein, you are part of the problem, and you should stop it.
To the extent laws enable and allow persecution and selective prosecution, that's a problem that you should take a hand in fixing, like the people who have pointed out, publicly and to the lawmakers, the potential problems with the wording of this law. How many letters a year do
future direction ? (Score:4, Interesting)
Thankfully there is no anonymity on the internet (Score:2)
If people could post things on the internet anonymously then this whole thing would be pointless. Fortunately that's impossible. Thank goodness I have my internet ID card that allows me to post government approved messages.
Illegal speech attempts again (Score:2)
I can't see how the disclosure thing won't be tossed because of the first amendment. It sounds like they are trying to address nudge nudge wink wink you should pay us a finder's fee for this bug, first dibs, or we are ethically bound to let everyone know of the vulnerability, as extortion.
But you can't solve that by making speech illegal.
Superfluous bill is superfluous (Score:2)
Re: (Score:1)
No "cybercrime" laws are required. The long-standing offense of "extortion" is entirely applicable.
Unintended consequences (Score:1)
Not a surprise (Score:1)
I live in Maryland. Our legislature has a long history of being stupid.
:D Problem solved (Score:2)
Well I guess THAT problem is solved now.
Hey, Maryland (Score:2)
The internet doesn't care about your laws. I can't publish my findings in Maryland? Oh no, woe is me, guess I'll have to put a disclaimer on the page that nobody in Maryland may look at the information.
Get a clue, politicians, will ya?
Re: (Score:2)
Your post makes no sense. How do you conclude that this has anything to do with publishing or reading a paper?
Re: (Score:2)
The wording of the bill does. Basically publishing a PoC is already enough to get into hot water, hell, publishing a security flaw is.
Fortunately I'm not in Maryland, so I can continue my research. If I had a company in Maryland, I'd probably consider moving. It's not like you have to move far, no matter where in Maryland you happen to be...
Re: (Score:2)
ok, thanks, I'll have to read the bill and see what the EFF says too. There's a LOT of security positions in MD because of proximity to DC and the presence of various three letter agencies.
Just livid (Score:2)
More stupid from the Stupid State (Score:2)
Research Purposes? (Score:2)
So, does that mean when they bust someone for ransomware he's fine as long as he had "For Monero Financial Network Research Only" in small print on his payload?
TFS (Score:2)
A proposed law introduced in Maryland's state senate last week would criminalize...criminal activities...
Good call.
Don't DIY (Score:1)
Software bugs would be illegal (Score:2)
"cause the malfunction or interrupt the operation of all or any part" of a network, the computers on it, or their software and data
I don't have anything to worry about because my code is perfect but many others are not as awesome as me.
But? (Score:1)