At what point does "hacking" become illegal? (US)

The law is unclear. Anything you do, no matter how innocent, could be considered a crime. All the website owner has to do is say "I didn't want that to happen", and you could be convicted of a crime.

Before donating to a tsunami relief website, Daniel Cuthbert typed in ../../../ in the URL. He was convicted of "intent to hack" (in the UK).

Lori Drew was convicted of hacking MySpace, because she violated MySpace's terms-of-service by creating a fake account that was later used by her 14-year-old daughter to harass another girl, who later committed suicide. The convictions were overturned later, and the government decided not to appeal - but it's still an experience to avoid.

Andrew "weev" Auernheimer was found guilty of identity theft, because AT&T provided customer account info for early iPad owners on their website, and he wrote a script that just enumerated the URLs and downloaded them.

Brian K. West was threatened with prosecution because he clicked on a button labelled "Edit" on a newspaper website -- and was surprised to discover that this allowed him to edit the actual web page. After reporting the problem to the newspaper, the FBI investigated him (including searching West's workplace and seizing some materials) and a prosecutor apparently threatened him with a felony prosecution.

In a recent case, it's been found that when you cause an inbox to fill up with spam, thus DoSing it, you are guilty of "hacking" it as defined by the Computer Fraud and Abuse Act.

I do all the things you describe. There are lines I won't cross: I'll test for SQL injection, but I won't access the database. But I do this because I can afford high-priced lawyers to defend me. Also, I won't do things that are stupid. For example, Daniel Cuthbert was convicted of "intent to hack" because he kept changing his story when asked why he did it, so the court didn't believe any story.


Don't do it! Don't do it! If you are in the US, the law is very broad. You don't want to even tiptoe up to the line.

The relevant law is the Computer Fraud and Abuse Act (18 U.S.C. 1030). In a nutshell (and simplifying slightly), under the CFAA, it is a federal crime to "intentionally access a computer without authorization or exceed authorized access". This language is very broad, and I imagine an ambitious prosecutor could try to use it to go after everything on your list except #1 (view source).

Orin Kerr, one of the leading legal scholars in this area, calls the statute "vague" and "extraordinarily broad", and has said that "no one actually knows what it prohibits".

And, as @Robert David Graham explains, there have been cases where folks were prosecuted, threatened with prosecution, or sued for doing as little as typing a single-quote into a textbox, adding a ../ to a URL, or signing up to Facebook under a pseudonym. It's pretty wild that this alone constitutes a federal offense, even if there is no malicious intent. But that's the legal environment we live in.

I'd say, don't take chances. Get written authorization from the company whose websites you want to test.


The one constant across many jurisdictions seems to be that the only safe action on your list is number 1.

In some areas you would be okay with modifying data, but really you shouldn't risk it.

I would go so far as to say you are approaching this in entirely the wrong way.

Better approach:

Inform the web development company that if they want your business they must provide proof that the application has been tested to a particular standard. In the UK you could do this by requiring a test by a CREST or CHECK approved individual or team. Or you may gain assurance by using one of the Big-4 audit firms. If they have had a test, you could request visibility of the methodology and results.

Best approach:

Ask them to demonstrate the security and governance controls in their development lifecycle. An organisation that is mature in security will use a full SDLC which will reduce the likelihood of vulnerabilities, and even remove whole classes of vulnerabilities. Penetration testing is almost just a confirmation at the end of the process.