by tptacek 4895 days ago
Do I want a better sentencing system for computer fraud, so that it remains possible for companies to defend themselves without needing to spend hundreds of thousands of dollars every quarter finding every conceivable loophole an attacker might exploit, while not leading to a situation where simply using a computer turns a simple offense into a 6 year prison sentence?

Yes, that is what I want, and I don't think it's too much to ask for.

After I wrote the comment above, I worried that it would read as a contrarian barb at any attempt to move forward with better computer crime laws. I don't mean it that way, which is why I went back and pointed out that Lessig thinks it's "critically important". But I meant my first question as I wrote it: would Aaron's Law really have helped Aaron?


It's too late for that. Look to the future instead. Will having Aaron's Law in place, coupled with civil outcry and petitions we've seen, prevent the next Aaron from being over-zealously prosecuted?

I think the answer is: not entirely, but it's a huge, practical step in that direction. This is one of those things that you celebrate, not dismiss cynically.

Think of an alternate reaction. Why not create a petition on the White House site to make this small step a reality instead of cynically dismissing it? Remember, your pessimism can influence a whole audience into inaction. Recent precedent suggests.

I'm not being cynical. The fact that Aaron's Law wouldn't have helped Aaron isn't a cynical point. I don't oppose the act at all. TOS violations shouldn't be felonies.

This is one of those ridiculous message board arguments where both parties agree, and the argument is actually not about the issues but about the meta-issue of how people are posturing. Do you believe federal criminal sentencing is sensible or just? Here, I'll just speak for you: no you don't. We disagree on nothing. Let's move on.

If you could kindly edit your top comment by requesting readers to contact their representatives to help get this passed, THEN I will move on. Till then I have a pretty low opinion of you.

Potentially. I think what got him is the argument that because he was authorised only in accordance with the terms of use, once he violated the terms of service he was now an unauthorised cracker (despite not actually cracking any system/software), and was going to go down under the CFAA.

I think the intent of the law is to remove the terms of use from determining whether or not the use is authorised. So since guests from any IP were authorised on MIT and JSTOR, despite the fact that he violated their terms of use, they then couldn't have hit him at all with the CFAA.

The problem I'm bringing up is that Kerr and Granick have both pointed out that TOS violations weren't the only problem, or even the most severe problem, facing Swartz's defense. His attempts to evade filtering had the added misfortune of setting him up to "appear guilty" at trial.

Guests from any IP, except Aaron's IP. Until he got a new one. And then another.

Hypothetical Question: someone is accessing your network in an unauthorized way. How do you tell them? An IP is not a person, so how do you make your desire that they stop known? Block their IP? What if they come back with a new one?

Do you really think that any legal change would reduce the need for security auditing of apps? I'm afraid that seems awfully unlikely to me. Even if US-based attackers would be deterred, there are plenty of places in the world the Internet reaches but US jurisdiction doesn't.

I think the effort put into securing computers is an inevitable dead-weight loss. Laws against pollution don't make everyone stop polluting; some polluters will just find creative ways to conceal what they're doing. Definitely doesn't mean I think pollution should be legal.

Computer security, at least while attached to the Internet, doesn't work that way. When all it takes is one attacker anywhere in the world to write a worm that compromises everyone, everyone needs to secure their systems.

Some problems really are best solved using technical means. If we stop building systems that can be exploited by arbitrary outsiders (yes, this is possible, and probably not that expensive in the long run if we standardize a few good protocols), then we should be able to reach a point where a certain baseline of security can just be taken for granted.

The idea that abusing people's computers to disable their businesses or gain access to confidential information should be legal because "that problem is best solved using technical means" is so hostile to my perspective that there's probably little chance of us learning anything from each other by debating it.

For the record, that was not my thrust. (Can't speak for dlitz.)

I was just surprised at your suggestion that better laws would reduce your workload at Matasano.

You spoke for me well enough. If you reduce the number of computer criminals by 90%, it won't perceptibly change the amount of work that anyone has to put into writing secure programs, because the 10% of remaining criminals will still exploit everyone's vulnerabilities. If those laws impose friction on the rest of us (e.g. laws mandating wiretapping and/or filtering capability), then we all suffer huge aggregate costs for basically no gain.