The oft-attacked city of Baltimore not only uses mind-bogglingly bad data storage. Its home state, Maryland, also knows how to swiftly propose mind-bogglingly bad legislation that would outlaw possession of ransomware and put researchers in jeopardy of prosecution.
It is, of course, already a crime to use the data/systems-paralyzing malware in a way that costs victims money, but proposed legislation, Senate Bill 30, would criminalize mere possession.
It’s not supposed to keep researchers from responsibly researching or disclosing vulnerabilities, but like other, similar “let’s make malware more illegal” bills before it, SB 30’s attempts to protect researchers could “use a little more work,” as pointed out by Ars Technica’s Sean Gallagher.
It covers much of the same ground as does Federal law, but SB 30 would take it a step further by labelling the mere possession of ransomware as a misdemeanor that would carry a penalty of up to 10 years imprisonment and/or a fine of up to $10,000.
The draft could get more draconian still: Earlier this month, members of the Maryland Senate Judicial Proceedings Committee said they’d actually prefer to make the crime a felony, according to Capital News Service.
The problematic outlawing of “unauthorized access”
Besides mere possession of ransomware, the bill would outlaw unauthorized, intentional access or attempts to access…
…all or part of a computer network, computer control language, computer, computer software, computer system, computer service, or computer database; or copy, attempt to copy, possess, or attempt to possess the contents of all or part of a computer database accessed.
It would also criminalize acts intended to “cause the malfunction or interrupt the operation of all or any part” of a computer, the network it’s running on, and their software/operating system/data. Also verboten: intentional, willful, unauthorized possession or attempts to identify a valid access code, or publication or distribution of valid access codes to unauthorized people.
Where does that leave researchers? Partially protected by a thin blanket that doesn’t protect them from liability, experts say.
The bill does holler out an exemption for researchers, rendered in full caps in the draft:
THIS PARAGRAPH DOES NOT APPLY TO THE USE OF RANSOMWARE FOR RESEARCH PURPOSES.
But that doesn’t cover any of the extensive list of “thou shalt not touch without authorization” aspects of the bill that could spell trouble for researchers and keep them from reporting vulnerabilities. Well-known vulnerability disclosure policy expert Katie Moussouris – the founder and CEO of Luta Security and creator of Microsoft’s bug-bounty program – told Ars that as it’s now worded, the bill would…
…prohibit vulnerability disclosure unless the specific systems or data accessed by the helpful security researcher were explicitly authorized ahead of time and would prohibit public disclosure if the reports were ignored.
The truth is that organizations ignore responsible vulnerability reports all too often. That’s why responsible disclosure programs have reporting windows: once the clock ticks down, plenty of researchers give up on waiting for a response and go ahead and publish vulnerability details. The rationale: the longer a vulnerability exists, the higher the chance it will be exploited by hackers.
Maryland should follow Georgia’s lead and rethink this
SB 30 is still under review. Were it to pass in its current form, there is, of course, a chance that the governor might veto it. That’s what happened to the similarly misguided hacking bill, SB 315, that was passed in Georgia in 2018.
From Governor Brian P. Kemp’s veto message:
Under the proposed legislation, it would be a crime to intentionally access a computer or computer network with knowledge that such access is without authority. However, certain components of the legislation have led to concerns regarding national security implications and other potential ramifications. Consequently, while intending to protect against online breaches and hacks, SB 315 may inadvertently hinder the ability of government and private industries to do so.
Hopefully, Maryland’s lawmakers will take a much closer look at the proposed bill and listen to experts like Moussouris. Hopefully, they’ll come to realize that the legislation may very well harm the very people who are working to protect the state.
The post #comptia | #ransomware | Let’s make ransomware MORE illegal, says Maryland – Naked Security appeared first on National Cyber Security.
#comptia | #ransomware | Bill Would Make Possession Of Ransomware A Crime In Maryland – CBS Baltimore
Source: National Cyber Security – Produced By Gregory Evans
CAPITAL NEWS SERVICE — State lawmakers heard arguments Tuesday on a bill that seeks to add criminal penalties for knowingly possessing ransomware with the intent to use it in a malicious way. Ransomware is a type of malware that can impede the use of a computer […]
View full post on AmIHackerProof.com
COLLEGE PARK, Md. (ABC7) — The Anti-Defamation League estimates that some 30,000 printers on college campuses nationwide, including the University of Maryland in College Park, were accessed late last week to print out hateful fliers.
The flier asks, “The white man if he is sick and tired of the Jews destroying your country through mass immigration and degeneracy, and calls on the white man to join in the struggle for global white supremacy.”
The Anti-Defamation League and other organizations are reporting that avowed white supremacist Andrew Auernheimer admits to being behind the attack that delivered the anti-Semitic flier to thousands of printers at universities across the country.
Jewish students on campus we spoke with told us they are disappointed that people still communicate in such hateful ways.
Student Lydia Sonenklar says, “It’s very sad for me when I see people just hate each other based on differences that don’t really matter so much, and I have a really hard time wrapping my head around it.”
Student Tsvi Glazer says, “It’s unfortunate but it doesn’t affect us so much because we have a strong connection, a strong community and we can all help each other get through anything that happens.” A […]
The post University of Maryland network receives anti-semitic fliers from Hackers appeared first on National Cyber Security.
Close to a week passed after a supremacist feature became a web sensation on online networking. The feature demonstrated individuals from a University of Oklahoma organization who were droning and singing supremacist tunes. All things considered, the debate is still suspended and we have another. An email from a University of Maryland organization has additionally surfaced stacked with sexist, bigot and even criminal dialect. Read More….
The post University of Maryland: Racist Email Further Being Invested appeared first on Dating Scams 101.
CORBIN, Ky. (AP) – Authorities say a teenager killed in a shootout Saturday with police in Maryland prompted the search of his home over 500 miles away in Kentucky, where the bodies of his parents and younger sister were found.
Friends and relatives of 16-year-old Jason Hendrix were struggling to understand how the boy, a faithful churchgoer who was baptized just two months ago, could end up as the suspect in the execution-style slayings.
Corbin Police Chief David Campbell says Hendrix, a high school ROTC student and active church member, was angry at his parents for taking away his computer privileges.
Police believe the victims were gunned down late Wednesday afternoon in their home.
The post Police connect officer-involved shooting in Maryland to triple homicide in Kentucky appeared first on Parent Security Online.