Invitation to Cybersecurity

The definition of hacker we have been using in this text is a person who attempts to gain unauthorized access to a computer system or data or deny access to authorized users. It is no coincidence that the first part of this definition matches the language in the CFAA. This law and the many state laws that are similar to it are why ethical hackers need to be wary. Well-intentioned white hat hacking activities such as probing for vulnerabilities and penetration testing to improve security can violate the CFAA. This law is the main reason why procuring proper permission prior to performing pen testing is paramount! The first ever conviction under the CFAA was a case of white hat hacking going awry.

Punishment under the CFAA can be minor (i.e., a misdemeanor conviction) such as a fine, or major (i.e., a felony conviction) such as five years in prison. Civil action can also be taken. Civil lawsuits are where one private party sues another party for causing harm—in this case, in connection with violating the CFAA.

Lawyers battle it out over the interpretation of terms, so each word and phrase in the law is important. As cases are brought to trial and lawyers try to persuade judges how the laws should be interpreted, judges' rulings set precedents. These precedents are then relied upon in future cases. However, the details of no two cases are identical, so it is not possible to know exactly how a judge will rule in any particular case.

The CFAA has several key terms that are open to interpretation. Table 10.6 lists some of the most disputed terms from Section 2 of the CFAA and probable interpretations according to court precedents.

Table 10.6 Key terms and interpretations for Section 2 of the CFAA.

The following story will help shed light on how these terms might apply in a real-life case.
Alice’s Brush with Cybercrime

Alice was on the University’s registrar website looking over her grades on her transcript when something caught her eye in the address bar of her web browser. The URL included a familiar-looking nine-digit number. When she double-checked it against her
