My Career as a Bulk Downloader


The core of the case against Aaron Swartz was that he downloaded millions of academic articles from JSTOR without permission. He did so by sneaking into an MIT wiring closet and evading MIT’s and JSTOR’s attempts to detect and block him. But the heart of the case, the conduct without which there would have been no point and no problem, was the downloading.

To put this in perspective, I, too, am a bulk downloader. James has downloaded his thousands, and Aaron his ten thousands. And there but for the grace of the Assistant United States Attorneys (who wield god-like prosecutorial power), go I.

In law school, during my time at the Yale ISP, I wrote for and ran LawMeme, a blog about law and technology. (Here’s one of its greatest hits, Ernie Miller’s classic “Top Ten New Copyright Crimes”.) It was a Slashclone based on PHP-Nuke, and it ran from roughly 2001 to 2006 before succumbing to script kiddie penetration attacks, a lack of new content, and administrative neglect. The domain names expired, the content-management engine was hacked beyond repair, and the powers that be ultimately made the sensible decision to pull the plug and not to try reviving it.

But this meant losing an archive of about fifteen hundred posts. I had a strong personal attachment to some, like the post that would ultimately become Accidental Privacy Spills. Others, like my posts on the Search King lawsuit, were the first draft of history. Ernie’s posts on the copyright disputes of the early oughts were memorable, vivid pieces of writing that deserved to be saved.

So I took on the task of making a static archive of what could be salvaged from LawMeme. LawMeme itself had been dynamically generated: each page was assembled from various chunks of content thrown together by the server on the fly. The archive would consist simply of fixed, unchanging webpages. There’s no good index to them, but if you search for “LawMeme” and any of the topics we wrote about, you’ll see articles that look more or less as they did back in the site’s heyday.

But to create the archive, I couldn’t just go back to the long-defunct LawMeme site itself. Instead, I had to turn to the Internet Archive’s Wayback Machine, which keeps snapshots of webpages from over the years. But with well over a thousand posts to retrieve, I didn’t want to sit there copying by hand.

And so I became a bulk downloader. I wrote a Perl script: a simple, 70-line program that exhaustively went through the Wayback Machine, looking for a copy of each LawMeme article. Just like Aaron’s script, mine “discovered the URLs” of articles and then downloaded them. And just to show how mainstream this is, I’ll add that I built my script around an elementary one that Paul Ohm published in “Computer Programming and the Law: A New Research Agenda,” his manifesto for why more law professors should write code. Paul’s script downloaded and analyzed the comment counts on posts from the popular legal blog The Volokh Conspiracy.

I think this was completely legal. But in today’s environment of fear and prosecutorial intimidation, who can be sure? I own the copyright in my own posts, I had the permission of the ISP to create the archive, and the implied license that all of the contributors gave to LawMeme would almost certainly cover this backup. But almost certainly is not absolutely certainly. Maybe some AUSA wants to build a career taking down professors, putting me in the crosshairs.

Or take the Internet Archive’s terms of service. By using the site, I supposedly promised not “to copy offsite any part of the Collections without written permission.” The site’s FAQ qualifies this statement a bit, adding, “However, you may use the Internet Archive Wayback Machine to locate and access archived versions of a site to which you own the rights.” Again, I was confident that this covered me. But confidence is not certainty. I assumed that no one would care to press the question. After Aaron, is that such a safe assumption?

I can’t imagine that the Internet Archive would have a problem with what I did. Recreating lost websites for the sake of the public and posterity is completely consistent with Brewster Kahle’s expansive humanist vision of digital archiving. But JSTOR quickly made its peace with Aaron, and that didn’t save him. Would Brewster’s blessing save me from the wrath of the feds?

Indeed, my script waited a second between each download. I didn’t want to put too much of a load on the Archive’s servers. But a cyber-Javert could describe it as an attempt to evade detection. Then, to get the webpages to display right in the LawMeme archive, I wrote another script to delete the bits of HTML added by the Internet Archive to the pages in its archive. Was that an effort to hide my tracks?

Another one of Paul’s papers presciently predicted the way our computer misuse statutes were vindictively turned against Aaron. In The Myth of the Superuser, Paul describes how these laws are written to protect against a mythic bogeyman, the all-powerful demented superhacker, capable of breaking into and destroying any computer system, bent on sowing chaos and devastation online. But the laws are used to punish minor misdeeds by unthreatening defendants. Imagine Mr. McGregor training a howitzer on Peter Rabbit and you have the idea.

Aaron’s Law is a start, but the problems with our computer crime laws, and with criminal law in general, run much, much deeper. The Department of Justice thinks millions of parents who made Facebook accounts for their children are federal criminals. Read the majority opinion in United States v. Nosal and ask yourself whether you’ve fudged your age on a dating site, or let someone else use your account, or used a workplace computer to check the baseball scores. Judge Kozinski noted, skeptically, “The government assures us that, whatever the scope of the CFAA, it won’t prosecute minor violations.” Tell that to Aaron’s family.

I am Aaron Swartz-icus, and so are you.


I do hope that along with all the righteous and well-warranted outrage over Aaron Swartz’s case, and in addition to a reform of CFAA (“Aaron’s Law”), there is also attention paid to how the very same bullying tactics are used day in and day out by federal prosecutors all over the country, to coerce guilty pleas and generate excessive sentences — measured not in months but often in decades — against countless other young men of around Aaron’s age who are not white, wealthy or prodigies, but who are human beings nevertheless, who have families and friends who love them, whose own particular talents are made to go to waste, who have been caught up in the “war on drugs” and become statistics in our national scandal of overincarceration.


I agree. Part of what has made people sit up and take notice of Aaron’s story is that it has shown the immense and coercive power at work in the daily administration of our criminal justice system to an audience that does not usually have such things brought to its attention. The treatment he received — using an insanely disproportionate sentence as a threat to pressure him into accepting a sentence that is “only” seriously disproportionate — is a standard part of the prosecutorial toolkit.


As the Digital Librarian of the Internet Archive which runs the Wayback Machine James refers to, we too bulk download and encourage others to download from us (as long as we do not get in trouble from others).

Our terms-of-service is now a decade old, and was written, as many are, with an eye to keeping us out of trouble from others. Since the Wayback Machine contains materials from others we put in the crawling CYA. Updating terms-of-service is hazardous business and not much fun — so it is often neglected.

There is bulk downloading and there is bulk downloading. Some downloading is for doing datamining projects, some for archiving, and some are for duplication of someone’s service. I imagine some providers would be fine with some uses but not others — but trying to define the difference in a terms-of-service could be very hard, leading to sweeping statements which then are selectively applied.

Having the Feds jump on people for violating a terms of service, and in the case of Aaron, even having the feds keep going after a user after the site said they have settled any issues, is inappropriate and quite frankly frightening.


I, too, am a bulk downloader.

“Hi Paul.”


You are a law professor, and yet it seems to me you have mis-stated something absolutely critical about the legal basis of the case that must be clear to you.

What Swartz took from JSTOR was clearly labeled as someone else’s property; involved actions clearly labeled as something he was not supposed to do (and he knew it, which is why he wasn’t just able to do it from home, or use the JSTOR tools to download 4 million articles, etc.); and, at least from a legal perspective, intended to take something of value from someone else (namely, JSTOR’s exclusive right to distribute archives it created—which is vital to note; JSTOR created the archives in order to distribute them). There is no getting around this; JSTOR only backed off the legal case when it secured the return of all its files and Swartz’s promise not to distribute them. On its face, this demonstrates that JSTOR considers those files and its exclusive right to distribute them of significant value.

While you may or may not have been violating archive.org’s TOS, you took material that is available on the public web and that you or your associates had a direct hand in creating. Nobody has ever tried to charge for access to it, and archive.org had no established exclusive right to distribute it.

As a law professor you must know that there must be a theft of property at the core of a theft-related crime in order to move ahead with prosecution. Like those who have suggested that by spoofing MAC addresses they could be just as vulnerable to prosecution as Swartz was, they mistake means for acts. Whether or not you agree that he did it, the action against Swartz was for breaking and entering to steal something that belongs to somebody else. You did nothing of the sort. There would be nothing to take action against you in court for—no conceivable economic or any other harm to Archive.Org for distributing its already freely-available content.


As long as you’re now discussing the prosecutorial toolkit I will note the following:

You wrote to me 16JAN2013 on Laboratorium.net:

John, it’s not just unethical to base the sentence for crime A on the defendant’s potential to commit crime B in the future, it’s unconstitutional. It would violate the Sixth Amendment right to trial by jury.

The following is excerpted from The US Sentencing Commission (USSC) Guidelines Manual issued November 2012, Chapter 1, Page 4:

A philosophical problem arose when the Commission attempted to reconcile the differing perceptions of the purposes of criminal punishment. Most observers of the criminal law agree that the ultimate aim of the law itself, and of punishment in particular, is the control of crime.

Beyond this point, however, the consensus seems to break down. Some argue that appropriate punishment should be defined primarily on the basis of the principle of “just deserts.” Under this principle, punishment should be scaled to the offender’s culpability and the resulting harms. Others argue that punishment should be imposed primarily on the basis of practical “crime control” considerations. This theory calls for sentences that most effectively lessen the likelihood of future crime, either by deterring others or incapacitating the defendant.

Adherents of each of these points of view urged the Commission to choose between them and accord one primacy over the other. As a practical matter, however, this choice was unnecessary because in most sentencing decisions the application of either philosophy will produce the same or similar results.


Everyone is appropriately commenting about how the possible misapplication of the CFAA to (relatively) ordinary activities like downloading publicly available data makes them scared. Consider, then, how much more of a chilling effect the CFAA has on Good Samaritan reporting of security holes. See this report from the Computer Security Institute.

I just might have personal experience with this area. I found it appalling that the report I cite above quoted an official saying

After the Cuthbert case, Derek Wyatt, a member of Parliament, and chair of the All-Party Internet Group (APIG) said, “It has never been the intention of myself or APIG that any revisions to the Computer Misuse Act would infringe upon security professionals’ ability to do their job. However, with regards to Daniel Cuthbert, his ‘job’ was not to test the security of the Web site, but rather to determine whether the charity was in fact legitimate.” Wyatt said Cuthbert could have searched for the DEC on the list of registered charities instead.

without noting that Wyatt’s idea, that verifying that a charity is legitimate would protect someone from phishing using that charity’s name, is patently absurd, and just emphasizes that people without a security mindset often underestimate their inability to understand security related issues (note that this doesn’t mean I believe that Cuthbert’s actions were a good way to check for phishing, just that Wyatt’s recommendation certainly isn’t).

To return focus to what happened to Aaron, I noticed a common theme in many of the cases cited in the CSI report: when security weaknesses are brought to light, it appears that one of the most common reactions from the people whose job it was to prevent these weaknesses is to frantically search for someone else to blame for the damage which is actually their personal responsibility: the CFAA, of course, being the ideal weapon to use for this redirection. My guess is that MIT’s treatment of Aaron’s case was heavily flavored with that particular human foible.


Withheld by Prosecution, if our computer misuse laws operated the way you claim, they would be less problematic. But they do not. You make an ethical argument that my actions are distinguishable from Aaron’s, not a legal one. But my point was that we cannot trust prosecutors armed with expansive statutes to behave ethically.

In the initial wave of attempts to prosecute computer crimes as common-law and statutory theft offenses, the fact that downloading information didn’t deprive the computer’s owner of it (and therefore didn’t satisfy the central factual element of traditional theft) proved a sticking point for many courts, including the Supreme Court.

Congress and state legislatures responded in two ways. First, Congress successively developed an expansive law of criminal copyright infringement. The essence of harm there is the one you describe: copying something (information) that belongs to someone else without permission, thereby impairing the owner’s economic interests in exclusivity. Whether or not they’re behind a paywall or on a secure system has nothing to do with the crime. (And note that Aaron was never charged with criminal copyright infringement …)

Second, there are federal and state computer misuse statutes. And, by and large, these statutes simply do not contain the restriction you describe. The federal Computer Fraud and Abuse Act, for example, applies to anyone who “intentionally accesses a computer without authorization … and thereby obtains … information from any protected computer.” The statute does not require that the information be copyrighted, that it be secret, that it be “owned” in any sense, or that it not be otherwise available.

John, have a look at United States v. Booker before you start citing the Sentencing Guidelines as authority for what kinds of sentencing decisions are constitutional.


Already looked at Booker; it was the first thing that popped up. Convicted persons all the time are required to follow up with drug tests or stay 1000 feet from a public school as deterrents to further activity. It would seem to me that the USSC is reasonable enough authority and fully aware of Booker in the guidelines. It mentions that there are ‘observers of criminal law’ who have no problem with the ‘crime control considerations’ being well within constitutional grounds.

As to evidence presented to the jury or admitted by the defendant in court my guess would be that the prosecution would have entered into evidence the statement of AS among many others that:

“There is no justice in following unjust laws. It’s time to come into the light and, in the grand tradition of civil disobedience, declare our opposition to this private theft of public culture.”


Wrong again, John. Drug testing is a condition of supervised release, not a sentence. A defendant who has been sentenced for crime A will have that sentence reduced (be let out of prison early) in exchange for taking part in drug testing and other conditions. Sex offender residency rules aren’t sentences, either: they’re civil, not criminal. And, as you’ll see if you care to read the Guidelines themselves, rather than the introductory sections that explain the general philosophy of criminal law, the actual Guidelines are concerned almost exclusively with the defendant’s previous conduct. You say you looked at Booker, but you have not even engaged with the Sixth Amendment, let alone the other Constitutional guarantees (the Ex Post Facto Clause, the Bill of Attainder Clause, the Due Process Clause, the First Amendment, etc.) securing the fundamental principle that the government may only punish people for what they have actually done.

These are, by the way, exactly the same kind of mistakes about law you are constantly making when discussing the Chafee Amendment: no awareness that legal sources come in a hierarchy of authority, and no willingness to look at the larger picture of how different provisions fit together overall. The difference being that there, you are enough of a subject matter expert to have a real point, whereas here you are speaking from ignorance.


So now I am ignorant and you do not feel that the USSC and its Commissioners are not sufficient authority on the constitutionality of federal sentencing procedures. You’re right; I did not read the whole 500+ pages of the Guidelines. This all started on your other column when I was trying to determine, other than from some irrational motive, why the federal prosecution in this case seemed so over the top — nothing more than that.

Again, in explaining general sentencing philosophy, the USSC said that the 2 basic schools are ‘just deserts’ and ‘crime control’. They could have said right then and there for all those who are not federal criminal law experts that the ‘crime control’ school presents a basket load of constitutionality issues and may even be in-and-of-itself totally unconstitutional. What they said was that such approach is favored by a group of ‘observers of criminal law’ maybe even some of those on your own NYLS faculty.

And as I read above, you used the word ‘insane(ly)’ to characterize the methods and maybe motives of the Boston Federal Prosecutor’s office. Maybe you spend too much time reading TechDirt.


John, that’s not what I said. But I suppose this is my own fault. If you don’t read legal documents carefully, why should I expect you to read my comments carefully, either? I’ll walk through this once more, and then I am done engaging with you on this issue.

The Sentencing Commission was explaining the underlying purposes of criminal law. Those include retribution against wrongdoers, deterrence of the particular individual from committing this specific offense, deterrence of others in similar situations, and incapacitating the particular individual from committing future offenses. The first corresponds to “just deserts”; the latter three to “crime control.” And there are other purposes, too, like making public expressive statements of society’s values and rehabilitating offenders so that they no longer want to harm others.

You are reading “crime control” as though it only means incapacitation — but it means these other things, as well. And criminal law theorists (whose work I read, whom I talk with regularly, and with whom I have even co-authored an article) focus overwhelmingly on deterrence rather than on incapacitation as a legitimate justification for and explanation of criminal law, criminal procedure, and sentencing. (Orin Kerr’s detailed post on Swartz, for example, is heavily deterrence-focused.)

But the passage from which you quoted is a general background discussion of criminal law and sentencing; it is not itself legally operative. (It’s rather like the legislative history of the Chafee Amendment you’re so fond of quoting: relevant to understanding law, but not law itself.) The actual Guidelines do not allow for any significant consideration of incapacitation. That’s because they’re drafted as instructions for determining a sentence based on what the defendant has actually done. Booker made the Guidelines discretionary rather than mandatory because the jury trial right is so strongly linked to making sure that criminal punishment is only imposed for a defendant’s actual conduct. The judicial fact-finding involved in calculating a mandatory sentence, the Court concluded, took that fact-finding away from the jury.

Now, one hardly needs to know all of this theory and doctrine. Plenty of other people have made quite helpful contributions, here and elsewhere, without knowing any of it. But you set yourself up as an authority on it, reaching out to the Sentencing Guidelines Manual, pulling out a quotation, and saying, “Look what I have found! The experts agree with me!” Except that they don’t, because you have ripped the quotation out of its legal context, and out of its context in the Guidelines Manual.


So I guess you’re right: rather than “lessen(ing) the likelihood of future crime” — which to my non-lawyerly look at the Boston Fed prosecutor’s prosecution seemed about the only rational explanation of their seemingly excessive zeal — I guess, as you choose to characterize it from your Professorial Law School capacity, they were all just insane. You seem to offer no other explanation.

So now I’ll quietly wait in my misguided capacity for the HathiTrust Appeal & the special WIPO SCCR session next month where I have a better grasp on the subject matter but still remain ignorant of the law.


James,

I appreciate your response to my earlier question, though I’m not convinced that I’m making a distinction of ethics as opposed to law. The indictment against Swartz returns repeatedly to the deprivation of value that JSTOR (and the publishers) would have experienced had the materials been distributed, and appears to have evidence not available to us that distribution was his intent. I take the total shape of the charge to be directly related to that: which is to say that, had he not taken anything of value (which I insist is the case in your example), the charges would have been different, if they had been made at all.

But there is a more direct response to this question. You say, “our computer misuse laws… do not operate this way.” That suggests to me that many people are being charged and convicted for computer fraud when the underlying action involves doing nothing of any conceivable economic benefit to the actor or harm to the victim. In Ron Kaminsky’s posting, he links to a document that describes a case in the UK involving Daniel Cuthbert that does look like this: Cuthbert used “hacking tools” (broadly construed) but took nothing of value and didn’t damage anything, and was charged nevertheless. This case does appear to be clear overreach in the way you describe; however, although convicted, Cuthbert’s entire penalty was about $1750, $1000 of which was court costs.

If the reasoning suggested in your blog post was correct (and you are not alone in suggesting this by any means), I would think there would be a large number of such cases, and I would expect the penalties to be outsize (I am not sure $700 plus court costs meets this test). I am a professional in this field but not a lawyer or law professor, so while I’d assume I’d have seen news of this, I haven’t researched the question in legal resources. Is there, in fact, a large number of such cases? The Swartz case is very heated and some of its facts are in dispute and some will never be known. I would be more easily persuaded that the law itself was flawed (which I am, to be clear, not opposed to at all; my original point in posting is that I don’t see a close enough parallel between your scenario and the Swartz one) if I could be pointed toward a body of cases in the US that resemble Cuthbert’s or the scenario you describe in your own posting.


Withheld:

Cuthbert used “hacking tools” (broadly construed)

Er, what exact hacking tools are you talking about? Web browsers? His brain? His special knowledge?

If I sent you an email with a hyperlink to the URL which he attempted to visit, should your following that link justify your being prosecuted? Personally, I would guess not. And why? Because you did not follow that link with malicious intent. Unfortunately, as far as I can see, Cuthbert didn’t have malicious intent, either.

As for your assessment of the monetary damage to Cuthbert, you do not factor in the fact that even being investigated almost certainly affected his ability to work as a security contractor for a bank.

Given the ruling in Cuthbert’s case, whenever I get a 404 warning on an old hyperlink and try to access the parent directory to see if I can figure out to where the linked material has moved (if that is the reason for the 404), I’m “hacking” that website’s webserver. I guess I’m lucky not to live in the UK…


Ron,

I meant that the prosecutors and court appeared to think Cuthbert’s actions met the legal definition of hacking, in whatever way that law describes it. The document you posted indicates two things, both fairly general: “Cuthbert probed a site application with a trivial shell command to test its security” and his actions triggered “the site’s intrusion detection system (IDS).” Given that Cuthbert was a “professional security contractor” I assume he knew what intrusion detection systems might be looking for. I have fairly good technical knowledge and don’t know how to trigger an IDS via shell commands, or via typing something in a URL. Depending on how the law is written, that sounds like “hacking” in the most broad definition to me. I would not run shell commands against a website that was not part of the application suite it exposes, and while I might not expect trying to do that to be illegal, I’m not sure I would think I had a right to do it either.

At any rate, my point was to agree with you, that Cuthbert’s case seems over the top, and that if there are a bunch of cases like it, particularly in the US since we are talking about US law, I would find that persuasive evidence for remaking the CFAA. “Hard cases make bad law” and Swartz’s case strikes me as a hard one indeed, for any number of reasons, and I’d like to know about other less hard cases that resemble his (or James’s original posting scenario) to be convinced that the CFAA is bad law. I have no problem with the CFAA being bad law, either. I’d just like a broader evidence base from which to make that determination.


Good questions, withheld. The short answer is that the CFAA is both a civil and criminal statute and uses identical definitions for both. This means that competitors suing each other often push for expansive readings. Prosecutors don’t bring those ambitious cases as often (the Lori Drew and Aaron Swartz prosecutions being the highest-profile ones). But the civil cases are on the books defining quite broad scope, leaving many Internet users dependent not on authoritative statements of the courts that certain conduct is okay, but rather on the less certain belief that prosecutors will choose not to bring certain cases.

A notable example is Register.com v. Verio. The defendant there accessed whois data — which ICANN requires to be placed online and made publicly accessible — using an automated downloader. This violated the plaintiff’s terms of service; it sued and won, on contract, trespass, and CFAA theories. The ruling was narrowed on appeal, but the appeals court didn’t repudiate the District Court’s conclusion that it was irrelevant that this was information legally required to be made public.


Hi James,

Thanks for linking to that case. But if I read it right, that’s a civil case, and it involves both (alleged) breach of contract and the plaintiff’s assertion that it was deprived of economic value (or defrauded, through Verio’s implied representation that it was connected to Register.com).

That doesn’t seem quite like the scenario you describe in your posting, which I took to be, at least by implication, that criminal charges could be brought (and even are being brought) for computer fraud without any serious claim of economic or other damage.

I understand your point about prosecutorial discretion, and as I said I’m not opposed to a reasonable rewrite of (the criminal version of?) CFAA to make its terms clearer. I guess, to turn things around a bit, I’m not sure I’m persuaded that the Swartz case shows that the CFAA provides the government with a tool to hound perfectly innocent parties who are doing nothing more than regular internet stuff, which is what your scenario describes, even if it might sound that way theoretically. I don’t think the Swartz case qualifies as evidence for that—according to recent reports, even JSTOR’s initial reaction was that “The magnitude, systematic and careful nature of the abuses could be construed as approaching criminal action” (http://www.nytimes.com/2013/01/21/technology/how-mit-ensnared-a-hacker-bucking-a-freewheeling-culture.html?ref=business&pagewanted=all&_r=0).

Your claim appears to be that the law allows that sort of hounding of innocents in theory, which I’ll grant (although I presume that it’s an important function of judges to prevent such poor uses of law from continuing to trial). Without actual examples of individuals being hounded with no underlying harm, it seems potentially misleading to make the conceptual point.

To be more pointed, I don’t think Swartz was prosecuted for doing what you did. The documents show that many people in the legal process (including, I think, the judge who let the prosecution continue) were convinced that he had done something with deliberate intent to take something to which someone else had the rights and ascribed a value, which is fairly close to the ordinary criminal definitions of fraud and theft. In fact, one of the odd things I’ve noticed about the proposed Zoe Lofgren rewrite of CFAA is that I’m not at all sure it would have made any difference in Swartz’s case. I don’t read the indictment to say that the TOS violations were the core of their case—I think it’s the assertion (for which they appear to have additional evidence not available to the public) that Swartz intended to distribute the files which clearly belong to JSTOR, and that doing so would damage JSTOR significantly, and that the TOS is invoked because it clearly spells out JSTOR’s exclusive economic right to distribute the material, not simply the acceptable and unacceptable procedures for accessing JSTOR’s site.


Withheld:

The document you posted indicates two things, both fairly general: “Cuthbert probed a site application with a trivial shell command to test its security” and his actions triggered “the site’s intrusion detection system (IDS).”

There is not enough information for me to be sure, but I get the impression that Cuthbert, by looking at some of the URLs used at the site, understood that certain URLs were being tunnelled from the web server to (Unix/Linux) shell, and he tried to test whether the tunnelling was being done properly, by constructing a URL with a specific structure (e.g., by embedding a “;” in it with a second shell command after the “;”).

I have fairly good technical knowledge and don’t know how to trigger an IDS via shell commands, or via typing something in a URL.

Ah, but a URL is a URL. From what you say, you don’t have the expertise to know if a URL which I sent you in an email would trigger an IDS or not, so why wouldn’t you follow the link?

Given that Cuthbert was a “professional security contractor” I assume he knew what intrusion detection systems might be looking for.

Unfortunately, the skill set of a “professional security contractor” does not necessarily include “levelheadedness under stress”, and it may be that Cuthbert’s impulsive action was due to a certain level of (unjustified) panic. My gut feeling is that security professionals who first and foremost evaluate their every action with regards to their personal liability are probably not as effective as those who are less constrained. To make an analogy, I doubt that you would prefer to be operated on by a surgeon who was obsessed by the possibility that he would be sued for malpractice, compared to one who pays for malpractice insurance and just goes about his business. Unfortunately for security professionals, there is no possibility to be insured against criminal prosecution under the CFAA and similar laws, and many, I believe, erroneously think that “lack of bad intent” could fill a similar purpose.