Tag Archives: Department of Justice

Department of Justice Won’t Prosecute White Hat Security Researchers



The U.S. Department of Justice (DOJ) announced a new policy for charging cases under the Computer Fraud and Abuse Act (CFAA). The purpose appears to be to allow White Hat security researchers to continue doing what they do, without getting arrested for it.

From the DOJ press release:

The policy for the first time directs that good-faith security research should not be charged. Good faith security research means accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.

Deputy Attorney General Lisa O. Monaco said, “Computer security research is a key driver of improved cybersecurity. The department has never been interested in prosecuting good-faith computer security research as a crime, and today’s announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”

The DOJ policy also clarifies that hypothetical CFAA violations that have concerned some courts and commentators are not to be charged. Embellishing on an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a terms of service are not, on their own, sufficient to warrant federal criminal charges.

In addition, the DOJ made it clear that “the new policy acknowledges that claiming to be conducting security research is not a free pass for those acting in bad faith. For example, discovering vulnerabilities in devices to extort their owners, even if claimed as ‘research’, is not in good faith.”

Vice reported that the new policy addresses decades of uncertainty around the law and security research. According to Vice, the policy comes into effect immediately and all federal prosecutors who wish to charge cases under the CFAA are required to follow the policy.

TechCrunch reported: The Computer Fraud and Abuse Act, or CFAA, was enacted in 1986 and predates the modern internet. The federal law dictates what constitutes computer hacking – specifically “unauthorized” access to a computer system – at the federal level.

According to TechCrunch, CFAA has long been criticized for its outdated and vague language that does little to differentiate between good-faith researchers and malicious actors who set out to extort companies or individuals or otherwise cause harm.

I think the policy change made by the DOJ will help clarify what is considered to be beneficial (such as good-faith research) as compared to those who discover vulnerabilities in devices for the purpose of using them to extort the device’s owner. I’m hoping that the list of things that have confused courts and commentators will now be easier for them to understand.


DOJ Seized $3.6 Billion in Stolen Cryptocurrency



The U.S. Department of Justice (DOJ) has arrested two individuals for an alleged conspiracy to launder cryptocurrency that was stolen during the 2016 hack of Bitfinex, a virtual currency exchange. According to the DOJ, the stolen cryptocurrency is presently valued at approximately $4.5 billion, and law enforcement has so far seized over $3.6 billion of it in connection with the case.

“Today’s arrests, and the department’s largest financial seizure ever, show that cryptocurrency is not a safe haven for criminals,” said Deputy Attorney General Lisa O. Monaco. “In a futile effort to maintain digital anonymity, the defendants laundered stolen funds through a labyrinth of cryptocurrency transactions. Thanks to the meticulous work of law enforcement, the department once again showed how it can and will follow the money, no matter what form it takes.”

The Wall Street Journal reported that the two people were both arrested without incident Tuesday morning in Manhattan. They have promoted themselves on social media as entrepreneurs with deep knowledge of tech and a love of travel.

According to The Wall Street Journal, at the couple’s appearance in Manhattan court, U.S. Magistrate Judge Debra Freeman set bond at $5 million for Mr. Lichtenstein and $3 million for Ms. Morgan, requiring that their parents’ homes be posted as security. The judge also ordered that they not have devices with internet access and prohibited them from conducting cryptocurrency transactions.

The two are facing charges related to conspiracy to commit money laundering and conspiracy to defraud the U.S. They were not charged with the hack of Bitfinex.

IBM explains that the blockchain has an immutable record of transactions. No participant can change or tamper with a transaction after it’s been recorded to the shared ledger. Transactions are recorded only once, eliminating the duplication of efforts that’s typical of traditional business records.

In short, the couple who allegedly attempted to launder a large amount of cryptocurrency left a trail of transactions on the public ledger, and the Department of Justice used that trail to uncover the scheme. I’ve seen people on social media suggest that the blockchain is private and untraceable. However, the DOJ was able to find the information it needed.
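To show concretely why a public ledger is tamper-evident rather than secret, here is a small added example (my own illustration, not code from the original post, from IBM, or from the DOJ). It builds a toy hash-chained ledger, shows that editing a recorded transaction breaks the chain for anyone holding a copy, and walks the payment graph from a source address to every address the funds reach, which is the “follow the money” step. The addresses, amounts and transactions are constructed for the demo; real chains add Merkle roots, consensus and far more hops, but the two properties are the same.

```python
"""Toy hash-chained ledger: tamper detection plus fund tracing.
Added example with constructed data; not the original post's code."""
import copy
import hashlib
import json
from collections import deque

GENESIS = "0" * 64


def _digest(obj) -> str:
    """Canonical SHA-256 of any JSON-serialisable object (sorted keys)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def build_chain(blocks):
    """Link each block to the previous block's hash, so the last hash
    commits to every transaction recorded before it."""
    chain, prev = [], GENESIS
    for txs in blocks:
        block = {"prev": prev, "txs": txs}
        block["hash"] = _digest({"prev": prev, "txs": txs})
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain) -> bool:
    """Recompute every hash and check the links. Altering any recorded
    transaction changes that block's hash and breaks the 'prev' pointer
    of every later block, so the edit is visible to anyone with a copy."""
    prev = GENESIS
    for block in chain:
        if block["prev"] != prev:
            return False
        if _digest({"prev": block["prev"], "txs": block["txs"]}) != block["hash"]:
            return False
        prev = block["hash"]
    return True


def trace_funds(chain, source):
    """Breadth-first walk of the payment graph from `source`.
    Returns {address: hops}. Every hop is on the public ledger, so a
    'labyrinth' of transfers only lengthens the path; it does not hide it."""
    edges = {}
    for block in chain:
        for tx in block["txs"]:
            edges.setdefault(tx["from"], []).append(tx["to"])
    hops, queue = {source: 0}, deque([source])
    while queue:
        addr = queue.popleft()
        for nxt in edges.get(addr, []):
            if nxt not in hops:
                hops[nxt] = hops[addr] + 1
                queue.append(nxt)
    return hops


# Constructed sample: stolen coins fan out through intermediaries, then
# converge on an exchange account. One unrelated payment is mixed in.
SAMPLE_BLOCKS = [
    [{"from": "hack_wallet", "to": "hop_a", "amount": 60},
     {"from": "hack_wallet", "to": "hop_b", "amount": 40}],
    [{"from": "hop_a", "to": "hop_c", "amount": 60},
     {"from": "hop_b", "to": "hop_c", "amount": 40},
     {"from": "unrelated", "to": "shop", "amount": 5}],
    [{"from": "hop_c", "to": "exchange_acct", "amount": 100}],
]


def demo():
    """Returns (chain valid?, tampered copy valid?, addresses reached)."""
    chain = build_chain(SAMPLE_BLOCKS)
    intact = verify_chain(chain)
    tampered = copy.deepcopy(chain)
    tampered[0]["txs"][0]["amount"] = 1  # try to shrink the recorded theft
    trail = trace_funds(chain, "hack_wallet")
    return intact, verify_chain(tampered), trail


if __name__ == "__main__":
    intact, after_tamper, trail = demo()
    print("chain valid:", intact, "| after tampering:", after_tamper)
    print("reachable from hack_wallet:", trail)
```

What the ledger offers is pseudonymity, not secrecy: the addresses carry no names, but anyone with a copy of the chain can run the same walk and see that the funds that left `hack_wallet` arrived at `exchange_acct` three hops later. In practice the last hop into a regulated exchange is where an identity gets attached.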


U.S. Department of Justice Unveiled Civil Cyber-Fraud Initiatives



U.S. Deputy Attorney General Lisa Monaco unveiled two new enforcement initiatives, one aimed at cryptocurrency and one at government contractors who fail to report cyber breaches, Reuters reported. The U.S. Department of Justice website calls the latter the Civil Cyber-Fraud Initiative.

The initiative will combine the Justice Department’s expertise in civil fraud enforcement, government procurement and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical systems.

Reuters reported that Deputy Attorney General Monaco announced the initiatives in a virtual speech at the Aspen Cyber Summit. The effort brings together anti-money-laundering and cybersecurity experts and will also focus on cryptocurrency.

“Cryptocurrency exchanges want to be the banks of the future, well we need to make sure that folks can have confidence when they’re using these systems and we need to be poised to root out abuse,” Monaco said. “The point is to protect consumers.”

According to Reuters, Monaco also announced the civil cyber-fraud initiative, which will “use civil enforcement tools to pursue companies, those who are government contractors, who receive federal funds, when they fail to follow recommended cybersecurity standards.”

Personally, I think the Civil Cyber-Fraud Initiative could be a good thing. It sounds like it will bring enforcement actions against companies that are aware a breach occurred but don’t tell their customers about it. Cryptocurrency is relatively new and should have some regulation attached to it in order to prevent fraud.

Some things the Cyber-Fraud Initiative includes:

  •  Use of the False Claims Act to pursue cybersecurity-related fraud by government contractors and grant recipients.
  •  The False Claims Act is the government’s primary civil tool to redress false claims for federal funds and property involving government programs and operations.
  •  A whistleblower provision, which allows private parties to assist the government in identifying and pursuing fraudulent conduct and to share in any recovery, and which protects whistleblowers who report these violations and failures from retaliation.

“Zoom-bombing” Could Result in Fines or Imprisonment



The world is adjusting to the “new normal” of working from home and attending online meetings. While this is happening, a nefarious group of people have decided to enter Zoom teleconferences so they can be abusive to the people who are attending it. The Department of Justice wants people to know that “Zoom-bombing” can result in fines or imprisonment.

The U.S. Attorney’s Office for the Eastern District of Michigan, part of the Department of Justice, posted a release titled: “Federal, State, and Local Law Enforcement Warn Against Teleconferencing Hacking During Coronavirus Pandemic”.

The release points out that the FBI reported this week a rise in “Zoom-bombing”, or video-teleconference hijacking, across the United States. Intruders are disrupting conferences and online classrooms with pornographic and/or hate images and threatening language. In most reported cases the intruders exploit no flaw in the software itself; they simply join meetings whose links or meeting IDs were posted publicly or were easy to guess.

Michigan’s chief federal, state, and local law enforcement officials are joining together to warn anyone who hacks into a teleconference can be charged with state or federal crimes. Charges may include – to name just a few – disrupting a public meeting, computer intrusion, using a computer to commit a crime, hate crimes, fraud, or transmitting threatening communications. All of these charges are punishable by fines and imprisonment.

The Verge reported that the press release, posted on the Department of Justice’s website under the U.S. Attorney’s Office for the state’s Eastern District, carries the support of the state attorney general and the FBI.

The press release includes a quote from Matthew Schneider, United States Attorney for the Eastern District of Michigan: “You think Zoom bombing is funny? Let’s see how funny it is after you get arrested. If you interfere with a teleconference or public meeting in Michigan, you could have federal, state, or local law enforcement knocking at your door.”

I understand that some people are getting bored while under “shelter at home” orders. That doesn’t give them the right to go online and harass people. I wonder when we will hear news about the first arrest of a “Zoom-bomber”?


U.S. Department of Justice Announced Antitrust Review of Big Tech



The United States Department of Justice announced that the Department’s Antitrust Division is reviewing whether and how market-leading platforms have achieved market power and are engaging in practices that have reduced competition, stifled innovation, or otherwise harmed consumers.

The Department’s review will consider the widespread concerns that consumers, businesses, and entrepreneurs have expressed about search, social media, and some retail services online. The Department’s Antitrust Division is conferring with and seeking information from the public, including industry participants who have direct insight into competition in online platforms, as well as others.

The Wall Street Journal reported that the inquiry by the Justice Department adds “a new Washington threat for companies such as Facebook Inc., Google, Amazon.com Inc., and Apple Inc.”

CNBC reported: “The move is the strongest by Attorney General William Barr towards Big Tech, which faces increased scrutiny from both political parties because of the expanded market power the companies have and the tremendous amount of consumer data they control”.

CNBC also reported that shares of Facebook, Alphabet, and Amazon all fell more than 1% immediately after the announcement and that Apple’s stock also dropped.

This follows the European Commission’s antitrust investigation to assess whether Amazon’s use of sensitive data from independent retailers who sell on Amazon’s marketplace is in breach of EU competition rules.

Several other countries have also opened investigations into the practices of the big technology companies.

It seems to me that the more investigations that happen, the less likely it is that all of these big tech companies will come away from this without facing penalties, fines, or requirements that they make changes.


U.S. Homeland Security Shuts Down BitTorrent P2P Site

Ten people suspected of involvement with the EliteTorrents website were served warrants by Homeland Security agents. According to the agency, this is the first criminal enforcement action taken against copyright violators who use the BitTorrent peer-to-peer (P2P) file-sharing software. The operation, codenamed D-elite, targeted administrators and content providers working through the EliteTorrents website.
