[ISN] When Gaming is a Gamble

From: InfoSec News (isn@private)
Date: Wed Mar 24 2004 - 04:02:15 PST

  • Next message: InfoSec News: "[ISN] Lieberman blasts Bush cybersecurity plan"

    http://www.securityfocus.com/columnists/229
    
    By Mark Rasch 
    Mar 22 2004
    
    As a computer security expert, you are hired by an offshore casino in
    the Cayman Islands to develop a security and authentication
    technology. Your client is a licensed Cayman casino that has been
    operating for over 30 years, and wants to make a foray into online
    gaming.
    
    You perform a standard penetration test, a security assessment, an
    architecture and code review, help establish the SSL and
    authentication protocols, and help with firewall implementation and
    monitoring -- you know: the full suite of security services. You test
    the beta site and its configuration, and give your stamp of approval.
    
    With check in hand, you return to America and days, weeks or months
    later, the site goes active. A few weeks after that, you are visited
    by an FBI agent with a federal grand jury subpoena seeking records
    relating to your security work. Weeks after that, a knock on the door
    announces the arrival of deputy U.S. Marshals with a warrant for your
    arrest for violation of 18 U.S.C. 1084 and 18 U.S.C. 2.
    
    Your computer security consulting may have earned yourself a one-way
    ticket to the hoosegow.
    
    U.S. law generally makes it a crime if you are "engaged in the
    business of betting or wagering" and you "knowingly [use] a wire
    communication facility for the transmission in interstate or foreign
    commerce of bets or wagers or information assisting in the placing of
    bets or wagers on any sporting events, or contest..." This statute, 18
    USC 1084, is called the "wire act" and has been applied for more than
    70 years to go after offshore bookies who seek to evade U.S. law by
    locating overseas.
    
    However, Internet gambling is legalized in Liechtenstein, Gibraltar,
    Australia, New Zealand, Costa Rica, and a few Caribbean islands. So
    the first question is whether Internet gaming by a company in a
    country that permits it is a violation of U.S. law. The U.S. Justice
    Department argues that it is -- and has the arrests and convictions
    (well, guilty pleas) to prove it. The theory is that entities that are
    in the business of betting or wagering (even where this is legal), who
    use international communications facilities like the Internet, and in
    some way "enter" or "affect" the United States or U.S. citizens, are
    violating the Wire Act.
    
    What does this mean to you, the security professional? You aren't in
    the "business" of betting or wagering. You haven't taken any bets over
    international wires.
    
    
    Living Vicariously
    
    A recent New York Times article reports that U.S. prosecutors are
    beginning to use the federal aiding and abetting statute to
    investigate and potentially prosecute those who, through perfectly
    lawful activities, assist online gaming companies that flout U.S. law.  
    This includes banks, broadcasters, ISPs and advertisers who help these
    casinos get their message out. The same net could easily snare
    information security professionals who, either deliberately or
    inadvertently, assist the gamers in their activities.
    
    This represents a potentially dangerous trend for information security
    professionals. Security, by its nature, is intended to facilitate
    concealment. It ensures that only those authorized to "enter" may do
    so. If properly implemented, it can protect the confidentiality of
    communications, prevent unwanted parties from accessing files, and
    even arrange for files to "self destruct" when improperly accessed.
    
    With this power comes some responsibility, and some duty to inquire
    about the use of the technology. Clearly if a narco-trafficker in
    Bogota or a member of Al Qaeda in Afghanistan seeks assistance in
    concealing their activities, the moral as well as legal answer is a
    resounding, "no." In fact, in the case of the terrorist (or a group
    designated by the government as a terrorist organization), providing
    "material support" is a criminal offense, even without the aiding and
    abetting language.
    
    But the U.S. government's assault on those who assist gamers presents
    a much more difficult issue. It essentially imposes responsibility on
    the security professional to inquire of his or her clients the reason
    they are seeking confidentiality, integrity or availability, and to
    make an independent judgment about whether these reasons may violate
    the laws of any nation that may touch the networks -- all under
    penalty of criminal prosecution.
    
    Thus, a network administrator for Arthur Anderson who provides copies
    of Norton utilities runs a risk (albeit a small one) of indictment
    when the software is used to wipe files relating to Enron.
    
    The criminal conspiracy statute, 18 U.S.C. 371, is known as "the
    prosecutor's friend" because of its talent for incarcerating people
    even tangentially connected to criminal activity. Yet even this
    statute requires the government to show an agreement to commit a
    crime. The aiding and abetting statute requires no such proof. It only
    requires the government to show that, with knowledge (express or
    implied) that a party intends to commit a crime, the defendant
    provided material support for that person.
    
    And the punishment for aiding and abetting is the same as for
    committing the underlying crime.
    
    Applying this rationale to Internet crimes and information security
    professionals is a dangerous and inherently slippery slope. The
    information security professional who sets up a secure website for
    people to protest against Chinese occupation of Tibet runs the risk of
    criminal and capital punishment in China. The man who sets up the
    secure payment system for a Norwegian purveyor of dirty pictures may
    be prosecuted in the United States for a vicarious violation of U.S.  
    "indecency" laws.
    
    A line must be drawn -- clearly. If a person with intent to facilitate
    criminal activity deliberately does so, then it's fair game to
    prosecute. But we should not impose on the security professional a
    duty to know what the laws of the world are as applied to Internet
    activities. Hell, even us lawyers can't keep track.
     
     
    SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the
    Justice Department's computer crime unit, and now serves as Senior
    Vice President and Chief Security Counsel at Solutionary Inc.
     
    
    
    
    _______________________________________________
    isn mailing list
    isn@private
    http://www.attrition.org/mailman/listinfo/isn
    



    This archive was generated by hypermail 2b30 : Wed Mar 24 2004 - 07:31:12 PST