87 comments

[ 6.2 ms ] story [ 141 ms ] thread
Debate on CISPA is happening on the floor right now, you can watch online here: http://www.c-span.org/Live-Video/C-SPAN/

But most importantly, take 2 minutes and call your House Rep and tell them what you think about CISPA: https://eff.org/r.5bPw

I called my reps last week, but it also might not be a bad idea to drop Rogers a line on twitter, explaining who and what you are, and telling him that you oppose the bill.

I found it quite cathartic.

I hope you didn't forget to mention that you're neither 14 nor residing in a basement.
As Senator Mark Hanna said in 1895 (118 years ago!): "There are two things that are important in politics. The first is money, and I can't remember what the second one is."[1] If you want to understand why Representative Mike Rogers is mocking CISPA opponents as "14 Year Old Tweeters in Their Basement," just ask, who finances his political campaigns?

I hate to be cynical, but calling your Representative may not be enough. Judging by Hanna's 118-year-old quote, it's never been enough. In the long run the solution might be campaign finance reform, but in the short run we may also want organizations like the EFF to raise money so they can finance political campaigns aligned with their values, gaining more influence over the political process.

--

[1] http://www.goodreads.com/quotes/405598-there-are-two-things-...

Is there a good lobby to donate to that lobbies for EFF-like positions?
EFF is happy to take your money.
Does the EFF lobby though?
Yes, they do quite a bit of lobbying.
This makes me happy to continuing donating to the EFF every year.
The EFF and the ACLU defend personal freedom by lobby and direct litigation in court. They both been earning my money, someone who trades in information, for years.
it seems these days you can swap out the word "politics" in that quote with just about any other field and it'll remain just as true.
That's what we call capitalism. The difference is that politicians are supposed to represent the people, not just the people with money, but in practice they are also capitalists.
I'm curious as to why you think this is unique to capitalism. Politicians in every political system tend to help those who can return the favor. Whether it's communist leaders who award control of industries to their army buddies or socialist leaders who enact barriers to entry to advantage their schoolmates, this occurs everywhere.

At least when it's pay-for-favors the public can follow the money. Not to mention the fact that under this system, any ordinary citizen has a much better chance of affecting outcomes by encouraging others to pool resources than he would have under systems that afford people power mainly, or solely, through kinship or affiliation.

I think you've misread my comment. My "capitalism" bit was about "any other field", not politics.
(comment deleted)
It's being voted on today and tomorrow, make these days count.
Anytime someone's argument is the moral equivalent of 'my opponents are doodie-heads' I pretty much start ignoring them. It is a shame that an elected official, ostensibly 'leading' our country, is making such idiotic arguments and isn't more embarrassed about doing so.
The problem with ignoring politicians is that it just encourages them...
Yes, when I said ignore I meant from an information gathering perspective. If I care about an issue enough I will actively donate to organizations representing my interests. It is really all I can do when <insert idiot politician> is from an area I have no vote in.
Or if you ignore them they go along and do what the corporations want. What you need to do is vote out the incumbents during the next cycle. Irregardless of the party.
Unfortunately, you can ignore politicians, but they're not going to ignore you...insofar as your rights are concerned at least.
In some aspect he is exactly right - our CISPA fight needs support not only from tweeters, but from people like founders of Twitter who can speak in the language of money and campaign funds.

The tech industry is so much bigger and more important to USA economy than the content industry that allowing them to dominate the lobbying discussion is just a 'tail wagging the dog' situation.

CISPA has nothing to do with the content industry. You'll also find that the tech industry has plenty of lobbyists, and a few of them are supporting CISPA. (Ed: Ah, there's tptacek on this thread.)
Mike Rogers is making it very hard to defend CISPA by saying things like this, but I'll point out that what Mike Rogers thinks about CISPA opponents is probably the least important thing to know about the bill.

Something you might want to know is that "Fight For The Future" feels comfortable riling you up without telling you the full story about the bill. CISPA, according to FFTF, "lets the government spy on you without a warrant". In actual fact, CISPA is an opt-in measure that allows a company like Yahoo to share information about ongoing attacks --- which find a specific definition in the bill, more specific than any other cyber bill proposed --- with security providers and with law enforcement.

It's been my experience that most people who oppose CISPA are not familiar with what the bill actually says, even though CISPA is a very short bill. There are principled opponents of CISPA with very strong arguments, but sites like FFTF are unprincipled in their opposition to the bill.

I'm not familiar with the bill, but based on your description, why does there need to be a bill to share information about attacks with law enforcement and security providers? Why couldn't this happen already? If Yahoo! were sharing data with a security agency about an attack, this would seem pretty reasonable.
Why not just read the bill?
Just read it. Unless I'm mistaken there's a liability shield. If that's true, this bill is bullshit. Liability shields do not protect consumers. They use the force of the State to protect corporations, which is totally against the free market.

"EXEMPTION FROM LIABILITY.—No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self- protected entity, or cybersecurity provider, acting in good faith"

The liability shield is practically the whole point of the bill; there are something like 10 federal laws that restrict what information can be shared in any circumstance, intentionally or not, which precludes a bunch of different forms of cooperation during attack.

A simple use case for this law: you are under a concerted DDOS attack. Your network deals with, say, drivers records. Drivers records are protected under the DPPA. You want to share NetFlow information with a 3rd party DDOS tracking service. Today, your general counsel needs to authorize any such sharing explicitly. Post-CISPA, you could make arrangements to share that information automatically.

Problems sharing information due to existing federal laws and the liability shield, to me, are unrelated. And what is the point of existing laws if they're just going to create another layer of laws to bypass them? Who's going to oversee this network of cyber security entities? The State? I just don't see much accountability in that. Maybe if there were independent, non-state third parties reporting to consumers and providing transparency.
This is in my opinion a totally reasonable criticism of CISPA.

Taking the opposing position, I might argue:

(a) Our total ineffectiveness at responding to current network security attacks is such a pressing issue that a legislative "patch" makes sense, rather than spending time litigating fiddly changes to tens of existing statutes.

(b) It might not be to our benefit to relitigate the protections of those existing privacy bills; the result might be a weakening of existing privacy protections. Creating a common-sense exception that says "you can share malware or DDOS netflow traces no matter what kind of company you are" might leave our civil liberties safer in the long run.

Why on earth would you need to send the actual drivers records? Of course we don't want to share that. Nothing in the DPPA prevents sharing netflows.

And that is kind of a poor justification because we know that society doesn't currently have an epidemic of people DDoSing the DMV.

Someone else wants this passed, and they really want it passed. It ain't the DMV.

You don't. You only need to reveal information that could with analysis be used to derive information protected under some piece of privacy legislation.

Incidentally, the DPPA wasn't written to lock down the DMV.

I use the DPPA as an example of surprising limitations on the ability of private companies to share operational data that could conceivably due to operator error or time constraints potentially include protected information. Another example: FERPA.

What you say is misleading. You say "allow them to share," when you should say "immunity from prosecution related to damages resulting from them sharing."

Basically, it's open season on surveillance because now companies aren't liable if requests are followed in "good faith," which essentially means "we did whatever the government wanted."

I'm not sure how anything you said contradicts anything I said. Service providers are, by the way, not immunized from civil suits if they share information not incident to an actual attack.
And how are the affected people to know that such information has been shared, if you can't even make a FOIA request?
Any bill that ever allows private companies to share information with the USG is going to include a FOIA exemption, because the alternative is that no private company's management team would ever allow information to be shared under any circumstance, as it could allow the public access to trade secrets, contractually confidential information, and market intelligence.
Ok, but you haven't answered my question.
I think my answer is they probably won't know. The purpose of the bill is to allow sharing of operational data about network security attacks. The bill isn't intended to allow private companies to share your Facebook profile or email.

I guess you could argue that malware often uses mail to spread, and that a social media provider might dragnet a whole bunch of email spools to collect malware samples and then forklift it to LEOs for investigation. That would be bad.

The bill takes some small steps to keep that from happening, but probably not enough.

Anything can be roped into "actual attack." Remember the actual language of the bill, since you read it: "theft of intellectual property." What the hell does that mean?

Of course there is no oversight aside from the people who are making requests, so the idea that a company would actually be penalized for releasing info "unreleated to cyberthreats" is laughable at best.

Like I said upthread, CISPA goes further in trying to actually define what a "cyberattack" is than any other bill I've read. How would you modify the definitions in the bill?
You and I have discussed DHS related things before, and I think we simply have differing views on this entire thing. I simply don't want any more power going to the most demonstrably incompetent branch of government in the history of the US (including, of course, everything historically that came out of the 1947 act that this is a rider to).

I do agree with you that the definitions of cybercrime and attacks in CISPA would be a start for the framework for coherent legislation. I just don't think that DHS should continue to be added onto piecemeal until they control 100% of all law enforcement activities as well, since let's face it, that's the eventual goal.

To add, it doesn't even say "actual attack", it basically says anything related to security and "acting in good faith."
I agree that "good faith" is crappy language.
And here is the main problem with the bill. "Not incident to an actual attack" is not reflective of the language used. It's so vauge that you could drive a truck through it. Or, a $2+ billion Utah datacenter, for instance.
The statutory "good faith" language is a problem, in that "good faith" isn't well defined anywhere. But what are the additional changes you'd make to the liability exemption to tighten it up?
The wildcards (such as "good faith", but there are others) are non-starters. You don't even need to reason about the finer points of the bill with that in there.

But ideally? I don't want anybody to share any information of mine to any third party, without my consent, at any time. I'm having trouble thinking of why that would be necessary.

I'm willing to entertain reasonable arguments as to why it might be necessary, and may make some compromises (without wildcard language) in light of a compelling argument, but nobody sponsoring CISPA has even made an attempt to do that.

Sure. Here are two examples.

1. You're a web app company that routinely comes under DDOS attacks. A private security company would like you to subscribe and push Netflow traces to them during attacks, so they can derive minimal ACLs and relay them to ISPs so the attack could be filtered upstream. That Netflow data could in theory contain some of your traffic, and further could be statistically de-anonymized to reveal your personal usage of that service. Currently, you need authorization from your counsel every time you share that Netflow data; post-CISPA, you could get a one-time authorization and automatically push Netflow to the anti-DDOS provider.

2. You're working with several social networking companies to track down a browser malware attack that transmit itself through online messages. You'd like to collect a large volume of samples programmatically to share with other providers and LEOs, but you're extremely concerned that in doing so you might reveal details about private messages, perhaps even by sharing which users have messaging relationships with other users. Pre-CISPA, your counsel might refuse that sharing outright; post-CISPA, you'd have statutory protections for sharing that operational data in the course of responding to malware.

So getting an internet connection from a company that has opted in means I have no protection against searches and seizures (almost arbitrarily based on an individual's web habbits).

So what if it's written specifically? People often don't have much of a choice when it comes to their ISPs, and wouldn't be able to just choose another one that doesn't opt in. In the modern world, where people use the internet for every facet of their life, this essentially means law enforcement gets to know every detail about you, without the need for any reasonable suspicion.

I really don't understand how this isn't a violation of the 4th Amendment. Our rights as citizens and as people are being removed by bills like this, and by law enforcement and large service platform based businesses redefining what personal information is ours to control and own.

> So getting an internet connection from a company that has opted in means I have no protection against searches and seizures (almost arbitrarily based on an individual's web habbits)

no, that's not anywhere in the bill. did you read the bill?

I'd argue that it is.

He's on "Hacker News". It would be perfectly reasonable for an automated system that is designed to look for security-related activity to report that fact. The bill, as it is written, says any action his ISP now takes, or anyone that they share his information with (which would then be allowed to do, with anyone in the poorly defined "cybersecurity club"), is fully acceptable as long as it was "in good faith." And who could argue that? Hacker News is benign, but it's an honest mistake.

How does the bill's definition of an attack include sites with "hacker" in the name?
CISPA contains no definition of "attack", nor does it limit itself to "actual attacks", or anything resembling that language.

Furthermore, if it did, it doesn't matter. Bad actors are allowed to be wrong, with impunity, if they promise that it was "in good faith".

     4) CYBER THREAT INFORMATION.— 
      ‘‘(A) IN GENERAL.—The term ‘cyber 
      threat information’ means information directly 
      pertaining to— 
      ‘‘(i) a vulnerability of a system or net-
      work of a government or private entity; 
      ‘‘(ii) a threat to the integrity, con-
      fidentiality, or availability of a system or 
      network of a government or private entity 
      or any information stored on, processed on, 
      or transiting such a system or network; 
      ‘‘(iii) efforts to deny access to or de-
      grade, disrupt, or destroy a system or net-
      work of a government or private entity; or 
      ‘‘(iv) efforts to gain unauthorized ac-
      cess to a system or network of a govern-
      ment or private entity, including to gain 
      such unauthorized access for the purpose 
      of exfiltrating information stored on, proc-
      essed on, or transiting a system or network 
      of a government or private entity	
You're right that I phrased this more casually than the bill does, which harms my point but I believe still leaves it standing.
> You're right that I phrased this more casually

Did you think that I was suggesting you were merely phrasing it casually, or is that a subtle argument technique? ;)

No, I was owning up to the fact that by saying CISPA only pertained to "attacks", I was making it easier to accept my premise. You were right to point out that the language in the bill is more subtle than that.
That is a dishonest attack against a short marketing website. Your comment defends CISPA without telling the full story of the bill, just like this website did. You used a short description of what you think are relevant points that support your case, just like this website. Except that the website includes links to analysis by EFF, ACLU, Sunshine Foundation and others to support their arguments.
Maybe FFTF can tell us how many people hit their signup sheet, versus the number of people who click through to the background information.

Maybe you could point out the call to action I must have missed on this site, urging readers to learn more about the bill before signing up with FFTF.

How does the number of people who hit the signup sheet and didn't read the details matter to their argument or how they have backed up their position?
The site is not designed to get people to learn about CISPA, it's designed to elicit an immediate reaction. The fact that it somehow links to additional background information (we'll stipulate that the background information is accurate) is not a meaningful response to my complaint.
(comment deleted)
By "opt-in", surely you mean I'll be asked before data hosted in my accounts or pertaining to me is shared? If that's the case then I don't see anything wrong with CISPA.
Can't said companies already opt-in to share information about "ongoing attacks"?
No. It is much more complicated than that.
Really? Google/Facebook "opt-in" to something akin to this already don't they?

Care to give a few more examples of what makes it more complicated?

Here we go with you again, tptacek.

I have far fewer karma than you, and have been on HN far fewer days, but I'm not stupid. And I know that your hypocrisy on every single HN post regarding CISPA is reaching an intolerable level.

Your rhetoric is flawed at a very basic level -- you claim that the EFF and other institutions are not telling you the complete truth about the bill and advocate it with such ferocity, yet, even you fail to present valid arguments.

You use smoke-and-mirrors tactics to distract readers from the real point -- which is not whether anti-CISPA institutions are telling you "the whole truth" -- but whether CISPA infringes on the Fourth Amendment. The bill has loopholes, and the traditional unclear and tangled legalese that is all too prevalent in bills such as these only ensures there will be more to come.

Sometimes a vocal majority can be wrong. But that doesn't mean you should discredit their rhetoric, because it's valuable. If we all did what you said, we would be likely still be living in monarchical England.

Given that you are running a security company, in that respect you have personal interest in this bill getting passed, right?

The problems with the bill are mainly this:

1. The immunity gives companies an incentive to share more data.

2. There is neither oversight nor transparency for the sharing of information and other measures companies are allowed to take based on this bill, and what the government and third parties are allowed to do with the information.

3. Even if there were oversight, the conditions under which the companies would get immunity are so broad and ill defined that there is practically no restriction on that.

I would like to add that there are people who make hysterical arguments against the bill, but that doesn't mean that the bill isn't bad.

We run a software security engineering firm, we don't do FedGov work, and in no way benefit from CISPA.

The whole point of the bill is to get companies to share more data.

CISPA not only works for sharing of information with the government, but also with security companies.

Your second sentence is a rather weak counterargument. (1) would be fine on its own, it is in the context of (2) and (3) that it is not; the incentives make (2) and (3) extra bad.

We are a SOURCE of threat information. We are not a consumer of threat information.
Wouldn't CISPA also protect the companies providing information to you by giving you permission to test and/or access to their systems, and hence be beneficial to your business? Why aren't you a consumer of threat information that way?
I think you have absolutely no idea what it is we do.
Why are you so defensive and rude? I think I have an idea what you do. You check applications for security vulnerabilities. While doing this, you may access information that usually would be considered information that the company you are investigating would not be allowed to give you. But with CISPA, they would be allowed to give you.

FYI, you have a dead link: http://www.matasano.com/services/shipsafe/

I like the guy who asks why I'm being rude after suggesting that I arrived at my public policy positions out of a concealed financial interest.

You have a weird and broken understanding of how engineering firms are contacted to test for vulnerabilities. CISPA has absolutely no bearing on my firm whatsoever.

Can you explain how the way engineering firms are contracted means that CISPA has absolutely no bearing on your firm? As far as I can see, the bill doesn't say that if a company is contracted in a certain way, then its protections don't apply.

Surely it's not rude to ask if you have a personal interest, given that (1) CISPA has explicit provisions for security companies (2) it's not clear why this would not apply to your company and (3) you defend CISPA on almost every CISPA post on hacker news.

If from this point on you would like to tell yourself that my non-responsive comment here, and my future lack of responsiveness to any of your other comments, implied that you Perry Mason'd some kind of acknowledgement of my corrupt CISPA dealings out of me on Hacker News, you have my blessing.
It is indeed unfortunate that in you reply to the substance at little as possible, since this way neither I nor other readers can benefit from your knowledge. The bill is not very large, so it would not be hard for you to show that it does not apply to your company, if indeed it does not. I don't think this has anything to do with corruption, but it does have something to do with bias. However, since you clearly genuinely believe that this bill does not pertain to your company, this possibility for bias has already been eliminated whether or not the bill actually does apply to your company. Still, I think that's an interesting question.

As far as I can tell, these sections of the bill indicate that it does apply to your company:

    ‘‘(A) CYBERSECURITY PROVIDERS.— Not-
    5 withstanding any other provision of law, a cy-
    6 bersecurity provider, with the express consent 
    7 of a protected entity for which such cybersecu-
    8 rity provider is providing goods or services for 
    9 cybersecurity purposes, may, for cybersecurity 
    10 purposes— 
    11 ‘‘(i) use cybersecurity systems to iden-
    12 tify and obtain cyber threat information to 
    13 protect the rights and property of such 
    14 protected entity; and [...]
So, if the company your are investigating gives you consent, you may obtain cyber threat information. Note that this says nothing about the way the company is contracted.

What is cyber threat information?

    1 ‘‘(2) CYBER THREAT INFORMATION.—The term 
    2 ‘cyber threat information’ means information di-
    3 rectly pertaining to a vulnerability of, or threat to, 
    4 a system or network of a government or private enti-
    5 ty, including [...]
So this means that you can get all information pertaining to a vulnerability, and CISPA will protect the company you're getting that information from. This is so vague that it could be virtually any data. But it gets better:

    ‘‘(4) EXEMPTION FROM LIABILITY.—No civil or 
    12 criminal cause of action shall lie or be maintained in 
    13 Federal or State court against a protected entity, 
    14 self-protected entity, cybersecurity provider, or an 
    15 officer, employee, or agent of a protected entity, self- 
    16 protected entity, or cybersecurity provider, acting in 
    17 good faith— 
    18 ‘‘(A) for using cybersecurity systems or 
    19 sharing information in accordance with this sec-
    20 tion; or 
    21 ‘‘(B) for decisions made based on cyber 
    22 threat information identified, obtained, or 
    23 shared under this section
So even if a company managed to share data that would not be allowed, as long as it's acting "in good faith" everything is A-OK. Given this I fail to see how your company is not a consumer of cyber threat information as defined in this bill.

If you are so easily offended, you may wish to review your own writing style, since your comments are far from the least argumentative on HN (and I do not just mean this thread).

Thanks for your blessing, you have mine as well.

essentially he is right. I mean reddit is the "occupy" of the internet.
I find the choice of "14 year olds" quite fascinating, because 14 year olds don't have voting rights. If 14 is replaced with 18, then suddenly the phrase takes a completely different tone, since then it'd be disenfranchising a block of the population that has legitimate voting rights.

I feel that 14 was chosen deliberately to give teh additional implication that CISPA opponents "don't have the right to oppose it" or something along those lines.

It's also bizarrely tone-deaf metaphor-mixing.

the pejorative "basement" refers to an adult who doesn't have their own residence, and so lives in extra space in (but near the edge of) their parent's home, while pretending it is a separate residence. It doesn't make any sense to call a 14-year old a "basement"-dweller, they would have a regular bedroom.

Don't spend the energy debating this now. Wait until after you call your representatives and then comment.
> Rep. Mike Rogers Calls CISPA Opponents "14 Year Old Tweeters in Their Basement"

Yes -- a bunch of people who are four years away from being able to vote Rogers out of office.

And I call Mike Rogers a 54(?) year old political hack without a actual argumentative leg to stand on. This would be just another trite case of legislators wearing their donation sources on their sleeve, but the truth is that these kinds of people are dangerous to not only the tech industry in general, but really more foundational elements (I hate to sound like a CATO-monkey, because that gets irksome, but guys like Rogers and Feinstein really do trammel on "freedoms" pretty rampantly).

I've read through CISPA. It's got some very elegant wording, but its contemptible all the way around in what its going after.