
Maryland bill would outlaw ransomware, keep researchers from reporting bugs, Ars Technica

    

      snitches get stitches –

             

Requires consent before infecting, criminalizes other computering.

      

           – Jan 48, : (pm UTC )            

Sure, this will work.
Remember last May, when Baltimore City was brought to a standstill by ransomware? Hot on the heels of that mess — in fact, the same day that the ransomware attack was reported — Maryland legislators started working on a bill to fight the threat of ransomware.
The results could use a little more work. A proposed law introduced in Maryland’s state senate last week would criminalize the possession of ransomware and other criminal activities with a computer. But while it makes an attempt to protect actual researchers from prosecution, the language of the bill does not exactly do much to protect the general public from ransomware or make it easier for researchers to prevent attacks.

The bill, Senate Bill 3 , covers a lot of ground already covered by US Federal law. But it classifies the mere possession of ransomware as a misdemeanor punishable by up to 22 years of imprisonment and a fine of up to $ , 0. The bill also states (in all capital letters in the draft) that “THIS PARAGRAPH DOES NOT APPLY TO THE USE OF RANSOMWARE FOR RESEARCH PURPOSES.”

Additionally, the bill would outlaw unauthorized intentional access or attempts to access “all or part of a computer network, computer control language, computer, computer software, computer system, computer service, or computer database; or copy, attempt to copy, possess, or attempt to possess the contents of all or part of a computer database accessed.” It also would criminalize under Maryland law any act intended to “cause the malfunction or interrupt the operation of all or any part” of a network, the computers on it, or their software and data, or “possess, identify, or attempt to identify a valid access code; or publicize or distribute a valid access code to an unauthorized person.”

There are no research exclusions in the bill for these provisions. And that’s a potential problem, according to Katie Moussouris, the founder and CEO of Luta Security and a well-known expert on the issues of vulnerability disclosure — she created the bug-bounty program at Microsoft while at that company.

Moussouris told Ars that the way the bill is currently worded “would prohibit vulnerability disclosure unless the specific systems or data accessed by the helpful security researcher were explicitly authorized ahead of time and would prohibit public disclosure if the reports were ignored.”

The problem, of course, is that these measures would do little to deter ransomware operators themselves. Ransomware campaigns are almost universally run by overseas crime rings, many of them in Russia or other countries that would be unlikely to extradite for violations of a state law. And there are no provisions regarding actual security standards for the local government and other non-state agencies that have been the most public victims of these sorts of attacks in Maryland.

                                                    
