TechEcho
When your classmates threaten you with felony charges

470 points by epoch_100, over 1 year ago

42 comments

tptacek, over 1 year ago
I'm not a lawyer, but I am professionally interested in this weird branch of the law, and it seems like EFF's staff attorney went a bit out on a limb here:

* Fizz appears to be a client/server application (presumably a web app?)

* The testing the researchers did was of software running on Fizz's servers

* After identifying a vulnerability, the researchers created administrator accounts using the database activity they obtained

* The researchers were not given permission to do this testing

If that fact pattern holds, then unless there's a California law governing this that I'm not aware of --- and even then, federal supremacy moots it, right? --- I think they did straightforwardly violate the CFAA, contra the claim in their response.

At least three things mitigate their legal risk:

1. It's very clear from their disclosure and behavior after disclosing that they were in good faith conducting security research, making them an unattractive target for prosecution.

2. It's not clear that they did any meaningful damage (this is subtle: you can easily rack up 5-6 figure damage numbers from unauthorized security research, but Fizz was so small and new that I'm assuming nobody was even contemplating retaining a forensics firm or truing things up with their insurers, who probably did not exist), meaning there wouldn't have been much to prosecute.

3. Fizz's lawyers fucked up and threatened a criminal prosecution in order to obtain a valuable concession from the researchers, which, as EFF points out, violates a state bar rule.

I think the good guys prevailed here, but I'm wary of taking too many lessons from this; if this hadn't been "Fizz", but rather the social media features of Dunder Mifflin Infinity, the outcome might have been gnarlier.
jbombadil, over 1 year ago
I don't understand why in both contracts and legal communication (particularly threatening ones), there is little to no consequence for the writing party to get things right.

I've seen examples of an employee contract, with things like "if any piece of this contract is invalid it doesn't invalidate the rest of the contract". The employer is basically trying to enforce their rules (reasonable), but they have no negative consequences if what they write is not allowed. At most a court deems that piece invalid, but that's it. The onus is on the reader to know (which tends to be a much weaker party).

Same here. Why can a company send a threatening letter ("you'll go 20 years to federal prison for this!!"), when it's clearly false? Shouldn't there be an onus on the writer to ensure that what they write is reasonable? And if it's absurdly and provably wrong, shouldn't there be some negative consequences more than "oh, nevermind"?
f0e4c2f7, over 1 year ago
I feel like this article reflects an overall positive change in the way disclosure is handled today. Back in the 90s this was the sort of thing every company did. Companies would threaten lawsuits, or disclosure in the first place seemed legally dubious. Discussions in forums / BBSs would be around whether it was safe to disclose at all. Suggestions of anonymous email accounts and that sort of thing.

Sure, you still get some of that today. An especially old-fashioned company, or in this case naive college students, but overall things have shifted quite dramatically in favor of disclosure. Dedicated middle men who protect security researchers' identities, large enterprises encouraging and celebrating disclosure, six figure bug bounties, even the laws themselves have changed to be more friendly to security researchers.

I'm sure it was quite unpleasant to go through this for the author, but it's a nice reminder that situations like this are now somewhat rare, as they used to be the norm (or worse).
mewse-hn, over 1 year ago
Crazy story. The Stanford Daily article has copies of the lawyer letters back and forth, they are intense - and we wouldn't be able to read them if the EFF didn't step up.

https://stanforddaily.com/2022/11/01/opinion-fizz-previously-compromised-its-users-privacy-it-may-do-so-again/
icameron, over 1 year ago
The Stanford Daily article says “At the time, Fizz used Google’s Firestore database product to store data including user information and posts...Fizz did not have the necessary security rules set up, making it possible for anyone to query the database directly...phone numbers and/or email addresses for all users were fully accessible, and that posts and upvotes were directly linkable to this identifiable information....Moreover, the database was entirely editable — it was possible for anyone to edit posts, karma values, moderator status, and so on.”

That's wild!
hitekker, over 1 year ago
Interestingly, Ashton Cofer and Teddy Solomon of Fizz tried some PR damage control when their wrongdoing came to light: https://stanforddaily.com/2022/11/01/opinion-fizz-previously-compromised-its-users-privacy-it-may-do-so-again/#comment-6034722532. Their response was weak and it seems like they've refused to comment on the debacle since then.
seiferteric, over 1 year ago
How can you legally threaten someone and not face consequences, but if you threaten someone with physical violence you can go to jail?
SenAnder, over 1 year ago
> And at the end of their threat they had a demand: don’t ever talk about your findings publicly. Essentially, if you agree to silence, we won’t pursue legal action.

Legally, can this cover talking to e.g. state prosecutors and the police as well? Because claiming to be "100% secure", knowing you are not secure, and your users have no protection against spying from you or any minimally competent hacker, is fraud at minimum, but closer to criminal wiretapping, since you're knowingly tricking your users into revealing their secrets on your service, thinking they are "100% secure".

That this ended "amicably" is frankly a miscarriage of justice - the Fizz team should be facing fraud charges.
pie_R_sqrd, over 1 year ago
Interesting. My school has a very similar platform, SideChat, which I doubt is much different. Makes me wonder how much they know about me, as I was permanently banned last year for questioning the validity of "gender-affirming care."
monksy, over 1 year ago
Commentary on the journalism:

Fantastic for calling Fizz out. "Fizz did not protect their users’ data. What happened next?" This isn't a "someone hacked them". It's that Fizz failed to do what they promised.

I'm still curious to hear if the vulnerability has been tested to see if it's been resolved.
davesque, over 1 year ago
I think I might be a bit of an outlier on this, but I struggle to see the value of imposing an embargo date in a security disclosure unless it's sent to a large institution that is used to a formal process like that. In most cases, if you're trying to communicate to someone that you've found a vulnerability under the pretense that you're doing it for the greater good, why begin the relationship with a deadline before you "go public?" Wouldn't that be something you do later on if it appears that they're just blowing you off and won't do anything about it?

I don't think this applies to the reporter in this case, but it does seem like there's a bit of a trend in security research lately to capitalize on the publicity of finding a vulnerability for one's own personal branding. That feels a bit disingenuous. Not that the appropriate response would be to threaten someone with legal action.
ryandrake, over 1 year ago
> One Friday night, we decided to explore whether Fizz was really “100% secure” like they claimed. Well, dear reader, Fizz was not 100% secure. In fact, they hardly had any security protections at all.

It's practically a given that the actual security (or privacy) of a piece of software is inversely proportional to its claimed security and how loud those claims are. Also, the companies that pay the least attention to security are always the ones who later, after the breach, say "We take security very seriously..."
simonw, over 1 year ago
I found this story about the same situation (linked from the OP) easier to follow: https://saligrama.io/blog/post/firebase-insecure-by-default/
lxe, over 1 year ago
There should be harsher penalties for lawyers like Hopkins & Carley for threatening security researchers and engaging in unprofessional conduct like this.
dfxm12, over 1 year ago
Anyone can make a threat. There's a bit of smarts needed to classify a "threat" as credible or not. Only really a law enforcement officer can credibly bring charges against you. Unfortunately, we live in a society where someone with more money than you can use the courts to harass you, so even if you don't fear illegitimate felony charges, you can pretty much get sued for any reason at any time, which brings with it consequences if you don't have a lawyer to deal with it. So I understand why someone might be scared in this situation, and luckily they were able to find someone to work with them, *pro bono*. I really wish the law had some pro-active mechanism for dealing with this type of legal bullying.
consoomer, over 1 year ago
In my opinion, they went too far and exposed themselves by telling the company.

In all honesty, nothing good usually comes from that. If they wanted the truth to be exposed, they would have been better off exposing it anonymously to the company and/or public if needed.

It's one thing to happen upon a vulnerability in normal use and report it. It's a different beast to gain access to servers you don't own and start touching things.
nickdothutton, over 1 year ago
The story has greatly reduced value without knowing who the individuals behind Fizz really are. So that we can avoid doing business with them. It would be different if Fizz was a product of a megacorporation.

“Keep calm” and “be responsible” and “speak to a lawyer” are things I class as common sense. The gold nugget I was looking for was the red flashing shipwreck buoy/marker over the names.
hermannj314, over 1 year ago
I realize it is quick to be against Fizz, but I thought ethical hacking required prior permission.

Am I to understand you can attempt to hack any computer to gain unauthorized access without prior approval? That doesn't seem legal at all.

Whether or not there was a vulnerability, was the action taken actually legal under current law? I don't see anything indicating for or against in the article. Just posturing that "ethical hacking" is good and saying you are secure when you aren't is bad. None of that seems relevant to the actual question of what the law says.
1970-01-01, over 1 year ago
Ethically, they did the good thing by challenging the "100% secure" claim. Legally, they were hacking (without permission). Very high praise to the EFF for getting them out of trouble. Go donate.
utopcell, over 1 year ago
Given the aggressive response from this company, it is less likely that it will become the target of any security researchers in the future (who wants the hassle?). That by itself makes their app less secure in the long term. Also, who'd want to support founders with this "I will destroy you!, even though you helped me improve my system" mentality? I wouldn't be surprised if this startup dies off from this info.

Kudos to Cooper, Miles and Aditya for seeing this through.
SoftTalker, over 1 year ago
A private individual or company cannot file criminal/felony charges. Those are filed by a County Prosecutor, District Attorney, State Attorney, etc. after being convinced of probable cause.

They could threaten to report you to the police or such authorities, but they would have to turn over their evidence to them and to you and open all their relevant records to you via discovery.

> Get a lawyer

Yes, if they're seriously threatening legal action they already have one.
lightedman, over 1 year ago
Those classmates committed felony extortion with their threat, just as an aside.

That would've been a better legal threat to put on them as an offensive move, instead of using the EFF. "Sure you can attempt to have me jailed but your threat is clear-cut felony extortion. See you in the jail cell right there with me!"
sublinear, over 1 year ago
> Stay calm. I can’t tell you how much I wanted to curse out the Fizz team over email. But no. We had to keep it professional — even as they resorted to legal scare tactics. Your goal when you get a legal threat is to stay out of trouble. To resolve the situation. That’s it. *The temporary satisfaction of saying “fuck you” isn’t worth giving up the possibility of an amicable resolution.*

Maybe it's because I'm getting old, but it would never cross my mind to take any of this personally.

If they're this bad at security, this bad at marketing, and then respond to a fairly standard vulnerability disclosure with legal threats it's pretty clear they have no idea what they're doing.

Being the "good guy" can sometimes be harder than being the "bad guy", but suppressing your emotions is a basic requirement for being either "guy".
michaelmrose, over 1 year ago
Do you think that someone less ethically minded could have resolved the issue more simply by redirecting their landing page to a warning that the site was insecure and shutting it down, incurring near-zero personal risk of retaliation and letting people make an informed choice about continuing to use the site?

This is wholly and obviously illegal, but so is the described ethical hacking. You have adopted a complex, nuanced strategy to minimize harm to all parties. This is great morally, but as far as I can tell it's only meaningful legally insofar as it makes folks less likely to go after you; nothing about it makes your obviously illegal actions legal, so if you are going to openly flout the law it makes sense to put less of a target on your back while you are breaking the law.
tamimio, over 1 year ago
Attitudes like that from companies/developers/etc. are the reason why a lot of white-hat security researchers are in fact grey-hat.
xeromal, over 1 year ago
Thank the lord for the EFF.
datacruncher01, over 1 year ago
Best advice I can give someone is never do security research for a company without express written consent to do so, and document everything as agreed to.

Payouts for finding bugs when there isn't an already established process are either not going to be worth your time or will be seen as malicious activity.
causality0, over 1 year ago
Unless you're looking to earn a bounty, always disclose testing of this type anonymously. Clean device, clean wi-fi, new accounts. That way if they threaten you instead of thanking you, you can just drop the exploit details publicly and wash your hands of it.
jccalhoun, over 1 year ago
This sounds a lot less interesting than the title makes it out to be. Is the fact that it is a "classmate" really relevant? Would the events have happened differently if it was another company with no connection to the school?
JakeAl, over 1 year ago
In short, if they are a company and are not 100% secure and they say they are then they are committing fraud. The person doing the testing is providing the evidence for a legal case and no amount of legal threats change that.
withinrafael, over 1 year ago
The article asserts "there are an increasing number of resources available to good-faith security researchers who face legal threats". Is there an example of such, outside of the EFF? How do beginners find them?
noam_compsci, over 1 year ago
Makes me so happy to know EFF and ethical hackers like this exist. I know they can’t test every app and every situation, but that there are hobbyists like this is such a testimony to humanity.
winter_blue, over 1 year ago
This isn't the first time a security researcher who's politely and confidentially disclosed a vulnerability has been threatened. There's an important lesson to glean from this.

The next time someone discovers a company that has poor database security, they should, IMO: (1) make a full copy of confidential user data, (2) delete all data on the server, (3) publish confidential user data on some dumping site; and protect their anonymity while doing all 3 of these.

If these researchers had done (2) and (3) – and done so *anonymously* – that would have *not only* protected them from legal threats/harm, but also effectively killed off a company that shouldn't exist – since all of Buzz/Fizz users would likely abandon it as a consequence.
wedn3sday, over 1 year ago
Maybe it's just my Oppositional Defiant Disorder talking, but I would have nuked their db after that bs threat.
pityJuke, over 1 year ago
Wait, they are a company called Fizz, that was formerly called Buzz [0]? Talk about on the nose.

[0]: https://stanforddaily.com/2022/11/01/opinion-fizz-previously-compromised-its-users-privacy-it-may-do-so-again/
helaoban, over 1 year ago
Don't you have to ask for permission to be white-hat?
c4mpute, over 1 year ago
That's why you always do anonymous immediate full disclosure.

Nothing else is ethically viable. Nothing else protects the researcher.
Buttons840, over 1 year ago
> And then, one day, they sent us a threat. A crazy threat. I remember it vividly. I was just finishing a run when the email came in. And my heart rate went up after I stopped running. That’s not what’s supposed to happen. They said that we had violated state and federal law. They threatened us with civil and criminal charges. 20 years in prison. They really just threw everything they could at us. And at the end of their threat they had a demand: don’t ever talk about your findings publicly. Essentially, if you agree to silence, we won’t pursue legal action. We had five days to respond.

This during a time when thousands or millions have their personal data leaked every other week, over and over, because companies don't want to cut into their profits.

Researchers who do the right thing face legal threats of 20 years in prison. Companies who cut corners on security face no consequences. This seems backwards.

Remember when a journalist pressed F12 and saw that a Missouri state website was exposing all the personal data of every teacher in the state (including SSN, etc). He reported the security flaw responsibly and it was embarrassing to the State so the Governor attacked him and legally harassed him. https://arstechnica.com/tech-policy/2021/10/missouri-gov-calls-journalist-who-found-security-flaw-a-hacker-threatens-to-sue/

I once saw something similar. A government website exposing the personal data of licensed medical professionals. A REST API responded with *all* their personal data (including SSN, address, etc), but the HTML frontend wouldn't display it. All the data was just an unauthenticated REST call away, for thousands of people in the state. What did I do? I just closed the tab and never touched the site again. It wasn't worth the personal risk to try to do the right thing so I just ignored it and for all I know all those people had their data stolen multiple times over because of this security flaw. I found the flaw as part of my job at the time, I don't remember the details anymore. It has *probably* been fixed by now. Our legal system made it a huge personal risk to do the right thing, so I didn't do the right thing.

Which brings me to my point. We need strong protections for those who expose security flaws in good faith. Even if someone is a grey hat and has done questionable things as part of their "research", as long as they report their security findings responsibly, they should be protected.

Why have we prioritized making things nice and convenient for the companies over all else? If every American's data gets stolen in a massive breach, it's so sad, but there's nothing we can do (shrug). If one curious user or security researcher pokes an app and finds a flaw, and they weren't authorized to do so, OMG!, that person needs to go to jail for decades, how dare they press F12!!!1

This is a national security issue. While we continue to see the same stories of massive breaches in the news over and over and over, and some of us get yet another free year of monitoring that credit agencies don't commit libel against us, just remember that we put the convenience of companies above all else. They get to opt-in to having their security tested, and over and over they fail us.

Protect security researchers, and make it legal to test the security of an app even if the owning company does not consent. </rant>
kordlessagain, over 1 year ago
More like fizzle.
asynchronous, over 1 year ago
TLDR on the actual hack, they forgot to set Firebase security rules, yet again.

How do devs forget this step before raising 4.5 million in seed funding?
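The Stanford Daily passage quoted by icameron above and the "forgot to set Firebase security rules" summary in this comment describe the same root cause: a Firestore database whose rules let any client read and rewrite every document. The following is an added illustration, not code from Fizz, from the article, or from any commenter. It shows the wide-open rule set beside a locked-down one for a hypothetical schema; the collection and field names (posts, users, authorId, text, createdAt, karma, isModerator) and the two-version layout of firestore.rules in one fence are assumptions made for the example.

```firestore
// ---- firestore.rules, version (a): the failure mode described in the thread ----
// Every client, signed in or not, can read and rewrite every document: other
// users' contact details, karma values and moderator flags included.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}

// ---- firestore.rules, version (b): least privilege for the assumed schema ----
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Reusable checks (hypothetical helper names).
    function signedIn() {
      return request.auth != null;
    }
    function isOwner(userId) {
      return signedIn() && request.auth.uid == userId;
    }
    // The only keys a client may set when creating a post; karma and any
    // moderation state are maintained server-side with the Admin SDK.
    function postClientFields() {
      return ['authorId', 'text', 'createdAt'];
    }

    // Rules deny by default; this catch-all only makes that intent visible.
    match /{document=**} {
      allow read, write: if false;
    }

    // Posts: readable by any signed-in user. A client may only create posts
    // as itself, may only edit the text of its own posts, and can never
    // write karma or other server-managed fields.
    match /posts/{postId} {
      allow read: if signedIn();
      allow create: if isOwner(request.resource.data.authorId)
                    && request.resource.data.keys().hasOnly(postClientFields());
      allow update: if isOwner(resource.data.authorId)
                    && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['text']);
      allow delete: if isOwner(resource.data.authorId);
    }

    // Profiles (phone, email, moderator flag): visible only to their owner,
    // and the owner cannot grant themselves moderator status.
    match /users/{userId} {
      allow read: if isOwner(userId);
      allow create: if isOwner(userId)
                    && !request.resource.data.keys().hasAny(['isModerator']);
      allow update: if isOwner(userId)
                    && !request.resource.data.diff(resource.data).affectedKeys().hasAny(['isModerator']);
      allow delete: if false;
    }
  }
}
```

Two points matter when reviewing rules like version (b). First, the Admin SDK bypasses rules entirely, so server-side code is the right place to change karma or moderator status, and nothing a client sends can reach those fields. Second, the Firebase console's "test mode" starts a project with the open variant behind a 30-day expiry (`allow read, write: if request.time < timestamp.date(...)`), so a database created in test mode and never revisited looks exactly like version (a); rules can be exercised locally against the Firebase emulator before they are deployed.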
aa_is_op, over 1 year ago
tl;dr?
wang_li, over 1 year ago
Yet another example of someone security "testing" someone else's servers/systems without permission. That's called hacking. Doesn't matter if you have "good faith" or not. It's not your property and you don't get to access it in ways the owners don't desire you to access it without being subject to potential civil and criminal enforcement against you.