I do want to give thanks real quick to all the folks who've helped put this together. There's a lot of volunteers who've come and offered their time and expertise in terms of putting together the sound and equipment, and Big Nerd Ranch has also graciously loaned us their offices, which is where we're currently meeting. And the folks who showed up to ask questions, who are here in the crowd, thank you for coming. So with that said, yes, we're here to talk about that. We're going to take a step through each of the panelists and let you speak a little bit about yourself and maybe speak to what your awareness is of Senate Bill 315 and maybe what your concerns are or your thoughts, your initial impressions are. So we'll start here.

Hello, so my name is Xavier Ash. I've got 25 years of experience in the security field. I've been a practitioner, a security consultant, researcher, a little bit of everything throughout the years. Currently I am running a security consulting company out of Acworth, Georgia. And so I've, you know, a lot of concerns around the culpability and around the people I work with doing the different security research. So look forward to talking about that aspect of it.

All right, hello everyone. My name is Lane Timbs. I have been working in this area for about 18 years across software and IT and cybersecurity. PhD from Georgia Tech in Electrical and Computer Engineering. I currently have been working for the past six years in vulnerability management. So in terms of vulnerability discovery, this bill has a lot of interest in myself and my colleagues, particularly concerned with some of the vague language as well as possible business impacts that we could have in our community.

My name is Kate Bennett. I also have a degree, a master's degree, from Georgia Tech in ECE. And my concern about this bill is data protection.
I feel more comfortable knowing that there's many people with security knowledge out there helping protect my data by submitting to companies issues that they find with the websites that the companies own, because only the companies that own the website can actually fix it. So by not reporting it, doesn't mean it doesn't exist. It means that other people could find it, and maybe other people who we don't want to find it. So that's my concern, and I've been in the security industry for over eight years now.

Excellent. Thank you. So I think one of the things that we might want to do for our audience, and if you have questions, feel free to ask on Facebook Live and we'll definitely get those over to the panelists, is to just recap real quick what is Senate Bill 315 and why it might be of concern. So I think we skipped that a tiny bit. Does anybody want to take a stab at explaining that to the folks who might be watching us?

I'll take a first stab at it. The reason that the bill exists is that Georgia is one of the few states that does have a gap in its coverage of what is illegal when it comes to doing different bad things with computers. So specifically, Georgia did not have something around unauthorized access of computers. Basically, you have to go and you have to cause damage. You have to do something that covers some of these other laws that currently exist, but unauthorized access and some of the nuances around that. So that's the reason that the legislators started down this path and covering it. And the reason that we're here is that it's really hard to be able to outlaw what we want to get outlawed without stepping on the toes of the security industry, since a lot of what we do in the security industry can be considered unauthorized access, but the reason that we do it is to find security vulnerabilities, like I mentioned, find situations where there's an inadvertent disclosure of information.
So the bill's original intent, while good, has really kind of missed its mark in being able to cover the gap that we need to, but leave the protections in place for those who do this on a daily basis.

Yes. That's okay. Anything you would like to add, either of you, Kate or Lane?

Are we just discussing what's in it?

Yeah, what's in it exactly? Like, so what is the impact for the average person who may not be aware of what the bill is doing?

So for the average person, if you accidentally go to a web link that's open to the public and you weren't supposed to have access to it, even though you do have access to it, then where does the bill come into play in that instance? Honestly, it could go to court and you would probably be found not guilty eventually, but then there's potential loss of wages and reputation and all this other kind of stuff. So that's for just the average user. For someone in security, where we're, you know, we have legitimate business reasons for testing different things, let's say open source technology, or we're reselling components of something that was supposed to be certified, let's say a flash component or even a processor. And honestly, we need to be testing that before we deliver it as a full package. Now, where does the bill leave these things? I don't think it really covers everything that it needs to in the way that it's written.

So what I'm hearing you say is that there's a gap there between the protection that we would like to see the bill provide and what it would actually provide for the public. So what are y'all's takes on the impact for, let's say, the research community? How would the research community be impacted by this bill? And as I understand it, the bill is saying that anyone who accesses a computer or computer network with knowledge that the access is without authority would be guilty.
They could go to jail for up to a year, right, or they could see a fine of up to $5,000 or possible probation. But there are a couple of carve-outs, and I'm curious as to how the research, are those, the research community, covered by those carve-outs? Are they going to be protected so they can still do the work to discover vulnerabilities and then issue patches for those vulnerabilities?

It could be that, I mean, you're covered by the company that you work for. Now are you covered by these other companies? And that's the big question. The NDA agreements have to be much more precise and have these kind of statements that say, oh, you cannot send anyone, any of our employees, to jail for discovering anything that's found on, and I'm not sure that NDA agreements currently cover this level. I mean, usually when we find security, I work for NagarVision by the way, and I used to work for NDA. When we find issues with our vendors, either hardware or software, we let them know because we want them fixed. We don't say, hey, let's get into a court war of whose fault it is. We just want the issue fixed.

Can you go into more detail what you mean? So where you say that there are other companies where you may run across vulnerability in the course of your work? Maybe you can't because you had signed an NDA, which I think for folks who are maybe not in the industry, that stands for a non-disclosure agreement, but maybe you could give us a hypothetical example that would be close to what you might see as a typical...

Heartbleed. Heartbleed was a good example.

Was Heartbleed, for the folks?

There was an issue with the Heartbleed is, if I remember correctly, it was replicating data to make sure that your servers were never down, and I forget exactly what that issue was, but at one company I worked for a long time ago we used that software, and had we known that there was a security issue then, and we could have easily found it.
This was back in 2006, which is probably why we didn't find it. We have much better security testing now, but if we had found that and we reported it, then where does that fall in? I'm not sure that this bill covers these kinds of things. Legitimate business needs to be defined. Like in Florida there's actually a section that's called definitions, referencing Florida chapter 815, computer-related crimes. There's definitions listed of offenses, so it would be really nice if we could have something that says definitions, and also in the offenses it says, let me read the exact because I don't want to misquote. It says, basically, sorry, I can't find it. It's basically the intent or purpose to deface the company or the intent and purpose to cause harm.

Yeah, that's one of the things that we know is not addressed in the Georgia version of the bills. There's not anything addressing intent.

The Florida bill does, and I'm sorry I can't find it at this particular moment, but if we could copy that, even copy what Florida did and put it in the Georgia bill, then I think that would be, you know, the obvious intent of a company to find security vulnerability would be to fix it and to protect people's data and not cause harm to others.

Do you mind if I add to that? So she mentioned this vulnerability called Heartbleed. There's many vulnerabilities that security researchers discover on a daily basis, but some of them, you know, you can take note of, like Heartbleed and Shellshock and many others that are very, very highly impactful vulnerabilities in terms of, if malicious actors find these vulnerabilities and exploit them, that has a huge impact on us in society. But a lot of these vulnerabilities are found by independent security researchers who might not actually be doing pen testing or vulnerability discovery for a company, and so to me that's a huge problem with this.
How big, Heartbleed was something I heard about, and for the folks at home, my background is not security, but as an application developer, that's the day job when I'm not serving the folks in 119. How widespread was the impact of that? Because I think folks may be missing the magnitude of some of these issues. They might not realize how large and widespread they can be. Could you speak to that?

Yeah, so Heartbleed was an information disclosure vulnerability, if I recall, literally impacted virtually every server on the internet. I mean, I would not go far out from saying that any server that was running some type of HTTPS was most likely impacted.

So a website in general, anybody serving a website?

Yes, and, you know, when I said HTTPS, this is the secure portion of HTTPS, so like when you go to your bank, you're running over HTTPS. You do not want any of that information compromised, so yes, very, very impactful.

So to set this up, if an independent researcher were to have come across this, and that independent researcher lived in Georgia or they discovered this on a company that was running in Georgia, if this bill gets passed, that independent researcher now has to think about the legal ramifications of notifying, that now they've possibly broken the law, and that by reaching out and doing the right thing of telling the company, telling the vendor, telling the community that we have a vulnerability and that we need to get this addressed, now they will, you know, probably not do that disclosure. And so independent researchers, a lot of which I work with and, you know, I've done myself, is, you know, there are ways of getting paid for that type of research work. There's a lot of programs where, you know, go to companies and you say, hey, I found a vulnerability in your site, and the companies will pay for that and say thank you for helping us and pay for the research. If they can't get their work paid for on a legal basis by going to the
company, there's always, you know, there's the black market, that that vulnerability can then be sold to bad guys, and now we have a situation where the intent was to help secure Georgia companies and inadvertently has now made Georgia companies less secure because of this bill.

And I think there's some companies that are actually setting up programs for proper disclosure. They're sort of saying, this is how you tell us you found a vulnerability in our software systems. I feel like Dropbox is one that I've seen in the news in the last month or so. I talked about that. I believe all the larger companies do, but how widespread is that practice, you know, having a proper disclosure for problems with companies? Like what do you do as a security researcher when you find a problem and you say, okay, this is a problem, I can see there's a vulnerability with this website, what's the next steps?

So there are certain mechanisms in place, for example bug bounty programs. I forget the name of the companies that are doing that, but HackerOne, yes, HackerOne is one of them. So those have, you know, actual mechanisms in place where these companies will say, come try to hack my system, and if you find a vulnerability we'll even pay you for it if you find it under these various instances. In terms of other companies, let's just say Microsoft, if you own a Microsoft software and you can use, say, a black box approach where you just try to probe it and try to find vulnerabilities, Microsoft has a mechanism in place where you can report said vulnerability, and many other companies are like that. When you start talking about, say, smaller companies that may have web services or websites and such, I would say the vast majority of these do not have any type of security mechanism in place, and even smaller, the vast majority of the world does not have a security mechanism in place. This is kind of, we've been doing this for years now. You know, we've made a lot of
progress in security, but in terms of companies having security procedures in place, it's still a very, very small percentage. Security is a cost factor, not a profit factor, for most companies, and that's why they're oftentimes not interested in security. The Internet of Things, the IoT, it's a scary, scary thing right now. It's beautiful technology, but the percentage of these things, the devices and software, that are actually secure, I mean, almost hardly any are, because they need to build their profit of, you know, products and software fast and get to market quick, and so security is of no interest to them. And so you could actually see some company, say an IoT company that's just getting started that has no interest in security, potentially abusing a law like this to, you know, come fight back or, you know, cause problems for researchers that are probing their products.

So if I'm hearing y'all correctly, and this is sort of, there's a lot of unpaid work that goes on to find vulnerabilities, share vulnerabilities in the community to help one another, for the folks who I think have integrity and ethics, there's a lot of that work going on. Is that a correct understanding of how a lot of these things get solved, a lot of the vulnerabilities get discovered?

Or, you know, the process of, if you're a security researcher, independent security researcher, you know, and you're going out to find these to, you know, pay the bills, you know, that's what your expertise is in. What you're going to do is, you know, either contract out with a company where you've already got that agreement, like I said, you get in the NDA, you've got a contractual agreement to go and probe their systems, but very often you're probing lots of different software that's kind of like off-the-shelf software. You can go download some of this. A lot of it's open source, free to download, free to use, and if you find vulnerabilities there, you know, the amount of
you know, use of that is pretty high, and therefore can go to the various companies to work with and get, you know, funding or finding that vulnerability.

Okay, so if I understand you correctly, then you're saying that in the course of a contract with a particular company you might discover vulnerabilities with the tools that they're using, but those tools may be widely used. Other people may be using those tools, and then all of a sudden those other people may be vulnerable as well. You can't tell those folks, is that because of the NDA, or why would you not be able to tell those folks who are also using those same tools that they've got some problems that they may not be aware of?

Actually, often you can. It's just a matter of, you know, sometimes it's the particular usage of a company's way that they're using that tool. It's very highly modified, and so therefore just their implementation has a vulnerability. But, you know, if the software is still out there being used by other companies, then, you know, especially if it's open source, then you can be able to, you know, work with the community and provide that information, get the software changed so that the community can be, you know, healed in that manner.

Okay, so I think to bring it back a little bit to the research side of things, one of the things that maybe I'll touch on is that there's a decision point that as a researcher you may have to make should Senate Bill 315 receive the governor's signature, or should he not sign it and become a law, which is what would happen in Georgia, so he has to be very explicit about vetoing. So there's a decision point that a researcher might have to make where that could lead to maybe them not disclosing information. Okay, so what about for the, what's the impact for me as the person on the street? What is the impact on both the short term and the long term?

So recently I did discover a vulnerability in a genetics
website, which is probably the last thing you want to discover, because you cannot change your genetics anyway. So I was just using the site like a normal user. I honestly forgot my password, so I clicked forgot password. They emailed me the password I'd used in my inbox. Okay, this is not good. So I knew...

Go into detail why that's bad, for folks who may not be experts.

Well, it should be that your password is encrypted in the database, because if they're able to email it to you then they probably did not encrypt it. That's one. Secondly, email is not known to be the most secure way of communicating. It can be if you do something like PGP encryption. That was not done. It was just emailed to my Gmail, so now Google can see it as well as anyone else who happened to be on the Wi-Fi network, or just, you know, lots of people could have seen this. Thankfully it was the only time I ever used that password. Good recommendation, by the way, for anyone. So what I did was I replied to the guy. I said, this is a major security vulnerability. So then I just did a quick look at some of the other things on the site, no unauthorized access, just using what I should have had access to as a user of the site, and put together a list of the things that they needed to fix, and in the last comment I said, please do a complete delete of my user, of the data in the database, which they went back and said that they would, so that was a relief. But I did not ask for money. I just wanted my data, especially my genetics data, protected. So that's, and would that be illegal with SB 315? Possibly. They could have come after me for saying I tested their system.

And another aspect of this that we should talk about, as we talked about the companies that are welcoming the researchers, saying that we know that, you know, sometimes we make mistakes and that, you know, there's this infrastructure of, you know, security researchers around the world
that can help out in making sure that we have the most secure systems. But that's not all companies, and not all companies, you know, have invested in that, and some companies are not as friendly to you telling them that they have a security problem, because like you said it's a cost center. They're going to have to fix something, there might be legal ramifications, this might be a huge risk to their business. And so the vendor or the company, if this bill gets signed, now has the option of contacting the police. Instead of going and fixing the problem, you know, or calling their lawyers and suing them, they can call the police and have a security researcher arrested for trying to improve the security of their technology.

That sounds incredibly chilling. Yeah. So Lane, did you want to speak to the longer term impacts? Did you have anything you wanted to add for the average person on how they may be impacted by this bill?

Longer term impacts, this could definitely start reducing our overall security. As I mentioned earlier, the vast majority of vulnerabilities are discovered by people outside of a given company that might have a product, and so if these folks, especially the ones in Georgia, stop doing this, then overall we'll have a reduced amount of security, because the bad actors, they're looking as well, so they'll find them and then they'll use them for their own profit and motives. The other thing in terms of the long term is a bill like this could definitely potentially impact our business community in terms of companies looking to come here, and for me that's very concerning. But in the long term, you know, less folks working in security is definitely, nowadays with everything becoming computerized, with everything becoming connected, this is not a time you want to impact people that are trying to make that
technology better.

Yeah, that's great. That's one of my questions that I wanted to touch on, what is the impact for the business community. And so maybe y'all could take it a little more personal. We've been talking sort of in the abstract a little bit, but, you know, could you speak to what your experience has been with the growth of the security industry in Georgia and what you've seen when you first maybe moved here, when you started getting into the industry, how much it's grown, and then speak to maybe a little bit of, Lane, you can add some more if you'd like to, as to what you could see the impact being going forward should this bill not be vetoed?

So I can start with that. You know, a couple years ago I was, you know, employee number one in a startup here in Atlanta, Drawbridge Networks, an information security company. And so we had a team, we had a couple folks in New York and a couple folks in Atlanta, and we wanted to grow our Atlanta team because the resources are here. There are great security folks in Atlanta. It's a great market for finding those talented individuals. You know, fast forward, if we were in that situation, if I'm in that situation again where we are deciding where do we build up our technical resources, in a bill like this we would decide to build that security team in a state not in Georgia, right there come out of the land. And so therefore, you know, we made a decision to grow our team in Atlanta versus New York, and that would be a decision we'd go the other way after this bill's passed.

How easy is it to do that? That's one of the questions that I think I've heard asked in the past. Oftentimes companies, they see legislation that they don't like, they'll say, you know what, if this goes the way that I don't think it should go, we're going to have to make different
decisions. And so I'm curious just as to how feasible is that in the security industry for somebody to say, yep, we're not going to continue to invest in Georgia. Is it something that's easily done or is it difficult, and, you know, what sort of other considerations would you make when you make that decision?

I believe that, you know, it is really according on the size of the company that we're talking about, but in general the work that we do in security can really be done anywhere, so the mobility of the workers here is very high. And so if I had a security team, you know, in place and I wanted to keep those individuals but reduce my legal liability, I could easily offer to move them to another state, and it would be a fairly low cost. It's not like shutting down companies or anything. It's just access to the internet and having the people in the right place. And so security is one of those hot markets right now. Atlanta's got a great, and Georgia in general has got a great history in growing that community, but this will definitely chill that as we see more and more companies, small and big, decide, you know what, I think we're going to invest our time and money in building that security team elsewhere.

Katelyn, do you have anything you want to add?

Yes. I went to the Georgia Tech career fair yesterday, and I noticed that there was many more companies looking for security, many in the state of Georgia. I went a couple years ago, and security, you know, I'm a security specialist, you guys are hiring? No, no, we need to get the product working first, we want developers. That's what everyone said. This year they said, you're in cyber security? Please come talk to us. So they were actively looking for more cyber security people. If anyone's looking for a job, that's a heads up, many companies are looking now. And it was all over the state, Carrollton,
Warner Robins, several in Atlanta. Georgia Tech has a cyber security lab, so I'm not sure if they would be exempt because they are funded by the state. I know that many people who work there are very concerned about this bill, and they have written letters also to the governor about this bill. So, you know, if I'm looking at going to jail or paying five thousand dollars by just doing my job, that certainly does, you know, make working from home in another state, Florida for example, a little bit more appealing. Of course if it doesn't pass, then Atlanta is a super nice city.

So when I was in college and first started considering security, I remember that I said to myself, I'm going to work for ISS, Internet Security Systems, and by the time I finished, ISS was bought out by IBM, and a lot of the colleagues that I currently work with came from ISS, and so I ended up working for a company that had ISS people there, so it was the equivalent. At that time, you know, security was, I would say, growing in Atlanta. I don't know the numbers, but now it's just booming everywhere. So from business and the whole spectrum, from analysts to engineering, consulting, product development, you name it, the whole shebang is here in the city. And then from an education perspective, as she mentioned, Georgia Tech, they've got a number of security labs. GTRI, Georgia Tech Research Institute, has CIPHER Lab, which is for security. Georgia State University is currently firing up a new security program, highly collaborative across the business school and various things. So there's a lot of, and this is a program that's just starting at Georgia State. Kennesaw has an information security program. We have a few of our colleagues that have gone from there. So this could, you know, it could impact business, university, you name it. So definitely these things, you see, we really need to consider it deeply from that perspective.

And the other aspect is, while it is very easy
to move individuals, to, you know, decide to put those in different states, when you go and look at investing in, you know, expanding your corporate footprint, and you look at expanding and actually putting in office buildings and saying that we're going to start expanding into this market, you know, the risk of legal liability is evaluated, and, you know, this is sending a pretty, you know, it's a mixed message to those technology companies that know that we've got all this great talent here in Georgia, and they would love to be able to tap into that. But if this is kind of, you know, omens to come of more and more legal entanglements in just doing, you know, day to day security work, you know, those three, five, ten year plans, they're going to look at investing those in other cities. And so not only will it, you know, have an immediate chilling effect, but I think that we will also see some big dollars decide to move into other states.

Yeah, that's definitely a concern that I share. One of the things I'm worried about is if folks are growing at the small companies but they decide not to grow because there's too much risk there on individual level, because there's not maybe a large company who could protect and support them should they stumble across a situation that would put them in the crosshairs of this bill, then who are those big companies hiring five and ten years down the road? Yeah, I'd like to, we've talked about that sort of chilling effect they would have, but I'd like to maybe turn our focus a little bit to one of the provisions in there, which is that sort of sanctions active defense measures. Defense measures are also known as hackback. So if one of y'all would be willing to speak to what that is exactly, maybe explain it for the folks who are watching as to what hackback is, and then we
could dive into why that may be of concern, or maybe you don't have concerns, and if y'all had some conflict here that'd be fun too, maybe some disagreement, but touching and going into a little bit what that provision could mean for Georgia.

Start with that. So, you know, the language here, cyber security active defensive measures that are designed to prevent or detect authorized computer access, so this idea that there's some type of active defense implies that you are reaching back out to whoever you're defending from, and that's where that term hackback comes from, is that, you know, I've detected an attack and so now I'm going to go and do something back. Now a lot of times that is, you're just collecting information. You know, you're going to go and scan that IP address and see, you know, what's going on there, or do some other just reconnaissance to help understand, was this a real attack or is this something I need to respond to. So there are situations, many of those situations, that are very benign, and so I know that that was the intent of putting this language in here, is to understand that there's just certain times where unauthorized access is okay because I need to know enough information to know whether or not, you know, that this is a real security incident or not. The problem is that, like we noted before, in the definition sections of this article it does not include any type of definition for this, and so it is left up to the prosecution and judges to figure out, and really kind of has that slippery slope of being able to enable some pretty, you know, ugly behavior, either by people that are just looking to, you know, skirt the law and then be able to use this as an excuse to do bad things, or, you know, just kind of allowing, you know, those type of, you know, gray area attack, you know,
hackbacks to occur, and that just over time it gets worse and worse. So I think it's a very troublesome bit of language, and, you know, the security industry in general has been very vocal that we should not be allowing this, you know, like I said, from small companies to large, to give them that type of, you know, legal shielding to be able to do that.

Yeah, this is something that I think Google and Microsoft, they released a letter saying this was one of their concerns. Did y'all have something you would like to add around that particular topic?

It sounds a little bit almost like revenge to me, and I don't know, I would never say revenge is a good method of handling things. One, because it could have been an honest mistake. I'll give an example of that, because it sounds odd, right? So as a pen tester I will a lot of times create a large file just full of letters and numbers, and I copy that to put it into a field of a website I'm testing for the company I work for, to make sure that the field is protected, to make sure the website handles it correctly on all accounts. So let's say, you know, I happen to be, oh, I needed to check something on the vet's web page, so I need to log in and see my cat's medical records because it has to be done before five, and I accidentally hit paste thinking I'm pasting my cat's microchip number, but instead, oops, I pasted the test data, which is just a bunch of characters. I'm very much more careful if it's confidential data, but these characters have just numbers and letters. Oops, I caused a denial of service because they hadn't protected that field. Because they hadn't protected that field, their entire website went down. Now could they hack back at me because they found my, oh, it came from the side dress, she said this? I mean, that's, you know, I would have been told, wrote to them, called them immediately, say, hey, I'm sorry I took your site down. This is how I did it. Please restart
your server right now, and then here's the steps to correct it later. But this is, honest mistakes like this, I think, do happen, and there's many other examples too that I can't think of at the moment, but I just don't think revenge is the way to handle things. Once again, this could be just an issue of just not having the right technical people put the language together. Active defense is not a bad thing. So it's actually the core, my dissertation was active defense, but it wasn't in a hackback perspective. It was an ability of, okay, you're monitoring your networks, you see cyber attacks happening, you put active controls in place to stop, you know, the damage coming in, and then you can distribute that information in form of what we call nowadays threat intelligence. So you can actually say, hey, I saw this thing, you know, doing damage to my system, I've put mechanisms in place to stop it, and then you send that information off to your collaborating networks or partners or whatever so that they can actually implement those controls to prevent that type of an attack. So once again, it's not necessarily that active defense is bad, but when you read it in the terms of hackback, it's not good. Well, the fact that it's included as an exception here, of saying this type of unauthorized access is okay, you know, is the, we imply that they really mean hack back, because if it was just active defense like we understand it, you wouldn't need to add it to this bill. And so the fact that it's in this bill kind of shows that what they mean is that we can now do unauthorized access because it's an active defensive measure, and that's where, you know, this is really a Pandora's box. I remember maybe 10, 20 years ago talking to my relatives, who are maybe a little less experienced with computers than I was, and talking to them about the dangers of clicking on links, and they may get an email and what that could do to their computer and how that might allow a Trojan
horse in there, and they were like, well, what would happen if that happened? And I would say, well, you probably would turn into an email spam relay where people would be then sending out a bunch of spam from your computer. And so I think one of the things that I'm hearing is, if we're, the work of attribution of who is responsible for a problem would be something that's a little bit difficult. Can you all speak to that and how that might play in with hackback? So what he's speaking of here is that, you know, when you go and do something on the internet, you're coming from an IP address. It's like when you send a mail, you've got this return address, and so that is what a lot of us in security, when they see an attack come in, they say, oh, it's coming from this IP address, they're the ones that did the attack. But like you mentioned, that might be the place that the attack originated, but it might not be, you know, that person's server, that the people that own that IP address, they might not know that they're, you know, being used to send this attack. And so for folks to be able to then enable this, you know, hacking back will cause undue harm on, you know, individuals and companies that, you know, are unwittingly part of this attack. We saw this, you know, about a year or two ago with a worm that went around and attacked internet of thing devices, you know, our toasters and our thermostats, and they became part of this network, this botnet, that went out and did all these attacks. So I do not want a Georgia company attacking my house because my thermostat was part of an attack. So this legalizes that, and that's a very sad state of affairs. So Dr. Andy Green said in the Facebook feed: adversaries will typically compromise a system in order to launch attacks from. The idea of active defense or hacking back could cause innocent systems to be unfairly targeted for offensive activities. In other words,
attribution is hard, yo. The other aspect of this that makes it interesting, and is an aspect that I wanted to get to, is on, you know, second page of the bill, for us to have it printed out, but it's the scope of this. You know, we keep talking about Georgia companies or Georgia people that live in the state, but the way that this is counted out is that basically it says other, you know, a computer, a computer network. So basically, if the packets from one, from the attacker to the attackee, go through a Georgia, you know, network cable, they could be criminally liable. And so the scope of this and all of the, you know, dangers that we talk about isn't necessarily scoped down to just Georgia companies or Georgia individuals, you know, and so with, you know, having a huge footprint of Level 3 and all sorts of L3 and other communication companies, that we, you know, that it might have a chilling effect on the expansion of using Georgia as a conduit for sending, you know, network traffic, if they have to avoid, you know, having legal liability just by not routing through Georgia-based networking equipment, you know, also is something that should be looked at. Yeah, so what I'm hearing is the company who is hacked, or the agent who is doing the hacking, they may not be in Georgia, that neither of those parties, it's possible, would be in Georgia at all. Is that correct? That's correct. And think about the undue, you know, resources we're going to ask our, you know, prosecution and our police to go and, you know, go after this type of a crime. This is not something our Georgia, you know, prosecution team should be handling, and I think that, you know, there's an undue impact on, you know, trying to have our state try to police the internet. That's not what we should be in. So it sounds like all of a sudden Georgia would be responsible for the rest of the United States, helping them out and
trying to solve their hacking woes as well as our own. That brings up an issue, or an aspect of this issue, that I've always wondered about. We talked about attribution being hard, very difficult to know who is the ultimate source, especially if people are using decoys. How often in your all's work do you see, where does it seem like the attacks come from? Are they typically originating from IP addresses, return addresses, that would come from inside of Georgia, that you would expect to be from in Georgia, or are they coming from Florida, or are they coming from, you know, what do y'all see when you see attacks on maybe the networks or systems that you've been responsible for helping to protect or strengthen? Really from all over. I don't know if I've ever really seen any data says Georgia's got a lot of, you know, attacks coming from there. China, Russia, all over, the UK and such, Canada. I mean, they're really all over, but, you know, China and Russia is where I've seen a lot of attack sources coming from. I want to speak as to why they're from China and Russia, is China and Russia do not have extradition policies, so they will not extradite hackers back to the United States, whereas Canada would in that same scenario. Just because I see it coming from China, it could still be coming from Georgia but bouncing across multiple hacked nodes. Once again, the attribution problem. The other aspect of this, to answer your question, is that more often we're seeing the originating source be from a cloud provider, so Amazon, Microsoft, you know, IBM, those cloud services. What they do is they put up servers all over the world, and at any point when you go and access or see data coming from a particular IP address, you don't know where they're coming from. And as we've got other parts of the world trying to regulate data, in Europe, to say, you know, data that resides in Europe, we're starting to get
the cloud providers to start letting us know where our data is and our servers are. And so if we're trying to figure out, is this, you know, server, is this service in Georgia, part of Georgia, that's a very hard thing to do with cloud services. Whoever it takes us, please repeat the question. Dr. Andy Green says, ask, are any of you bothered by the same household exemption carved out? So the question was, is anyone up here on the panel bothered by the same household exemption that's in the carve-out section? So I think, to set the stage, and then I'll let y'all address any concerns, there's four classes in this bill, for folks who don't have it in front of them, who are exempt from this. One of the ones that we already spoke about was the cyber security active defense. Another one would be people who are members of the same household. So the way I understand that would be, let's say I have a relative in the household, of a spouse or a child or an aunt or an uncle or someone, and I need to access their systems, I would be able to do so and I would not be subject to criminal prosecution under this bill. So would y'all like to take that? I actually think this would make divorce court much more fun, you know. So if you see someone on, I've watched Divorce Court a couple times with my aunt, so you see exactly what date did the person move out and exactly what date was the computer accessed, and if the computer was accessed the day after the person officially moved out, then, even though the computer might have been left there for a couple days, and these are the kind of, and because there was an argument, they're probably highly interested in making some kind of legal case against this other person. And yeah, I have a friend who practices law, and he says the most vicious law is unfortunately folks involved in family law. Family law, yes. So that's one concern, how
it's, it could, it's not specific enough. And another concern is that, you know, I set up my parents' computers. They're in Alabama. You know, did they give me access? Sure, they want it to magically work. That was, I don't know if that's enough access. About asked him, sometimes they'll say, what password? I never had to give a password. So we get into situations like this, and that's just a basic example. There's many more. So I haven't really put much thought into this particular one, but now that he's asked and I'm thinking about it, this is going to actually be pretty nasty if you consider, you know, when you say members of the same household, I assume family members, but does it also mean that you're living there? So what if you've got a fiancé, or, you know, say that's living with you, who has some really evil, you know, things they want to do, and they install, you know, they access your cell phone without authorization and add some type of tracking software or something on there? I'm just giving an example. So it could actually lead to some bad outcomes. I think that, yeah, there's definitely two aspects of this. One is, you know, assuming the spouse or some type of, like, you know, parent to parent or adult to adult relationship. You know, there's the situation of extended family. I, you know, I live in a multi-generational home, so, you know, household is, there's a lot of people underneath my roof. But the other situation is, you know, as he is, parent to child, and understanding the ramifications between, you know, this does not say parent to child, so is it okay now for my kids to access my computer systems without the authorization? So that's it. Without more, you know, definitions around this, exploring this, it is again a situation that is fraught with the possibility of abuse here. And just because somebody is, you know, living under the
same roof, they should not necessarily have to give up their, you know, privacy and right to have, you know, that technical device that they can have protections from. Okay, so there's a follow-up question. They, quite, he asked, any thoughts about people in abusive relationships living in the same household getting a pass? And the original Senate version had precisely that language about parents, children, that you just mentioned. It was broadened to be the whole house. So thoughts about that. And then I will add personally, there's also concern about elderly parents, you know, who may not have all their faculty together. These, are you still in the same household with your adult parents when you live separately? Okay, so I heard a three-part question there, and I'll do my best to repeat it. Feel free to correct me, Frank, if I don't get it quite right. The first portion was, what would be the ramifications if there were an abusive relationship in a household? The second one would set the point that there were, in the Senate version of this bill, the language initially specified parent to child, and then I think this expanded version came about in the final version of the bill that was passed by both chambers. And then the third piece was, if you have maybe an elderly parent whose mental faculties have waned, or they're suffering from some mental illness, and you technically don't live together with them anymore, but yet you're starting to become responsible maybe for more of their care from a remote aspect. So would you like to speak to one, two or three of those situations? Well, my parents do have all their faculties, and they still prefer me to set up their passwords and all their, they would like to click the Facebook icon on their phone and have it work, and I think I've heard my other friends say the exact same thing. And so I don't see why we would get into some kind of legal, you know, drama over these kinds of things. Yeah,
I think in that case they would probably say that you have their full authority, they're giving you full authority to act in their interest, but I think maybe the question becomes, if they're no longer able to grant that from a legal standpoint, that becomes a little more. But it's also, if the police just asked them, did you give her the password? No. They might still say no, because they didn't, they asked me to set it up. I set it up. I didn't necessarily give them all the details on how I set it up. I just said, hey, you know, it works beautifully on your tablet, you just click here. And so someone was to ask them, did they give the, did they give me their password? No. So it's possible also they asked me what the password is, you know. I'm thinking of the scenario in which, you know, police are called out to a situation, to some type of domestic situation, between parent, child, between two adults, or, you know, with the elderly, and the police generally have to make a call on whether or not, you know, a law has been broken. They're going to try to help, but they have the confines of the law. And so what this does is, this is giving them another decision point, is that, you know, if somebody makes a claim that they have accessed, you know, that this basically takes away that opportunity for that policeman to say, you know, I don't see signs of abuse, you know, I don't see a legal reason to get them in for abuse, but if, you know, if you were to say that, you know, they made that claim and this, you know, was vetoed, that, you know, you could have that policeman have a good reason to, you know, pull somebody out of that situation. And so, you know, basically arguing that, you know, by not having this clause in would give the police more options to help, you know, deal with domestic issues. Lane, anything to add? No. Okay. So I think, I'm not sure if there's any aspect of the bill that
we haven't touched on yet. I think there was another clause that talked about legitimate business activity. But just sort of taking a step back from the discussion that we've had so far in this forum, I think one of the things that I can draw out is that there's a lot of nuance, a lot of complexity that maybe we in the legislature didn't have quite enough time to appreciate. And I think we're getting close to wrapping up. Maybe there are a few more questions. If they want to get in, please get those questions in. I see that Frank raised his hand, so we'll definitely come back to that. But when he asks that question, also be thinking about maybe some final statements that you want to share. What is your position on this bill? What would you like to see happen going forward? Just be giving some thought to that, and we'll take this question real quick. Yeah, so the question is from Andy Clark: is there a way you would define access that would make the bill workable? So the question, just to repeat on the mic, is there a way that we would define access in a way that would make the bill workable? Yes. Access, comma, with malicious intent, comma. That would make it much more acceptable to me. Do you want to drop the mic after that one? Yeah, I think she has a very good point. I think that, you know, when we started, you know, and we've worked with the legislature, and a lot of these, you know, these exemptions were put in through the legislative process, and I think that we've made some really good progress from the original, and to add these in, but that, you know, we just need to do a little bit more work in making sure that we have the right exemptions in place. And so, you know, being able to have some type of intent language, and also making sure that folks that, even if they're not intending to harm but are still intending to find the exploits as part of a security research, that those are exemptions. So I
think that's the, you know, is not only just making sure that we have, you know, a clear definition of access that is similar to other states, so that, you know, our legal system has less paperwork to do with, but also that we have the, you know, the proper exemptions in place to make sure that we continue to allow Georgia to be, you know, a great place for security companies. There was one part of the bill that I don't think we've covered as much, is the punishment. And so accessing and defacing are equivalent in this bill, whereas we do currently have a law that says you can't access someone's computer and start making changes that would be harmful or deleting data, and so now we have that, which is also, I think, a five thousand dollar fine, or it's a felony? Oh, okay, so it is different. Oh, okay. I still think it's a very harsh punishment for the things that we've been discussing. That brings up a topic I think we discussed a little bit before we got started, which is, for the folks who may be non-technical who are watching this, what is a great way, what is their analogy or metaphor, a way that we can frame this that would help them appreciate? Because when we're talking about computers, I know that one of the things that I struggled with when I first started getting into computers, which I didn't do until college, was that it can be a bit abstract, right? There's not a physical something you can touch and feel. You're working with bits and bytes. What would be your take on the best way to explain this to somebody who may not have the experience that we have of working in this field? And if you want to touch on that while wrapping up with some closing remarks, then I think that would be fantastic. Anybody can take it any way. Sure. You know, I've looked at a number of different analogies here. I think that, you know, the thought of a library, right? The internet's like a big public service where there's a lot of things
that you can go and just go up to and pull the book down and take a look at it. And then there's times where you need to go and talk to somebody and say, hey, I'd like to get that book, please. And if that person reaches up, grabs that book and gives it to you, you have that assumption that you're allowed to look at that book. If that person made an error and gave you a book that you're not authorized to view, then, you know, this is the situation which we're looking at, ourselves being able to have individuals that, you know, by accident, or as designed to help test security settings, you know, are going to just be doing basic requests. We're just talking about accessing systems. It's a very simple thing to do, but that, you know, by having this law, we're basically exposing the individuals, security researchers, and just, you know, putting a whole lot of legal ramifications on something that should be fairly straightforward. So that's where I went with it, you know, the library analogy. I think that kind of may help out some and try to understand what we're talking about here. So is that, you guys think of a better one than that or something? I would say, I'd give another example, maybe two examples. Let's say you go into town and you go into a store. The door's open, they're open for business. You go into the store. Do you have access? Are you authorized to access that store? Could they sue you for trespassing? Potentially they could, if they wanted to abuse their situation or the scenario or the language, the law, whatever. Another situation is, consider this: let's say you have a car or a truck. Nowadays they're all computer controlled, okay? Who owns that truck? You, when you buy it. Who owns the software inside of that vehicle? You, with the car manufacturer? Well, nowadays, actually, it could be the car manufacturer. So let's
say you go buy a module, a third-party module, or these little devices where you can actually interface with the car's computer, and you modify it because you want it to go a little faster. Could you go to jail for that? Literally, this says that you could. For me, I guess the first example I thought of was, if you lost a driver's license on the ground. The ground is a public ground. A public street is equivalent to a public web space. And so if I lost my license, I'd want someone to pick it up and either give it back to me or give it to an authority. And now with this bill, before this bill, if it's not signed, we can still do that. As security researchers, we can help protect data. A license is a piece of data. If the bill is signed and becomes law, then I feel that it makes picking up that license illegal. So then I don't pick it up. I leave it on the ground. A person with malicious intent will probably still pick it up, and then the state of Georgia would be known for having more of this data just lying around waiting to be picked up. So I think it would cause us to be less secure than more secure, which is the intent. Yep. I'll inject a question. So one thing we haven't covered yet is the internet of things, and we all have those devices. We bring them into our homes and we hook them up to our network. If Senate Bill 315 becomes law, what are some of the implications on internet of things devices and the security of Georgia people's homes? Okay, so that, it depends. Are you trying to probe your own devices that you own? In that scenario, I kind of map it back to the car, the automobile example. Depending on the device manufacturer, if they put inside some type of fine print that you can't probe that device looking for security issues, then they could exploit this law. So that's one. Let me give you, I guess, an example. You can repeat this. So you have an IoT device that's manufactured by a foreign manufacturer,
and they do a very limited run because they're off to the new model. So a security researcher thinks it's insecure and they start to probe it. This device communicates with the cloud. So what are the implications of being able to say, wait, this particular webcam is so insecure you should not use it to monitor your babies, because anyone could watch the feed? What's there? Well, I think that, you know, you bring up a very good point. Even if you're not a security researcher, you know, people could stumble, you know, they're technically adept, they stumble upon, you know, some of these IoT devices are built very, you know, poorly, with very little or no security in mind, and they say, well, okay, I didn't realize that I was, you know, putting my baby on the internet. Now they just tweet that. They say, oh my God, look at this, this is awful. Okay, they've just now, you know, admitted to doing what's illegal in this bill. And so if that manufacturer decides they don't want to deal with, you know, pay their lawyers to do it, they just call up the Georgia prosecution's office and have them go arrest those people. And that is the type of, you know, legal situation that we would be in. And, you know, I've had somebody kind of push back in these discussions, say nobody's going to abuse the law like that, I mean, that's not the intent of the law, and I've heard it from, you know, the people that frame this. It's like, well, the DMCA, DCMA, sorry, DCMA, right, the Digital Communications Millennial Act, is it? Get it right. There we go. So I'm just like, see it bouncing around, that, you know, is one of the most prime, you know, examples of abuse of a law, is that, you know, there's just, you know, thousands of instances where, you know, individuals were, you know, being sued for hundreds, and there were thousands, of dollars, you know, for, you know, thinking that they were sharing music videos or they posted something on
YouTube. But, you know, I've got one of my Facebook videos has been taken back because I was singing along to a song. And so, you know, there is definite precedence in this country that we will use whatever legal means we have possible to, you know, companies will use those to, you know, get the ends that they want. And so we definitely should be, you know, exploring the possibilities and not just being naive to think, you know, it probably won't be abused in this way. I think this touches on something, this is maybe a little bit larger than our discussion around Senate Bill 315, is that the infringement on this, you know, the criminal violation of this particular bill, should have become law, is impacted by the scale and power of technology. So when we're using computers, they're a tool, and they can be used for good or they can be used for nefarious purposes, but they augment our ability to do that. And I think what I'm hearing you say a little bit is touching on that, which is that the enforcement of this law can also be augmented by technology. So I can imagine a situation where you could do some sentiment analysis on tweets and discover, hey, these people are tweeting about my insecure software, so now let me turn around and see if I can draw up some criminal prosecution towards those folks. So I think that's the other thing that's difficult about legislating technology, especially with what computers allow us to do. It takes it to a scale that we haven't received before. So when we talk, you mentioned earlier about where the bits and bytes are coming from, and when we talk about that scale, we're not talking about, now maybe we'll see 10 or 100 of those situations. It could be in the billions of situations that would violate this law in that case. And that's another thing that I think speaks to the criminal prosecution, that I heard some concerns expressed at one
point of, if I run a scan that violates this law, we're not talking about one year in jail, we're talking about 300,000 years in jail, should they be applied serially. So, yeah, I think, I know we're getting close to time here. We've gone on for a little while. If there are not any other questions coming from folks, take questions from online authority and from the audience. Okay, any questions from the audience? Oh, that's a great question. The question was, why is a phone not a computer? Does anybody want to take issue with that or redress that? Your phone is a computer. It's got a processor in it, so it's definitely a computer. Yes, yes. If you want to think about the internet of things, and in defining any type of device that has computing and communication capabilities, that is a computer. So, you know, if you've got a copy of the bill, you know, Article 6, Chapter 9, Title 16, in Title 16 there's a definition section, and so, you know, the bill here doesn't modify any of the definitions that are there, but there is a definite legal definition of what a computer is, and it does cover our phones. And so in this instance, you know, this bill would be applied to unauthorized access, and so that would include picking up somebody's phone and accessing it. What about the refrigerator? And that's coming, yeah. Or the fight over the thermostat, you know, the spouses fighting over the thermostat, and I'm going to, you know, call and have my wife arrested because she touched the thermostat. Unauthorized access. I think they're the same household. They got the carve-out. Darn. No, I think that's a fantastic point, is that the phone all of a sudden is a computer. And so I imagine situations where folks access each other's phones, maybe for, you know, joking purposes, to have fun, but now all of a sudden, technically, they've created a criminal act
by doing that, in doing so. There's another, I've accessed a couple people's, strangers' phones. One case, they dropped it on State Street. I opened it, called the last number and said, hey, would you like your phone back? Did your friend want their phone back, or the person, you know. Another case is on a cruise ship. I found an iPhone. It was unlocked. Had it been locked, I would have just turned it in to the cruise ship, but since it was unlocked, I redialed the last number and said, hey, you know, I found this phone. He said, oh, it's my wife's phone, thank you, I'll come get it. So I think it goes back to, like, the driver's license. A phone, if I lost my phone, I would definitely want it back. Well, in those scenarios, you know, the person that realizes that's not going to be pissed off and go and ask the police to go arrest you, right? But, you know, when you're describing that, I thought about the situation, you know, I've got kids in school. There's resource officers in those schools, and those resource officers, especially in high schools, have to make a determination: did this particular issue break a law, and do I need to take a kid in and, you know, arrest them for fighting, for, you know, all the different things that happen in schools? When does it cross that line and become illegal? This will enable that resource officer to start pulling in kids who are just grabbing one another's phones, you know, making some embarrassing post, you know, the type of things that happen. You know, and that's an aspect, you know, I hadn't really even realized, that that would be, you know, another place for abuse, as those individual officers, you know, could, you know, overuse that ability and, you know, start getting a lot of kids arrested for this. The kids could be 18, too, still in high school. Could you guys talk a little bit about the student aspect of this bill and how we could stifle job seeking? For, I mean, we have
Kentucky State University, Georgia Tech, I mean, they are teaching these courses for, like, ethical hacking as part of a curriculum, because these are positions that will be sought after by graduates coming out of school. If that's going to be illegal to practice that kind of work in this state, we are growing students who will take their talents elsewhere, and those states will benefit from, you know, our education system. Can you just talk a little bit about, you know, why that's, you know, not good? You know, it really kind of extends on a lot of the discussion we've had tonight about, you know, the chilling effect it's going to have on those independent security researchers. So every time we've said independent security researcher, that includes, you know, students of all ages, both the ones going to school and the ones that are learning by themselves online. There's lots of self-driven education for the security market. And so, you know, absolutely, this is, you know, a situation that kind of exposes them, and, you know, they either will, one, you know, if they know this exists, will, you know, be able to make a decision that I don't want to go into that field, you know, you can get in trouble with the law, I don't want to go down that road, right? Or decide that, you know, I could do this, but I have an opportunity to move elsewhere, and so therefore I can move and still pursue this line of work. Or, I think the third situation would be the most tragic, is they run afoul and they find out the hard way that they violated a statute and then find themselves in trouble. And especially if there was no malicious intent in the first place. Exactly. And another aspect is, what if the universities or the teaching institutes have to stop providing this coursework, period? When I was at Auburn back in the 90s, it was a Unix-based system, and I could run any
command I wanted. So I just tried running all of them, right? Because, you know, you want to know what happens. I think that's a good place to do it, at the university. I ran into some that should not have been allowed, and so I let the admins know these should not be allowed, and I think that's the proper thing to do. And I think to just give students kind of an open system and let them find vulnerabilities in it, I think that's a really good way to learn. I gained a lot from it. I think other students would too.

You know, one, maybe think of a line, something to explain to the audience that might not understand, that the security researchers that are doing these active, you know, going out and trying to find vulnerabilities: you think about the security field, if it's, let's say, a hundred thousand people or something along those lines, there might be some small percentage of those that are doing security investigations, the security researchers that are doing that stuff. The rest of the guys are what we call blue team, right? These are the ones that are working for the companies that are defending our Georgia companies from hackers all over the world. To understand how to defend yourself, you really kind of need to know how the attackers attack. And so many times these blue team folks will, on their own downtime, look at these self-training websites, look at these blog sites, you know, understand and try the tools and see how they work. Now, again, having this law in effect basically would again put that chill in that. These folks will not be able to do that stuff on their own time. It would have to be as part of their daily activities. They couldn't do any type of extracurricular training, and
you know, that whole situation just makes it very hard to run a security team in Georgia.

It sounds like it's raising the bar, the barrier to entry. It reminds me of, similar to having to have a DoD clearance in order to just get your job done, which I understand if it's for, you know, secret and confidential data. But in the case of a very fast-growing field like computer security, I mean, honestly, I think it would take the laws a long time to catch up to the technology. We would constantly... we need a law that's officially written so that we're not updating it every, however often you guys update.

Yeah, we get together once a year.

So we have a couple questions. One was about, it's kind of a partial, "do CTF," so I don't know, maybe you can capture the flag. Yeah. And then the second question is, what is the best option for students, adults and the public to protect themselves against their freedom of privacy against policy that works against their better interests? That is from Scott Ingram. Thank you, Scott. Did anyone hear that?

Yeah. No, I think that, you know, what we're gonna add is that we keep talking about the security of a company, and when we say that, what we really mean is these companies hold our data. We have one of the large credit monitoring firms that's a Georgia-based company, we have a large airline, we have a lot of, you know, very large companies that have large databases, and we entrust them with our privacy, with our private data. And so when we say that this bill will lower the security of Georgia companies, that means that your company, your data, will be more at risk of being stolen and being used by fraudsters. And so that's the real implication of this: by not having a growing cybersecurity community here in Atlanta that the Georgia companies can tap into and use those
expertise, those companies will be at greater risk for attacks and our private information will be exposed. So this is in essence what, you know, when we say lower the security of a company, what we're meaning is it's your data that's at risk.

I want to add to that. I've heard a lot of people say, "Oh, but I haven't done anything. You know, if someone wants to see my data, that's okay." Data is an asset. You can see this in Facebook and in Google, and basically, if it's basic personalized marketing, so anything, if they know your height, they know your eye color, they know your hairstyle, they know anything about you. If they know your genetics, maybe they know you're prone to having high cholesterol, they're like, "Hey, these things will help lower your cholesterol." It's just very... all data is pretty much marketable.

Yeah, there's three big companies that do this, right? Yeah, there's TransUnion, Equifax and Experian. That is what they do. Their business is to acquire data about us as individuals and then turn around and sell that to other companies, and that's their market. So yeah, for folks who may be not technical or not aware, these folks have been doing this a long time. They've just been getting better and better at it, and they have more and more opportunities to do that now because so much of our information is online.

There's a quick tangent on that. They coined a term called infonomics, I think that's how they pronounce it. It's the idea that, you know, information is assets, but why aren't those assets on the business sheet, on the balance sheet? And so there is actually a movement with the economists and technologists that are saying, you know, we need to say that Google isn't the combination of their servers, it's the combination of their data. And so we're going to see in the
next, you know, five to ten years where we're just about starting to put real dollars on our data. And so they kind of get to that understanding that this data is not only in concept valuable data, but we will see it on public companies' bottom line. So we're definitely moving in that direction.

So I'll ask, thank you everyone, I'll just ask you, Jonathan, so you can repeat it, but I think Al asked about capture the flags: have those been made illegal if this bill is signed, or is that somehow allowed, like authorization?

So the question was, are capture the flag programs made illegal? And for folks who may not be familiar, this is typically an opportunity where there's some type of token or flag that folks are encouraged to find in a system or a system of systems, a network or computer network, and the job is to maybe find vulnerabilities, and there may be a sequence of vulnerabilities. So you find the first one, which is sort of easy, the second one's a little bit harder. It's almost like some type of, what's the game you play when you do this in real life? I can't think of it off the top of my... not capture the flag, but almost like a treasure hunt, right? You know, like a type of treasure hunt, but you're doing it on the computer and you have to break the clues to find the vulnerabilities for each one. Does anybody want to address his question?

I would say this could be a complex answer or a complex question, both. On one end, you would consider this authorized access if, say, a university or some type... this would normally be set up by a conference or a training. So various conferences that I go to, Black Hat, SecTor, various ones, they'll have capture the flag competitions where you go on site, and various organizations have set up networks of devices, and students or players, competitors, whatever, can come in and try to hack these systems. So in that case it would be
authorized access, and so from that perspective it should not be an issue. However, where the problem comes in is, when you're setting up these systems, you gotta understand, you're installing software, or you're using, if it's an IoT device, say a baby camera or a router or whatever, and you set that up in the lab, and you're doing this with software that has known vulnerabilities in it, or sometimes unknown vulnerabilities. The question then becomes, does the owner of that software, the producer of that software, can they then say, "Okay, well, you're hacking our system"? Is it then unauthorized? So that's where the complexity could come into play. I would not foresee that to happen, but that is a possibility. Generally speaking, it would be probably considered authorized access as long as you're playing it in an official CTF and not, say, "I'm probing someone's site and I'm going to try to find a flag."

Well, the assumption there is that they've set up their own capture the flag servers, right? And everything is kind of contained within one system. You know, that's not always the case. A lot of times they use cloud-based services to host, you know, some of the things that they have to go out to find is out there. I've been part of, there's the social engineering capture the flags, right? They use Facebook, Twitter. I mean, you're going out and using, you know, this is not just a closed system. And so in those cases, those capture the flag situations, yes, you're asking somebody to go and purposefully do, you know, knowingly unauthorized access on public-facing systems. And there's others that even expand, you know, make that line even further fuzzy. Media companies have created little puzzles when they go out and they're trying to engage people around, you know, trying to watch this new film, right, is that they'll put little clues in their
posters, and they go out to their websites, and they have, you know, ways, and they're really asking people to go and hack those, you know, look at the source code of the HTML and go in and do some unauthorized access. So there's situations that you will definitely cross the line here and put people definitely at risk.

So I want to thank everybody for coming. This has been fascinating. So this is something that, as a first-time legislator, this is an issue that I've been thinking about, and it's amazing to me that in this forum tonight I've already had at least four or five different things that I hadn't considered before that have raised more concerns that I've had around this. So I definitely want to thank y'all for coming out, and give you one last chance to wrap it up with any final comments or statements. I want to thank everybody who came out to this event, anybody watching online, thank y'all so much. I think we've definitely exposed more concerns around this bill and maybe some unintended side effects. I do think that this is something that we do need to address, and I would love to come back next year with y'all's help to craft maybe some finer language that would be a little bit clearer and sort of address some of the concerns that we've raised here. But let me turn it over to each one of you and give you a chance to wrap up and say anything you might want to at the very end.

So I'll start. So, you know, I think that what we're doing is urging the governor to please veto this bill. The legal gap that we've got with this, not having a law that makes unauthorized access a state, you know, misdemeanor, is a very small gap. It's something that we need to close up, but there is not a large amount of activity that isn't also covered by federal law that is need for you to sign something that is fraught with so many
errors that the amount of work to try to fix this and clean it up, and the time between now and then, you know, there isn't enough reason to go ahead and sign this as is. So, you know, please consider all the problems with the bill as it's currently written. We will get this right next session. So please veto. Thank you.

So computer security, cyber security, is actually one of the most challenging problems we are facing nowadays, and it's only going to get worse as we have more and more technology. And so just simply to say that you can address such a complex problem in two pages is just not sufficient. I would love to see a lot more detail go into this, potentially based off of significant input from technological experts who understand this a lot more in depth.

First I want to say thank you, Mr. Johnathan Wallis, and thank you, Mr. Frank Riyadh, for hosting this. And if you also have concerns about this bill, you can write Governor Deal a letter. Anyone can write a letter. I read a letter. So, and also, if you work for a software company, you can encourage their company to write a letter to him as well to urge him to veto it, and post on social media. And thank you for listening.

And one more time, I would say thanks to Big Nerd Ranch for allowing us to host the event. Thank you very much. Thank you so much, everyone, and thanks for watching.