Question 1
In United States v. Morris (2d Cir. 1991), Robert Tappan Morris released the first Internet worm. He did not intend to cause the widespread damage that resulted. The Second Circuit nonetheless affirmed his CFAA § 1030(a)(5) conviction. What is the controlling doctrine this case established regarding intent? A CFAA § 1030(a)(5) requires proof that the defendant intended to cause the specific damage that resulted; accidental damage cannot support a conviction. B The word "intentional" in § 1030(a)(5) modifies the access, not the damage — intent to access the systems is sufficient, even if the damage was unintended. C Morris was convicted because the government proved he intended the damage using circumstantial evidence of the worm's design. D The Second Circuit held that § 1030(a)(5) is a strict liability statute requiring no intent element at all.
Question 2
Kevin Mitnick's sentence included a condition banning him from using computers without probation officer approval until 2003. What does this aspect of the Mitnick case establish for researchers? A Computer bans are unconstitutional restrictions on liberty and were later invalidated on First Amendment grounds. B Post-conviction supervised release conditions restricting computer use are upheld by courts, and violations of those conditions are charged separately — making the effective sentence longer than the original term. C Mitnick's computer ban was only possible because he committed crimes before the Internet became commercially widespread; courts cannot impose such bans in the modern era. D Federal courts may only ban defendants from using specific computer systems proven to have been used in the offense, not computers generally.
Question 3
Albert Gonzalez was an FBI informant while simultaneously operating the largest credit card theft ring in history. His cooperation credit was "effectively nullified" at sentencing. What specific sentencing doctrine does the Gonzalez case illustrate? A A defendant who cooperates with the government always receives a substantial sentence reduction regardless of parallel criminal activity. B Cooperation credit can be voided or substantially reduced when the defendant continues criminal activity while operating as an informant — the double-agent posture eliminates the credit's value. C Gonzalez's sentence was reduced because his SQL injection techniques provided the government with valuable cybersecurity intelligence. D § 1028A aggravated identity theft cannot be applied to financial data card theft because payment cards are not "means of identification" under the statute.
Question 4
United States v. Auernheimer (3d Cir. 2014) is frequently cited by security researchers as a case vindicating CFAA research into publicly accessible systems. Which statement accurately describes what the Third Circuit actually held?A The court held that accessing an API endpoint with no authentication present is lawful under CFAA because Van Buren's "gates up or down" test is satisfied. B The court vacated the conviction on venue grounds only, declining to reach the merits of whether the CFAA theory was valid, meaning the underlying theory that systematic API enumeration violated CFAA was never rejected. C The court held that AT&T bore responsibility for the breach by failing to authenticate the endpoint, creating an implied authorization for any researcher who discovered the flaw. D The court reversed the conviction because the jury instructions misstated the "authorization" standard under CFAA.
Question 5
Hector Monsegur (Sabu) led LulzSec attacks on Sony, PBS, the CIA, and Senate.gov. He secretly began cooperating with the FBI after his arrest and recorded over 300 hours of co-conspirator communications. His sentence was 7 months time served on charges carrying 10+ years. What does the Sabu case establish about cooperation in hacking prosecutions? A Cooperation is only meaningful if the defendant has no prior criminal history — Sabu benefited from this because LulzSec was his first offense. B Active cooperation that produces new arrests and investigations — not just pleading guilty — can reduce a decade-plus sentence to time served; Sabu is the most consequential cooperator in hacking history. C Cooperation benefits are capped at a 50% sentence reduction regardless of the value of assistance provided. D Sabu received time served because the government could not prove he personally executed any of the LulzSec attacks.
Question 6
Paige Thompson (erratic) exploited a misconfigured AWS WAF via SSRF to access Capital One's S3 buckets, exfiltrating data on 106 million customers. She was convicted of CFAA § 1030(a)(2) and wire fraud but received no prison time. What factor most directly explains the light sentence, and what broader doctrine does the case establish about cloud SSRF attacks? A The light sentence reflected that SSRF attacks are a novel legal theory that courts are reluctant to punish; the case did not establish CFAA coverage for cloud SSRF. B Thompson received no prison due to absence of monetization intent and time served in pretrial detention; the case establishes that cloud SSRF exploiting IMDS (AWS metadata service) constitutes CFAA-covered unauthorized access regardless of the attacker's sophistication or intent. C The jury acquitted Thompson of all charges; the case is not a conviction and establishes no doctrine. D Thompson's light sentence was because she reported the vulnerability to Capital One before her arrest; responsible disclosure reduces criminal sentences.
Question 7
Arion Kurtaj of Lapsus$ was convicted of Computer Misuse Act offenses in the UK for hacking Microsoft, Okta, Nvidia, Rockstar Games, and others — including while on bail after a prior arrest. The jury found him guilty but he was found not criminally responsible due to mental disorder. What disposition did the court impose? A Kurtaj was acquitted by reason of insanity and released with no conditions. B Kurtaj received a suspended sentence with mandatory psychiatric treatment as an outpatient. C Kurtaj was placed under an indefinite hospital order — a detention in a secure psychiatric facility that replaces the prison sentence for defendants found guilty but mentally disordered. D Kurtaj's case was dismissed after the mental disorder finding because UK law does not permit conviction of mentally disordered defendants.
Question 8
Vladislav Klyushin was extradited from Switzerland to the United States and convicted of hacking filing agents (Donnelley Financial Solutions, Toppan Merrill) to steal pre-release corporate earnings reports, generating $93 million in illegal trading profits. He was sentenced to 9 years. What legal doctrine combination makes this case unique in cybercrime history? A Klyushin is the first defendant convicted under both CFAA and export control laws for exfiltrating U.S. financial intelligence. B Klyushin's case is the first to combine computer intrusion with money laundering charges based on Bitcoin conversion of hacking proceeds. C Computer intrusion to obtain material non-public information constitutes securities fraud; Klyushin received the longest sentence ever for a securities fraud scheme executed via computer intrusion, establishing CFAA + securities fraud stacking. D Klyushin's case established that extradition from Russia is possible when the defendant is detained in a third country — but this was already established in prior cases.
Question 9
Joseph Sullivan, Uber's Chief Information Security Officer, was convicted of obstruction of justice and misprision of felony. He did not hack anyone. His conviction arose from actions taken after a 2016 breach. What conduct formed the basis of the conviction, and what is the most significant precedent it sets? A Sullivan failed to notify affected users within the required breach notification window, making Uber's CISO the first convicted under a state breach notification statute. B Sullivan orchestrated payment of $100,000 in Bitcoin to the hackers and concealed the breach from the FTC while it was actively investigating Uber's security practices, labeling the payment a "bug bounty" — the first criminal conviction of a corporate CISO for breach response decisions, changing how CISOs must manage post-breach conduct. C Sullivan approved a cover-up scheme designed by Uber's legal team and received criminal liability for following counsel's advice — establishing that attorney-client privilege does not protect CISO conduct. D Sullivan was convicted for failing to implement adequate security controls that allowed the breach to occur, establishing a duty of care standard for CISOs under federal obstruction statutes.
Question 10
Marcus Hutchins (MalwareTech) created and sold the Kronos banking trojan in 2014–2015, before he became globally known for registering the WannaCry kill-switch domain in May 2017, stopping the worldwide ransomware outbreak. He pleaded guilty to two CFAA counts and received time served plus supervised release — no additional prison. What is the most legally precise lesson this case establishes? A Security researchers who engage in extraordinary public service are immune from prosecution for prior criminal conduct. B Prior criminal conduct (Kronos trojan authorship) remains fully prosecutable regardless of subsequent heroism; WannaCry heroism did not erase liability but clearly influenced sentencing discretion, illustrating that post-offense rehabilitation affects the sentence, not the verdict. C Hutchins was acquitted because the WannaCry kill-switch registration demonstrated he was acting as a law enforcement agent at the time of the prior offense. D The case establishes that malware authorship charges require proof that the malware was deployed by the defendant personally, not merely authored and sold.