Is It Illegal To Disclose a Web Vulnerability?
Scott writes "I'm submitting my own story on an important topic: Is it illegal to discover a vulnerability on a Web site? No one knows yet, but Eric McCarty's pleading guilty to hacking USC's web site was 'terrible and detrimental,' according to tech lawyer Jennifer Granick. She believes the law needs at least to be clarified, and preferably changed to protect those who find flaws in production Web sites — as opposed to those who 'exploit' such flaws. Of course, the owners of sites often don't see the distinction between the two. Regardless of whether or not it's illegal to disclose Web vulnerabilities, it's certainly problematic, and perhaps a fool's errand. After all, have you seen how easy it is to find XSS flaws in Web sites? In fact, the Web is challenging the very definition of 'vulnerability,' and some researchers are scared. As one researcher in the story says: 'I'm intimidated by the possible consequences to my career, bank account, and sanity. I agree with [noted security researcher] H.D. Moore, as far as production websites are concerned: "There is no way to report a vulnerability safely."'"
People shouldn't stick their node where it doesn't belong.
What if some Peeping Tom was leering at your daughter through the window, "to check for vulnerabilities in your home security"? It doesn't sound so good now, does it?
paste up a poster in the town square, announcing that the lock is broken on the back of the hardware store?
How is this different?
"We think people rightly feel that once they buy something, it stays bought," --Suw Charman, Open Rights Grp
And if I catch you, you are going to get seven shades kicked out of you. Pissing about with what's not yours always has repercussions.
Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
What truth?
There is no dupe
Why not just disclose them anonymously through tor or the like? Nobody can prosecute you then.
Eric McCarty's pleading guilty to hacking USC's web site was 'terrible and detrimental,' according to tech lawyer Jennifer Granick.
No good deed goes unpunished. The lesson here is, let the poor bastards find out about the problem after it's too late.
The theory of relativity doesn't work right in Arkansas.
Shameless self promotion!
Is this about discovering a vulnerability, or trying to discover a vulnerability?
If I click a link, and something breaks, and I've 'discovered' a problem, I've probably not done anything. It just broke, and I was the one who was there.
If I try to find a problem, and do (even if I don't exploit it), then I might have been doing something I shouldn't.
A real world example would be, if you get caught outside of a door, trying to pick the lock, and then claim you were trying to ensure their locks were safe, you might get charged with attempted B&E. You don't get to do a security audit on people's front doors.
As much as we like to separate people into black hats and white hats, if you were trying to jimmy the lock, for whatever reason, you were probably doing something you shouldn't have been.
Just my 2 cents, anyway.
Lost at C:>. Found at C.
One problem is the lack of qualifications to call oneself a legitimate security researcher. Every two-bit script kiddy hacker in the world is a "security researcher" by the current definition. Unfortunately, many of the current actually-qualified security researchers have some sort of black-hatting in their background, which, to my mind, makes them suspect in the first place.
It's an issue of trust. If you sit outside the system and make pronouncements, it's difficult to trust what you say. If you break into a system, then it's even more difficult to trust what you say, since, of course, you've been in there, maybe rummaged around, broken who knows what, etc.
"My God...it's full of trolls!"
So, this might not be relevant, but once I reported a cross-site scripting to a website by using a web anonymizer to create a hotmail account, sending exactly one message, and then never using the email account again.
Anonymizer tools have improved since then, especially for combating censorship. Would you be able to use TOR or something similar to report vulnerabilities without exposing your identity?
Powered by Web3.5 RC 2
In the interest of full disclosure, Clare Boothe Luce said that. :)
Sooner or later, they will learn that they need to secure their site after they get hacked, used for a warez dump and find out that they have to pay (literally) for using 8x the bandwidth they paid in advance for.
Expensive lesson usually means lesson learned.
Why are we supposed to help the stupid? Let them continue doing stupid things until they get pwnt and it costs them their business.
1q2w3e4r5t6y7u8i9o0pqawsedrftgthyjukilo;p'azsxdcf
It should depend on how you do it, and why you do it. If you do it with good faith intentions, it should be considered a good samaritan work. If they have not touched it after a while, you should be able to reveal its existence.
"There is no way to report a vulnerability safely."
-fb Everything not expressly forbidden is now mandatory.
If the intent is malice, then it's wrong.
.. then I don't see why a vuln can't be disclosed.
.. you'd want the right to tell your friends about it .. correct. I should have the right to tell my friends anything that may protect them from harm.
If a vuln. is disclosed on a major site, and there is proof that the finder of the vulnerability took reasonable steps to report it to the operator
Because that would simply be informing the public that website is insecure. Real World example, if security guards from a security contracting company were always sleeping on the job
Second, maliciously probing a site with the expressed purpose of finding a vulnerability should be treated the same as someone trying to break into some place. However, genuinely accidentally (via a typo or something) stumbling upon an issue should not be prosecutable. There is a gray line with this of course, because sometimes acting on moderate curiosity should not be frowned upon.
What's the problem with sending info to a webmaster? And what's the point of doing anything else? If you post it publicly, you've created a race condition between script kiddies and the site admin, and should be punished. If you send it to the webmaster, you are doing a service, and shouldn't be punished. As long as you don't exploit it, you should be ok.
http://bgcommonsense.blogspot.com
Some interesting comments from Bruce Schneier and Marcus Ranum (and Microsoft too) on the debate. http://www2.csoonline.com/exclusives/column.html?C ID=28088
It's more like advertising that given brand and implementation of a lock is faulty. It may or may not impinge on you but in either case it's general enough to be of benefit to people besides you. Would you like to know that every model of the car you own happens to accidently use the same key? I would.
If you want to report a bug, and you're not sure if it'll go down well with the fat cats at the top, post it anonymously.
Anyone who is clever enough to find a bug ought to be clever enough to notify those who should be informed without leaving obvious traces as to who they are.
You can't be sued if you don't exist...
That doesn't stop people trying though...
There is no psychiatrist in the world like a puppy licking your face - Ben Williams
If disclosure of vulnerabilities stops, exploits will still occur... only no one will know how they work or how to stop them. yeah, this is progress.
I had a similar experience. I was doing some research on a cell phone that I was going to purchase. I wandered onto a poorly written blog/website. He was a "professional" webmaster. He had random screen shots posted up on his site. He had a webmail service that he ran. Had user names, real names, AND passwords all in one pic. Not to mention he had a few sensitive cell phone network plans unsecured. Scary
Armed with this fair and just legal precedent, we can finally put all those scheming hoodlums from Bugtraq in Federal PMITA Prison where they belong.
Slashdot Burying Stories About Slashdot Media Owned
I can't believe people actually ask such IDIOTIC questions.
Of course it's illegal.
If you don't report it anonymously ONLY TO THE OWNER OF THE SITE and instead do it publicly you should be arrested and locked up with no questions asked.
In fact I'd consider doing the same even if you did it anonymously if the owner didn't actually ask you to find bugs on the site.
Everything has bugs. Exploiting them doesn't take a genius.
A few years ago I was renewing my car tabs on the WA state's site and they had a box for 'donations to DOT' or somesuch. For kicks I tried putting in a negative value, and sure enough it reflected the total for my tabs as less. I went ahead and submitted things with a dollar taken off the value, just to see if it would actually go through. Sure enough, a week later I received my tabs, and the mathematically correct but embarrassing negative donation on my receipt.
I ended up calling them and letting them know about the bug. They were nice about it, and the next year at least it was fixed.
-Nic
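The negative-donation story above is a server-side input validation failure: the form accepted any number and folded it into the total. The following is an added example (not Nic's code or the WA site's code) of what that validation should have looked like. The fee, limit and field format are constructed assumptions; the point is that a donation must be parsed as an exact decimal, rejected if negative, non-finite or malformed, and that the total can never drop below the fee.

```python
from decimal import Decimal, InvalidOperation

# Upper bound on a single donation; a constructed assumption for this example.
MAX_DONATION = Decimal("10000")


def parse_donation(raw):
    """Parse a donation string from a web form into an exact Decimal.

    Raises ValueError for anything a renewal form should refuse: non-strings,
    non-numeric text, NaN/Infinity, negative values, more than two decimal
    places, or amounts above the limit.
    """
    if not isinstance(raw, str):
        raise ValueError("amount must be the raw string from the form")
    text = raw.strip().replace("$", "").replace(",", "")
    if not text:
        text = "0"  # an empty donation box means no donation
    try:
        amount = Decimal(text)
    except InvalidOperation:
        raise ValueError(f"not a number: {raw!r}")
    if not amount.is_finite():
        raise ValueError("NaN or infinite amount")
    if amount < 0:
        raise ValueError("negative donation")          # the bug in the story
    if amount > MAX_DONATION:
        raise ValueError("donation exceeds limit")
    # Reject sub-cent precision (e.g. "1.005") rather than silently rounding.
    if amount != amount.quantize(Decimal("0.01")):
        raise ValueError("too many decimal places")
    return amount


def is_valid_donation(raw):
    """Boolean wrapper around parse_donation for callers that only need yes/no."""
    try:
        parse_donation(raw)
        return True
    except ValueError:
        return False


def compute_total(fee, donation_raw):
    """Add a validated donation to the tab fee; the total can never be below the fee."""
    fee = Decimal(fee)
    total = fee + parse_donation(donation_raw)
    assert total >= fee, "invariant violated: donation reduced the amount owed"
    return total


if __name__ == "__main__":
    print(compute_total("30.00", "1.50"))   # accepted donation
    print(is_valid_donation("-1.00"))       # the input from the story: rejected
```

The check is done on the server because the browser-side form is under the user's control; the `assert` on the final total is a cheap invariant that would have caught the story's bug even if the parser were later loosened.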
those that ask *best whiny voice* "Is it ok if I do this? Will I get arrested? Is it illegal to do this?"
and those that proudly proclaim "I am doing this and no-one can stop me. If you think you can arrest me for this, YOU ARE WRONG."
The first kind of people contribute nothing to our freedoms. They are crippled by uncertainty and their annoying whining makes people think that, hey, maybe there is something to fear. The second kind of people challenge the norms and make that which was uncertain clearly not illegal. Hey, if they can get away with it, maybe I can too!
So my advice: stop whining and grow a backbone.
How we know is more important than what we know.
Each time an exploit comes out, the pattern is the same. The company doesn't announce it, anti-virus makers are either paid off (as in 'approved' spyware and/or rootkits) or not kept informed, and once the story breaks, the public relations machine starts. The researcher is vilified as a hacker, the problem is denied or minimized, and the prospect of a patch is left moot because this would require accepting that a huge problem exists. Most of us scream that this is ridiculous, companies should tell everyone when an exploit shows up, and patch it as soon as possible. More to the point, they should expose their source code to scrutiny in order to better provide services to their customers.
Are you sitting down? Good. They won't and they don't care. The first rule in the PR handbook is to deny and put off realization. If the big front is that there isn't a problem, or that a crack of a voting machine can only be done in a lab, and months down the road, the company quietly sues the researcher or releases a patch, they win. People have a limited attention span and fatigue quickly in the face of fear and hysteria. As long as your company's admission of guilt comes well after the original problem, or not at all, people are happy.
With this in mind, let's look at the law. Thankfully, whistleblowers have some protection, and some internal voices about code might not be silenced, especially if the review takes place within the judicial system, and not through a new law. Of course, corporate secrecy, as in the case of Apple and HP, is pretty extreme, and most employees wouldn't risk the civil consequences of voicing a problem that doesn't rise to the level of a public safety hazard.
Outside researchers are in more and more trouble, and this really only leads to problems for the customer base as a whole. We rely on sites like MOAB to shame companies into action. We also rely on OSS competition in order to make products like IE better--Firefox gives an economic incentive to Microsoft to improve their product, otherwise, security development would have languished.
Very few analogues exist in the places where this is critically important: commercial and banking software. CITIbank suffers a classbreak and doesn't bother informing their customers. Security conscious customers can voice their discontent and move to another bank, but we have to trust that the new bank is as averse to security breaches as we are. For the rest of the millions of customers, security will not improve. Since identity theft costs are largely borne by the customers, the banks don't care. Because the banks don't care, it is much easier, and better in their eyes, to make publishing vulnerabilities like this one illegal and trust that their customers will never be the wiser.
check out this article:
[PDF] Why information security is hard
No? Does the word anonymous ring a bell?
What?
But then, it's not your business, either.
Should you discover a security vulnerability, the correct response is to forget it. Here's why:
Naturally, we might feel a sense of duty to help someone out - if they have an exposed security flaw, we naturally want to help them. But first consider how it will be received. Most companies would rather produce software with publicly unknown flaws than to produce perfect software, websites, etc... at a much higher cost.
And, if you feel that the website owner would appreciate knowing, you might at least disclose it from an anonymous email address.
The society for a thought-free internet welcomes you.
Like others, Meunier ended up with a "don't tell" policy...these sorts of happenings bode ill for all of us, all of whom have information vulnerabilities in more ways/places than we care to think about.
Step one: Access the internet where you're practically untraceable, such as at an internet cafe or with an AnonDSL account.
Step two: Open and use an anonymous e-mail account.
Step three: Report the vulnerability.
... I intend to smash a window in the back of my neighbours house, then stick a postit note on his front door letting him know that I have discovered a potential problem with his home security.
What is the framework of the researchers in question? If a person is an academic studying the field of network security or whatnot, they can probably give a reasonable justification for doing this sort of snooping as research. If I were advising a person in that position, I'd suggest to them maybe asking permission first-- how hard is it to write a letter to another university and inform them that you are a student who is going to look for (but not break/exploit) security flaws, then report them in the course of reporting your research to your own university.
OTOH if you're a private security firm I think you absolutely must request permission from the owner of a potentially insecure network, otherwise you're just a squeegee guy at the stoplight, only you know, with data.
But if you're in the wild, and you're just "trying the locks" hoping they'll snap open, you're on your own. And God have mercy on your soul. How's that different from walking through your neighborhood jiggling doorknobs? It's very easy for a person to fix their neighbor's unlocked-door-problem, if they have an old fashioned door that can be hand locked and closed. Well in the neighbor's house analogy, the law doesn't give a crap if you lock the door behind you and don't touch anything, you're still technically guilty of B&E. Yes, you could get away with it because you can at least do the favor of locking it and choosing not to touch anything. But what if they have a deadbolt? The only way to fix that problem is to let them know so they can use the key or lock it from the inside, but the route to making the discovery that their house is unlocked is already covered by the B&E law.
Network security is all deadbolts, right? You can't quite lock the door behind you (fix their code) if you find an exploit. If you get in, even if you don't take anything, you're breaking and entering. In that case, if you publish the fact you got in by active means, you're taking a grave risk--maybe if you could somehow demonstrate that you "just found it," then maybe you can expect to get away with reporting it. But if the only way to find it is to be actively looking, the risk is yours as well, since if you know so dang much about network security, you probably should know they're not using the old knob-based locks anymore. Are they? I don't know from network security, but I know you can't wander around fiddling with locks on houses, many of which don't contain nearly half the sensitive info that computers do.
yes. that's all I'm going to say in all comments from now on.
People who actively go out searching & snooping are being vigilantes (rather than "concerned citizens" who just happen to notice something and report it).
Engineering is the art of compromise.
...is a suitable punishment for putting it there in the first place.
And it is also getting harder and harder to do stuff anonymously... Governments are even planning to forbid anonymous usage of the web.
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
Your fly is open.
* accessing data not intended for such user or logging into a server or account which the user is not authorized to access
* attempting to probe, scan or test the vulnerability of a system or network or to breach security or authentication measures without proper authorization
* attempting to interfere with service to any user, host or network, including, without limitation, via means of submitting a virus to the Web Site, overloading, "flooding", "spamming", "mail bombing" or "crashing"
* sending unsolicited e-mail, including promotions and/or advertising of products or services
* forging any TCP/IP packet header or any part of the header information in any e-mail or newsgroup posting
Violations of system or network security may result in civil or criminal liability.
As someone who researches vulnerabilities and does IT Security for a living I do not find this too hard of an issue to deal with. If you are poking around someone else's website to look for a vulnerability, flaw, or bug, then you should be prepared to deal with the consequences. It is your choice whether or not to start testing for various things that could lead to a SQL injection, XSS issue, directory traversal, authentication bypass, file inclusion, or whatever the vulnerability or issue might be. If the site happens to be running some free or commercially available software, guess what you can do? Get a copy of it yourself and test it. Alternatively, guess what else you can do? GET PERMISSION. If you aren't authorized to start snooping then you deserve to be punished, embarrassed, prosecuted, and smacked down.
I did vulnerability research on a server at my university when I was starting out. I went out and got authorization to do so. In most instances they have a test/dev server they permitted me to test on. I published these vulnerabilities in the form of an advisory publicly after contacting the vendors. You do not have the right to decide to do whatever else you want on someone else's website.
Should you be allowed to try and steal stuff from a store just to see if they're vulnerable to being robbed? Can you break into that same store to see if your sledge hammer breaks their glass? What if you were doing all this just to show them it could be done and not to rob/harm them? So what.. your ass is getting arrested. I think this is the same point posts above had made and it is 100% valid.
NOT exposing an insecurity in any application only helps the true criminals. Or does anyone here (or anywhere) doubt that this information is readily available to those that cause the real harm, those that hack for profit?
An insecure webserver is becoming one of the cornerstones of phishing attacks. Today, ISPs routinely block access to those servers the attackers setup in some countries that have more pressing problems than finding criminals that do damage in other countries. We can't grab those servers, but at least ISPs are becoming more and more helpful in shutting down the routes to those servers.
This is impossible with "legit" servers. In other words, insecure web servers are becoming the cornerstones of very profitable attacks. And those attackers routinely use and have 0day exploits available to them. Does anyone think they rely on published security holes?
If there is one group who would benefit from obscured security holes, it's the true criminals. Because web admins would not even know what hits them. They don't have access to the information.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Do you personally gain anything from disclosing a vulnerability? No. And no matter how stupid it is, the reality is, you can be criminally prosecuted for disclosing it, no matter how you choose to do it. You risk hundreds of thousands of dollars in legal bills and a conviction.
This is like a bet. If someone offered to make a bet with you, "if you win, you don't get anything. If you lose, I will amputate your left arm." Would you take that bet? Probably not, and when you disclose a vulnerability, that's the bet you're taking.
"The road to hell" and all that.
No one can be compelled to believe in your good intentions.
Your actions were disruptive, possibly hostile, and that is all anyone will ever need or want to know.
I think this kind of hounding of people not only does not deter others, but leads to more exploitation of such vulnerabilities.
Assume someone comes across such a vulnerability, maybe by accident, maybe deliberately. Now if he doesn't intend to exploit it, there are two choices for him. 1) contact the sysadmin/company and explain what he did, and how it can lead to problems, in which case he'll be prosecuted, or 2) do nothing about it. Now the second option is not really a realistic one, chances are he's going to be posting the info somewhere online, or might be tempted to exploit it himself, knowing every waking day of his life that there's this door he can walk in.
For people who give the argument that he shouldn't be snooping around in the first place, and that it's the same as someone checking the locks in my house. No it's not the same. There is no educational value in checking random locks. There is nothing to learn, and no motive other than ulterior. So if someone is snooping around in my house, it's almost always for the wrong reasons, which is not the case online.
This kind of behavior from people making these laws is caused by laziness. They know if they come up with these stricter laws, they will be able to save on the implementation, i.e. save on proving whether someone intended to exploit or not. But by trying to save on the complicated court proceedings, they create a law which labels even the innocent as guilty.
Funny you should mention that. Just this year, a woman looking for her wallet pushed open a door to a parked airplane at Newark. An alarm went off. Nobody paid any attention. She was alone on the airplane for several minutes checking around the seat for her wallet.
I once found childporn and told both the hostmaster and the police. After several days nothing had been done, so I went to the press. Right when it came out, the site went down. Good for me?
The police were after me because of:
1) Falsifying my identity, because I gave a fake address on gmx.net
2) Spreading of child porn, because I replied to a Usenet message with the URL still in it
3) Obstruction of a police investigation. Because there was an investigation going on.
I never got a reply from the webmaster, because he apparently was not allowed to do anything, nor remove the site, because the police was investigating it already.
I never got a reply from the police, because their mailserver was down.
I was able to explain to them what I did.
I had a very understanding boss, which was the one where I posted from and whom they told they needed the person posting because of a child-porn related crime investigation. At other places I might have lost my job.
It goes without saying that that sighting of childporn must have been a fluke. I have not ever seen any childporn or any other illegal activity on the Internet.
To sum it up: if disclosing web vulnerabilities is outlawed, only outlaws will disclose web vulnerabilities. Oh, and they don't.
Don't fight for your country, if your country does not fight for you.
Yesterday, I was on a site with URLs of the form:
I wondered if the path was being untainted, so I tried the following:
Bingo - I had their /etc/passwd file. And then from there, a quick look at their motd gave me the OS, and from there I got the apache configuration.
Then I emailed the site owner, explained the vulnerability and how to fix it (using abs_path and a regular expression to untaint btw).
I can get prosecuted for that? That is so stupid. No more white hatting for me then. Fuck 'em.
-- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
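The poster above recommends canonicalising the path (abs_path) and untainting it with a regular expression. The following is an added example, not the poster's code or the affected site's code, of that fix written for a Python file-serving handler: each path segment must match an allow-list pattern, `..` and absolute paths are refused outright, and the canonical result (symlinks resolved) must still sit under the document root. The document root and file names are constructed for the example.

```python
import os
import re
import tempfile

# Allow-list for a single path segment: letters, digits, dot, underscore, dash.
# Note that this pattern alone would accept "..", so that case is checked explicitly.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")


def resolve_public_file(doc_root, requested):
    """Map a user-supplied relative path onto doc_root.

    Raises PermissionError for anything that could escape the root: empty
    segments (leading slash, double slash), '.' or '..', characters outside the
    allow-list, or a canonical path (after symlink resolution) outside doc_root.
    """
    root = os.path.realpath(doc_root)
    segments = requested.replace("\\", "/").split("/")
    for seg in segments:
        if seg in ("", ".", "..") or not SAFE_SEGMENT.match(seg):
            raise PermissionError(f"rejected path segment in {requested!r}")
    candidate = os.path.realpath(os.path.join(root, *segments))
    # realpath follows symlinks, so a link inside the root pointing outside it
    # is caught here rather than by the textual check above.
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes document root: {requested!r}")
    return candidate


def is_allowed(doc_root, requested):
    """Boolean wrapper for callers that only need an allow/deny decision."""
    try:
        resolve_public_file(doc_root, requested)
        return True
    except PermissionError:
        return False


def demo_checks():
    """Build a constructed document root in a temp dir and exercise the checks."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "htdocs")
        os.makedirs(os.path.join(root, "media"))
        with open(os.path.join(root, "media", "clip.mp3"), "wb") as fh:
            fh.write(b"constructed sample media")
        outside = os.path.join(tmp, "secret.txt")
        with open(outside, "w") as fh:
            fh.write("constructed file outside the root")

        results["ok"] = is_allowed(root, "media/clip.mp3")
        results["traversal_blocked"] = not is_allowed(root, "../secret.txt")
        results["absolute_blocked"] = not is_allowed(root, "/etc/passwd")
        results["encoded_blocked"] = not is_allowed(root, "media/..%2fsecret.txt")
        try:
            os.symlink(outside, os.path.join(root, "media", "leak"))
            results["symlink_blocked"] = not is_allowed(root, "media/leak")
        except OSError:
            results["symlink_blocked"] = None  # platform without symlink support
    return results


if __name__ == "__main__":
    print(demo_checks())
```

Two layers are deliberate: the segment allow-list is the "untaint with a regex" step and fails fast on hostile input, while the `realpath` plus `commonpath` comparison is the "abs_path" step that also catches symlinks the regex cannot see. Neither layer on its own is enough.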
If someone comes over to your house and tries to open the windows and see if they can climb in are they not trespassing? It seems like rattling doorknobs is a bold act that does border on criminal intent. It's not the same as going up to a door and knocking. We all know that. Probing a site for flaws is wrong
Some drink at the fountain of knowledge. Others just gargle.
For the second half ... WTF does having, or not having, your credit card # on file apply to this?? It seems a bit spurious to the conversation at hand, and I'll treat it as such. :-P
That one is easy, the person whose credit card number is on file is at risk of having the number stolen and then having the card maxed out. If it were me I'd definitely want you to do something or you'd lose me as a customer as well as maybe be slapped with a lawsuit.
Falcon
Should there be a Law?
Due to website/browser/plugin problems, it's often the case that a media file will not play in the window. Now it's usually not difficult to determine where on the website the media is located. If you browse that directory using automatic indexing, and download what is there, are you breaking the rules? What about parent and subdirectories? After all you have not guessed a password or anything, but is it considered "out of bounds"?
On a related note, do web-spiders do this? Do they just follow the links or do they ever try to go to the parent directory to index that.
If you don't own the website or you don't have the owner's permission then it is illegal for you to attempt to access the web server except if you are "using it properly" (eg. you actually surf the web site via the links). So if you have found the exploit without permission then you have already committed a crime. Then telling people about it is 1. stupid, 2. gives people evidence to have you charged. As to whether it is illegal to disclose the vulnerability is anybody's guess. I would think that it wouldn't be illegal but I still would not do it.
I once tried to leave a comment on an article on a local newspaper's website. My subject had the word "Don't" in it, and I got a SQL error back from PHP. I changed my post and added "This website is vulnerable to a SQL injection attack. Send data as parameters" at the end of the comment.
I wonder how likely it is that the newspaper's website designer reads the comments generated by code he created. Or reads the error logs spewing SQL.
Ceci n'est pas une signature.
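The SQL error the commenter above got from an apostrophe in "Don't" is the signature of user text being spliced into a query string; the advice in the comment, "send data as parameters", is the fix. The following is an added example, not the commenter's code or the newspaper's code, that reproduces both behaviours against an in-memory SQLite table: the string-built INSERT fails on the apostrophe, while the parameterised INSERT stores it intact.

```python
import sqlite3


def setup():
    """Create a constructed comments table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, subject TEXT, body TEXT)"
    )
    return conn


def insert_comment_concat(conn, subject, body):
    """The broken pattern from the story: user text spliced into the SQL text.

    Any apostrophe in `subject` terminates the string literal early and the
    database reports a syntax error (the same symptom the commenter saw).
    """
    sql = f"INSERT INTO comments (subject, body) VALUES ('{subject}', '{body}')"
    conn.execute(sql)


def insert_comment_param(conn, subject, body):
    """The fix: bind user text as parameters so it is never parsed as SQL."""
    conn.execute(
        "INSERT INTO comments (subject, body) VALUES (?, ?)", (subject, body)
    )


def try_both(subject, body="constructed comment body"):
    """Run the same subject through both inserts and report what happened."""
    results = {}
    conn = setup()
    try:
        insert_comment_concat(conn, subject, body)
        results["concat"] = "ok"
    except sqlite3.Error as exc:
        # sqlite raises OperationalError for the unterminated literal
        results["concat"] = "error"
        results["concat_message"] = str(exc)
    insert_comment_param(conn, subject, body)
    row = conn.execute(
        "SELECT subject FROM comments ORDER BY id DESC LIMIT 1"
    ).fetchone()
    results["param_stored"] = row[0]
    conn.close()
    return results


if __name__ == "__main__":
    print(try_both("Don't"))   # concat: error, param_stored: "Don't"
    print(try_both("Hello"))   # concat: ok,    param_stored: "Hello"
```

The error itself is the detectable symptom: a web application that returns raw database errors to the browser for ordinary punctuation is announcing that its queries are string-built, which is worth treating as a finding in its own right even before anyone looks further.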
Bike U-locks had a defect and could be picked easily with a ball point pen. Informing people helps everyone. Informing no one helps bike thieves because they are the kind of people who find out these things and inform each other about them.
Why is this difficult to understand?
As for all the "doing something you shouldn't" bullshit, it's innocent until proven guilty. When did people become so terrified of freedom.
Do not tell boss that we're storing credit card numbers, usernames and passwords in plain text on our database server. I might get arrested.
(Posting anonymously so you don't know who I work for!)
I'm in the hole of the broadband donut.
Knowing Eric McCarty personally I have some level of insight into this case other than what's put out in the news media. For what it's worth here is my $.02.
I think we should establish stricter minimum guidelines for information security and hold those we choose to share our personal information with to them. Anyone in IT in the medical industry knows about HIPAA... usually with a groan. HIPAA can levy fines, shut down operations, etc... if you're not taking "reasonable and appropriate measures" in safeguarding sensitive data. Why should it be any different with other, equally personal data?
I understand the argument that "I wouldn't want someone picking my lock and then telling me that my lock was susceptible to being picked.", though I think the metaphor is stretched a little thin. The reality is that flawed code will be exploited eventually. Especially on higher profile sites. I think the goal should be to foster an environment where there are responsible disclosure procedures available and allow there to be increased legal pressure for those who do not demonstrate adherence to established guidelines for information storage (see above).
Entities which store your data (companies, schools, etc...) will not be more responsible. There's no incentive for them to. It's more financially sound for them to respond under the current laws (mostly they're only required to do notifications, rarely will you be compensated to any amount near to what you will lose) than to fix the underlying security problems.
Another problem is that McCarty was prosecuted under new provisions in the Patriot Act which change how computer crimes can be convicted. It used to be that the government had to prove both unauthorized access and malicious intent. The malicious intent clause was dropped from the requirements. As such if you go forward and provide information about how the breach occurred and work with the site owners to resolve the issue before serious data loss can happen, you are criminally liable. This would be the perfect law if we could ensure it would be applied equally and fairly. Unfortunately many crimes cannot be prosecuted in this manner either because of geographic differences or lack of evidence (real hackers alter logs). As such it really only stands to prosecute those who aren't legitimate threats and gives the government some big news stories to try and lend credibility to the Patriot Act and the erosion of civil rights.
Kneel before Sig!
I was interviewed for this article by Scott Berinato. I have added some thoughts on the topic to my blog. A rich and robust vulnerability research community needs legal access to the software we are researching. As more and more software becomes web 2.0 instead of running on our desktops we will have less and less independent vulnerability research.
Vulnerability Disclosure in the new "Software in the Cloud" World
http://www.veracode.com/blog/?p=11
-Chris
and convicted for what you did. Did you gain anything from it? No. Did you risk anything? Yes, your freedom and everything you own and your family. The only thing to do about potential security problems is to do nothing unless it's on a system you are responsible for, and even then, if you are not a company officer, it may be better to just ignore it.
This will be my second post in here, something I normally don't do but I just recalled something from not so long ago that was actually posted on Slashdot. Do we all forget so quickly? Please read this:
http://it.slashdot.org/article.pl?sid=05/10/07/1532241&tid=172/
"Security consultant Daniel Cuthbert worried that he'd been stung by a phishing scam when he donated to a Tsunami relief effort in London, UK. He was convicted for hacking and lost his job after running a couple of checks on the website in question."
This is exactly what this article is discussing. Not only should you be held liable in some instances for "looking for vulnerabilities", you should be prosecuted. Now the above case is surely an extreme. Just reading the article I would be completely against prosecution in such an instance. Then again I wasn't part of the team that prosecuted or reported him. He might have tried to do a little more than just check a single ../../. However, he shouldn't have been doing that either. Tough one there.. but you've been warned!
"There is no way to report a vulnerability safely."
not digitally so just send the company an actual real letter about it with no return address. TADA!
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
Prosecution of people reporting vulnerabilities on sites should be predicated on the fact that the webmaster knows what he/she is doing.
I think some of these legal actions are driven by the fact that the webmaster is an idiot and is embarrassed, not to mention that all that crap he fed his boss about the website being bulletproof is just a bunch of BS.
Notice that the intent has been removed from the law. Why do you think so many security researchers have objected to the abject legal stupidity embedded and embodied by the Patriot Act (with the UK following closely behind under Blair)?
The whole Act was a legal coat hanger, yet another law that can be pulled out of the closet if there isn't a real reason to arrest and imprison someone. A sort of mini version of Guantanamo Bay where you can be convicted of a crime without any solid proof and with any sensible chance of a decent defense being denied.
Ah, it's a fine country..
Here in the UK, under the Police and Justice Bill, I'd be breaking the law by "Making, supplying or obtaining articles for use in offence under section 1 or 3". Section 1 and section 3 are references to the preexisting Computer Misuse Act of 1990. The implications of a statement like that are scary.
Tim Brown
What if I have the exact same lock as you, and I find a problem while dicking around with my lock? Surely I'm allowed to play with picks on my own lock?
Now, am I allowed to tell you that your lock has a problem, because I saw it on the exact same lock ?
No, never heard it before
Is it fair to the users of the site when the site gets cracked and all their personal information gets into the hands of criminals?
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
How many times have you seen a car with their lights on in a parking lot with nobody in the car?
In the old days, someone would check the doors to see if they were unlocked and turn off the lights for the person to keep their battery from running down.
Would you touch someone else's car today if the lights were on?
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
Clearly, you have no understanding at all of how web servers work, nor of how to actually secure information on one.
When a file is available in the web root, it is accessible via a web request, by design. If you don't want it to be available to the public, it either:
Negligence and/or poor server management practices on the part of the administrator do NOT equate to making someone else's actions illegal if they happen to find the file. If they don't know how to configure a web server to function securely, they shouldn't be managing one.
Simply orphaning a file by removing links to it does not in any way imply that it is a private file, nor should it, as many people use web servers -- quite properly -- to distribute files without necessarily posting links to them. While this might, to you, imply some desire for privacy or 'security', this is still the equivalent of sending personal notes on the back of a postcard (just like sending a non-encrypted file via e-mail, by the way). By placing the file in the public domain, your action makes the file public.
Similarly, if they put in place a script on a server that makes files available as part of a query string, they have an obligation as the server administrator to do enough due diligence to make sure that they aren't making available files outside of the web root. If this suggests a level of technical knowledge higher than they are comfortable with, then again, they shouldn't be deploying such a script.
To advance the discussion back to the level of vulnerability versus exploit, let's say the administrator has made a reasonable attempt to secure the script, but for whatever reason (say a buffer overflow in a Java class file, since that's already been specifically brought up), there are still certain files outside of the webroot that are potentially exposed. Seeing a query URL on a site that will return files makes it a perfectly legitimate question to wonder what it will and won't return. Checking to see if it exposes critical system files is something the administrator should be checking for. Perhaps he did, and at the time he checked the files were protected, but a Java upgrade on the host exposes the files, and not having time to do a full regression test, the administrator doesn't know the files are now exposed? It's perfectly reasonable for someone, realizing the obvious potential vulnerability of the aforementioned script, to be curious if it's been secured, and to check.
If we have to resort to analogies, this is not equivalent to trying to pick the neighbor's locks. It is, however, the equivalent of walking by the neighbor's garage, at the edge of the sidewalk, seeing what looks to be an old cheesy latch, and checking it, just to see if it's actually secure -- not with the intent of stealing their lawnmower, but just to make sure it is secure. If it's not, you want to mention it to your neighbor, so they replace it.
Some folks seem to be uncomfortable with the idea of intent being so important in all of this. I have bad news for them. The determination of intent, as it should, does form a significant part of our criminal system. (Here note my official IANAL, so don't get all squirrelly now, just because I'm a layman.) There is not, and should never be, a simple cut and dried standard declaring something to be a crime without having to know the facts of the matter.
To make yet another analogy, punching someone in the face is a completely neutral act, until you understand the circumstances and intent. If you're trying to mug someone, then yes, it is a criminal act. If you're defending yourself from being mugged, then it isn't, and no reasonable person should ever suggest it should be. (Yes, you have ridiculous cases where some absurd prosecutor allows some foiled criminal to press assault charges.)
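The comment above describes the administrator's obligation for a "serve a file named in the query string" script: whatever the user asks for, the resolved path must not leave the web root. The following is an added defensive example, not code from the commenter or from any site discussed in the thread; it assumes a hypothetical `?file=` download handler and a constructed `WEB_ROOT`, and it shows how such a handler confines requests so that the traversal and encoding variants an administrator should be regression-testing for are rejected with a 403 rather than served.

```python
"""Confining a '?file=' download handler to the web root (added defensive example)."""
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

WEB_ROOT = "/var/www/html"  # constructed example root; not a path from the page


def safe_path_under_root(web_root: str, requested: str):
    """Return the absolute path for `requested` if it stays inside `web_root`, else None.

    The check is purely lexical (posixpath) so it behaves identically on every
    platform and in tests; on a live server, also resolve symlinks with
    os.path.realpath() before the final containment comparison.
    """
    # parse_qs has already decoded one layer; decoding once more catches the
    # double-encoded form (%252e%252e) that a naive "../" string filter misses.
    decoded = unquote(requested)
    if "\x00" in decoded:                      # NUL can truncate the path in C-based servers
        return None
    # Treat backslashes as separators too, so "..\\" cannot bypass a "../" filter,
    # and strip leading slashes so an absolute request is still rooted in web_root.
    rel = decoded.replace("\\", "/").lstrip("/")
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, rel))
    # Containment: the candidate is the root itself or lies strictly below root + "/".
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def handle_download_url(url: str, web_root: str = WEB_ROOT):
    """Emulate the hypothetical download handler: returns (status, path_or_reason)."""
    params = parse_qs(urlsplit(url).query)
    requested = params.get("file", [None])[0]
    if not requested:
        return (400, "missing file parameter")
    path = safe_path_under_root(web_root, requested)
    if path is None:
        return (403, "path escapes web root")
    return (200, path)


if __name__ == "__main__":
    # Constructed requests of the kind an administrator's regression test should cover.
    for u in ("/download?file=docs/report.pdf",
              "/download?file=../../etc/passwd",
              "/download?file=%2e%2e/%2e%2e/%2e%2e/etc/passwd",
              "/download?file=..%5c..%5cwin.ini",
              "/download?file=/etc/passwd"):
        print(u, "->", handle_download_url(u))
```

The key design choice is to normalize first and compare the result against the root afterwards, rather than to blacklist `..` in the raw string: the containment comparison is what actually decides, so decoding tricks only matter if they survive normalization. Note that an absolute request such as `/etc/passwd` is not rejected but re-rooted under the web root, which is the behaviour the comment describes as "by design" for anything inside the document tree.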
In common usage, hacker means what it means to commoners. This is not necessarily the same as the meaning to an elite club of people who use the term their own way.
Ah but in the case of "hacker" it was an elite club of people who put the idea of what hackers are into the public. Through the '70s up to the early '80s a hacker was someone who hacked, came up with a nifty trick, hardware and/or software. The first tyme "hacker" was used in a negative manner was in the early '80s by a reporter, who at one tyme were called hacks or hackers too. After that more and more reporters described computer vandals as hackers, and eventually the public got the impression that hackers were vandals if not criminals. I realize the meanings of words evolve, but it really galls me to see the meaning of "hack" and "hacker" being twisted from something such as exploring or someone positive like an explorer to something, someone, bad like a criminal or vandal. Sure, a hacker may do something bad, but that's not the intention, and they may try to find a solution.
Falcon - Should there be a Law?
I have to agree with others here - if you are trying to break security on a live site, you are liable - given current laws.
On the other hand, why not set up your own lab and use that for testing? No one is going to prosecute you for breaking into your own gear.
Publishing "IIS has X vulnerability", is much better than saying "I found X vulnerability in IIS on Y's site". 'Y' won't appreciate it very much...
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
It seems that, in the referenced article, everybody was doing the right thing, but the net effect was the messenger got shot.
The student found a vulnerability, and rather than go public, told his professor. Very responsible, consulting upwards.
The Professor informed the owner of the vulnerable system through channels. Very responsible, staying within procedure.
Apparently the department which owned the vulnerable system took steps to fix it. Obviously very responsible.
When hacked, the department reported all recent activity to the investigators. Again, responsible, because the investigators are presumably the experts in data forensics and need to know what issues may or may not have led to the attack.
The investigator quite rightly wanted to speak to all potential suspects, and the professor as an honest broker, quite rightly, wanted to protect the academic integrity of his career and that of his student, but felt pressured to make potentially prejudicial statements about his student.
It seems to me, the tone of comments here on slashdot is along the lines of "dob, but don't take credit" or "don't dob, it's not worth the pain" - it's nowhere near that simple. The system, which at each individual stage worked well, in concert created an unsafe environment for people to do the right thing.
When the system potentially shoots the messenger, the message ultimately will not get through. That is no good for anybody. Even Nazi Germany and Stalinist Russia had some whistleblowing procedures aimed at making things better; democracies should welcome whistleblowing with open arms when via proper channels.
"I hope you like Guinness, Sir. I find it a refreshing substitute for, er... food." Col. Jack O'Neil, SG-1
And time is spelt 'time', not 'tyme'. Misspelling it is not cute, or anything.
Check volume 20 something of the full edition of the "Oxford English Dictionary", OED. The spelling of time like I spell it, "tyme", is a correct English spelling. It's old and not used anymore but it's still a correct spelling.
Did you read my page? It appears you've not addressed any of the points therein.
Yes I did read it. You say I didn't address your points, neither did you address mine. Instead you say how I spell wrong.
Falcon - Should there be a Law?
means.
First, nowhere in your posts before now does "Obs" appear. Two, it seems you're still not addressing my points. Seems you're using spelling and "Obs" to avoid them.
Falcon - Should there be a Law?