Is It Illegal To Disclose a Web Vulnerability?
Scott writes "I'm submitting my own story on an important topic: Is it illegal to discover a vulnerability on a Web site? No one knows yet, but Eric McCarty's pleading guilty to hacking USC's web site was 'terrible and detrimental,' according to tech lawyer Jennifer Granick. She believes the law needs at least to be clarified, and preferably changed to protect those who find flaws in production Web sites — as opposed to those who 'exploit' such flaws. Of course, the owners of sites often don't see the distinction between the two. Regardless of whether or not it's illegal to disclose Web vulnerabilities, it's certainly problematic, and perhaps a fool's errand. After all, have you seen how easy it is to find XSS flaws in Web sites? In fact, the Web is challenging the very definition of 'vulnerability,' and some researchers are scared. As one researcher in the story says: 'I'm intimidated by the possible consequences to my career, bank account, and sanity. I agree with [noted security researcher] H.D. Moore, as far as production websites are concerned: "There is no way to report a vulnerability safely."'"
paste up a poster in the town square, announcing that the lock is broken on the back of the hardware store?
How is this different?
"We think people rightly feel that once they buy something, it stays bought," --Suw Charman, Open Rights Grp
It depends if your daughter's bedroom is on a shopfront on Rodeo Drive (or wherever).
Expecting privacy on a publicly advertised service is different to people using zoom lenses to peer through the fence of your gated community.
liqbase
Is this about discovering a vulnerability, or trying to discover a vulnerability?
If I click a link, and something breaks, and I've 'discovered' a problem, I've probably not done anything. It just broke, and I was the one who was there.
If I try to find a problem, and do (even if I don't exploit it), then I might have been doing something I shouldn't.
A real world example would be, if you get caught outside of a door, trying to pick the lock, and then claim you were trying to ensure their locks were safe, you might get charged with attempted B&E. You don't get to do a security audit on people's front doors.
As much as we like to separate people into black hats and white hats, if you were trying to jimmy the lock, for whatever reason, you were probably doing something you shouldn't have been.
Just my 2 cents, anyway.
Lost at C:>. Found at C.
So, this might not be relevant, but once I reported a cross-site scripting vulnerability to a website by using a web anonymizer to create a hotmail account, sending exactly one message, and then never using the email account again.
Anonymizer tools have improved since then, especially for combating censorship. Would you be able to use TOR or something similar to report vulnerabilities without exposing your identity?
Powered by Web3.5 RC 2
That's where it's headed probably. White hats will be forced to keep their mouth shut and giggle to themselves.
*DrugCheese rants*
In the interest of full disclosure, Clare Boothe Luce said that. :)
It should depend on how you do it, and why you do it. If you do it with good faith intentions, it should be considered a good samaritan work. If they have not touched it after a while, you should be able to reveal its existence.
Colorful analogy, but most vulnerabilities are not specific to one person's machine. Would you go "kick someone's ass" for finding a flaw in their own house's security that just happened to affect you too?
Not really a good comparison since your house is private and websites are essentially open to all comers.
It's more like checking the locks on the backside of a Walmart. Suspicious, but not illegal, and not nearly as unethical.
Heck, you may actually have a legitimate reason to be back there - such as offloading goods from a truck.
The same can be said for security vulnerabilities in websites. You can easily stumble across them when you're not even looking in places that you're supposed to be.
Mod me down and I will become more powerful than you can possibly imagine!
What's the problem with sending info to a webmaster? And what's the point of doing anything else? If you post it publicly, you've created a race condition between script kiddies and the site admin, and should be punished. If you send it to the webmaster, you are doing a service, and shouldn't be punished. As long as you don't exploit it, you should be ok.
http://bgcommonsense.blogspot.com
Some interesting comments from Bruce Schneier and Marcus Ranum (and Microsoft too) on the debate. http://www2.csoonline.com/exclusives/column.html?C ID=28088
It's more like advertising that a given brand and implementation of a lock is faulty. It may or may not impinge on you but in either case it's general enough to be of benefit to people besides you. Would you like to know that every model of the car you own happens to accidentally use the same key? I would.
Would you say anything if you were in an airport and noticed a door unlocked and ajar leading from the public area to the tarmac around the aircraft?
You could report it through a 3rd party like The Zero Day Initiative, a division of 3com's Tipping Point intrusion prevention service.
That gives small time security experts a platform of anonymity to disclose vulnerabilities to anyone (not just 3com's customers) while retaining the possibility of a reward.
It would be perfectly legal to stand on the street and stare at my naked daughter through her bedroom window.
She has drapes for this.
Two questions:
Is she cute?
Does she use her drapes?
A few years ago I was renewing my car tabs on the WA state's site and they had a box for 'donations to DOT' or some such. For kicks I tried putting in a negative value, and sure enough it reflected the total for my tabs as less. I went ahead and submitted things with a dollar taken off the value, just to see if it would actually go through. Sure enough, a week later I received my tabs, and the mathematically correct but embarrassing negative donation on my receipt.
I ended up calling them and letting them know about the bug. They were nice about it, and the next year at least it was fixed.
-Nic
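The bug in the story above is a server trusting a money field exactly as the browser sent it. The following is an added illustration, not code from the original thread or from any state DOT site: a hypothetical `naive_total` that reproduces the flaw (a negative donation lowers the bill), beside a `parse_amount`/`checked_total` pair that validates the field the way a defender would. All field names, limits and sample submissions here are constructed for the example.

```python
from decimal import Decimal, InvalidOperation


class InvalidAmount(ValueError):
    """A submitted money field is not a well-formed amount within policy."""


def naive_total(tab_fee: str, donation: str) -> Decimal:
    """The flawed pattern: arithmetic on whatever the form contained.

    Nothing stops "-1.00" from reducing the fee, and the fee itself is
    taken from the form rather than from the server's own records.
    """
    return Decimal(tab_fee) + Decimal(donation)


def parse_amount(raw, *, minimum=Decimal("0"), maximum=Decimal("10000")) -> Decimal:
    """Validate a user-supplied money field and normalise it to cents.

    Rejects: non-numeric text, NaN/Infinity, more than two decimal places,
    and anything outside [minimum, maximum]. Accepts exponent forms such as
    "1e3" (Decimal parses them) because they are still finite, exact values.
    The bounds are a hypothetical policy, not taken from any real site.
    """
    try:
        value = Decimal(str(raw).strip())
    except (InvalidOperation, ValueError, TypeError):
        raise InvalidAmount(f"not a number: {raw!r}")
    if not value.is_finite():
        raise InvalidAmount(f"not a finite amount: {raw!r}")
    cents = value.quantize(Decimal("0.01"))
    if cents != value:
        raise InvalidAmount(f"more than two decimal places: {raw!r}")
    if cents < minimum or cents > maximum:
        raise InvalidAmount(f"out of range [{minimum}, {maximum}]: {raw!r}")
    return cents


def checked_total(tab_fee_from_records: Decimal, donation_field) -> Decimal:
    """Hardened total: the fee comes from server-side records, never the form,
    and the only user-controlled number is validated before it is used."""
    return tab_fee_from_records + parse_amount(donation_field)


def is_rejected(raw) -> bool:
    """Convenience for callers that want a boolean instead of an exception."""
    try:
        parse_amount(raw)
    except InvalidAmount:
        return True
    return False


def review_submissions(fee_from_records: Decimal, donations) -> dict:
    """Run both totals over a batch of constructed donation fields and report
    where the naive version produces a bill the validated one refuses."""
    report = {}
    for raw in donations:
        try:
            naive = naive_total(str(fee_from_records), raw)
        except (InvalidOperation, ValueError, TypeError):
            naive = None
        try:
            checked = checked_total(fee_from_records, raw)
        except InvalidAmount as err:
            checked = f"rejected: {err}"
        report[raw] = (naive, checked)
    return report


if __name__ == "__main__":
    # Constructed sample submissions; "-1.00" is the case from the story.
    fee = Decimal("30.00")
    for field, (naive, checked) in review_submissions(
        fee, ["2.50", "-1.00", "1e3", "NaN", "Infinity", "0.001", "abc", "-0"]
    ).items():
        print(f"{field!r:12} naive={naive!s:>10}  checked={checked}")
```

`review_submissions` is there so the two behaviours can be compared side by side on the same input; in a real handler only `checked_total` would exist, and the fee would be looked up by the server from the renewal record rather than posted back by the client.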
Making mistakes != being stupid. If someone found a vulnerability in your site wouldn't you want them to let you know about it? On the other hand, if you had already been warned about this vulnerability and done nothing about it then yes, that would be very stupid.
Each time an exploit comes out, the pattern is the same. The company doesn't announce it, anti-virus makers are either paid off (as in 'approved' spyware and/or rootkits) or not kept informed, and once the story breaks, the public relations machine starts. The researcher is vilified as a hacker, the problem is denied or minimized, and the prospect of a patch is left moot because this would require accepting that a huge problem exists. Most of us scream that this is ridiculous, companies should tell everyone when an exploit shows up, and patch it as soon as possible. More to the point, they should expose their source code to scrutiny in order to better provide services to their customers.
Are you sitting down? Good. They won't and they don't care. The first rule in the PR handbook is to deny and put off realization. If the big front is that there isn't a problem, or that a crack of a voting machine can only be done in a lab, and months down the road, the company quietly sues the researcher or releases a patch, they win. People have a limited attention span and fatigue quickly in the face of fear and hysteria. As long as your company's admission of guilt comes well after the original problem, or not at all, people are happy.
With this in mind, let's look at the law. Thankfully, whistleblowers have some protection, and some internal voices about code might not be silenced, especially if the review takes place within the judicial system, and not through a new law. Of course, corporate secrecy, as in the case of Apple and HP, is pretty extreme, and most employees wouldn't risk the civil consequences of voicing a problem that doesn't rise to the level of a public safety hazard.
Outside researchers are in more and more trouble, and this really only leads to problems for the customer base as a whole. We rely on sites like MOAB to shame companies into action. We also rely on OSS competition in order to make products like IE better--Firefox gives an economic incentive to Microsoft to improve their product, otherwise, security development would have languished.
Very few analogues exist in the places where this is critically important: commercial and banking software. CITIbank suffers a classbreak and doesn't bother informing their customers. Security conscious customers can voice their discontent and move to another bank, but we have to trust that the new bank is as averse to security breaches as we are. For the rest of the millions of customers, security will not improve. Since identity theft costs are largely borne by the customers, the banks don't care. Because the banks don't care, it is much easier, and better in their eyes, to make publishing vulnerabilities like this one illegal and trust that their customers will never be the wiser.
Check out this article:
[PDF] Why information security is hard
But then, it's not your business, either.
Should you discover a security vulnerability, the correct response is to forget it. Here's why:
Naturally, we might feel a sense of duty to help someone out - if they have an exposed security flaw, we naturally want to help them. But first consider how it will be received. Most companies would rather produce software with publicly unknown flaws than to produce perfect software, websites, etc... at a much higher cost.
And, if you feel that the website owner would appreciate knowing, you might at least disclose it from an anonymous email address.
The society for a thought-free internet welcomes you.
In most states it would be illegal for her to stand in view of someone in the street naked. What does that say about website vulnerabilities?
turn up the jukebox and tell me a lie
It's not illegal to stand on the corner and say, "That house over there is selling cocaine for $10."
It is illegal to stand on the corner and say, "That house over there is selling cocaine for $10." when you are hired by the cocaine house.
So are these people saying, "Product X sux because of this vulnerability xyz here, exploitable via abc", and that's that, or are they saying, "Product X sux because of blah blah blah, and company X, could you pay me $10 or I'll release the info?"
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Funny you should mention that. Just this year, a woman looking for her wallet pushed open a door to a parked airplane at Newark. An alarm went off. Nobody paid any attention. She was alone on the airplane for several minutes checking around the seat for her wallet.
There is a difference between smashing the window, and being smart enough to observe that he's left his window open, then leaving a post-it (not visible to the public) that the window is open, and to close it.
Smashing the window means you've actually made the system more vulnerable than it was, which is not the case in this argument.
I once found child porn and told both the hostmaster and the police. After several days nothing had been done, so I went to the press. Right when it came out, the site went down. Good for me?
The police were after me because of:
1) Falsifying my identity, because I gave a fake address on gmx.net
2) Spreading of child porn, because I replied to a Usenet message with the URL still in it
3) Obstruction of a police investigation, because there was an investigation going on.
I never got a reply from the webmaster, because he apparently was not allowed to do anything, nor remove the site, because the police were investigating it already.
I never got a reply from the police, because their mailserver was down.
I was able to explain to them what I did.
I had a very understanding boss, who was the one where I posted from and whom they told they needed the person posting because of a child-porn related crime investigation. At other places I might have lost my job.
It goes without saying that that sighting of child porn must have been a fluke. I have not ever seen any child porn or any other illegal activity on the Internet.
To sum it up: if disclosing web vulnerabilities is outlawed, only outlaws will disclose web vulnerabilities. Oh, and they don't.
Don't fight for your country, if your country does not fight for you.
If you don't own the website or you don't have the owner's permission then it is illegal for you to attempt to access the web server except if you are "using it properly" (eg. you actually surf the web site via the links). So if you have found the exploit without permission then you have already committed a crime. Then telling people about it is 1. stupid, 2. gives people evidence to have you charged. As to whether it is illegal to disclose the vulnerability is anybody's guess. I would think that it wouldn't be illegal but I still would not do it.
I actually did find a real world security vulnerability of that form... The elevator in the building I worked in was prone to malfunction. The bottom floor of the building was a pub that was not open at 8 am when I went to work. Normally visitors would be kept out of said pub by the fact that you would need a key for the elevator to go to that floor. One day I got on the elevator, pressed the button for the floor my office was on, when the doors opened I stepped out without paying much attention and found myself alone in the middle of the closed pub...
Now, is it my fault I ended up there? I don't think so... Would the pub want to know they have this problem so they can install an additional security door/gate? Probably. Was what I did illegal... maybe, I did trespass on their property, though entirely by accident, had I been paying more attention I would not have exited the elevator, but I wasn't, so I stood in the middle of the pub long enough for the next elevator car to arrive.
Would I get in trouble for reporting it? Maybe... hard to say, people get insanely paranoid about security, and whether you are talking electronic security, or real world physical security, in most cases people would rather blame the person who found the problem than acknowledge the problem exists in the first place...
Bike U-locks had a defect and could be picked easily with a ball point pen. Informing people helps everyone. Informing no one helps bike thieves because they are the kind of people who find out these things and inform each other about them.
Why is this difficult to understand?
As for all the "doing something you shouldn't" bullshit, it's innocent until proven guilty. When did people become so terrified of freedom?
Knowing Eric McCarty personally I have some level of insight into this case other than what's put out in the news media. For what it's worth here is my $.02.
I think we should establish stricter minimum guidelines for information security and hold those we choose to share our personal information with to them. Anyone in IT in the medical industry knows about HIPAA... usually with a groan. HIPAA can levy fines, shut down operations, etc... if you're not taking "reasonable and appropriate measures" in safeguarding sensitive data. Why should it be any different with other, equally personal data?
I understand the argument that "I wouldn't want someone picking my lock and then telling me that my lock was susceptible to being picked.", though I think the metaphor is stretched a little thin. The reality is that flawed code will be exploited eventually. Especially on higher profile sites. I think the goal should be to foster an environment where there are responsible disclosure procedures available and allow there to be increased legal pressure for those who do not demonstrate adherence to established guidelines for information storage (see above).
Entities which store your data (companies, schools, etc...) will not be more responsible. There's no incentive for them to. It's more financially sound for them to respond under the current laws (mostly they're only required to do notifications, rarely will you be compensated to any amount near to what you will lose) than to fix the underlying security problems.
Another problem is that McCarty was prosecuted under new provisions in the Patriot Act which change how computer crimes can be convicted. It used to be that the government had to prove both unauthorized access and malicious intent. The malicious intent clause was dropped from the requirements. As such if you go forward and provide information about how the breach occurred and work with the site owners to resolve the issue before serious data loss can happen, you are criminally liable. This would be the perfect law if we could ensure it would be applied equally and fairly. Unfortunately many crimes cannot be prosecuted in this manner either because of geographic differences or lack of evidence (real hackers alter logs). As such it really only stands to prosecute those who aren't legitimate threats and gives the government some big news stories to try and lend credibility to the Patriot Act and the erosion of civil rights.
Kneel before Sig!
This will be my second post in here, something I normally don't do but I just recalled something from not so long ago that was actually posted on Slashdot. Do we all forget so quickly? Please read this:
http://it.slashdot.org/article.pl?sid=05/10/07/1532241&tid=172/
"Security consultant Daniel Cuthbert worried that he'd been stung by a phishing scam when he donated to a Tsunami relief effort in London, UK. He was convicted for hacking and lost his job after running a couple of checks on the website in question."
This is exactly what this article is discussing. Not only should you be held liable in some instances for "looking for vulnerabilities", you should be prosecuted. Now the above case is surely an extreme. Just reading the article I would be completely against prosecution in such an instance. Then again I wasn't part of the team that prosecuted or reported him. He might have tried to do a little more than just check a single ../../. However, he shouldn't have been doing that either. Tough one there.. but you've been warned!
Prosecution of people reporting vulnerabilities on sites should be predicated on the fact that the webmaster knows what he/she is doing.
I think some of these legal actions are driven by the fact that the webmaster is an idiot and is embarrassed, not to mention that all that crap he fed his boss about the website being bulletproof is just a bunch of BS.
How many times have you seen a car with their lights on in a parking lot with nobody in the car?
In the old days, someone would check the doors to see if they were unlocked and turn off the lights for the person to keep their battery from running down.
Would you touch someone else's car today if the lights were on?
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling