Slashdot Mirror


Laws Threaten Web Security Researchers

ancientribe writes "A new report from a Computer Security Institute (CSI) working group of Web researchers, computer crime law experts, and U.S. Department of Justice agents explores the effects of laws that might hinder Web vulnerability research. The report, which the group will present on Monday at CSI's NetSec conference, has some chilling findings about how fear of prosecution is muzzling some Web researchers from disclosing to Website operators security holes they find. The bad news is the laws may inadvertently hurt the ethical researchers and help the bad guys."

42 comments

  1. who cares? by nanosquid · · Score: 4, Insightful

    If society doesn't want this kind of security research, well, they aren't going to get it and will have to deal with the consequences.

    1. Re:who cares? by 56ker · · Score: 1

It's not society that decides, it's their elected representatives. However, most - 99% of people - don't know the actual texts of the laws surrounding what they're doing. If you look at the actual laws you'll find all sorts of caveats and safeguards that unfortunately disappear when implemented by bureaucrats.

      A lot of laws are generally ignored and not particularly well enforced anyway - for instance speed limits here in the UK.

    2. Re:who cares? by Anonymous Coward · · Score: 0

      Impeach Bush!

    3. Re:who cares? by lgarner · · Score: 1

      However, it's society that elects those representatives. Like it or not, a society will get the government that it deserves.

    4. Re:who cares? by beyondkaoru · · Score: 1

      Unfortunately in a democracy (or democratic republic, or whatever you want to call it), a minority can be controlled by a (often misinformed and/or ignorant) majority. So the majority of the public will get the government they deserve, but what about the other folks? If the minority doesn't like the result of an election, they have to hope the next election will turn out better, or protest, or just leave.

      --
      the privacy of one's mind is important.
      you do have something to hide.
    5. Re:who cares? by 56ker · · Score: 1

      It's usually not a majority that elected the elected representatives either. In the local government elections here only 13.3% of those who could vote voted for the winning candidate (which with a turnout of 22.4% was enough).

      The majority don't vote at all.

    6. Re:who cares? by nanosquid · · Score: 1

      Well, then 99% of the people shouldn't complain about the laws and representatives they are getting.

      If you look at the actual laws you'll find all sorts of caveats and safeguards that unfortunately when implemented by bureaucrats disappear.

      It's my experience that those bureaucrats are usually actually trying quite hard to do something reasonable with the laws they're asked to implement. The laws themselves, however, are often ambiguous because they are political compromises designed not to offend a lot of people and not to be too specific so that the people who voted for them can't be blamed.

  2. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  3. Re:News at 11 by Spazntwich · · Score: 1

    I told my kids to stay away from the clock, but it keeps pushing its ignorant linear 24-hour day on them.

  4. Not a problem at all... by SpzToid · · Score: 1

    All we gotta do is outlaw the holes as they become known. And to reduce this so-called zero-day effect, we'll look to the free-market to improve efficiency.

    Microsoft One-Care Live (or whatever it is called) sounds like a nice name for the service, doesn't it?

    --
    You can't be ahead of the curve, if you're stuck in a loop.
    1. Re:Not a problem at all... by Nullav · · Score: 1

      I'm assuming you were trying to be funny, but just in case, I feel like ranting for a few paragraphs.

      All we gotta do is outlaw the holes as they become known. And to reduce this so-called zero-day effect, we'll look to the free-market to improve efficiency.

      Do you have any idea how long it takes to pass a law, how bloated the books would become with such specific legislation, and how many people would lose sleep over working on this every time someone found a new hole in IE? All we need is legislation that outlaws a malicious attack on a live server, but allows people to freely prod around in test environments. After all, it's illegal to stab someone in the face, but there's nothing that says a med student can't poke around in a cadaver to study anatomy or find the cause of death.

      Microsoft One-Care Live (or whatever it is called) sounds like a nice name for the service, doesn't it?
      ...
      Someone mod parent +5, funny.
      --
      I just read Slashdot for the articles.
  5. In reality by gmerideth · · Score: 4, Interesting

    A while back, I contacted a major ISP about an opening in their web based mail server system that would potentially expose the email from any account provided you knew the email address you wished to gain access to, not a hard thing to accomplish. I initially contacted the abuse@ department to explain what I found and how I, and here's the kicker, accidentally stumbled upon this. I wasn't looking for it or trying some form of pen-test, it was an accident.

    At first I received an email back thanking me for pointing out the issue and a promise it will be resolved. This was then followed up by the busiest conference call I've ever been a participant of in my life where I was all but accused of starting the 1871 Chicago fire.

    Thanks turned to anger as the engineers, obviously not wanting to get fired or "blamed" (god forbid anyone in America actually take blame for anything anymore) for this minor yet potentially nasty flaw, swore up and down that there's no way other than "actively attacking" the system could I have exposed this issue and that's when things got nasty.

    I was threatened, with federal involvement (they never explained that part), emailed copies of recent arrests of hackers from Australia and told to get a lawyer. Four months later, there has been no follow-up, I've spent only eight-hundred in legal fees (I got lucky there) and the ISP quietly stopped harassing me.

    I'm convinced this "attack" against anyone pointing out web security flaws is all nested in this deep-rooted fear to admit one's mistakes. Web developers think that if they admit a single mistake they will never get another web development gig again. Ask yourself, would you hire a company that openly admitted to making a security mistake on a website that was discovered? I'm interested in seeing where this goes.

    --
    Why do overlook and oversee mean opposite things?
    1. Re:In reality by Anonymous Coward · · Score: 0

      You're way too nice.

      I would have sold the exploit on the black market for cash money (It's the best kind).

      Gotta pay the legal bill somehow.

    2. Re:In reality by packetmon · · Score: 4, Informative

      Funny you should mention it. When I wrote a document on breaking Computrace's so-called "LoJack for Laptops", I and my then corporate attorney faced all kinds of legal threats, etc. At the end of the road, they were offering me a substantial return if I signed an NDA and kept my mouth shut. I didn't sign squat; instead I decided that since they weren't going to fix their issues and were misrepresenting their service, I was going public with it, so I posted their emails alongside a written document of what LoJack was/is, what it did, etc., and cc'd them on it. The way I saw it was, if they're selling this to governments under the guise of security as their site states, those purchasing their product should know it's snake oil. I received a few more emails of threat here and there and shrugged it off. Let them spend a kabillion dollars in legal fees debunking me and taking me to court. It would only draw attention in a court of law that 1) I'm correct to post the insecurity of their program, 2) they misrepresented it, 3) the media surrounding what's going on would hurt them more than help them.

    3. Re:In reality by JasonBee · · Score: 1

      You should go sell that knowledge to hackers from Russia for 800.00 and recoup your losses. Make them sign an NDA and use a pseudonym.

      If they choose to look a gift-horse in the mouth then fie on them.

      You should have tried the emails of the president. That would have been useful.

      JB

    4. Re:In reality by Nullav · · Score: 1

      I think that anyone who knowingly disregards a security hole which compromises the privacy of a customer should be treated the same way as a company that gives away the same information without explicitly stating such.
      What do you think would happen to a phone company that posted several TB of recorded conversations online? Should it be any different for an ISP that knowingly leaks e-mail correspondences?

      --
      I just read Slashdot for the articles.
  6. The fatal flaw by L0neW0lf · · Score: 4, Insightful

    People who wish to do illegal things will scoff at this law and do what they wish. They aren't concerned with being caught, and have no intention of reporting their findings anyway.

    People who wish to do what is right will be prevented from doing so, as disclosure will land them in trouble, rather than fix problems. Soon, no-one will report problems, and those who wish to do what is right may no longer even research security flaws, due to the consequences of reporting their findings.

    Tell me how a law like this is good for anyone, other than criminals themselves?

    --

    Never look down your nose at others. Someday, someone is bound to see your boogers.
  7. Government Intrusion by packetmon · · Score: 2, Insightful

    "The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding." -Judge Louis Brandeis

    Should the government attempt to impose legislation to criminalize security research, they'd have to understand they'd be opening a Pandora's box to heavy-hitting criminal enterprises... Sound "tagline'ish"? Imagine something similar to TOR where people would be exchanging PoC and exploits for currency. Imagine the amount of administrators trying to run around and put out brushfires on their systems because they had no forewarning. Currently full disclosure and research are the sole mechanisms which a lot of administrators use to secure systems... That's like taking away a tornado early warning system from a county that's prone to get hit by tornadoes. You have to love the idiocy of this government at times, hence the quote re-quoted... "insidious encroachment by men of zeal, well-meaning but without understanding."

    "Experience teaches us to be most on our guard to protect liberty when the government's purposes are beneficent." -Judge Louis Brandeis

    Beneficial to the government here is their own misconception that halting security research will halt attacks and perhaps drive e-crime down. Sure it will go down, only down to the underground where attacks will be more silent and effective and cause more harm than the government understands.

  8. simple solution by Anonymous Coward · · Score: 1, Insightful

    inform the systems admin anonymously and tell them they will be watched and if the security hole is not patched soon you will go public with the info...

    i am posting this comment anonymously to protect my identity ;p

    1. Re:simple solution by Anonymous Coward · · Score: 1, Insightful

      ...and you could involve a 419 style extortion scheme where you involve an intermediary to help transfer funds for a certain percentage. Demanding payment in order to keep the flaw secret. But really, all this secrecy just means less secure systems and more people will get victimized in the long run. Full disclosure is the way to go, and embarrassing the companies that refuse to fix their broken systems is totally fair. Pretending we're perfect and don't make mistakes just makes us deluded idiots. Better to admit it can and does happen, and work to fix the problems and move on.

  9. Inadvertently? by ScrewMaster · · Score: 1

    The bad news is the laws may inadvertently hurt the ethical researchers and help the bad guys.

    Inadvertently? I don't think so. This kind of stuff is often done on purpose, and not always for the stated reasons.

    --
    The higher the technology, the sharper that two-edged sword.
  10. I wrote a law review article on this by Ethan+Preston · · Score: 2, Informative

    I wrote a law review article on this here: http://www.eplaw.us/data/ComputerSecurityPublications.pdf

    My analysis was pretty economics-based, if I remember correctly (it was published in 2002).

    The best First Amendment-side analysis was done by Eugene Volokh. Gene's paper considered much broader issues than our own paper.
    http://www.law.ucla.edu/volokh/facilitating.pdf
    http://www.law.ucla.edu/volokh/facilitatingshorter.pdf

    His paper, if I remember correctly, would expand liability further than I would, but he's a UCLA law prof and I'm a class action attorney, so draw your own conclusions.

  11. Look at it from big business' pov... by mmell · · Score: 2, Interesting

    Let's say I sell some security-related bit - a firewall, antivirus, whatever . . .

    Now, if the thing's busted and somebody gets hacked, well . . . we exercised due diligence in the manufacture, testing and marketing of our product. No problem, as far as I can see.

    OTOH, if (for example) some snot-nosed college kids and their dog publish a detailed description of a flaw in our product, we have to either make sure they're wrong or fix it pronto. Else, our fiscal arse is swinging in the breeze, ripe to be violated in court for liability issues. Say, there oughtta be a law making it illegal for mere mortals to figure out how our product works and how to defeat it - that's the ticket! Great! We can push it as being in everybody's best interest, 'cuz it'll be a way to put evil hackers in jail. Yeah, that's it!

    Now, have the police pick up those punk kids - they were last seen driving a green van.

    1. Re:Look at it from big business' pov... by Anonymous Coward · · Score: 0

      Why not? It worked for the aviation industry didn't it?

  12. just web? by delirium+of+disorder · · Score: 1

    The article summary mentions "web" or "website" five times. I expect the corporate media to confuse http with the whole Internet, but slashdot should be better. Don't these laws impact security researchers investigating POP, SSH, SMTP, IMAP, various game services, various chat services, and other Internet protocols just as much as http? Why only point out the impact on the web in that case?

    --
    ------ Take away the right to say fuck and you take away the right to say fuck the government.
    1. Re:just web? by LittleDobbs · · Score: 1

      I think the answer to this is who the researcher is contacting. If I find a flaw in HTTP I would not be contacting Joe Schmoe's website developer company, I would be contacting other research groups, W3C, etc., and the OS providers: Linux, Microsoft, Apple, etc. The latter group would be more likely to look at you as a researcher while the former assumes you are a thug. At that point the law doesn't matter. I seriously doubt the OpenBSD group is going to prosecute if you find a flaw in SSH.

  13. An easy fix for this one... by grapeape · · Score: 4, Insightful

    So you can't personally disclose the vulnerabilities to the site operator... then anonymously offer them up to the public instead. Let the script kiddies and black hats get ahold of them for a couple days. The message might get painful but at least they will be made aware of the problem. This hide-your-head-in-the-sand and pretend-everything-is-ok approach to internet security is both poor and dangerous. Optimally, rather than holding white hats responsible for finding holes, there should be regulation not only absolving the white hats but holding the site owner liable if the problem is not fixed. Of course I think ISPs should also share responsibility for zombied PCs on their network as well, but they are paying customers so we just do nothing and whine about the problem instead.

    1. Re:An easy fix for this one... by Chandon+Seldon · · Score: 1

      If private disclosure is illegal, then anonymous public disclosure is absolutely the right plan.

      Personally, as a web service provider, I would post a relatively prominent policy on my site that "security related bug reports are happily accepted, we won't sue you for being neighborly and helping us". I'm all for full disclosure, but I have no interest in turning down a free pre-notification of my security issue.

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
  14. Dadvsi again ? by Seferino · · Score: 2, Informative

    This kind of law was voted in France about a year ago. I've followed that one quite closely as, well, I'm a French researcher in the field of security. So far, the law hasn't been applied, but if it ever makes it to a court with a judge who decides to apply it literally, I might well:
    • Go to jail because I've tinkered with a web site (playing with POST or GET) -- because I've actively been looking for a security breach.
    • Go to jail because I've taught my students that things like eval() (in JS or PHP) are unsafe -- this may be equated with teaching piracy techniques. Same thing goes for buffer overflows, nm, ldd, gdb, cryptographic attacks...
    • Go to jail because I've disassembled a binary, put it through nm, ldd or anything similar to determine if it was safe to run it on my system, as that is reverse engineering. Same thing goes for writing an SELinux policy for a binary. Too bad my job is actually to design and implement tools to perform automatic analysis and/or watchdogging of third-party software.

    Etc. As I mentioned, this law hasn't been applied yet, much less tested in court. I believe that, in the case of security researchers, they couldn't hold against a sensible lawyer. But I'm still somewhat anxious whenever I teach something to my students or whenever I write a paper about security analysis.
    1. Re:Dadvsi again ? by I)_MaLaClYpSe_(I · · Score: 1

      I felt very sad when FrSIRT pulled their PoC exploits off the net. It's a shame!

      Generally, the whole European Cybercrime Convention is very sad. I for one do not welcome our new data retention legislation overlords, they shall go to hell!

      I think it's time for someone to found a new resistance movement leading us to the revolution that will not be televised. Anyone willing to apply for the job? No? Oh, you mean, because fighting is useless as we do not have any rights anymore protecting our privacy?

      Right, I will be waiting for the Cybercrime Gestapo at my door, wait - someone's already

  15. FYI, 31!73 ethics is not law based. by OldHawk777 · · Score: 1

    Render to Caesars' what is Caesar's, render to others, as a ghost, what should be done.

    When crucified by Caesars' laws, hope it is not due to a sin of pride or self-exposure.
    Elite defense is always that pseudo-proof can only be spun-truths by Caesars' minions.
    Also, Caesars' minions can create (never prove) spun-truths, except in witch-hunt courts.

    When in the world/lands of Caesars always hide and lie to avoid fry and die legal services.
    Witch-hunt forensics are for criminal persecution of heroes and innocents, not prosecution.

    Do not break any Caesar's laws in support of an agenda, or for personal gain, and most
    importantly never be a martyr, because when trapped by law you gain only pain and shame.
    Avoid battles you cannot win, because all Caesars' laws eventually grow old and pass.

    Do the right thing for US, EU, and others always. The law today is never the law tomorrow.

    Remember, you can only hold your breath till tomorrow when it's a couple minutes till midnight.
    May the GOD of the present Caesars keep you, family, and friends safe from harm until tomorrow.

    Folks, these are truly nutty fucking times, for nutty fucking Caesars, tomorrow will be better.

    --
    Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
    1. Re:FYI, 31!73 ethics is not law based. by Chandon+Seldon · · Score: 1

      tomorrow will be better.

      Legally, things tend to get worse rather than better. There is economic reinforcement of bad legal policies, and there's no motivation for lawmakers to fix them.

      --
      -- The act of censorship is always worse than whatever is being censored. Always.
    2. Re:FYI, 31!73 ethics is not law based. by Oswald · · Score: 1

      Dude. Your homepage: no Steppenwolf?

      Oh, and I think your post might be one of those things like Eliot's The Wasteland, where it takes a book six times as long as the original to explain it (cause I'm well and truly lost). Or else you're high.

  16. Details about the report by __aapopf3474 · · Score: 1

    A PR Newswire article has more details on the report:

    CMP Technology's Computer Security Institute Creates Cross-Disciplinary Group of Web Security Researchers, Computer Crime Law Experts and Agents From the U.S. Department of Justice to Discuss Web 2.0 Research Roadblocks

    Group's Initial Report to Be Released at Computer Security Institute's NetSec Conference on June 11

    SAN FRANCISCO, June 4 /PRNewswire-USNewswire/ -- The Computer Security Institute (CSI) today announced it has formed a cross-disciplinary working group of Web security researchers, computer crime law experts and agents from the U.S. Department of Justice on the legal barriers to Web 2.0 vulnerability research and disclosure. The group will release its first report Monday, June 11 at CSI's NetSec conference in Scottsdale, Ariz. "Security researchers are able to identify and publicly disclose software vulnerabilities or further write proof-of-concept exploit code without fear of criminal prosecution," said Jeremiah Grossman, CTO of WhiteHat Security and a contributor to the group. "But Web security researchers aren't so lucky: under some laws, a researcher could find himself prosecuted for simply looking for a Web site vulnerability, much less disclosing it publicly."

    To tackle this question, this working group is not to espouse any particular position, but rather to identify, debate and explain all the legal, ethical, social and technological considerations feeding this issue. "This report serves as a meeting of the minds, bringing together ideas and concerns from the developers, security researcher and law enforcement communities making it a unique touch point for everyone caught in the frenzy of Web 2.0," added Grossman.

    Within the report will be:

    • A matrix of Web security research methods (on a scale of least-invasive to most-invasive), assessments of how the law may interpret these actions and gauges of the likelihood a Web researcher will be criminally prosecuted for such actions;
    • Discussion of how the law may be changed, including how liability is assigned, how "damage" is quantified and how disclosure and criminal intent factor into sentencing; and
    • Suggested endeavors the industry may create to improve Web security within the current letter of the law, such as: better secure Web development standards, better Web site security certifications, anonymous vulnerability disclosure tip lines and a service that invites registered researchers to hack "dummy" Web pages, which are modeled off typical Web sites but contain fake data.

    A question and answer period with some members of the working group will follow the report presentation. Members of the working group include: Brian Chess, founder and CTO of Fortify Software; Jennifer Granick, executive director of the Center for Internet and Society, Stanford Law School; Jeremiah Grossman, CTO, WhiteHat Security; Billy Hoffman, lead researcher, SPI Labs; John Lynch, deputy chief, Computer Crime and Intellectual Property Section, Criminal Division, U.S. Department of Justice; Scott Parcel, vice president of engineering, Cenzic; Jon Rusch, special counsel for fraud prevention, Criminal Division, U.S. Department of Justice; Lee Tien, senior staff attorney, Electronic Frontier Foundation; and Jacob West, manager of the security research group, Fortify Software.

  17. Inadvertently? by HiThere · · Score: 1

    Sorry, this doesn't look inadvertent to me. It looks like the people in charge of various systems don't like being told that they aren't doing their jobs properly, so they are arranging to "shoot the messenger".

    In such circumstances, it doesn't pay to be a messenger. If you are one, the only sane thing to do is to lie, and report only good news. Then it comes as a totally unexpected surprise to the ones in power that they have lost whatever they were trying to defend. Totally unexpected. At this point messengers may or may not be blamed for deceiving them, but prudence would suggest that the job of messenger is better avoided.

    SURPRISE!!

    And it's never the fault of the people who decided to "shoot the messenger" in the first place. It's the fault of someone who doesn't have a strong power base. Facts don't have much to do with how blame gets passed around.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  18. ObParaphrase by idontgno · · Score: 1

    When exploits are outlawed, only outlaws will have exploits.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  19. Of course it will help the bad Guys by JohnnyGTO · · Score: 1

    Whenever a government gets involved they make things worse. That's why the old joke "We're from the government, we're here to help" is so funny!

    --
    Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
  20. You are very right.. by Anonymous Coward · · Score: 0

    Why the fuck can't human error be looked at as the same type of error that manufacturers or farmers make? In the context of software, it is the exact same thing. If someone recalls a part of a car because it is faulty and can cause you extreme damage, let's say physical not to mention economical, then that specific part is replaced and the car is fully functional again with nothing hindering it.

    Now let's look at software. Some noob codes a web application, does not sanitize any input, allows for XSS, and for some god forsaken reason, they give access to anyone in the whole system if you enter a specific person's email in a GET url string. Why the fuck can't these people be held liable the same way car companies are held liable? Or the same way a farmer is held liable if his crop gets a bunch of people sick? Is reporting something that hurts or exposes a bunch of people to personal or financial devastation now labeled a bad thing?

    This is why in my security research I am pure blackhat. I will never ever alert a company of any flaw simply for the fact that 99% of these companies have the courage of a prissy girl. They couldn't care less about their customers, owning up to their mistakes, and doing good sound business. So why should a researcher give more care to a company's customers than the actual company doing the damage? I would rather sell my exploit to some mafia organization for 5 figures. I'd rather get root on that company's box and get all personal information about their CEO. I would rather not help this company who fucked over their customers.

  21. Re, Whoops:FYI, 31!73 ethics is not law based. by OldHawk777 · · Score: 1

    We must be fair to each other; can we agree, that if we are real and truly wasted in a Tough Shit Eliot Wasteland, that it is somehow appropriate that we are here/there together, 'knowing the place for the first time' after all is wasted and lost. All, humanity more than, I 'fear in a handful of dust." maybe a few more, but all wasted together of no great cosmic consequence. Boy; dude, this is a bummer trip I hope we all get off quite soon, with morphine there is less pain, and we can still fain as if humanity extinguished remains ... sane.

    Oh, I guess, the only question remaining is what exactly are we all on?

    Whoops, I apologize for the Steppenwolf [steppenwolf.com] omission by my multiple-personality commission, I will try to remember when I am back on earth to correct any of our future mistakes again. I hope it is earth we are talking about, maybe it is a different planet and species that is very wasted in the future, I remember something sometimes.

    Thanks !HAVEFUN!

    --
    Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
  22. *sigh* by jafac · · Score: 2, Informative

    I know it's a tired and old cliché, but:

    If Security Research is outlawed, ONLY OUTLAWS WILL DO SECURITY RESEARCH.

    And that's not a desirable state of affairs, when you think about it, really.

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  23. First Rule by StikyPad · · Score: 1

    The first rule of web security research is that you do not discuss web security research.