Slashdot Mirror


Laws Threaten Web Security Researchers

ancientribe writes "A new report from a Computer Security Institute (CSI) working group of Web researchers, computer crime law experts, and U.S. Department of Justice agents explores the effects of laws that might hinder Web vulnerability research. The report, which the group will present on Monday at CSI's NetSec conference, has some chilling findings about how fear of prosecution is muzzling some Web researchers from disclosing to Website operators security holes they find. The bad news is the laws may inadvertently hurt the ethical researchers and help the bad guys."

4 of 42 comments

  1. Re:In reality by packetmon · Score: 4, Informative

    Funny you should mention, when I wrote a document on breaking Computrace's so-called "LoJack for Laptops", I and my then corporate attorney faced all kinds of legal threats, etc. At the end of the road, they were offering me a substantial return if I signed an NDA and kept my mouth shut. I didn't sign squat; instead I decided that since they weren't going to fix their issues and were misrepresenting their service, I was going public with it, so I posted their emails alongside a written document of what LoJack was/is, what it did, etc., and cc'd them on it. The way I saw it was, if they're selling this to governments under the guise of security as their site states, those purchasing their product should know it's snake oil. I received a few more emails of threat here and there and shrugged it off. Let them spend a kabillion dollars in legal fees debunking me and taking me to court. It would only draw attention in a court of law that 1) I'm correct to post the insecurity of their program, 2) they misrepresented it, 3) the media surrounding what's going on would hurt them more than help them.

  2. I wrote a law review article on this by Ethan+Preston · Score: 2, Informative

    I wrote a law review article on this here: http://www.eplaw.us/data/ComputerSecurityPublications.pdf

    My analysis was pretty economics-based, if I remember correctly (it was published in 2002).

    The best First Amendment-side analysis was done by Eugene Volokh. Gene's paper considered much broader issues than our own paper.
    http://www.law.ucla.edu/volokh/facilitating.pdf
    http://www.law.ucla.edu/volokh/facilitatingshorter.pdf

    His paper, if I remember correctly, would expand liability further than I would, but he's a UCLA law prof and I'm a class action attorney, so draw your own conclusions.

  3. Dadvsi again? by Seferino · Score: 2, Informative

    This kind of law was passed in France about one year ago. I've followed that one quite closely as, well, I'm a French researcher in the field of security. So far, the law hasn't been applied, but if it ever makes it to a court with a judge who decides to apply it literally, I might well:
    • Go to jail because I've tinkered with a web site (playing with POST or GET) -- because I've actively been looking for a security breach.
    • Go to jail because I've taught my students that things like eval() (in JS or PHP) are unsafe -- this could be construed as teaching piracy techniques. Same thing goes for buffer overflows, nm, ldd, gdb, cryptographic attacks...
    • Go to jail because I've disassembled a binary, put it through nm, ldd or anything similar to determine if it was safe to run it on my system, as that is reverse engineering. Same thing goes for writing a SELinux policy for a binary. Too bad my job is actually to design and implement tools to perform automatic analysis and/or watchdogging of third-party software.

    Etc. As I mentioned, this law hasn't been applied yet, much less tested in court. I believe that, in the case of security researchers, it wouldn't hold up against a sensible lawyer. But I'm still somewhat anxious whenever I teach something to my students or whenever I write a paper about security analysis.

  4. *sigh* by jafac · Score: 2, Informative

    I know it's a tired and old cliché, but:

    If Security Research is outlawed, ONLY OUTLAWS WILL DO SECURITY RESEARCH.

    And that's not a desirable state of affairs, when you think about it, really.

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.