Slashdot Mirror


Laws Threaten Web Security Researchers

ancientribe writes "A new report from a Computer Security Institute (CSI) working group of Web researchers, computer crime law experts, and U.S. Department of Justice agents explores the effects of laws that might hinder Web vulnerability research. The report, which the group will present on Monday at CSI's NetSec conference, has some chilling findings about how fear of prosecution is muzzling some Web researchers from disclosing to Website operators security holes they find. The bad news is the laws may inadvertently hurt the ethical researchers and help the bad guys."

6 of 42 comments

  1. who cares? by nanosquid · Score: 4, Insightful

    If society doesn't want this kind of security research, well, they aren't going to get it and will have to deal with the consequences.

  2. The fatal flaw by L0neW0lf · Score: 4, Insightful

    People who wish to do illegal things will scoff at this law and do what they wish. They aren't concerned with being caught, and have no intention of reporting their findings anyway.

    People who wish to do what is right will be prevented from doing so, as disclosure will land them in trouble, rather than fix problems. Soon, no-one will report problems, and those who wish to do what is right may no longer even research security flaws, due to the consequences of reporting their findings.

    Tell me how a law like this is good for anyone, other than criminals themselves?

    --

    Never look down your nose at others. Someday, someone is bound to see your boogers.

  3. Government Intrusion by packetmon · Score: 2, Insightful

    "The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding." -Judge Louis Brandeis

    Should the government attempt to impose legislation to criminalize security research, they'd have to understand they'd be opening a Pandora's box to heavy hitting criminal enterprises... Sound "tagline'ish"? Imagine something similar to TOR where people would be exchanging PoC and exploits for currency. Imagine the number of administrators trying to run and put out brushfires on their systems because they had no forewarning. Currently full disclosure and research are the sole mechanisms which a lot of administrators use to secure systems... That's like taking away a tornado early warning system from a county that's prone to get hit by tornadoes. You have to love the idiocy of this government at times, hence the quote re-quoted... "insidious encroachment by men of zeal, well-meaning but without understanding."

    "Experience teaches us to be most on our guard to protect liberty when the government's purposes are beneficent." -Judge Louis Brandeis

    Beneficial to the government here is their own misconception that halting security research will halt attacks and perhaps drive e-crime down. Sure it will go down, only down to the underground where attacks will be more silent and effective and cause more harm than the government understands.

  4. simple solution by Anonymous Coward · Score: 1, Insightful

    Inform the systems admin anonymously and tell them they will be watched, and if the security hole is not patched soon you will go public with the info...

    I am posting this comment anonymously to protect my identity ;p

    1. Re:simple solution by Anonymous Coward · Score: 1, Insightful

      ...and you could involve a 419 style extortion scheme where you involve an intermediary to help transfer funds for a certain percentage. Demanding payment in order to keep the flaw secret. But really, all this secrecy just means less secure systems and more people will get victimized in the long run. Full disclosure is the way to go, and embarrassing the companies that refuse to fix their broken systems is totally fair. Pretending we're perfect and don't make mistakes just makes us deluded idiots. Better to admit it can and does happen, and work to fix the problems and move on.

  5. An easy fix for this one... by grapeape · Score: 4, Insightful

    So you can't personally disclose the vulnerabilities to the site operator...then anonymously offer them up to the public instead. Let the script kiddies and black hats get ahold of them for a couple days. The message might get painful but at least they will be made aware of the problem. This hide-your-head-in-the-sand-and-pretend-everything-is-ok approach to internet security is both poor and dangerous. Optimally, rather than holding white hats responsible for finding holes, there should be regulation not only absolving the white hats but holding the site owner liable if the problem is not fixed. Of course I think ISPs should also share responsibility for zombied PCs on their network as well, but they are paying customers so we just do nothing and whine about the problem instead.