Slashdot Mirror

← Back to Stories (view on slashdot.org)

Laws Threaten Web Security Researchers

Posted by CowboyNeal on from the freedom-to-pry dept.

ancientribe writes "A new report from a Computer Security Institute (CSI) working group of Web researchers, computer crime law experts, and U.S. Department of Justice agents explores the effects of laws that might hinder Web vulnerability research. The report, which the group will present on Monday at CSI's NetSec conference, has some chilling findings about how fear of prosecution is muzzling some Web researchers from disclosing to Website operators security holes they find. The bad news is the laws may inadvertently hurt the ethical researchers and help the bad guys."

3 of 42 comments (clear)

  1. who cares? by nanosquid · · Score: 4, Insightful

    If society doesn't want this kind of security research, well, they aren't going to get it and will have to deal with the consequences.

  2. The fatal flaw by L0neW0lf · · Score: 4, Insightful

    People who wish to do illegal things will scoff at this law and do what they wish. They aren't concerned with being caught, and have no intention of reporting their findings anyway.

    People who wish to do what is right will be prevented from doing so, as disclosure will land them in trouble, rather than fix problems. Soon, no-one will report problems, and those who wish to do what is right may no longer even research security flaws, due to the consequences of reporting their findings.

    Tell me how law like this is good for anyone, other than criminals themselves?

    --

    Never look down your nose at others. Someday, someone is bound to see your boogers.
  3. An easy fix for this one... by grapeape · · Score: 4, Insightful

    So you cant personally disclose the vulnerabilities to the site operator...then anonymously offer them up to the public instead. Let the script kiddies and black hats get ahold of them for a couple days. The messsage might get painful but at least they will be made aware of the problem. This hide your head in the sand and pretend everything is ok approach to internet security is both poor and dangerous. Optimally rather than holding white hat's responsible for finding holes there should be regulation not only absolving the white hats but holding the site owner liable if the problem is not fixed. Of course I think ISP's should also share responsibility for zombied PC's on their network as well, but they are paying customers so we just do nothing and whine about the problem instead.