Laws Threaten Web Security Researchers
ancientribe writes "A new report from a Computer Security Institute (CSI) working group of Web researchers, computer crime law experts, and U.S. Department of Justice agents explores the effects of laws that might hinder Web vulnerability research. The report, which the group will present on Monday at CSI's NetSec conference, has some chilling findings about how fear of prosecution is muzzling some Web researchers from disclosing to Website operators security holes they find. The bad news is the laws may inadvertently hurt the ethical researchers and help the bad guys."
A while back, I contacted a major ISP about an opening in their web-based mail server system that would potentially expose the email from any account provided you knew the email address you wished to gain access to, not a hard thing to accomplish. I initially contacted the abuse@ department to explain what I found and how I, and here's the kicker, accidentally stumbled upon this. I wasn't looking for it or trying some form of pen-test; it was an accident.
At first I received an email back thanking me for pointing out the issue and a promise it will be resolved. This was then followed up by the busiest conference call I've ever been a participant of in my life where I was all but accused of starting the 1871 Chicago fire.
Thanks turned to anger as the engineers, obviously not wanting to get fired or "blamed" (god forbid anyone in America actually take blame for anything anymore) for this minor yet potentially nasty flaw, swore up and down that there's no way I could have exposed this issue other than by "actively attacking" the system, and that's when things got nasty.
I was threatened with federal involvement (they never explained that part), emailed copies of recent arrests of hackers from Australia and told to get a lawyer. Four months later, there has been no follow-up, I've spent only eight hundred in legal fees (I got lucky there) and the ISP quietly stopped harassing me.
I'm convinced this "attack" against anyone pointing out web security flaws is all nested in this deep-rooted fear to admit one's mistakes. Web developers think if they admit a single mistake they will never get another web development gig again. Ask yourself, would you hire a company that openly admitted to making a security mistake on a website that was discovered? I'm interested in seeing where this goes.
Why do overlook and oversee mean opposite things?
Now, if the thing's busted and somebody gets hacked, well . . . we exercised due diligence in the manufacture, testing and marketing of our product. No problem, as far as I can see.
OTOH, if (for example) some snot-nosed college kids and their dog publish a detailed description of a flaw in our product, we have to either make sure they're wrong or fix it pronto. Else, our fiscal arse is swinging in the breeze, ripe to be violated in court for liability issues. Say, there oughtta be a law making it illegal for mere mortals to figure out how our product works and how to defeat it - that's the ticket! Great! We can push it as being in everybody's best interest, 'cuz it'll be a way to put evil hackers in jail. Yeah, that's it!
Now, have the police pick up those punk kids - they were last seen driving a green van.