Slashdot Mirror


Laws Threaten Web Security Researchers

ancientribe writes "A new report from a Computer Security Institute (CSI) working group of Web researchers, computer crime law experts, and U.S. Department of Justice agents explores the effects of laws that might hinder Web vulnerability research. The report, which the group will present on Monday at CSI's NetSec conference, has some chilling findings about how fear of prosecution is muzzling some Web researchers from disclosing to Website operators security holes they find. The bad news is the laws may inadvertently hurt the ethical researchers and help the bad guys."

10 of 42 comments

  1. who cares? by nanosquid · Score: 4, Insightful

    If society doesn't want this kind of security research, well, they aren't going to get it and will have to deal with the consequences.

  2. In reality by gmerideth · Score: 4, Interesting

    A while back, I contacted a major ISP about an opening in their web based mail server system that would potentially expose the email from any account provided you knew the email address you wished to gain access to, not a hard thing to accomplish. I initially contacted the abuse@ department to explain what I found and how I, and here's the kicker, accidentally stumbled upon this. I wasn't looking for it or trying some form of pen-test, it was an accident.

    At first I received an email back thanking me for pointing out the issue and a promise it will be resolved. This was then followed up by the busiest conference call I've ever been a participant of in my life where I was all but accused of starting the 1871 Chicago fire.

    Thanks turned to anger as the engineers, obviously not wanting to get fired or "blamed" (god forbid anyone in America actually take blame for anything anymore) for this minor yet potentially nasty flaw, swore up and down that there's no way other than "actively attacking" the system could I have exposed this issue and that's when things got nasty.

    I was threatened, with federal involvement (they never explained that part), emailed copies of recent arrests of hackers from Australia and told to get a lawyer. Four months later, there has been no follow-up, I've spent only eight-hundred in legal fees (I got lucky there) and the ISP quietly stopped harassing me.

    I'm convinced this "attack" against anyone pointing out web security flaws is all nested in this deep-rooted fear to admit one's mistakes. Web developers think if they admit a single mistake they will never get another web development gig again. Ask yourself, would you hire a company that openly admitted to making a security mistake on a website that was discovered? I'm interested in seeing where this goes.

    --
    Why do overlook and oversee mean opposite things?

      1. Re:In reality by packetmon · Score: 4, Informative

      Funny you should mention, when I wrote a document on breaking Computrace's so-called "LoJack for Laptops", I and my then corporate attorney faced all kinds of legal threats, etc. At the end of the road, they were offering me a substantial return if I signed an NDA and kept my mouth shut. I didn't sign squat; instead I decided, since they weren't going to fix their issues and misrepresent their service, I was going public with it, so I posted their emails alongside a written document of what LoJack was/is, what it did, etc., and cc'd them on it. The way I saw it was, if they're selling this to governments under the guise of security as their site states, those purchasing their product should know it's snake oil. I received a few more emails of threat here and there and shrugged it off. Let them spend a kabillion dollars in legal fees debunking me and taking me to court. It would only draw attention in a court of law that 1) I'm correct to post the insecurity of their program, 2) they misrepresented it, 3) the media surrounding what's going on would hurt them more than help them.

  3. The fatal flaw by L0neW0lf · Score: 4, Insightful

    People who wish to do illegal things will scoff at this law and do what they wish. They aren't concerned with being caught, and have no intention of reporting their findings anyway.

    People who wish to do what is right will be prevented from doing so, as disclosure will land them in trouble, rather than fix problems. Soon, no-one will report problems, and those who wish to do what is right may no longer even research security flaws, due to the consequences of reporting their findings.

    Tell me how law like this is good for anyone, other than criminals themselves?

    --
    Never look down your nose at others. Someday, someone is bound to see your boogers.

  4. Government Intrusion by packetmon · Score: 2, Insightful

    "The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding." -Judge Louis Brandeis

    Should the government attempt to impose legislation to criminalize security research, they'd have to understand they'd be opening a Pandora's box to heavy-hitting criminal enterprises... Sound "tagline'ish"? Imagine something similar to TOR where people would be exchanging PoC and exploits for currency. Imagine the number of administrators trying to run around and put out brushfires on their systems because they had no forewarning. Currently full disclosure and research are the sole mechanisms which a lot of administrators use to secure systems... That's like taking away a tornado early warning system from a county that's prone to get hit by tornadoes. You have to love the idiocy of this government at times, hence the quote re-quoted... "insidious encroachment by men of zeal, well-meaning but without understanding."

    "Experience teaches us to be most on our guard to protect liberty when the government's purposes are beneficent." -Judge Louis Brandeis

    Beneficial to the government here is their own misconception that halting security research will halt attacks and perhaps drive e-crime down. Sure it will go down, only down to the underground where attacks will be more silent and effective and cause more harm than the government understands.

  5. I wrote a law review article on this by Ethan+Preston · Score: 2, Informative

    I wrote a law review article on this here: http://www.eplaw.us/data/ComputerSecurityPublications.pdf

    My analysis was pretty economics-based, if I remember correctly (it was published in 2002).

    The best First Amendment-side analysis was done by Eugene Volokh. Gene's paper considered much broader issues than our own paper.
    http://www.law.ucla.edu/volokh/facilitating.pdf
    http://www.law.ucla.edu/volokh/facilitatingshorter.pdf

    His paper, if I remember correctly, would expand liability further than I would, but he's a UCLA law prof and I'm a class action attorney, so draw your own conclusions.

  6. Look at it from big business' pov... by mmell · Score: 2, Interesting

    Let's say I sell some security-related bit - a firewall, antivirus, whatever . . .

    Now, if the thing's busted and somebody gets hacked, well . . . we exercised due diligence in the manufacture, testing and marketing of our product. No problem, as far as I can see.

    OTOH, if (for example) some snot-nosed college kids and their dog publish a detailed description of a flaw in our product, we have to either make sure they're wrong or fix it pronto. Else, our fiscal arse is swinging in the breeze, ripe to be violated in court for liability issues. Say, there oughtta be a law making it illegal for mere mortals to figure out how our product works and how to defeat it - that's the ticket! Great! We can push it as being in everybody's best interest, 'cuz it'll be a way to put evil hackers in jail. Yeah, that's it!

    Now, have the police pick up those punk kids - they were last seen driving a green van.

  7. An easy fix for this one... by grapeape · Score: 4, Insightful

    So you can't personally disclose the vulnerabilities to the site operator... then anonymously offer them up to the public instead. Let the script kiddies and black hats get ahold of them for a couple days. The message might get painful but at least they will be made aware of the problem. This hide-your-head-in-the-sand and pretend-everything-is-ok approach to internet security is both poor and dangerous. Optimally, rather than holding white hats responsible for finding holes, there should be regulation not only absolving the white hats but holding the site owner liable if the problem is not fixed. Of course I think ISPs should also share responsibility for zombied PCs on their network as well, but they are paying customers so we just do nothing and whine about the problem instead.

  8. Dadvsi again ? by Seferino · Score: 2, Informative

    This kind of law was voted in France about one year ago. I've followed that one quite closely as, well, I'm a French researcher in the field of security. So far, the law hasn't been applied, but if it ever makes it to a court with a judge who decides to apply it literally, I might well:
    • Go to jail because I've tinkered with a web site (playing with POST or GET) -- because I've actively been looking for a security breach.
    • Go to jail because I've taught my students that things like eval() (in JS or PHP) are unsafe -- this may be assimilated to teaching piracy techniques. Same thing goes for buffer overflows, nm, ldd, gdb, cryptographic attacks...
    • Go to jail because I've disassembled a binary, put it through nm, ldd or anything similar to determine if it was safe to run it on my system, as that is reverse engineering. Same thing goes for writing a SELinux policy for a binary. Too bad my job is actually to design and implement tools to perform automatic analysis and/or watchdogging of third-party software.

    Etc. As I mentioned, this law hasn't been applied yet, much less tested in court. I believe that, in the case of security researchers, they couldn't hold against a sensible lawyer. But I'm still somewhat anxious whenever I teach something to my students or whenever I write a paper about security analysis.

  9. *sigh* by jafac · Score: 2, Informative

    I know it's a tired and old cliche, but;

    If Security Research is outlawed, ONLY OUTLAWS WILL DO SECURITY RESEARCH.

    And that's not a desirable state of affairs, when you think about it, really.

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.