Slashdot Mirror


Laws Threaten Web Security Researchers

ancientribe writes "A new report from a Computer Security Institute (CSI) working group of Web researchers, computer crime law experts, and U.S. Department of Justice agents explores the effects of laws that might hinder Web vulnerability research. The report, which the group will present on Monday at CSI's NetSec conference, has some chilling findings about how fear of prosecution is muzzling some Web researchers from disclosing to Website operators security holes they find. The bad news is the laws may inadvertently hurt the ethical researchers and help the bad guys."

5 of 42 comments

  1. who cares? by nanosquid · Score: 4, Insightful

    If society doesn't want this kind of security research, well, they aren't going to get it and will have to deal with the consequences.

  2. In reality by gmerideth · Score: 4, Interesting

    A while back, I contacted a major ISP about an opening in their web-based mail server system that would potentially expose the email from any account provided you knew the email address you wished to gain access to, not a hard thing to accomplish. I initially contacted the abuse@ department to explain what I found and how I, and here's the kicker, accidentally stumbled upon this. I wasn't looking for it or trying some form of pen-test, it was an accident.

    At first I received an email back thanking me for pointing out the issue and a promise it will be resolved. This was then followed up by the busiest conference call I've ever been a participant of in my life where I was all but accused of starting the 1871 Chicago fire.

    Thanks turned to anger as the engineers, obviously not wanting to get fired or "blamed" (god forbid anyone in America actually take blame for anything anymore) for this minor yet potentially nasty flaw, swore up and down that there's no way other than "actively attacking" the system could I have exposed this issue and that's when things got nasty.

    I was threatened, with federal involvement (they never explained that part), emailed copies of recent arrests of hackers from Australia and told to get a lawyer. Four months later, there has been no follow-up, I've spent only eight hundred in legal fees (I got lucky there) and the ISP quietly stopped harassing me.

    I'm convinced this "attack" against anyone pointing out web security flaws is all nested in this deep-rooted fear to admit one's mistakes. Web developers think if they admit a single mistake they will never get another web development gig again. Ask yourself, would you hire a company that openly admitted to making a security mistake on a website that was discovered? I'm interested in seeing where this goes.

    --
    Why do overlook and oversee mean opposite things?
    1. Re:In reality by packetmon · Score: 4, Informative

      Funny you should mention, when I wrote a document on breaking Computrace's so-called "LoJack for Laptops," I and my then corporate attorney faced all kinds of legal threats, etc. At the end of the road, they were offering me a substantial return if I signed an NDA and kept my mouth shut. I didn't sign squat, instead I decided since they weren't going to fix their issues and misrepresent their service, I was going public with it, so I posted their emails alongside a written document of what LoJack was/is, what it did, etc., and cc'd them on it. The way I saw it was, if they're selling this to governments under the guise of security as their site states, those purchasing their product should know it's snake oil. I received a few more emails of threat here and there and shrugged it off. Let them spend a kabillion dollars in legal fees debunking me and taking me to court. It would only draw attention in a court of law that 1) I'm correct to post the insecurity of their program, 2) they misrepresented it, 3) the media surrounding what's going on would hurt them more than help them.

  3. The fatal flaw by L0neW0lf · Score: 4, Insightful

    People who wish to do illegal things will scoff at this law and do what they wish. They aren't concerned with being caught, and have no intention of reporting their findings anyway.

    People who wish to do what is right will be prevented from doing so, as disclosure will land them in trouble, rather than fix problems. Soon, no one will report problems, and those who wish to do what is right may no longer even research security flaws, due to the consequences of reporting their findings.

    Tell me how a law like this is good for anyone, other than criminals themselves?

    --
    Never look down your nose at others. Someday, someone is bound to see your boogers.
  4. An easy fix for this one... by grapeape · Score: 4, Insightful

    So you can't personally disclose the vulnerabilities to the site operator...then anonymously offer them up to the public instead. Let the script kiddies and black hats get ahold of them for a couple days. The message might get painful but at least they will be made aware of the problem. This hide your head in the sand and pretend everything is ok approach to internet security is both poor and dangerous. Optimally rather than holding white hats responsible for finding holes there should be regulation not only absolving the white hats but holding the site owner liable if the problem is not fixed. Of course I think ISPs should also share responsibility for zombied PCs on their network as well, but they are paying customers so we just do nothing and whine about the problem instead.