Slashdot Mirror


Security Researchers Threatened With US Cybercrime Laws

An anonymous reader writes "The Guardian reports that many of the security industry's top researchers are being threatened by lawyers and law enforcement over their efforts to track down vulnerabilities in internet infrastructure. 'HD Moore, creator of the ethical hacking tool Metasploit and chief research officer of security consultancy Rapid7, told the Guardian he had been warned by U.S. law enforcement last year over a scanning project called Critical.IO, which he started in 2012. The initiative sought to find widespread vulnerabilities using automated computer programs to uncover the weaknesses across the entire internet. ... Zach Lanier, senior security researcher at Duo Security, said many of his team had "run into possible CFAA issues before in the course of research over the last decade." Lanier said that after finding severe vulnerabilities in an unnamed "embedded device marketed towards children" and reporting them to the manufacturer, he received calls from lawyers threatening him with action."

35 of 156 comments

  1. This is what happens... by Ynot_82 · · Score: 4, Insightful

    ...when ill thought out laws are passed.

    In the UK, it is a crime (under the Computer Misuse Act) to test a third-party system for vulnerabilities.

    The Heartbleed incident caused a lot of people to break the law testing whether websites were affected.

    1. Re:This is what happens... by sinij · · Score: 4, Insightful

      If I have no right to access your public-facing system via public channels, then you have no right to be absolved of responsibility for how your system is used by malicious hackers.

      When your infrastructure spams me, or gets zombied into DDoSing me, you will be held responsible for spamming and DDoSing me.

      Now, would you like to reconsider your position?

    2. Re:This is what happens... by Opportunist · · Score: 5, Insightful

      So security researchers and/or security reporters in the UK cannot warn about a lot of unpatched webpages in the UK, but hackers all over the globe can hack and abuse them.

      Yeah, makes a damn lot of sense.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

    3. Re:This is what happens... by kwiecmmm · · Score: 2

      As it should be. You have no right to hack systems that don't belong to you unless you are asked to do so by the owner.

      And what happens if that system has some of your personal information from a previous order or interaction?

      I guess we should just throw all of these "security researchers" in jail and anytime an internet vulnerability is announced everyone should just get new logins, new credit cards and just reinvent themselves online. That sounds like the best plan.

    4. Re:This is what happens... by thaylin · · Score: 2

      And why should it be that way? The owner is not the only person who uses that system, every person with an account uses it. If you cannot find out if there is a security hole in the system then it leaves everyone open to a black hat wanting to steal stuff. It should be illegal to steal data while doing so, or to ransom said bug, both of which are already crimes. It should not be illegal to hack to find and report vulnerabilities.

      --
      When you can't win, ad hominem.

    5. Re:This is what happens... by Travis+Mansbridge · · Score: 2

      "Hack" is a pretty ambiguous term. If I discovered that I could log into any account on your service with the password 12345, would it be amoral to report this? Would it be amoral to have even discovered this? Personally, I would say it was only amoral if exploited for one's own gain or to others' detriment.

    6. Re:This is what happens... by sinij · · Score: 2

      Yes. I invoke Poe's law in my defense.

  2. Times change. by Anonymous Coward · · Score: 3, Funny

    1990 - 2000 - "Script Kiddie"
    2014 - "Security Researcher"

  3. See... by bbroerman · · Score: 2

    This is why we can't have nice things. Companies won't audit themselves, and they get bent out of shape if others do it for them...

    --
    Logic is the beginning of reason, not the end of it.

    1. Re:See... by Anonymous Coward · · Score: 2, Insightful

      I would say that this is more like:

      You leave your credit card on a table under a wet napkin. I look at the napkin and think I can read the number. I look closer and can indeed read the number and exp date. I tell you that your credit card is easily readable, and you should probably do something about it. You then report me to the police for stealing your credit card number.

    2. Re: See... by arshat · · Score: 5, Insightful

      That's a really bad analogy.

      It is. It's more like the wet napkin has retained an imprint of the credit card and you have left the napkin behind on the bar. Someone then takes the napkin, hands it to you and says "you want to be careful with these wet napkins, look". You call the police because someone you don't know has your credit card details.

  4. NSA by BradMajors · · Score: 5, Insightful

    The NSA and other security services will not want security researchers to find and fix vulnerabilities the security services are exploiting.

    1. Re: NSA by ComputerKarate · · Score: 2

      That was my initial reaction. It is not a secret the NSA has a database of ready made exploits that would be thwarted if people fixed their broken gear.

      --
      "The urge to save humanity is almost always a false front for the urge to rule." --H.L. Mencken

  5. Re:OK, Whatever... by sinij · · Score: 4, Insightful

    Not "caught hacking"; this implies you know about the problem or had a way to detect it after the fact. Most of the time it is "hey, you have a problem" followed by an idiotic OMGLAWYERS response. Last time I checked, lawyers were rather ineffective at patching vulnerabilities, doing root cause analysis, or improving your organization's security posture and/or practices.

  6. Company Assets by just_another_sean · · Score: 3, Informative

    Yeah, how dare they ask these companies to take their heads out of the sand and do something about their customers' security/privacy!

    I'm appalled at the amount of "Good, they broke the law" comments in this thread...

    --
    Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal

  7. Good bye US, hello Russia! by Opportunist · · Score: 2

    Odd as it may sound, for security research, you have WAY more liberties there.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  8. No good deed by Kevin+Fishburne · · Score: 2

    Why, with all the plenty of cheap resources, technology, entertainment and knowledge, are people still complete assholes? There must be an asshole gene that natural selection has yet to make dormant.

    --
    Buy your next Linux PC at eightvirtues.com

  9. Re:As it should be by Opportunist · · Score: 3, Insightful

    Now try to explain why it was A-OK for the border patrol to kill the people trying to flee from East Germany because it was the law.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  10. Re:OK, Whatever... by thaylin · · Score: 4, Insightful

    So you should have to be invited to test to ensure that the systems are secure from exploits? Under that philosophy the black hats will win almost every time.

    --
    When you can't win, ad hominem.

  11. Good by nurb432 · · Score: 4, Funny

    Everything is going according to plan.

    --
    ---- Booth was a patriot ----

  12. There are no white hats by russotto · · Score: 3, Interesting

    And it's about time the so-called "ethical security researchers" got off their high horses and realized that. There are far too many laws for there to be white hats. If you want to do useful research into vulnerabilities other than those of the company you are a security researcher for, you're going to have to put on the black hat.

    1. Re:There are no white hats by MightyMartian · · Score: 3, Interesting

      Which is the technical equivalent of allowing only researchers in the employ of the tobacco industry to research the risks of smoking.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.

  13. In an unrelated story, by idontgno · · Score: 4, Funny

    the mayors of several crime-plagued cities release a joint announcement that reporting apparent crimes in progress to police would result in the arrest and summary punishment of the person making the police report.

    "If you losers would stop reporting crimes, we wouldn't have so much crime," one prominent mayor stated to this reporter. "We're going to push down crime rates the only way that works: make it impossible to report a crime."

    When asked for a comment, the aforementioned mayor's Chief of Police muttered "Whaddyawant, I'm busy here" through a mouthful of donut while pocketing a thickly-stuffed brown paper envelope proffered by an unidentified man flanked by several apparent bodyguards.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.

  14. Lawyer point of view by ArcadeMan · · Score: 2

    I suppose lawyers don't have locks on their homes because there are laws about illegal entry.

  15. Re:OK, Whatever... by sinij · · Score: 3, Insightful

    All of this is valid, but also myopic. In most vulnerability situations, especially those involving data at rest, you have costs to the business and costs to the general public that usually exceed the first figure. Just because your organization is not held financially liable for a compromise does not mean that such a compromise did not cause significant damage to third parties.

    For example, say a SCADA system that your organization maintains got compromised. Fixing such a system vulnerability will inevitably be expensive, and simply sending out a technician to reset it would generate billable hours. Your business interests are to ignore this problem, but imagine if this system is part of the water treatment system for a large residential neighborhood.

    Business-needs worship is a flavor of the 'market will fix it' fallacy. It only works if all players are forced into making moral decisions.

  16. Re:OK, Whatever... by Jason+Levine · · Score: 5, Insightful

    Last time I checked lawyers were rather ineffective at patching vulnerabilities, doing root cause analysis, or improving your organization's security posture and/or practices.

    They're very effective. To paraphrase Futurama:

    Documentary Narrator: Fortunately, our most expensive lawyers sued the security researchers and shut them up. Of course, the security holes are still there, we just sue anyone who talks about them. Thus solving the problem once and for all.
    Suzie: But...
    Documentary Narrator: Once and for all!

    Sadly, too many companies don't see this as a joke, but as a valid security vulnerability response strategy.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.

  17. Re:OK, Whatever... by sinij · · Score: 2

    What happens if lock picking the front door in your hypothetical example also has a chance to unlock everybody's front door, or would make it harder to lock all the neighbors' doors? Should the homeowner in such a scenario be allowed to make decisions for the rest of the neighborhood?

    The flaw in your examples and analysis is that you view each individual networked system in isolation. This is not how the Internet works. Every compromised system makes it less safe for the rest of us.

    Fix it or take it offline.

  18. Re:OK, Whatever... by NatasRevol · · Score: 2

    Black hats are always ahead already.

    Everyone else is just trying to keep up, or at least not drown.

    --
    There are two types of people in the world: Those who crave closure

  19. Re:OK, Whatever... by sehlat · · Score: 2

    Consider that lovely phrase cost/benefit. We're talking *perceived* cost/*perceived* benefit.

    As far as TEPCO executives were concerned, the cost of protecting Fukushima Daiichi was enormous, while they could pooh-pooh the possibility of an earthquake which might need such protection.

    Such costs can be reasonably estimated, so perceived cost closely equals actual cost. However, earthquake probabilities are much easier to dismiss, so it is easy to have perceived benefit MUCH lower than actual benefit when the earthquake shows up.

    Security costs have much the same problem. You can't say with certainty that someone WILL find a way in if there is one, so...

    "Son, the guards we hire for our caravans look like a loss on the books. But the books don't show the losses we'll take if we're hit by bandits."

  20. Re:OK, Whatever... by LifesABeach · · Score: 3, Interesting

    "...embedded device marketed towards children" and reporting them to the manufacturer, he received calls from lawyers threatening him with action."

    It's OK, it's for the children!

  21. License researchers like investigators by dave562 · · Score: 3, Insightful

    I work for a company that does a lot of forensics work, including collections activities and incident response. The company has to be licensed as a "private investigator" in all of the states that our employees do collections in.

    It seems like a similar licensing regime would be a good place to start for computer security researchers.

    It might also be worth considering making the researchers or their employer carry a bond as collateral against any potential damage that they might inadvertently cause.

    It has been my experience that when people and organizations have something to lose (like forfeiture of a bond or loss of a license / ability to do business), they tend to act in a more predictable manner, and within well established guidelines.

    There might also be some lessons to be learned from maritime law. In a way, researchers are sort of like privateers on the digital oceans. (So yes, once again, pirates ARE better than ninjas. Just in case there was ever any doubt.)

  22. Re:OK, Whatever... by clovis · · Score: 2

    I think it is OK if someone drives down the street, identifies houses that leave the front door open, and reports on what they see.
    That is, so long as they do not go through the door. That would be a crime.

    People who leave the door open are enabling and encouraging criminal activity. Oddly enough, I was in a museum just this morning reading some translated Sumerian cuneiform. It was some laws that addressed just this problem. If someone leaves a property unmaintained and it attracts criminals, then that property owner becomes responsible for any thefts occurring next door.

    People who have vulnerable systems on the Internet are similarly responsible to some degree for the huge botnets that are often such a plague.
    People who identify vulnerable systems are doing us all a favor, and as far as I can tell, they are not committing a crime. The law has a concept called "mens rea", which I do not fully understand, but the concept seems to be that if you do not intend harm and do no harm, then there is no crime.

  23. Re:OK, Whatever... by ArhcAngel · · Score: 3, Funny

    First, if anyone can get to your "shit-ton of data" you are not doing it right

    Then my company is doing it right...Not even the employees can access their own data.

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K

  24. Re:OK, Whatever... by SteveTheNewbie · · Score: 2

    Let me put it another way. If you tell a homeowner that their front door lock is unusually vulnerable to being picked, first of all they should sock you in the face for trying to pick their lock (before they call the police), and second you should not go publishing that information if they choose to not fix it.

    How about if I owned the lock and found it was easy as pie to pick, then went to your place and said "oh hey, this is easy to pick, see", pulled my front door out of my pocket and demonstrated to you how easy it was to pick.

    Would you still punch me in the face and call the police on me?

    And how about I then tell the lock maker, give them six months to fix their locks so people have an alternative to upgrade to, and then publish the paper I was writing for university (I was doing a thesis on how shitty the locks on everyday homes are), which, while highlighting the problem, doesn't give exact details on how to take advantage of said shitty lock? Would it be fair for the lock company to sue the pants off me instead of fixing the locks to make everyone safer?

  25. Re:OK, Whatever... by jc42 · · Score: 4, Interesting

    First, if anyone can get to your "shit-ton of data" you are not doing it right

    Then my company is doing it right...Not even the employees can access their own data.

    Heh. That doesn't even mean you're safe. I recall a project back in the late 1980s, when I was part of a team hired by a big company (who shall remain unnamed so you'll suspect it was your company ;-). We'd had a few discussions with "top management" who'd hired us, about their problems with the DP department. Their computer folks effectively owned the data, and all access was mediated by the DP department. There was a lot of information that was there, but management couldn't get at it, because the DP folks feigned an inability to provide it.

    One evening, a bunch of us decided to stay around after hours. We went to work on their big (IBM of course) mainframe, and in the morning, we demoed to management that we could read any file on their machine. Our demo included a few reports we'd printed out that got wide-eyed reactions. We'd given them access to all of their own data, and they were very happy with us. We stuck around and provided them with a lot more reports ("over the dead bodies" of some of the DP department ;-).

    Some time later, we discussed in private the question of what we should tell the IBM folks about what we'd done. Our decision was essentially "Nah; they'll just block our current clients' access to their own data and give control back to the DP priesthood. And we have other customers who'll pay us to similarly break into their own data."

    The fact that your own employees can't access their own data doesn't necessarily mean it's safe from outsiders.

    (We never did discuss with them the implication that other outsiders might as easily access their data, if they happened to know the things we did. In the late 1980s, managers at corporate computer installations generally had no concept of a "network" other than as a way to connect remote terminals to the mainframe. There's no way we could have got them to understand the wider implications of the security holes we knew about and exploited for their benefit. It's not obvious that most of today's "management" class has such understanding, either. The current story pretty much demos the extent of that understanding. ;-)

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.