Slashdot Mirror


Security Researchers Threatened With US Cybercrime Laws

An anonymous reader writes "The Guardian reports that many of the security industry's top researchers are being threatened by lawyers and law enforcement over their efforts to track down vulnerabilities in internet infrastructure. 'HD Moore, creator of the ethical hacking tool Metasploit and chief research officer of security consultancy Rapid7, told the Guardian he had been warned by U.S. law enforcement last year over a scanning project called Critical.IO, which he started in 2012. The initiative sought to find widespread vulnerabilities using automated computer programs to uncover the weaknesses across the entire internet. ... Zach Lanier, senior security researcher at Duo Security, said many of his team had "run into possible CFAA issues before in the course of research over the last decade." Lanier said that after finding severe vulnerabilities in an unnamed "embedded device marketed towards children" and reporting them to the manufacturer, he received calls from lawyers threatening him with action.'"

11 of 156 comments

  1. This is what happens... by Ynot_82 · Score: 4, Insightful

    ...when ill-thought-out laws are passed.

    In the UK, it is a crime (under the Computer Misuse Act) to test a third-party system for vulnerabilities.

    The Heartbleed incident caused a lot of people to break the law testing whether websites were affected.

    1. Re:This is what happens... by sinij · Score: 4, Insightful

      If I have no right to access your public-facing system via public channels, then you have no right to be absolved of responsibility of how your system is used by malicious hackers.

      When your infrastructure spams me, or gets zombied into DDoSing me, you will be held responsible for spamming and DDoSing me.

      Now, would you like to reconsider your position?

    2. Re:This is what happens... by Opportunist · Score: 5, Insightful

      So security researchers and/or security reporters in the UK cannot warn about a lot of unpatched webpages in the UK, but hackers all over the globe can hack and abuse them.

      Yeah, makes a damn lot of sense.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  2. NSA by BradMajors · Score: 5, Insightful

    The NSA and other security services will not want security researchers to find and fix vulnerabilities the security services are exploiting.

  3. Re:OK, Whatever... by sinij · Score: 4, Insightful

    Not "caught hacking", this implies you know about the problem or had a way to detect this post-fact. Most of the time it is "hey you have a problem" followed by OMGLAWYERS idiotic response. Last time I checked lawyers were rather ineffective at patching vulnerabilities, doing root cause analysis, or improving your organization's security posture and/or practices.

  4. Re:OK, Whatever... by thaylin · Score: 4, Insightful

    So you should have to be invited to test to ensure that the systems are secure from exploits? Under that philosophy the black hats will win almost every time.

    --
    When you can't win, ad hominem.

  5. Good by nurb432 · Score: 4, Funny

    Everything is going according to plan.

    --
    ---- Booth was a patriot ----

  6. In an unrelated story, by idontgno · Score: 4, Funny

    the mayors of several crime-plagued cities release a joint announcement that reporting apparent crimes in progress to police would result in the arrest and summary punishment of the person making the police report.

    "If you losers would stop reporting crimes, we wouldn't have so much crime," one prominent mayor stated to this reporter. "We're going to push down crime rates the only way that works: make it impossible to report a crime."

    When asked for a comment, the aforementioned mayor's Chief of Police muttered "Whaddyawant, I'm busy here" through a mouthful of donut while pocketing a thickly-stuffed brown paper envelope proffered by an unidentified man flanked by several apparent bodyguards.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.

  7. Re:OK, Whatever... by Jason Levine · Score: 5, Insightful

    Last time I checked lawyers were rather ineffective at patching vulnerabilities, doing root cause analysis, or improving your organization's security posture and/or practices.

    They're very effective. To paraphrase Futurama:

    Documentary Narrator: Fortunately, our most expensive lawyers sued the security researchers and shut them up. Of course, the security holes are still there, we just sue anyone who talks about them. Thus solving the problem once and for all.
    Suzie: But...
    Documentary Narrator: Once and for all!

    Sadly, too many companies don't see this as a joke, but as a valid security vulnerability response strategy.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.

  8. Re: See... by arshat · Score: 5, Insightful

    That's a really bad analogy.

    It is. It's more like the wet napkin has retained an imprint of the credit card and you have left the napkin behind on the bar. Someone then takes the napkin, hands it to you and says "you want to be careful with these wet napkins, look". You call the police because someone you don't know has your credit card details.

  9. Re:OK, Whatever... by jc42 · Score: 4, Interesting

    First, if anyone can get to your "shit-ton of data" you are not doing it right

    Then my company is doing it right...Not even the employees can access their own data.

    Heh. That doesn't even mean you're safe. I recall a project back in the late 1980s, when I was part of a team hired by a big company (who shall remain unnamed so you'll suspect it was your company ;-). We'd had a few discussions with "top management" who'd hired us, about their problems with the DP department. Their computer folks effectively owned the data, and all access was mediated by the DP department. There was a lot of information that was there, but management couldn't get at it, because the DP folks feigned an inability to provide it.

    One evening, a bunch of us decided to stay around after hours. We went to work on their big (IBM of course) mainframe, and in the morning, we demoed to management that we could read any file on their machine. Our demo included a few reports we'd printed out that got wide-eyed reactions. We'd given them access to all of their own data, and they were very happy with us. We stuck around and provided them with a lot more reports ("over the dead bodies" of some of the DP department ;-).

    Some time later, we discussed in private the question of what we should tell the IBM folks about what we'd done. Our decision was essentially "Nah; they'll just block our current clients' access to their own data and give control back to the DP priesthood. And we have other customers who'll pay us to similarly break into their own data."

    The fact that your own employees can't access their own data doesn't necessarily mean it's safe from outsiders.

    (We never did discuss with them the implication that other outsiders might as easily access their data, if they happened to know the things we did. In the late 1980s, managers at corporate computer installations generally had no concept of a "network" other than as a way to connect remote terminals to the mainframe. There's no way we could have got them to understand the wider implications of the security holes we knew about and exploited for their benefit. It's not obvious that most of today's "management" class has such understanding, either. The current story pretty much demos the extent of that understanding. ;-)

    --
    Those who do study history are doomed to stand helplessly by while everyone else repeats it.