I agree with everything you said completely. I just didn't get that impression reading it. I guess it really comes down to the details of how much he did to find it, and what else he did once he found it. In the scenario where he just typo'd a URL and is now asking if he should do anything further, then yeah, totally. I just saw "hack" and figured he'd either done some multi-step interactive exploit, or at LEAST he was password guessing or something, which is still going a little too far into checking others' business. (as discussed elsewhere, the word 'hack' has a lot more meanings now). If he just noticed it while doing normal business, then by all means he should be protected and free to inform company and others.
Yeah, I guess we need to know more details about what happened before we can judge. As discussed elsewhere in comments, the word "hack" has gotten watered down, when I saw it and the other things he said, my interpretation was that he had done some multi-step interactive exploit on their system, which would be going way too far. If he did actually just typo a URL and fall into somebody else's records, that is entirely different. The law needs to be crystal clear here, unfortunately our techno-illiterate Congress doesn't make that any better.
Dude, this is entirely different. If the guy just accidentally fell into the exploit, then fine. Yes, he should be able to announce this, to help people with their decision about using the business in question. As discussed elsewhere on this thread, a big problem might be the watering down of the word "hack", when I saw "should I hack this company" and so on, I figured that he had already done some interactive process with their servers, which would be going too far. That's not checking out your neighbor's brake lights, that's opening up his hood to look at how his engine is doing because you think he could use a tune up; maybe he doesn't want you messing with his ride that much, maybe there's an extenuating circumstance. You're free to offer him your services, but that is where it ends. If he'd rather have a shop do it than you, and he thinks he can get by for 2 more days, then that is his right, his freedom to decide. Going around poking into everybody's backyards and checking up on them is not doing the right thing, it's the sort of big brother behavior we DO NOT want. Absolutely if he just stumbled backwards into a URL exploit, go post that shit, and he should be covered by whistleblower protections. I guess we need more information about how much he did.
So he has every right not to use that bank, and every right to tell other people not to use that bank. But he isn't allowed to break in at night to inspect their locks personally. The key thing here is you said, "scope out with binoculars". That's fine. If all he did was scope it out, then he's okay. But it sounds to me like he's gone way past that, if he's trying to find exploits and running against their servers, he can cause all kinds of mayhem that isn't fair. For all he knows, the company is in the middle of a security audit of their own; with a company they trust and that THEY selected, not him.
Also, if financial records are held in a bank, and the bank is hacked because it is insecure, obviously people are going to suffer for that. But isn't the bank going to be held responsible? Doesn't the bank have obligations, nay contracts, to fulfill problems like that? I don't think it would be legal for the bank to just go "sorry guys!". If so, THAT is the law that needs to be changed. Then everything works fine, you can use whatever bank you want, and if they have shitty security and refuse to upgrade, you can change banks to somebody else that does. Then the banks with good security will get all the customers, yay capitalism in action! Freedom is good, isn't it? The only problem is if the bank is allowed to screw up, and yet somehow the individual people who trusted that bank have to suffer instead of the bank itself, which is wrong. The bank should be liable, and then everything is fine.
Morally he is obligated to take action since people's personal data is at risk. If someone saw some damage to an aircraft but decided not to report it for fear of being accused of something that would be immoral and could result in them being responsible (in the moral if not legal sense) if there was an accident. This is no different.
Agreed, if by your job or by being a customer riding on an aircraft, you see something but don't report it, then that is bad.
But actively going around breaking into airports without permission so you can perform your own security checks on their airplanes isn't whistleblowing, it doesn't matter if in the end you find a plane that needed a check or not, you're trespassing and whistleblowing shouldn't protect that behavior. If we allow that, if we encourage it, people will be breaking into computers and airports and corporate offices every day looking for some dirt so they can get rich and famous and get away with it. So, you break in, and if you find something, you're okay, but if you don't, then you're guilty?
I absolutely agree that people need to feel confident coming forward to whistleblow, they need to be protected. But we can't encourage vigilantism. There is a significant difference between the issues.
Someone who goes out looking for problems is not a whistleblower, they are a vigilante or a bounty hunter. Whistleblowers, who I am all in favor of, are people ALREADY aware of some knowledge, who then break an agreement or contract not to disclose that information, which they are protected against because of the ethical need.
This does not mean you are allowed to break into banks and try to break their safes every day, so long as you don't steal anything and are only there to tell them how good their safe is. That is not acceptable. The bank could not conduct its business. Similarly, a computer cannot conduct its business if people all over the internet are trying to crack your computer and are legally free to do so, free of ramifications. It would be chaos.
You're not allowed to pick the locks to the front of a corporate headquarters, go inside, mess the place up, and then find some file that proves they were doing something illegal and then get whistleblower status. THINK ABOUT THAT. IF THAT WAS OKAY, PEOPLE WOULD BE BREAKING INTO EVERY OFFICE IN AMERICA ON A DAILY BASIS. That CANNOT be allowed. That is COMPLETELY different from whistle-blowing.
The absolute dumbest people ever are the people who condemn others without understanding the complexities of an issue or bothering to think someone else's point out half way.
But having 10,000,000 friendlies that aren't working together and are completely un-coordinated attacking you from completely different regions of the internet isn't going to last very long. See the difference? YOU, the OWNER of the computer should be allowed to decide WHEN it gets tested, WHO does the testing, etc. What if you're in the middle of a computationally complex task and suddenly a bunch of people in say Finland decide to test your computer "for you" to be "friendly". Oh no, there goes your service, oh no, there goes your task, oh no, there goes your productivity. Annoying they didn't ask first! And you can't even ask them to stop, because it's legal for them to do this!
Think about it.
I am a he so I use he. He/she are interchangeable. Use whichever you want. English does not really have an acceptable gender-neutral way of speaking about a person, "it" is wrong even if the sex of the person is in doubt. I do not feel like typing he/she went down to his/her computer to type up his/her thoughts every single time a pronoun is used. Are you trolling? Making sexist issues where there are none doesn't help anybody. Going around making sure that everything that talks about computers includes girls because girls aren't usually involved is practically reverse-discrimination; you're making women look bad by trying so hard to include them, where I just figure everybody is already included.
Next you're going to tell me "why isn't my hello world program working?" or "what does this syntax error mean?" are legitimate /. stories.
If he just shuts up hundreds/thousands of people can be victimized, and I know that in his shoes I would feel bad if that happened. Wouldn't you?
For all he knows, the system he was looking at wasn't as important as he thought, maybe it's a testing server.
Or maybe the company is in the middle of a security audit, and they are paying someone right now to fix things, it just takes time.
We don't know. But the point is, you're not the watchdog of the internet. It isn't your place to go snooping around everybody else's computers. If everybody is allowed to freely trespass on anything, if we abandon the idea of ownership, then there are going to be LOTS of big problems. I've discussed it on other comments, so I won't bother copypasta, but this simply is not the way to get things done.
I can't help thinking how a real criminal would have proxied, and sold the code rather than published it, but to the FBI it's all the same.
Yeah, he clearly wasn't of a criminal mindset as much as a curious and possibly playful attitude. But stealing HL2 source is stealing HL2 source :P
That's because we reject DRM, defective by design only hurts legitimate owners who have paid and legally own it, the pirates, the criminals who should be punished, are not, and those who shouldn't be punished are. It is entirely pointless, backwards, and annoying. Similarly piracy, when you really analyze it, is usually a response to a product being sold only at a price point that is above the perceived value of that product. We in America do not haggle, you buy it at the advertised price or you get nothing. There's no telling the manager "hey, I can't pay that, but if you'll sell it to me for 15% less then you can still make a profit and I'll be happy", so your options are pay too much, or pirate. Piracy is often equated to lost sales, and this has been shown time and again to be absolutely incorrect. Most pirates will either buy a product later after testing it (not wanting to buy products that have been marketed to look better than they are) or cannot afford the product at any point. So it does not affect economics and criminally suing these people for hundreds of thousands of dollars is beyond insane.
But this is one that SHOULD be. You SHOULDN'T be able to just access and tinker with any computer that is on the internet, just because you can. Not every mom & pop store can afford iron-clad security; that doesn't give you a *right* to break their system just because you can. If a bank didn't lock its money up, it would still be QUITE ILLEGAL to steal it. It is still very ILLEGAL to walk into somebody's house and watch their television while they are gone, moving their things around or breaking them. It doesn't matter if the front door is locked or not, or how bad the lock is, or how good you are at lockpicking. It is a non-issue, the fact is you just can't do that. We can't keep peace otherwise, everything would be chaotic. There are no possessions, so I can take things right out of your hand, even while you're in the middle of using them? Production would grind to a halt.
I don't blame the submitter for being ignorant, we are all born ignorant. But you need to be aware of your ignorance, and stop yourself and do research before you go and break laws. This is how people get hurt, when you don't think things through, when you don't consider the implications and the consequences.
As much as I may feel that people should get a few mistakes before they're judged too harshly, in the United States Legal System, ignorance of the law is not and has never been an excuse.
Maybe, but I don't think they'd want to have anything to do with this. They have a hard enough time protecting people that should be protected, much less people who are just straight criminals.
A hacker is not a whistleblower. A whistleblower is someone who has access to something but is not supposed to share it, who chooses to violate that policy / contract because of ethical needs to inform. But that does not cover people who go out LOOKING for things to whistleblow. You couldn't use whistle-blower protections to protect yourself picking locks and breaking into a company's headquarters, EVEN if you found all sorts of atrocities. (AFAIK) That's the difference here, the proactive searching instead of having already come across something as part of your day or your job. If this is acceptable, then it will create all sorts of hacking vigilantes / bounty hunters who will spam every corporate server they can get their hands on in the hopes that they'll find something.
Don't get me wrong, I'm ALL FOR whistleblower protections. I just don't think this counts at all, different issue.
This, times a million. Source: Many previous stories of people who notified organizations about security issues and were rewarded with a lawsuit.
And in those cases once those people discovered a hole they continued to exploit it.
Actually, not all of those arrested for violating the Computer Fraud and Abuse Act were selling the information for profit or repeatedly broke in. Especially during the early days of the internet, there were plenty of curious hackers who didn't actually do anything malicious, and they still got jail time.
They'll pay attention long enough to tell your name to the FBI and smile while you're cop-walked off your front porch in handcuffs.
Great advice.
Why is the internet ruled by morons?
Maybe you're the moron, and you're concluding others are morons on a false assumption. Hm...
Let's say you have a company. Let's say you have some servers. Let's say the world works the way YOU say it should.
Now, every day, you're going to get every script kiddie in the internet trying to poke holes in your network. In fact, if they get in, that's fine. They're allowed to look at everything you're doing (trade secrets) and they can copy user data, since this is legal. You're going to be in hot water with your customers, fast.
Also, you're getting DDoS'd now because of all these people hitting your computer at random times for fun, to "test" against that "vulnerability". Good luck dealing with that too.
Yes, in a perfect world everybody would always have iron-clad security. But if you think that is remotely how this world works, you're missing so many details which are fundamental. Not everybody needs to be like that.
What about a mom & pop store that has a small website for a few customers? Now, EVERYBODY EVERYWHERE has to ALWAYS have 100% perfect security. It's that or just DO NOT offer computer services. There is no in between allowed.
That is the world you are advocating. Instead of, let people be free, let people do what they want. If a company wants to spend X money on X level of security, they can do that. If you find them to be not concerned enough about security for your tastes, go to company Y which spends Y to get Y security. That's how it goes, it's a money balancing game. The more you spend on advertising, the less you spend on products. The more you spend on development, the less you spend on something else. If more people like a certain company's policy, they'll make more profit, and then they can afford more security.
But to just say that you ALWAYS, ALWAYS have to be up-to-date with 100% security or you can't own a computer is laughable. If that was the standard, there would be, what, a handful of websites on the internet? Google and a few banks? Come on. Think it through.
Psh, semantics! You're just a dork!
There are plenty of insecure servers out there, we don't need heroes to come along and save us from them.
Seriously.
So if I build a computer at home, and I install an old, unpatched OS for fun, somebody is legally allowed to hack me? The implications of this would be devastating. Even if they aren't vulnerable, businesses could be DDoS'd without recourse on the grounds "we're testing you for vulnerabilities". People simply do not think things through fully.
I guess IANAL, but it seems to be (again, at least in the US) that even whistle-blower protections wouldn't cover this. That is more meant for someone on the inside, aware of some detail, sharing the detail that they aren't supposed to share because it needs to be shared ethically. It does not AFAIK, give protections to proactively LOOKING for details to share. And hell, whistle-blower protections aren't even that strong to begin with. If it did protect this sort of action, it would create an awkward double-standard where if you thought there was a vulnerability, and so you hacked it to test it, you would be covered if you were right, but you would be in violation of a law if you were wrong. It seems wonky.
Or there's the guy who stole the Half-Life 2 source code, and then when Valve said "come to America and we can talk about it and offer you a job for your sweet hax0ring skillz" and he fell for it. FBI was waiting for him. Smooth.
Maaaaaybe. That's a big stretch though, it sure doesn't sound like he discovered some 0-day in proprietary software that he can test a custom hack software against. It sounds more like he discovered an easily guessable password, or an SQL injection opening or something like that. Where there is a known solution, but this particular company hasn't been very careful. Maybe I'm just getting that out of nowhere, but if that is the case, then there really isn't a "proof of concept" to be made at all. I'd like to hear what he was thinking of doing for that proof of concept. Hacking somebody's financial records isn't just a concept ;p
You and me, Zero Cool!
Found a link to the original script, although reading scenes with both BLADE and DADE gets pretty annoying: Hackers
Love your signature. :)