
Security Researchers Threatened With US Cybercrime Laws 156

Posted by Soulskill
from the building-inspectors-threatened-with-arson-laws dept.
An anonymous reader writes "The Guardian reports that many of the security industry's top researchers are being threatened by lawyers and law enforcement over their efforts to track down vulnerabilities in internet infrastructure. 'HD Moore, creator of the ethical hacking tool Metasploit and chief research officer of security consultancy Rapid7, told the Guardian he had been warned by U.S. law enforcement last year over a scanning project called Critical.IO, which he started in 2012. The initiative sought to find widespread vulnerabilities using automated computer programs to uncover the weaknesses across the entire internet. ... Zach Lanier, senior security researcher at Duo Security, said many of his team had "run into possible CFAA issues before in the course of research over the last decade." Lanier said that after finding severe vulnerabilities in an unnamed "embedded device marketed towards children" and reporting them to the manufacturer, he received calls from lawyers threatening him with action.'"
  • by Ynot_82 (1023749) on Friday May 30, 2014 @03:21PM (#47131111)

    ...when ill-thought-out laws are passed.

    In the UK, it is a crime (under the Computer Misuse Act) to test a third-party system for vulnerabilities.

    The Heartbleed incident caused a lot of people to break the law testing whether websites were affected.

  • NSA (Score:5, Insightful)

    by BradMajors (995624) on Friday May 30, 2014 @03:22PM (#47131133)

    The NSA and other security services will not want security researchers to find and fix vulnerabilities the security services are exploiting.

  • Re:OK, Whatever... (Score:5, Insightful)

    by sinij (911942) on Friday May 30, 2014 @03:24PM (#47131149) Journal
    Not "caught hacking"; this implies you know about the problem or had a way to detect it after the fact. Most of the time it is "hey, you have a problem" followed by an OMGLAWYERS idiotic response. Last time I checked, lawyers were rather ineffective at patching vulnerabilities, doing root cause analysis, or improving your organization's security posture and/or practices.
  • by sinij (911942) on Friday May 30, 2014 @03:30PM (#47131207) Journal
    If I have no right to access your public-facing system via public channels, then you have no right to be absolved of responsibility for how your system is used by malicious hackers.

    When your infrastructure spams me, or gets zombied into DDoSing me, you will be held responsible for spamming and DDoSing me.

    Now, would you like to reconsider your position?
  • by Opportunist (166417) on Friday May 30, 2014 @03:33PM (#47131237)

    So security researchers and/or security reporters in the UK cannot warn about a lot of unpatched webpages in the UK, but hackers all over the globe can hack and abuse them.

    Yeah, makes a damn lot of sense.

  • Re:See... (Score:2, Insightful)

    by Anonymous Coward on Friday May 30, 2014 @03:33PM (#47131243)

    I would say that this is more like:

    You leave your credit card on a table under a wet napkin. I look at the napkin and think I can read the number. I look closer and can indeed read the number and exp date. I tell you that your credit card is easily readable, and you should probably do something about it. You then report me to the police for stealing your credit card number.

  • Re:As it should be (Score:4, Insightful)

    by Opportunist (166417) on Friday May 30, 2014 @03:34PM (#47131257)

    Now try to explain why it was A-OK for the border patrol to kill the people trying to flee from East Germany because it was the law.

  • Re:OK, Whatever... (Score:5, Insightful)

    by thaylin (555395) on Friday May 30, 2014 @03:35PM (#47131273)
    So you should have to be invited to test to ensure that the systems are secure from exploits? Under that philosophy the black hats will win almost every time.
  • Re:OK, Whatever... (Score:4, Insightful)

    by sinij (911942) on Friday May 30, 2014 @04:13PM (#47131643) Journal
    All of this is valid, but also myopic. In most vulnerability situations, especially those involving data at rest, you have costs to the business and costs to the general public that usually exceed the first figure. Just because your organization is not held financially liable for a compromise does not mean that such a compromise did not cause significant damage to third parties.

    For example, a SCADA system that your organization maintains got compromised. Fixing such a system vulnerability will inevitably be expensive, and simply sending out a technician to reset it would generate billable hours. Your business interests are to ignore this problem, but imagine if this system is part of the water treatment system for a large residential neighborhood.

    Business needs worship is a flavor of 'market will fix it' fallacy. It only works if all players are forced into making moral decisions.
  • Re:OK, Whatever... (Score:5, Insightful)

    by Jason Levine (196982) on Friday May 30, 2014 @04:22PM (#47131697)

    Last time I checked lawyers were rather ineffective at patching vulnerabilities, doing root cause analysis, or improving your organization's security posture and/or practices.

    They're very effective. To paraphrase Futurama:

    Documentary Narrator: Fortunately, our most expensive lawyers sued the security researchers and shut them up. Of course, the security holes are still there, we just sue anyone who talks about them. Thus solving the problem once and for all.
    Suzie: But...
    Documentary Narrator: Once and for all!

    Sadly, too many companies don't see this as a joke, but as a valid security vulnerability response strategy.

  • by dave562 (969951) on Friday May 30, 2014 @05:01PM (#47131983) Journal

    I work for a company that does a lot of forensics work, including collections activities and incident response. The company has to be licensed as a "private investigator" in all of the states that our employees do collections in.

    It seems like a similar licensing regime would be a good place to start for computer security researchers.

    It might also be worth considering making the researchers or their employer carry a bond as collateral against any potential damage that they might inadvertently cause.

    It has been my experience that when people and organizations have something to lose (like forfeiture of a bond or loss of a license / ability to do business), they tend to act in a more predictable manner, and within well established guidelines.

    There might also be some lessons to be learned from maritime law. In a way, researchers are sort of like privateers on the digital oceans. (So yes, once again, pirates ARE better than ninjas. Just in case there was ever any doubt.)

  • Re: See... (Score:5, Insightful)

    by arshat (3675763) on Friday May 30, 2014 @05:57PM (#47132373)

    That's a really bad analogy.

    It is. It's more like the wet napkin has retained an imprint of the credit card and you have left the napkin behind on the bar. Someone then takes the napkin, hands it to you and says "you want to be careful with these wet napkins, look". You call the police because someone you don't know has your credit card details.
