Security Researchers Threatened With US Cybercrime Laws 156
An anonymous reader writes "The Guardian reports that many of the security industry's top researchers are being threatened by lawyers and law enforcement over their efforts to track down vulnerabilities in internet infrastructure. 'HD Moore, creator of the ethical hacking tool Metasploit and chief research officer of security consultancy Rapid7, told the Guardian he had been warned by U.S. law enforcement last year over a scanning project called Critical.IO, which he started in 2012. The initiative sought to find widespread vulnerabilities using automated computer programs to uncover the weaknesses across the entire internet. ... Zach Lanier, senior security researcher at Duo Security, said many of his team had "run into possible CFAA issues before in the course of research over the last decade." Lanier said that after finding severe vulnerabilities in an unnamed "embedded device marketed towards children" and reporting them to the manufacturer, he received calls from lawyers threatening him with action."
There are no white hats (Score:4, Interesting)
And it's about time the so-called "ethical security researchers" got off their high horses and realized that. There are far too many laws for there to be white hats. If you want to do useful research into vulnerabilities other than those of the company you are a security researcher for, you're going to have to put on the black hat.
Re:This is what happens... (Score:0, Interesting)
"Researchers" are generally just dicks looking to make a name for themselves or can't get gigs.
I work as a penetration tester in the UK. if someone pays me and signs an authorization for me to attack their systems then fair play. if there is no authorization it is against the law full stop.
These muppets will end up having us licensed. There is no justification for scanning the internet for vulnerabilities on systems you have no authorization. It is not their job. They are NOT the internet police!
Re:There are no white hats (Score:4, Interesting)
Which is the technical equivalent of allowing only researchers in the employ of the tobacco industry to research the risks of smoking.
Re:OK, Whatever... (Score:4, Interesting)
It's OK, it's for the children!.
Re:OK, Whatever... (Score:5, Interesting)
First, if anyone can get to your "shit-ton of data" you are not doing it right
Then my company is doing it right...Not even the employees can access their own data.
Heh. That doesn't even mean you're safe. I recall a project back in the late 1980s, when I was part of a team hired by a big company (who shall remain unnamed so you'll suspect it was your company ;-). We'd had a few discussions with "top management" who'd hired us, about their problems with the DP department. Their computer folks effectively owned the data, and all access was mediated by the DP department. There was a lot of information that was there, but management couldn't get at it, because the DP folks feigned an inability to provide it.
One evening, a bunch of us decided to stay around after hours. We went to work on their big (IBM of course) mainframe, and in the morning, we demoed to management that we could read any file on their machine. Our demo included a few reports we'd printed out that got wide-eyed reactions. We'd given them access to all of their own data, and they were very happy with us. We stuck around and provided them with a lot more reports ("over the dead bodies" of some of the DP department ;-).
Some time later, we discussed in private the question of what we should tell the IBM folks about what we'd done. Our decision was essentially "Nah; they'll just block our current clients' access to their own data and give control back to the DP priesthood. And we have other customers who'll pay us to similarly break into their own data."
The fact that your own employees can't access their own data doesn't necessarily mean it's safe from outsiders.
(We never did discuss with them the implication that other outsiders might as easily access their data, if they happened to know the things we did. In the late 1980s, managers at corporate computer installations generally had no concept of a "network" other than as a way to connect remote terminals to the mainframe. There's no way we could have got them to understand the wider implications of the security holes we knew about and exploited for their benefit. It's not obvious that most of today's "management" class has such understanding, either. The current story pretty much demos the extent that understanding. ;-)