
Security Researchers Threatened With US Cybercrime Laws

Soulskill posted about 4 months ago | from the building-inspectors-threatened-with-arson-laws dept.

Security 156

An anonymous reader writes "The Guardian reports that many of the security industry's top researchers are being threatened by lawyers and law enforcement over their efforts to track down vulnerabilities in internet infrastructure. 'HD Moore, creator of the ethical hacking tool Metasploit and chief research officer of security consultancy Rapid7, told the Guardian he had been warned by U.S. law enforcement last year over a scanning project called Critical.IO, which he started in 2012. The initiative sought to find widespread vulnerabilities using automated computer programs to uncover the weaknesses across the entire internet. ... Zach Lanier, senior security researcher at Duo Security, said many of his team had "run into possible CFAA issues before in the course of research over the last decade." Lanier said that after finding severe vulnerabilities in an unnamed "embedded device marketed towards children" and reporting them to the manufacturer, he received calls from lawyers threatening him with action."


156 comments


OK, Whatever... (-1)

Frosty Piss (770223) | about 4 months ago | (#47131061)

industry's top researchers are being threatened by lawyers and law enforcement over their efforts to track down vulnerabilities in internet infrastructure.

Yes, it's surprising when companies get bent out of shape when random "security researchers" hack into their systems uninvited.

Sure, it's nice to know if you are vulnerable, but still, it is difficult to take at "face value" when some random "security researcher" claims to have altruistic aims when caught hacking your network...

Times change. (3, Funny)

Anonymous Coward | about 4 months ago | (#47131113)

1990 - 2000 - "Script Kiddie"
2014 - "Security Researcher"

Re:OK, Whatever... (0)

Anonymous Coward | about 4 months ago | (#47131139)

You didn't read the article.

Re:OK, Whatever... (4, Insightful)

sinij (911942) | about 4 months ago | (#47131149)

Not "caught hacking"; this implies you know about the problem or had a way to detect this after the fact. Most of the time it is "hey, you have a problem" followed by an OMGLAWYERS idiotic response. Last time I checked, lawyers were rather ineffective at patching vulnerabilities, doing root cause analysis, or improving your organization's security posture and/or practices.

Re:OK, Whatever... (-1, Troll)

Frosty Piss (770223) | about 4 months ago | (#47131197)

Most of the time it is...

No, that's not so, and you know it. Usually it's some basement dweller who hacks into some system, downloads a shit-ton of data, and after getting no response from the bottom tier Help Desk, publishes it in the Intertubes in an attempt to get "street cred" as a "security researcher".

Re:OK, Whatever... (1)

sinij (911942) | about 4 months ago | (#47131315)

First, if anyone can get to your "shit-ton of data" you are not doing it right, and in your organization CIO is an honorary title.

Second, the act of publishing is problematic, maybe even the act of downloading, but not the act of accessing your system in a proof-of-concept.

Third, if someone is trying to report a problem to your organization and does not have an easy way to do so, then it is yet another failure that you should address.

Re:OK, Whatever... (1)

MightyMartian (840721) | about 3 months ago | (#47131503)

Remember the old days when motive was a substantial part of a court's consideration of an alleged illegal act?

But that was in the days before lawyers became gods on earth.

Re:OK, Whatever... (3, Interesting)

LifesABeach (234436) | about 3 months ago | (#47131879)

"...embedded device marketed towards children" and reporting them to the manufacturer, he received calls from lawyers threatening him with action."

It's OK, it's for the children!

Re:OK, Whatever... (1)

Anonymous Coward | about 3 months ago | (#47131559)

These are all business decisions. Fact of the matter is that every business owner needs to make a calculated decision on whether or not to fix a known security problem (or any bug for that matter) based on the cost/benefit. They may decide that the likelihood of being attacked, cost of damage, value of data that could be stolen, or otherwise is simply too low in comparison to the cost of fixing the issue. This may or may not be true, but any ethical "security researcher" should allow that company to make that decision without holding them hostage with the damaging information. Every system is vulnerable. It's always a question of how much money it is worth spending to make it less vulnerable.

Re:OK, Whatever... (3, Insightful)

sinij (911942) | about 3 months ago | (#47131643)

All of this is valid, but also myopic. In most vulnerability situations, especially those involving data at rest, you have costs to the business and costs to the general public that usually exceed the first figure. Just because your organization is not held financially liable for a compromise does not mean that such a compromise did not cause significant damage to third parties.

For example, a SCADA system that your organization maintains got compromised. Fixing such a system vulnerability will inevitably be expensive, and simply sending out a technician to reset it would generate billable hours. Your business interests are to ignore this problem, but imagine if this system is part of the water treatment system for a large residential neighborhood.

Business needs worship is a flavor of 'market will fix it' fallacy. It only works if all players are forced into making moral decisions.

Re:OK, Whatever... (1)

Anonymous Coward | about 3 months ago | (#47131681)

Your business interests are to ignore this problem, but imagine if this system is part of the water treatment system for a large residential neighborhood.

This was exactly my point. It is a business decision of cost/benefit. If that SCADA system is just part of your office building's HVAC control, you would probably be wise to leave it be, since the likelihood of anyone attacking your air conditioning is low and any fallout cost would be relatively low. If it's controlling a nuclear power plant, that's another story. It is the responsibility of the business to make that call.

Let me put it another way. If you tell a homeowner that their front door lock is unusually vulnerable to being picked, first of all they should sock you in the face for trying to pick their lock (before they call the police), and second you should not go publishing that information if they choose not to fix it.

Re:OK, Whatever... (2)

sinij (911942) | about 3 months ago | (#47131757)

What happens if lock picking the front door in your hypothetical example also has a chance to unlock everybody's front door, or would make it harder to lock all the neighbors' doors? Should the homeowner in such a scenario be allowed to make decisions for the rest of the neighborhood?

The flaw in your examples and analysis is that you view each individual networked system in isolation. This is not how the Internet works. Every compromised system makes it less safe for the rest of us.

Fix it or take it offline.

Re:OK, Whatever... (0)

Anonymous Coward | about 3 months ago | (#47131823)

If you set up your door to be potentially unlocked by mine, that's your problem. And it is definitely not the problem of some stranger. If I set up my door to unlock yours without asking, you should sue me. If I did it with your permission, you're foolish if you didn't require that you would be allowed to audit me regularly and cancel the agreement whenever. Now get off my lawn.

Re:OK, Whatever... (1)

Scarletdown (886459) | about 3 months ago | (#47132359)

Let me put it another way. If you tell a homeowner that their front door lock is unusually vulnerable to being picked, first of all they should sock you in the face for trying to pick their lock (before they call the police), and second you should not go publishing that information if they choose to not fix it.

Who says you actually tried to pick their lock? There is a decent chance that your house has the same make and model of lock that theirs does, and when you accidentally locked yourself out, you discovered how easy that particular lock was to pick. Wouldn't warning them about the risk be the right thing to do?

Re:OK, Whatever... (2)

sehlat (180760) | about 3 months ago | (#47131863)

Consider that lovely phrase cost/benefit. We're talking *perceived* cost/*perceived* benefit.

As far as TEPCO executives were concerned, the cost of protecting Fukushima Daiichi was enormous, while they could pooh-pooh the possibility of an earthquake which might need such protection.

Such costs can be reasonably estimated, so perceived cost closely equals actual cost. However, earthquake probabilities are much easier to dismiss, so it is easy to have perceived benefit MUCH lower than actual benefit when the earthquake shows up.

Security costs have much the same problem. You can't say for certain that someone WILL find a way in if there is one, so...

"Son, the guards we hire for our caravans look like a loss on the books. But the books don't show the losses we'll take if we're hit by bandits."

Re:OK, Whatever... (3, Funny)

ArhcAngel (247594) | about 3 months ago | (#47132109)

First, if anyone can get to your "shit-ton of data" you are not doing it right

Then my company is doing it right...Not even the employees can access their own data.

Re:OK, Whatever... (5, Insightful)

Jason Levine (196982) | about 3 months ago | (#47131697)

Last time I checked lawyers were rather ineffective at patching vulnerabilities, doing root cause analysis, or improving your organization's security posture and/or practices.

They're very effective. To paraphrase Futurama:

Documentary Narrator: Fortunately, our most expensive lawyers sued the security researchers and shut them up. Of course, the security holes are still there, we just sue anyone who talks about them. Thus solving the problem once and for all.
Suzie: But...
Documentary Narrator: Once and for all!

Sadly, too many companies don't see this as a joke, but as a valid security vulnerability response strategy.

Re:OK, Whatever... (1)

NatasRevol (731260) | about 3 months ago | (#47131799)

And by companies, you mean the US gov't in this case.

Re:OK, Whatever... (4, Insightful)

thaylin (555395) | about 4 months ago | (#47131273)

So you should have to be invited to test to ensure that the systems are secure from exploits? Under that philosophy the black hats will win almost every time.

Re:OK, Whatever... (0)

Anonymous Coward | about 3 months ago | (#47131595)

So you should have to be invited to test to ensure that the systems are secure from exploits?

Do you really need to ask? Should I need to be invited to find out if the locks on your front door are sufficiently resistant to being picked? The door is locked. Leave it alone.

Re:OK, Whatever... (2)

clovis (4684) | about 3 months ago | (#47132023)

I think it is OK if someone drives down the street, identifies houses that leave the front door open, and reports on what they see. That is, so long as they do not go through the door. That would be a crime.

People who leave the door open are enabling and encouraging criminal activity. Oddly enough, I was in a museum just this morning reading some translated Sumerian cuneiform. It was some laws that addressed just this problem. If someone leaves a property unmaintained and it attracts criminals, then that property owner becomes responsible for any thefts occurring next door.

People who have vulnerable systems on the Internet are similarly responsible in some degree for the huge botnets that are often such a plague. People who identify vulnerable systems are doing us all a favor, and as far as I can tell, they are not committing a crime. The law has a concept called "mens rea", which I do not fully understand, but the concept seems to be that if you do not intend harm and do no harm, then there is no crime.

Re:OK, Whatever... (0)

Anonymous Coward | about 3 months ago | (#47132201)

mens rea: "of a/having a guilty mind". It is a sad state of affairs, but mens rea is only required for conviction of some crimes. Much of the criminal code requires no mens rea for being guilty (I heard the percentage of crimes requiring mens rea for guilt was only 40% a few years ago; I've no idea if that's true or even verifiable). This is a real problem, because things like intent don't matter for things like possession of child porn; people are literally serving time for downloading something that was not what it purported to be, immediately deleting it, and in some cases reporting it to the authorities, all because mens rea wasn't required to convict them. It's asinine.

But you're right, intent should matter, and in cases where a judge's hands aren't tied by how the statute is written, it will often come into play. Too many "tough on crime" legislators simply don't care though; they're buying votes at the price of gross miscarriages of justice.

Re:OK, Whatever... (0)

Anonymous Coward | about 3 months ago | (#47132141)

Do you really need to ask? Should I need to be invited to find out if the locks on your front door are sufficiently resistant to being picked? The door is locked. Leave it alone.

Then it becomes a question of practicality. There are people out there who will probe your vulnerabilities (oo-er) for fun and profitssss, and others for the kudos of finding the vulnerability.

The latter will tell you about it (possibly attracting the negative attention of the law), and the former will take your database to bed without first buying it dinner, and probably try to make it do the dishes on the way out (if it can still walk).

So, persecute the thrill-seekers and you will fall foul of the pleasure-takers.

Just because something is illegal, doesn't make it wrong and vice versa - there is such a thing as uncommon sense*.

*re-named for the 21st Century

Re:OK, Whatever... (1)

pr0fessor (1940368) | about 3 months ago | (#47131811)

If you want to research how a deadbolt fails, buy one, test it, and send the results to the manufacturer. If you break into the manufacturer's warehouse to test the deadbolts, or into someone's house, you are going to jail.

Yes, either you are invited as a consultant or you do your research in a controlled environment, but not on someone else's equipment without permission.

Re:OK, Whatever... (0)

Anonymous Coward | about 3 months ago | (#47131961)

Incorrect analogy.

More like only one of these locks was ever produced. You're not invited to test it or make suggestions about it or even see it but it's used to lock up a warehouse that contains copies of your financial records and naked pictures of your mom. The lock happens to be a broken off twig shoved through a shackle.

Re:OK, Whatever... (2)

NatasRevol (731260) | about 3 months ago | (#47131821)

Black hats are always ahead already.

Everyone else is just trying to keep up, or at least not drown.

Re:OK, Whatever... (0)

Anonymous Coward | about 4 months ago | (#47131283)

Putting scare quotes around "security researcher" or adding the adjective "random" does nothing to convert first class security researchers such as H. D. Moore into a script kiddy. Seems to me that reporting a discovered vulnerability to the manufacturer is pretty good evidence that the researcher's motives are pure.

You learn a lot about people and organizations when you point out their own fuckups to them.

Re:OK, Whatever... (0)

Anonymous Coward | about 4 months ago | (#47131433)

Maybe he should get a few babies killed instead - anonymously of course. Maybe they'll listen then.

Re:OK, Whatever... (1)

geekmux (1040042) | about 3 months ago | (#47131547)

industry's top researchers are being threatened by lawyers and law enforcement over their efforts to track down vulnerabilities in internet infrastructure.

Yes, it's surprising when companies get bent out of shape when random "security researchers" hack into their systems uninvited.

Sure, it's nice to know if you are vulnerable, but still, it is difficult to take at "face value" when some random "security researcher" claims to have altruistic aims when caught hacking your network...

Why, because it's so difficult to believe these days that any system would have vulnerabilities that need to be addressed?

Perhaps I would question the source a bit, but being alerted via email isn't exactly the standard Way of the Black Hat. They prefer you find out the hard way, and given that fact alone, I'd probably put some value on the face of the notification.

The legal reaction described is quite pathetic. Hiding behind your lawyers instead of trying to look into an identified problem isn't going to bode well long-term. And hiring a dozen more of them isn't going to get customers to buy your shitty, broken product you refuse to fix.

Re:OK, Whatever... (1)

Jawnn (445279) | about 3 months ago | (#47131553)

but still, it is difficult to take at "face value" when some random "security researcher" claims to have altruistic aims when caught hacking your network...

Why bother? The script kiddies are rattling the doors all day, every day. That noise is always there. One more visitor, or ten, isn't going to make a difference in our threat posture. And if one of those visits results in a discovery that we all benefit from, so much the better.

Re:OK, Whatever... (1)

Cammi (1956130) | about 3 months ago | (#47132207)

AKA Script Kiddy AKA Bubba's Toy (as they deserve).

As it should be (0)

Anonymous Coward | about 4 months ago | (#47131079)

Break the law then pay the price.

Re:As it should be (0)

Anonymous Coward | about 4 months ago | (#47131191)

Except they aren't breaking any laws.

Do you think Google was breaking the law when they found the Heartbleed bug? No? Then shut the fuck up and read the article for once.

Re:As it should be (3, Insightful)

Opportunist (166417) | about 4 months ago | (#47131257)

Now try to explain why it was A-OK for the border patrol to kill the people trying to flee from East Germany because it was the law.

Re:As it should be (0)

Anonymous Coward | about 3 months ago | (#47131581)

Wasn't it OK? Is it any different from the USA killing Afghans with drones? Will you convict the operator?

Double standards, how nice and comfy they are.

Re:As it should be (1)

just_another_sean (919159) | about 3 months ago | (#47131739)

Where did he say it was OK? I'm an American, and no, I don't think what we're doing with drones is OK. Just because it's a law doesn't make it right.

Re:As it should be (0)

Anonymous Coward | about 3 months ago | (#47131963)

Where did he say it was OK? I'm an American, and no, I don't think what we're doing with drones is OK. Just because it's a law doesn't make it right.

As an American, if it was the law, I'd like to see it on unredacted paper. The reasoning and methods for such action, specifically for the US citizen that was struck, have always been under a veil of vagueness. At least during wartime it makes sense, but we haven't officially declared war (done by Congress) since something like WW2.

A nation is (read "should be") formed under the pretense of protecting its members, or citizens. Everyone else comes second. The death of or attack on a foreign enemy is just that; as a nation it does not matter internally and falls into the sphere of foreign politics. A citizen who has not renounced their citizenship should have an open court session and best attempts to contact them if overseas for a court summons. If this had happened and then they declared a death sentence on the person, then the drone strike would be fine. Vagueness can only mean a desire to circumvent the law.

Re:As it should be (0)

Anonymous Coward | about 3 months ago | (#47131689)

Death penalty?

This is what happens... (4, Insightful)

Ynot_82 (1023749) | about 4 months ago | (#47131111)

...when ill thought out laws are passed.

In the UK, it is a crime (under the computer misuse act) to test a 3rd party system for vulnerabilities.

The Heartbleed incident caused a lot of people to break the law testing whether websites were affected.

Re:This is what happens... (-1, Troll)

Frosty Piss (770223) | about 4 months ago | (#47131141)

In the UK, it is a crime (under the computer misuse act) to test a 3rd party system for vulnerabilities.

As it should be. You have no right to hack systems that don't belong to you unless you are asked to do so by the owner.

Re:This is what happens... (4, Insightful)

sinij (911942) | about 4 months ago | (#47131207)

If I have no right to access your public-facing system via public channels, then you have no right to be absolved of responsibility for how your system is used by malicious hackers.

When your infrastructure spams me, or gets zombied into DDoSing me, you will be held responsible for spamming and DDoSing me.

Now, would you like to reconsider your position?

Re:This is what happens... (1)

plover (150551) | about 4 months ago | (#47131251)

Look who you replied to. YHBT. HTH.

Re:This is what happens... (2)

sinij (911942) | about 4 months ago | (#47131383)

Yes. I invoke Poe's lawn in my defense.

Re:This is what happens... (0)

Anonymous Coward | about 3 months ago | (#47131505)

You are an unethical "I Got Mine" tea begging Libertarian, obviously. Fuck You.

Re:This is what happens... (0)

Anonymous Coward | about 3 months ago | (#47131721)

You are not allowed to deface public-facing buildings either; not all uses of the system are equal.

You are not allowed to go vigilante on people in meatspace even if they hurt your feelers; two wrongs do not make a right.

No. why?

Re:This is what happens... (0)

Anonymous Coward | about 3 months ago | (#47131935)

Can you afford to get into a legal battle with the companies spamming you? No? How shocking.

It's not about right or wrong or the morality of it all, but simply whether it's legal or not. If it were illegal, then Microsoft would've gone bankrupt ages ago ...

Re:This is what happens... (5, Insightful)

Opportunist (166417) | about 4 months ago | (#47131237)

So security researchers and/or security reporters in the UK cannot warn about a lot of unpatched webpages in the UK, but hackers all over the globe can hack and abuse them.

Yeah, makes a damn lot of sense.

Re:This is what happens... (0, Interesting)

Anonymous Coward | about 4 months ago | (#47131417)

"Researchers" are generally just dicks looking to make a name for themselves or who can't get gigs. I work as a penetration tester in the UK. If someone pays me and signs an authorization for me to attack their systems, then fair play. If there is no authorization, it is against the law, full stop.

These muppets will end up having us licensed. There is no justification for scanning the internet for vulnerabilities on systems you have no authorization for. It is not their job. They are NOT the internet police!

Re:This is what happens... (1)

thaylin (555395) | about 4 months ago | (#47131473)

There is plenty of justification, such as Heartbleed and other vulnerabilities that pop up all the time. It is your job, so you are biased against these people from the start because it takes POTENTIAL revenue from your company, but to claim it is not their job is a load of BS.

I would be willing to bet that when you penetration test you use known vulnerabilities and not zero-day vulnerabilities; after all, it is your job to test, not to research. And that right there would be why your statement is flawed. If they wanna license, go for it, but don't block what the researchers are doing.

Re:This is what happens... (1)

Opportunist (166417) | about 4 months ago | (#47131485)

Wonder what that license would be like. Think my CISSP cert would do as a stand in?

Gagging people has never really been the solution to anything. Especially not in a world where your local laws mean jack. Unless you can not only get every government on the planet to agree with some kind of law concerning the internet AND get them to actually care to enforce it (good luck trying to get a malware server shut down somewhere in east Asia...), whatever law you conjure is pointless and will ONLY affect and limit the ability of your own people.

Re:This is what happens... (0)

Anonymous Coward | about 3 months ago | (#47131671)

I do pen testing and the AC above does not speak for me. What we do relies on the good will and effort of white hat researchers.

Re:This is what happens... (1)

NatasRevol (731260) | about 3 months ago | (#47131837)

There is no justification for scanning the internet for vulnerabilities on systems you have no authorization for.

Other than to see what hackers are trying to do.
Or see how secure your personal data is on someone else's site.
Or curiosity.
Or learning.
Or lots of other reasonable justifications.

Re:This is what happens... (1)

arshat (3675763) | about 3 months ago | (#47132273)

These muppets will end up having us licensed. There is no justification for scanning the internet for vulnerabilities on systems you have no authorization for. It is not their job. They are NOT the internet police!

By the same token, doesn't that call into question the legality of honeypots used to assess current attack trends? Surely that's entrapment? One day (I'm ever hopeful) people will realise that words on a piece of paper do not make things either right or wrong. Moral judgements trump laws every day all over the world, yet the persecution continues. I wonder why (well, I don't wonder; I know why, and so do you).

Re:This is what happens... (2)

kwiecmmm (1527631) | about 4 months ago | (#47131275)

As it should be. You have no right to hack systems that don't belong to you unless you are asked to do so by the owner.

And what happens if that system has some of your personal information from a previous order or interaction?

I guess we should just throw all of these "security researchers" in jail and anytime an internet vulnerability is announced everyone should just get new logins, new credit cards and just reinvent themselves online. That sounds like the best plan.

Re:This is what happens... (2)

thaylin (555395) | about 4 months ago | (#47131307)

And why should it be that way? The owner is not the only person who uses that system; every person with an account uses it. If you cannot find out whether there is a security hole in the system, then it leaves everyone open to a black hat wanting to steal stuff. It should be illegal to steal data while doing so, or to ransom said bug, both of which are already crimes. It should not be illegal to hack to find and report vulnerabilities.

Re:This is what happens... (1)

jedidiah (1196) | about 4 months ago | (#47131359)

> As it should be. You have no right to hack systems that don't belong to you unless you are asked to do so by the owner.

Sure you do. You have a right to ensure your own safety. You have a right to know whether a device is likely to harm you. Doesn't matter if this is a physical thing or something mostly governed by software.

This includes things "hosted in the cloud".

Re:This is what happens... (2)

Travis Mansbridge (830557) | about 4 months ago | (#47131379)

"Hack" is a pretty ambiguous term. If I discovered that I could log into any account on your service with the password 12345, would it be amoral to report this? Would it be amoral to have even discovered this? Personally, I would say it was only amoral if exploited for one's own gain or to others' detriment.

See... (2)

bbroerman (715822) | about 4 months ago | (#47131117)

This is why we can't have nice things. Companies won't audit themselves, and they get bent out of shape if others do it for them...

Re:See... (0)

Frosty Piss (770223) | about 4 months ago | (#47131155)

This is why we can't have nice things. Companies won't audit themselves, and they get bent out of shape if others do it for them...

You discovered my credit card number. You think it is now OK to run a program to try random PINs until you find the correct one?

Why would you do that?

Re:See... (2, Insightful)

Anonymous Coward | about 4 months ago | (#47131243)

I would say that this is more like:

You leave your credit card on a table under a wet napkin. I look at the napkin and think I can read the number. I look closer and can indeed read the number and exp date. I tell you that your credit card is easily readable, and you should probably do something about it. You then report me to the police for stealing your credit card number.

Re:See... (1)

Anonymous Coward | about 3 months ago | (#47131637)

If you are reading my credit card number while it is under a wet napkin on a table inside my house then you can be sure I will call the police.

Re: See... (1)

Simon Brooke (45012) | about 3 months ago | (#47131767)

That's a really bad analogy. Peering at someone's credit card - even if it is under a napkin - is quite obviously very bad manners indeed. If you're saying unauthorised penetration testing is like peering at someone's credit card, then it's clearly wrong.

And speaking as someone who has his own little toy server out in the cloud, I'd very much prefer to do my own damn penetration testing, thank you.

Re: See... (5, Insightful)

arshat (3675763) | about 3 months ago | (#47132373)

That's a really bad analogy.

It is. It's more like the wet napkin has retained an imprint of the credit card and you have left the napkin behind on the bar. Someone then takes the napkin, hands it to you and says "you want to be careful with these wet napkins, look". You call the police because someone you don't know has your credit card details.

Re:See... (1)

thaylin (555395) | about 4 months ago | (#47131381)

That is in no way what is being reported here. Possibly the initial discovery of the number because of a poorly designed application, but not the trying of PINs. Do you like to come up with fallacies?

Fuck America (1)

Anonymous Coward | about 4 months ago | (#47131119)

In America, any good intentions are met by defensive idiots.

Fuck them. Don't even try to help them anymore; use your research to secure the rest of the world and let them rot in the festering cesspool they created.

Re:Fuck America (0)

Anonymous Coward | about 3 months ago | (#47131751)

Because America is full of offensive idiots pretending to have good intentions.

Re:Fuck America (1)

NatasRevol (731260) | about 3 months ago | (#47131847)

And that's not just the government!

This is the problem with the CFAA. (0)

Anonymous Coward | about 4 months ago | (#47131129)

First weev, now this.

NSA (5, Insightful)

BradMajors (995624) | about 4 months ago | (#47131133)

The NSA and other security services will not want security researchers to find and fix vulnerabilities the security services are exploiting.

Re: NSA (2)

ComputerKarate (659776) | about 4 months ago | (#47131185)

That was my initial reaction. It is not a secret the NSA has a database of ready made exploits that would be thwarted if people fixed their broken gear.

Re:NSA (1)

stewsters (1406737) | about 4 months ago | (#47131195)

+1 Sad But True.

Re:NSA (0)

Anonymous Coward | about 4 months ago | (#47131215)

"That's our turf."

Yep, like usual (0)

Anonymous Coward | about 4 months ago | (#47131475)

The NSA are a bunch of jealous, obsessive, insecure bitches.

Typical, and yet so predictable.

Makes sense... (0, Redundant)

Anonymous Coward | about 4 months ago | (#47131147)

Authorities don't want them finding all their backdoors.

Company Assets (3, Informative)

just_another_sean (919159) | about 4 months ago | (#47131181)

Yeah, how dare they ask these companies to take their heads out of the sand and do something about their customers' security/privacy!

I'm appalled at the amount of "Good, they broke the law" comments in this thread...

Good bye US, hello Russia! (2)

Opportunist (166417) | about 4 months ago | (#47131199)

Odd as it may sound, for security research, you have WAY more liberties there.

An odd idea. (0)

Anonymous Coward | about 4 months ago | (#47131223)

From what I understand, the primary way they can prosecute under the CFAA is if a device is being used other than in the manner in which it is intended.

Why not have the companies liable for releasing a device that has undocumented exploitable features that fall outside the realm of intended use?

My plan won't work (For anyone thinking logically), but it'd shut up the CFAA lawyers.

Re:An odd idea. (0)

Anonymous Coward | about 3 months ago | (#47132181)

From what I understand, the primary way they can prosecute under the CFAA is if a device is being used other than in the manner in which it is intended.

Why not have the companies liable for releasing a device that has undocumented exploitable features that fall outside the realm of intended use?

My plan won't work (For anyone thinking logically), but it'd shut up the CFAA lawyers.

Hey, that would be the final nail in IE's coffin.

No good deed (2)

Kevin Fishburne (1296859) | about 4 months ago | (#47131239)

Why, with all the plenty of cheap resources, technology, entertainment and knowledge, are people still complete assholes? There must be an asshole gene that natural selection has yet to make dormant.

Good (4, Funny)

nurb432 (527695) | about 4 months ago | (#47131321)

Everything is going according to plan.

There are no white hats (3, Interesting)

russotto (537200) | about 4 months ago | (#47131337)

And it's about time the so-called "ethical security researchers" got off their high horses and realized that. There are far too many laws for there to be white hats. If you want to do useful research into vulnerabilities other than those of the company you are a security researcher for, you're going to have to put on the black hat.

Re:There are no white hats (3, Interesting)

MightyMartian (840721) | about 3 months ago | (#47131533)

Which is the technical equivalent of allowing only researchers in the employ of the tobacco industry to research the risks of smoking.

Here's my reply to the lawyers... (0)

Anonymous Coward | about 4 months ago | (#47131363)

You were given notice that your product has vulnerabilities. I had no intention of letting others know about these vulnerabilities until they were fixed.

I did not have to do this and could have anonymously released the vulnerabilities into the wild.

Unfortunately, after your stupid-assed fucktard move of sending me this threatening letter, it seems that the Anonymous group has hacked into the device of yours that I was using to store all of the exploitable vulnerabilities and have released them into the wild.

Maybe next time you'll pull your head out of your ass before sending stupid assed shit like this.

I am releasing a public announcement with full data, full vulnerabilities as well as the full context of your letter(s) and threats to let the world know that you prefer to threaten people who try to help you rather than fixing your problems.

Way to go retards.

BTW - you cannot touch me in any way, shape or form, as your laws do not apply to me, as I am a citizen of Moldavia and sit on the Mutant Jedi Council and have full diplomatic immunity.

So go fuck yourself.

Yours truly,

Anon Y Mous

No Knock Flash Bang for Bayb's FACE (-1)

Anonymous Coward | about 4 months ago | (#47131395)

And WHY do they spy, so they can....
Throw Stun Grenade into Baby's Face.
http://www.activistpost.com/2014/05/swat-throws-stun-grenade-into-toddlers.html

For each incident, the problem reaction, solution applied.
Boston Marathon = Gun Ban Bills
San Diego College = GUN BAN Bills

But, if you step back, might this be an opportunity as well?
Baby's face burned off = Flash Bang Ban Bill, or The Actually Get a Warrant Bill, or the Actually know your target bill, or the Obey your Oath vs Life in Ft Leavenworth bill... I can think of a lot of things, and I am just a dummy.

So instead, let the Corporate Media Steer this issue again? Maybe more bills to crack down on the guy they were after? Ignore accountability, responsibility?

And instead, in the Alternative we can talk about how we have prepared and hardened our homes for Civil War?

I got to tell ya, I'd rather go experiment with my solar panels and hydrogen generation/use/heating/cooking than spend more time on this. It's what I should be doing, instead of wasting years of life reading all the bad news the oath breakers' actions have caused, getting stressed by it and then labelled ODD and losing all your firearms via the Obamacare + DSM 5 + NCIC database + spies breaking the Oath and targeting Americans business.

Cause See, maybe there is something to Browns Gas... Maybe there is a new field of energy. I heard last year a lot of cold people (ya know global warming and all like poor economy bla bla.) What if that guy that shows us we could heat strips of tungsten or a Catalytic converter to generate heat, or re-purpose some of the Propane powered ones that already exist as camping space heaters.

I can generate Hydrogen and electricity ALL DAY, Every Day. You can too! But for every moment I WASTE HERE, is one moment I can't do any experiments.

If you're not going to make the future have new things, at LEAST -- start correcting the media!

When they say things like maybe another smart gun control bill, counter it with "You mean you want anti-Flash Bang and Anti-No Knock bill"

When they repeat their steering, interrupt, and say NO and propose a Anti-Flash Bang bill. And Anti-No Knock bill" (I know that's a double negative, but actually it can be a POSITIVE if everyone had no tolerance for this tyranny .)

We can throw this damned Rothchild / Zionist crap off, but you have to be responsible for your own LIFE! Obamacare.. DSM-5.. Good God...
Aren't you sick of Dual Israel/US Citizens trashing the Bill of Rights and Constitution yet?!
Or your still PC?? e.g. It's just coincidence, all jews controlling all the main things, finance, spying, security, dhs, on and on.

I say there ought to be a bill to remove all DUAL CITIZENS from intelligence commitee, and hold Office in the US. Until they DROP the non US country. And even then I still don't trust em to hold Senate Seats, Congress Seats. I base my Security model starting there. But, they'll whip out that I am anti-semite
Look at Feinstein.... Good god. She hates the Constitution.

the way it should be for TOFC type stuff (1)

RobertLTux (260313) | about 4 months ago | (#47131407)

Mock up a few copies and then dare folks to hack it (sort by remote and physical access type hacks).

When you get something that can stand up to a decent number of hacks (remote hacks that require you to be on the same subnet on a blue moon with a Big$ tool between the hours of 22:00 and 23:59 while the product is in mode X, and physical hacks that would be obvious, don't count), then as a last check you put up a BIG$ bounty on hacks.

Then you can release a cyber product targeting children.

In an unrelated story, (4, Funny)

idontgno (624372) | about 3 months ago | (#47131541)

the mayors of several crime-plagued cities release a joint announcement that reporting apparent crimes in progress to police would result in the arrest and summary punishment of the person making the police report.

"If you losers would stop reporting crimes, we wouldn't have so much crime," one prominent mayor stated to this reporter. "We're going to push down crime rates the only way that works: make it impossible to report a crime."

When asked for a comment, the aforementioned mayor's Chief of Police muttered "Whaddyawant, I'm busy here" through a mouthful of donut while pocketing a thickly-stuffed brown paper envelope proffered by an unidentified man flanked by several apparent bodyguards.

Re:In an unrelated story, (1)

Joe_Dragon (2206452) | about 3 months ago | (#47131607)

Sounds like a Chief Wiggum move.

Lawyer point of view (2)

ArcadeMan (2766669) | about 3 months ago | (#47131579)

I suppose lawyers don't have locks on their homes because there are laws about illegal entry.

Re:Lawyer point of view (0)

Anonymous Coward | about 3 months ago | (#47132085)

there are laws about illegal entry.

What do locks have to do with rape?

Outsource Security Research Now (0)

Anonymous Coward | about 3 months ago | (#47131659)

We should totally leave our vulnerability research up to professionals and foreigners. Our government has teams and teams of computer scientists working to make the world a better place who will tell us if there is a problem we should know about. And China, North Korea, Iran, and Russia will let us know if they find problems on their end so they won't receive so much SPAM.

Solution is Transparency? (1)

silvermorph (943906) | about 3 months ago | (#47131665)

Identifying the good guys is a question of trust, so you can imagine why lawmakers are hesitant to throw trust around willy-nilly. Building a system that shows how that trust is reciprocated and enforced would be a good start.

Seems like there could be a law that tries to differentiate "Research Hacking" by setting requirements to qualify as a researcher. They must provide full transparency to prove they have no malicious intent. They inform law enforcement authorities of their activities before and after the exercise and constantly upload logs of their actions and any data transactions they execute. Maybe on a virtual "research sandbox" machine that deletes itself at the end of the session as an added layer of protection. Then if the vulnerability gets out before it's been reported, maybe that researcher (or people with access to their machine) is a good place to start the investigation, so there's incentive to report vulnerabilities quickly. Overly simplistic, probably not quite workable as-stated, but you get the idea.

Re:Solution is Transparency? (0)

Anonymous Coward | about 3 months ago | (#47131965)

They should sell them to third parties directly, it's probably less hassle, easier to defend in court and probably more profitable.

Is this like picking random locks? (0)

Anonymous Coward | about 3 months ago | (#47131667)

I don't understand what the security researchers are doing. It sounds like they're doing something analogous to physically picking random locks that don't belong to them. It should not be surprising that the lock owners would be annoyed.

Re:Is this like picking random locks? (1)

sinij (911942) | about 3 months ago | (#47131713)

Yes and no. This analogy only holds if unlocking random lock also has a chance to unlock your front door.

Finding and reporting vulnerability is one thing (1)

Stan92057 (737634) | about 3 months ago | (#47131909)

Finding and reporting a vulnerability is one thing; making working programs to exploit the vulnerability available to the mass public is the main problem. They don't belong in the public domain. If a hairdresser needs to get a license to cut hair, why in hell do we not demand security researchers be licensed as well? The answer: they should be required to get one, and the making of tools to exploit vulnerabilities should only be available to licensed researchers. Stop handing over tools to the criminals and stupid teens. That is IMO.

Naturally (1)

PopeRatzo (965947) | about 3 months ago | (#47131921)

Of course security researchers are being targeted by US cybercrime laws.

Who do you think they were designed to stop? Security researchers, whistleblowers and anyone who wants to see the nation's security apparatus held accountable were always the intended targets of these laws. And anyone who believes the Internet should be free and research that impacts the public welfare should be readily available to all.

You didn't think these laws were about Estonian hackers, did you?

License researchers like investigators (3, Insightful)

dave562 (969951) | about 3 months ago | (#47131983)

I work for a company that does a lot of forensics work, including collections activities and incident response. The company has to be licensed as a "private investigator" in all of the states that our employees do collections in.

It seems like a similar licensing regime would be a good place to start for computer security researchers.

It might also be worth considering making the researchers or their employer carry a bond as collateral against any potential damage that they might inadvertently cause.

It has been my experience that when people and organizations have something to lose (like forfeiture of a bond or loss of a license / ability to do business), they tend to act in a more predictable manner, and within well established guidelines.

There might also be some lessons to be learned from maritime law. In a way, researchers are sort of like privateers on the digital oceans. (So yes, once again, pirates ARE better than ninjas. Just in case there was ever any doubt.)

NO, treat researchers like experimenters (0)

Anonymous Coward | about 3 months ago | (#47132165)

If they "act in a more predictable manner, and within well established guidelines", then how do they find the vulnerabilities? Unpredictable behavior tests the system.

Well that's ironic... (1)

Anonymous Coward | about 3 months ago | (#47132317)

I'm a student at Naval Postgraduate School, and every single "cyber" security course taught here could be renamed to "How to use Metasploit to [blank]". There are all of a half dozen of the CS students here that came from any kind of background involving coding, making it necessary to dumb things down to "How to be a script kiddie".

So the makers of the primary tool taught to service members from all branches (Air Force, Marines, etc. all attend there), many of whom are absolutely dependent upon it, are also one of our law enforcement agencies' take-down targets (or, to a lesser degree, are being told at least not to do the very thing that makes them useful to so many). Go figure.

What's the issue here? (1)

PPH (736903) | about 3 months ago | (#47132351)

Law enforcement doesn't want researchers uncovering their backdoors put into consumer products? Or some sleazy manufacturer with defective crap getting a buddy in the FBI to lean on people who might go public?
