Laws Threaten Web Security Researchers

ancientribe writes "A new report from a Computer Security Institute (CSI) working group of Web researchers, computer crime law experts, and U.S. Department of Justice agents explores the effects of laws that might hinder Web vulnerability research. The report, which the group will present on Monday at CSI's NetSec conference, has some chilling findings about how fear of prosecution is muzzling some Web researchers from disclosing to Website operators security holes they find. The bad news is the laws may inadvertently hurt the ethical researchers and help the bad guys."

who cares?

[nanosquid]

If society doesn't want this kind of security research, well, they aren't going to get it and will have to deal with the consequences.

Re:

[56ker]

It's not society that decides it's their elected representatives. However, most - 99% of people don't know the actual texts of the laws surrounding what they're doing. If you look at the actual laws you'll find all sorts of caveats and safeguards that unfortunately when implemented by bureaucrats disappear.

A lot of laws are generally ignored and not particularly well enforced anyway - for instance speed limits here in the UK.

Re:

[lgarner]

However, it's society that elects those representative. Like it or not, a society will get the government that it deserves.

Re:

[beyondkaoru]

unfortunately in a democracy (or democratic republic, or whatever you want to call it), a minority can be controlled by a (often misinformed and/or ignorant) majority. so the majority of the public will get the government they deserve, but what about the other folks? if the minority doesn't like the result of an election, they have to hope next election will turn out better or protest or just leave.

Re:

[56ker]

It's usually not a majority that elected the elected representatives either. In the local government elections here only 13.3% of those who could vote voted for the winning candidate (which with a turnout of 22.4% was enough).

The majority don't vote at all.

Re:

[nanosquid]

Well, then 99% of the people shouldn't complain about the laws and representatives they are getting.

If you look at the actual laws you'll find all sorts of caveats and safeguards that unfortunately when implemented by bureaucrats disappear.

It's my experience that those bureaucrats are usually actually trying quite hard to do something reasonable with the laws they're asked to implement. The laws themselves, however, are often ambiguous because they are political compromises designed not to offend a lot of

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Spazntwich]

I told my kids to stay away from the clock, but it keeps pushing its ignorant linear 24-hour day on them.

Not a problem at all...

[SpzToid]

All we gotta do is outlaw the holes as they become known. And to reduce this so-called zero-day effect, we'll look to the free-market to improve efficiency.

Microsoft One-Care Live (or whatever it is called) sound like a nice name for the service, doesn't?

Re:

[Nullav]

I'm assuming you were trying to be funny, but just in case, I feel like ranting for a few paragraphs.

All we gotta do is outlaw the holes as they become known. And to reduce this so-called zero-day effect, we'll look to the free-market to improve efficiency.

Do you have any idea how long it takes to pass a law, how bloated the books would become with such specific legislation, and how many people would lose sleep over working on this every time someone found a new hole in IE? All we need is legislation that o

In reality

[gmerideth]

A while back, I contacted a major ISP about an opening in their web based mail server system that would potentially expose the email from any account provided you knew the email address you wished to gain access to, not a hard thing to accomplish. I initially contacted the abuse@ department to explain what I found and how I, and here's the kicker, accidentally stumbled upon this. I wasn't looking for it or trying some form of pen-test, it was an accident.

At first I received an email back thanking me for pointing out the issue and a promise it will be resolved. This was then followed up by the busiest conference call I've ever been a participant of in my life where I was all but accused of starting the 1871 Chicago fire.

Thanks turned to anger as the engineers, obviously not wanting to get fired or "blamed" (god forbid anyone in America actually take blame for anything anymore) for this minor yet potentially nasty flaw, swore up and down that there's no way other than "actively attacking" the system could I have exposed this issue and that's when things got nasty.

I was threatened, with federal involvement (they never explained that part), emailed copies of recent arrests of hackers from Australia and told to get a lawyer. Four months later, there has been no follow-up, I've spent only eight-hundred in legal fees (I got lucky there) and the ISP quietly stopped harassing me.

I'm convinced this "attack" against anyone pointing web security flaws is all nested in this deep-rooted fear to admit ones mistakes. Web developers think if they admit a single mistake will never get another web development gig again. Ask yourself, would you hire a company that open admitted to making a security mistake on a website that was discovered? I'm interested in seeing where this goes.

Re:In reality

[packetmon]

Funny you should mention, when I wrote a document on breaking Computrace's so called "LoJack for Laptops [infiltrated.net], I and my then corporate attorney faced all kinds of legal threats, etc.. At the end of the road, they were offering me a substantial return if I signed an NDA and kept my mouth shut. I didn't sign squat, instead I decided since they weren't going to fix their issues and misrepresent their service, I was going public with it, so I posted their emails alongside a written document of what LoJack was/is, what it did, etc., and cc'd them on it. The way I saw it was, If they're selling this to governments under the guise of security as their site states, those purchasing their product should know its snake oil. I received a few more emails of threat here and there and shrugged it off. Let them spend a kabillion dollars in legal fees debunking me and taking me to court. It would only draw attention in a court of law that I'm correct to post the insecurity of their program 2) they misrepresented it, 3) the media surrounding what's going on would hurt them more then help them.

Re:

[JasonBee]

You shoudl go sell that knowledge to heckers from Russia for 800.00 nd recoup your losses. Make them sign an NDA and use a pseudonym.

If they choose to look a gift-horse in the mouth then fie on them.

You should have tried the emails of the president. That would have been useful.

JB

Re:

[Nullav]

I think that anyone who knowingly disregards a security hole which compromises the privacy of a customer should be treated the same way as a company that gives away the same information without explicitly stating such.
What do you think would happen to a phone company that posted several TB of recorded conversations online? Should it be any different for an ISP that knowingly leaks e-mail correspondences?

The fatal flaw

[L0neW0lf]

People who wish to do illegal things will scoff at this law and do what they wish. They aren't concerned with being caught, and have no intention of reporting their findings anyway.

People who wish to do what is right will be prevented from doing so, as disclosure will land them in trouble, rather than fix problems. Soon, no-one will report problems, and those who wish to do what is right may no longer even research security flaws, due to the consequences of reporting their findings.

Tell me how law like this is good for anyone, other than criminals themselves?

Government Intrustion

[packetmon]

"The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding." -Judge Louis Brandeis Should the government attempt to impose legislation to criminalize security research, they'd have to understand they'd be opening a Pandora's box to heavy hitting criminal enterprises... Sound "tagline'ish"? Imagine something similar to TOR where people would be exchanging PoC and exploits for currency. Imagine the amount of administrators trying to run and put out brushfires on their systems because they had no forewarnings. Currently full disclosure and research are the sole mechanisms which a lot of administrators use to secure systems... That's like taking away a tornado early warning system from county that's prone to get hit by tornadoes. You have to love the idiocy of this government at times, hence the quote re-quoted... "insidious encroachment by men of zeal, well-meaning but without understanding. ... "Experience teaches us to be most on our guard to protect liberty when the government's purposes are beneficent." -Judge Louis Brandeis Beneficial to the government here is their own misconception that halting security research will halt attacks and perhaps drive e-crime down. Sure it will go down, only down to the underground were attacks will be more silent and effective and cause more harm then the government understands.

simple solution

[Anonymous Coward]

inform the systems admin anonymously and tell them they will be watched and if the security hole is not patched soon you will go public with the info...

i am posting this comment anonymously to protect my identity ;p

Re:

[Anonymous Coward]

...and you could involve a 419 style extortion scheme where you involve an intermediary to help transfer funds for a certain percentage. Demanding payment in order to keep the flaw secret. But really, all this secrecy just means less secure systems and more people will get victimized in the long run. Full disclosure is the way to go, and embarrassing the companies that refuse to fix their broken systems is totally fair. Pretending we're perfect and don't make mistakes just makes us deluded idiots. Better to

Inadvertently?

[ScrewMaster]

The bad news is the laws may inadvertently hurt the ethical researchers and help the bad guys.

Inadvertently? I don't think so. This kind of stuff is often done on purpose, and not always for the stated reasons.

I wrote a law review article on this

[Ethan Preston]

I wrote a law review article on this here: http://www.eplaw.us/data/ComputerSecurityPublicati ons.pdf [eplaw.us]

My analysis was pretty economics-based, if I remember correctly (it was published in 2002).

The best First Amendment-side analysis was done by Eugene Volokh. Gene's paper considered much broader issues than our own paper.
http://www.law.ucla.edu/volokh/facilitating.pdf [ucla.edu]
http://www.law.ucla.edu/volokh/facilitatingshorter .pdf [ucla.edu]

His paper, if I remember correctly, would expand liability further than I woul

Re:

[account_deleted]

Comment removed based on user account deletion

just web?

[delirium of disorder]

The article summery mentions "web" or "website" five times. I expect the corporate media to confuse http with the whole Internet, but slashdot should be better. Don't these laws impact security researchers investigating POP, SSH, SMTP, IMAP, various game services, various chat services, and etc other Internet protocols just as much as http? Why only point out the impact on the web in that case?

An easy fix for this one...

[grapeape]

So you cant personally disclose the vulnerabilities to the site operator...then anonymously offer them up to the public instead. Let the script kiddies and black hats get ahold of them for a couple days. The messsage might get painful but at least they will be made aware of the problem. This hide your head in the sand and pretend everything is ok approach to internet security is both poor and dangerous. Optimally rather than holding white hat's responsible for finding holes there should be regulation not only absolving the white hats but holding the site owner liable if the problem is not fixed. Of course I think ISP's should also share responsibility for zombied PC's on their network as well, but they are paying customers so we just do nothing and whine about the problem instead.

Re:

[Chandon Seldon]

If private disclosure is illegal, then anonymous public disclosure is absolutely the right plan.

Personally, as a web service provider, I would post a relatively prominent policy on my site that "security related bug reports are happily accepted, we won't sue you for being neighborly and helping us". I'm all for full disclosure, but I have no interest in turning down a free pre-notification of my security issue.

Dadvsi again ?

[Seferino]

This kind of law has been voted in France about one year ago. I've followed that one quite closely as, well, I'm a French researcher in the field of security. So far, the law hasn't been applied, but if it is ever makes it to a court with a judge who decides to apply it literally, I might well:

• Go to jail because I've tinkered with a web site (playing with POST or GET) -- because I've actively been looking for a security breach.
• Go to jail because I've taught my students that things like eval() (in JS or

Re:

[I)_MaLaClYpSe_(I]

I felt very sad when FrSirt [frsirt.com] pulled their PoC exploits off the net. It's a shame!

Generally, the whole European Cybercrime Convention is very sad. I for one do not welcome our new data retention legislation overlords, they shall go to hell!

I think it's time for someone to found a new resistance movement leading us to the revolution that will not be televised. Anyone willing to apply for the job? No? Oh, you mean, because fighting is useless as we do not have any rights anymore protecting our privacy?

Rig

FYI, 31!73 ethics is not law based.

[OldHawk777]

Render to Caesars' what is Caesar's, render to others, as a ghost, what should be done.

When crucified by Caesars' laws, hope it is not due to a sin of pride or self-exposure.
Elite defense is always that pseudo-proof can only be spun-truths by Caesars' minions.
Also, Caesars' minions can create (never prove) spun-truths, except in witch-hunt courts.

When in the world/lands of Caesars always hide and lie to avoid fry and die legal services.
Witch-hunt forensics are for criminal persecution of heroes and innocent

Re:

[Chandon Seldon]

tomorrow will be better.

Legally, things tend to get worse rather than better. There is economic reinforcement of bad legal policies, and there's no motivation for lawmakers to fix them.

Re:

[Oswald]

Dude. Your homepage: no Steppenwolf [steppenwolf.com]?

Oh, and I think your post might be one of those things like Eliot's The Wasteland, where it takes a book six times as long as the original to explain it (cause I'm well and truly lost). Or else you're high.

Re, Whoops:FYI, 31!73 ethics is not law based.

[OldHawk777]

We must be fair to each other; can we agree, that if we are real and truly wasted in a Tough Shit Eliot Wasteland, that it is somehow appropriate that we are here/there together, 'knowing the place for the first time' after all is wasted and lost. All, humanity more than, I 'fear in a handful of dust." maybe a few more, but all wasted together of no great cosmic consequence. Boy; dude, this is a bummer trip I hope we all get off quite soon, with morphine there is less pain, and we can still fain as if human

Details about the report

[__aapopf3474]

PR News Wire Article [prnewswire.com] has more details on the report:

CMP Technology's Computer Security Institute Creates Cross-Disciplinary Group of Web Security Researchers, Computer Crime Law Experts and Agents From the U.S. Department of Justice to Discuss Web 2.0 Research Roadblocks

Group's Initial Report to Be Released at Computer Security Institute's NetSec Conference on June 11

SAN FRANCISCO, June 4 /PRNewswire-USNewswire/ -- The Computer Security Institute (CSI) today announced it has formed a cross-discipli

Inadvertently?

[HiThere]

Sorry, this doesn't look inadvertent to me. It looks like the people in charge of various systmes don't like being told that they aren't doing their jobs properly, so they are arranging to "shoot the messenger".

In such circumstances, it doesn't pay to be a messenger. If you are one, the only sane thing to do is to lie, and report only good news. Then it comes as a totally unexpected surprise to the ones in power that they have lost whatever they were trying to defend. Totally unexpected. At this point

ObParaphrase

[idontgno]

When exploits are outlawed, only outlaws will have exploits.

Of course it will help the bad Guys

[JohnnyGTO]

When ever a government gets involved they make things worse. Thats why the old joke "We're from the government, we're here to help" is so funny!

Re:just web?

[LittleDobbs]

I think the answer to this is who the researcher is contacting. If I find a flaw in HTTP I would not be contacting Joe Smoe's website developer company, I would be contacting other research groups W3C etc and the OS providers. Linux, Microsoft, Apple etc. The later group would be more likely to look at you as a researcher while the former assumes you are a thug. At that point the law doesn't matter. I seriously doubt OpenBSD group is going to prosecute if you find a flaw in SSH.

*sigh*

[jafac]

I know it's a tired and old cliche, but;

If Security Research is outlawed, ONLY OUTLAWS WILL DO SECURITY RESEARCH.

And that's not a desirable state of affairs, when you think about it, really.

First Rule

[StikyPad]

The first rule of web security research is that you do not discuss web security research.