
Is It Illegal To Disclose a Web Vulnerability?

kdawson posted more than 7 years ago | from the responsible-schresponsible dept.

Security 198

Scott writes "I'm submitting my own story on an important topic: Is it illegal to discover a vulnerability on a Web site? No one knows yet, but Eric McCarty's pleading guilty to hacking USC's web site was 'terrible and detrimental,' according to tech lawyer Jennifer Granick. She believes the law needs at least to be clarified, and preferably changed to protect those who find flaws in production Web sites — as opposed to those who 'exploit' such flaws. Of course, the owners of sites often don't see the distinction between the two. Regardless of whether or not it's illegal to disclose Web vulnerabilities, it's certainly problematic, and perhaps a fool's errand. After all, have you seen how easy it is to find XSS flaws in Web sites? In fact, the Web is challenging the very definition of 'vulnerability,' and some researchers are scared. As one researcher in the story says: 'I'm intimidated by the possible consequences to my career, bank account, and sanity. I agree with [noted security researcher] H.D. Moore, as far as production websites are concerned: "There is no way to report a vulnerability safely."'"

198 comments

It ought to be (0)

Anonymous Coward | more than 7 years ago | (#17635374)

People shouldn't stick their nose where it doesn't belong.

What if some Peeping Tom was leering at your daughter through the window, "to check for vulnerabilities in your home security"? It doesn't sound so good now, does it?

Re:It ought to be (4, Insightful)

LiquidCoooled (634315) | more than 7 years ago | (#17635438)

It depends if your daughter's bedroom is on a shopfront on Rodeo Drive (or wherever).

Expecting privacy on a publicly advertised service is different to people using zoom lenses to peer through the fence of your gated community.

Re:It ought to be (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17635594)

Wait, wait... what you want is right on the tip of your tongue... oh, wait a minute, that's spooge.

The REAL question remains unanswered after all these years: Just why ARE all Macintosh users homosexual? And why DO the authorities decline to prosecute them for homosexual behavior. Hell, if adulterers can get life imprisonment in Michigan, is it so hard to do something similar to the fanboi's who really are dangerous and annoying?

In your heart, you know I'm right.

Re:It ought to be (3, Insightful)

jimlintott (317783) | more than 7 years ago | (#17635892)

It would be perfectly legal to stand on the street and stare at my naked daughter through her bedroom window.

She has drapes for this.

Re:It ought to be (4, Funny)

Anonymous Coward | more than 7 years ago | (#17636016)

Two questions:

Is she cute?
Does she use her drapes?

Re:It ought to be (4, Insightful)

rootofevil (188401) | more than 7 years ago | (#17636602)

In most states it would be illegal for her to stand in view of someone in the street naked. What does that say about website vulnerabilities?

Re:It ought to be (1)

haggie (957598) | more than 7 years ago | (#17637172)

Does the carpet match?

So is it illegal too... (2, Insightful)

DanQuixote (945427) | more than 7 years ago | (#17635400)

paste up a poster in the town square, announcing that the lock is broken on the back of the hardware store?

How is this different?

Re:So is it illegal too... (1)

xENoLocO (773565) | more than 7 years ago | (#17635456)

Paranoia and the DMCA.

Re:So is it illegal too... (2, Informative)

SpaceLifeForm (228190) | more than 7 years ago | (#17635574)

If the poster is not signed, who can be blamed?

The problem is that there are many emperors that want to believe in security by obscurity, and when told they have no clothes, would rather shoot the messenger than face reality.

Re:So is it illegal too... (1)

FormulaTroll (983794) | more than 7 years ago | (#17635628)

Instead of a hardware store, what if it's a bank? What if it's the bank you keep your money in? And what if they ignored you when you brought it to their attention? It's likely you'd put your money in a different bank, but would it be illegal to warn friends and neighbors of the issue?

It is a little different (2, Insightful)

gelfling (6534) | more than 7 years ago | (#17635726)

It's more like advertising that a given brand and implementation of a lock is faulty. It may or may not impinge on you but in either case it's general enough to be of benefit to people besides you. Would you like to know that every model of the car you own happens to accidentally use the same key? I would.

Re:So is it illegal too... (5, Insightful)

Kadin2048 (468275) | more than 7 years ago | (#17636136)

It's not, except that what gets people in trouble, is when they try to take credit for a vulnerability they've found in a production website.

I doubt that you'd get in trouble -- and how could you? -- if you submitted the vulnerability, or even publicized it, anonymously. There are lots of ways to do this; Mixmaster comes to mind, and is practically invulnerable to tracing, particularly when your potential adversary isn't expecting an anonymous communication to come in.

If you found a problem, realize that no good is ever going to come to you because of it, and don't expect to ever be rewarded or thanked. Once you've acknowledged those things, there's no reason to attach your name to it, when you let them know.

It's when you try to have your cake and eat it too -- point out someone else's problem while getting rewarded for it -- that the problems really begin.

Re:So is it illegal too... (2, Insightful)

kalirion (728907) | more than 7 years ago | (#17637414)

What if you want to let the store owners know that the lock is broken? When they ask "how do you know?" you reply "Well, I touched the lock, and it fell apart." So they turn you in for vandalism and breaking and entering.

Test my house for security vulnerabilities (1)

Timesprout (579035) | more than 7 years ago | (#17635412)

And if I catch you, you are going to get seven shades kicked out of you. Pissing about with what's not yours always has repercussions.

Re:Test my house for security vulnerabilities (2, Insightful)

Anonymous Coward | more than 7 years ago | (#17635584)

Colorful analogy, but most vulnerabilities are not specific to one person's machine. Would you go "kick someone's ass" for finding a flaw in their own house's security that just happened to affect you too?

Re:Test my house for security vulnerabilities (4, Insightful)

fireboy1919 (257783) | more than 7 years ago | (#17635600)

Not really a good comparison since your house is private and websites are essentially open to all comers.

It's more like checking the locks on the backside of a Walmart. Suspicious, but not illegal, and not nearly as unethical.

Heck, you may actually have a legitimate reason to be back there - such as offloading goods from a truck.

The same can be said for security vulnerabilities in websites. You can easily stumble across them when you're not even looking in places that you're supposed to be.

Re:Test my house for security vulnerabilities (1)

cptgrudge (177113) | more than 7 years ago | (#17636772)

It's more like checking the locks on the backside of a Walmart.

Even the backside might not be necessary. Who hasn't walked up to a storefront entrance with the intent of going in and been rebuffed by a locked door before seeing the store's hours?

Re:Test my house for security vulnerabilities (4, Insightful)

russ1337 (938915) | more than 7 years ago | (#17635752)

Would you say anything if you were in an airport and noticed a door unlocked and ajar leading from the public area to the tarmac around the aircraft?

Re:Test my house for security vulnerabilities (1)

Timesprout (579035) | more than 7 years ago | (#17636428)

No and I would not say anything and I would just laugh if I saw you checking if these airport doors were locked and several heavily armed men drag you off for a little question and rectal examination time.

Re:Test my house for security vulnerabilities (1)

russ1337 (938915) | more than 7 years ago | (#17637060)

>>>"No and I would not say anything and I would just laugh if I saw you checking if these airport doors were locked and several heavily armed men drag you off for a little question and rectal examination time."

I wouldn't try the doors either. But, if I saw one open then I'd tell someone, just the same as when I've seen baggage unattended for a suspiciously lengthy period.

But relating this to the article, and this is where the contention starts: The web doesn't easily discriminate between 'seeing the door ajar' vs 'checking to see if the door is unlocked'. And one takes risks when bringing either to the attention of the 'authorities'. Thus my analogy falls down as I'm not about to raise a broken website with anyone (it's not like I'm going to wait on their 1-800 number for 45 minutes) - I'll just carry on with my day.

Re:Test my house for security vulnerabilities (1)

gaspar ilom (859751) | more than 7 years ago | (#17636910)

No, it's more like identifying that Walmart, Sears, Target and others use a particular brand + model of lock -- one that is basically defective because anyone can open them in some trivial manner.

(say, by jiggling the door handle a certain way.)

Re:Test my house for security vulnerabilities (2, Interesting)

Impy the Impiuos Imp (442658) | more than 7 years ago | (#17637586)

It's not illegal to stand on the corner and say, "That house over there is selling cocaine for $10."

It is illegal to stand on the corner and say, "That house over there is selling cocaine for $10." when you are hired by the cocaine house.

So are these people saying, "Product X sux because of this vulnerability xyz here, exploitable via abc", and that's that, or are they saying, "Product X sux because of blah blah blah, and company X, could you pay me $10 or I'll release the info?"

Moot issue? (0)

Anonymous Coward | more than 7 years ago | (#17635420)

Why not just disclose them anonymously through tor or the like? Nobody can prosecute you then.

Re:Moot issue? (0)

Anonymous Coward | more than 7 years ago | (#17635524)

Because the type of people who publish these security holes mainly do it for the glory of being the one to discover the flaw. If it's published anonymously then they get no credit.

Re:Moot issue? (1)

fishbowl (7759) | more than 7 years ago | (#17635740)

Well, if the "credit" reward is worth the risk to them, there is clearly no problem.

Re:Moot issue? (1)

russ1337 (938915) | more than 7 years ago | (#17635830)

Or put it up for Auction on a Russian hacker site with a reserve for $5k, and use the money to flee the country....

Re:Moot issue? (0)

Anonymous Coward | more than 7 years ago | (#17636724)

I don't know what your standard of living is, but it would take a hell of a lot more than US$5,000 for me to flee the country and set up somewhere else.

Re:Moot issue? (4, Informative)

wizzard2k (979669) | more than 7 years ago | (#17635840)

You could report it through a 3rd party like The Zero Day Initiative [zerodayinitiative.com] , a division of 3com's Tipping Point [tippingpoint.com] intrusion prevention service.

That gives small time security experts a platform of anonymity to disclose vulnerabilities to anyone (not just 3com's customers) while retaining the possibility of a reward.

no good deed (1)

User 956 (568564) | more than 7 years ago | (#17635428)

Eric McCarty's pleading guilty to hacking USC's web site was 'terrible and detrimental,' according to tech lawyer Jennifer Granick.

No good deed goes unpunished. The lesson here is, let the poor bastards find out about the problem after it's too late.

Re:no good deed (2, Funny)

DrugCheese (266151) | more than 7 years ago | (#17635510)

That's where it's headed probably. White hats will be forced to keep their mouth shut and giggle to themselves.

Re: No good deed goes unpunished (2, Informative)

nadamsieee (708934) | more than 7 years ago | (#17635532)

In the interest of full disclosure, Clare Boothe Luce said that [brainyquote.com] . :)

Boo! (0, Offtopic)

Karganeth (1017580) | more than 7 years ago | (#17635440)

Shameless self promotion!

Discover, or try to discover? (5, Interesting)

gstoddart (321705) | more than 7 years ago | (#17635444)

Is this about discovering a vulnerability, or trying to discover a vulnerability?

If I click a link, and something breaks, and I've 'discovered' a problem, I've probably not done anything. It just broke, and I was the one who was there.

If I try to find a problem, and do (even if I don't exploit it), then I might have been doing something I shouldn't.

A real world example would be, if you get caught outside of a door, trying to pick the lock, and then claim you were trying to ensure their locks were safe, you might get charged with attempted B&E. You don't get to do a security audit on people's front doors.

As much as we like to separate people into black hats and white hats, if you were trying to jimmy the lock, for whatever reason, you were probably doing something you shouldn't have been.

Just my 2 cents, anyway.

Re:Discover, or try to discover? (1)

Chapps (1037508) | more than 7 years ago | (#17635672)

The problem I find with that, is that it leaves room for somebody who was purposely trying to find security flaws to go about and say, "But I found it on accident!"

It sounds like a nice defense to say you found it on accident (even if you actually did), but in the end, it won't make a difference.

Re:Discover, or try to discover? (3, Interesting)

gstoddart (321705) | more than 7 years ago | (#17635866)

The problem I find with that, is that it leaves room for somebody who was purposely trying to find security flaws to go about and say, "But I found it on accident!"

Well, I guess, like any legal matter, one hopes there is a threshold of evidence to indicate one way or the other, and that people are looking at it on a case-by-case basis.

If I bump into an owie on someone's site, send them a friendly "hey, did you know this", and the logs don't indicate that I spent a few hours entering in junk, then, maybe, I need the benefit of the doubt and I was a nice guy who told them of something unusual as soon as it happened.

If I spent hours putting in malformed urls, experimenting with SQL injection, XSS stuff, and the logs show it, then maybe you need to look at me a little closer as someone who was specifically trying to breach their security.

Like any such thing, I would hope it's not a truly black or white distinction -- I would hate to think that accidentally discovering a bug on a web page, which was a vulnerability, was a crime. That would mean that you were guilty of committing a crime, when in fact, you found a bug in someone's software. And *that* is scary indeed!!

You do raise a good point; but sometimes it's better that the law use our nice little presumption of innocence and we miss people, as opposed to a presumption of guilt, and we arrest innocent people.

Cheers
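gstoddart's distinction above, one stray hit versus hours of malformed URLs that show up in the logs, is something a site operator can actually check rather than guess at. The following is an added example, not code from this thread or from any site mentioned in it; the log lines, addresses, paths and thresholds are constructed for illustration. It parses Apache combined-format access log lines, flags request targets that match a few injection and traversal signatures, notices a client walking consecutive numeric IDs, and classifies each client as a single isolated hit, sustained probing, ID enumeration, or clean.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access log (Apache combined format). Addresses, paths and
# timestamps are invented for this example; they are not from any real site.
SAMPLE_LOG = """\
203.0.113.77 - - [15/Jan/2007:09:58:40 +0000] "GET /index.html HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
192.0.2.10 - - [15/Jan/2007:10:00:05 +0000] "GET /search.asp?q=%27%20or%20%27a%27%3D%27a HTTP/1.1" 500 512 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Jan/2007:10:01:12 +0000] "GET /viewapplication.asp?applicantid=12345 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Jan/2007:10:01:40 +0000] "GET /viewapplication.asp?applicantid=12346 HTTP/1.1" 200 4098 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Jan/2007:10:02:03 +0000] "GET /viewapplication.asp?applicantid=12347 HTTP/1.1" 200 4101 "-" "Mozilla/5.0"
203.0.113.5 - - [15/Jan/2007:10:02:31 +0000] "GET /viewapplication.asp?applicantid=12348 HTTP/1.1" 200 4077 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Jan/2007:11:00:01 +0000] "GET /search.asp?q=%27%20OR%201%3D1-- HTTP/1.1" 500 512 "-" "curl/7.15"
198.51.100.9 - - [15/Jan/2007:11:00:03 +0000] "GET /search.asp?q=%27%20UNION%20SELECT%20null-- HTTP/1.1" 500 512 "-" "curl/7.15"
198.51.100.9 - - [15/Jan/2007:12:14:09 +0000] "GET /search.asp?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1880 "-" "curl/7.15"
198.51.100.9 - - [15/Jan/2007:13:05:10 +0000] "GET /download.asp?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 290 "-" "curl/7.15"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures of deliberate probing, matched against the URL-decoded target.
# The SQL tautology uses a backreference (1=1, 'a'='a') so ordinary queries
# that merely contain the word "or" are not flagged.
PROBE_PATTERNS = {
    "sqli": re.compile(
        r"\b(?:or|and)\b\s+'?(\w+)'?\s*=\s*'?\1\b|\bunion\b\s+(?:all\s+)?select\b"
        r"|;\s*(?:drop|update|delete|insert)\b|'\s*--", re.I),
    "xss": re.compile(r"<script\b|javascript:|\bon(?:error|load|click|mouseover)\s*=", re.I),
    "traversal": re.compile(r"\.\./|\.\.\\"),
}


def parse_line(line):
    """Return (ip, timestamp, raw target, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["target"], int(m["status"])


def longest_consecutive_run(values):
    """Length of the longest run of consecutive integers in `values`."""
    best = run = 0
    prev = None
    for v in sorted(values):
        run = run + 1 if prev is not None and v == prev + 1 else 1
        best = max(best, run)
        prev = v
    return best


def classify(log_text, probe_threshold=3, enum_run=3):
    """Summarise each client. The thresholds are assumptions, not standards."""
    per_ip = defaultdict(lambda: {"probes": 0, "kinds": set(), "first": None,
                                  "last": None, "ids": defaultdict(set)})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, target, _status = parsed
        rec = per_ip[ip]
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        decoded = unquote_plus(target)  # decode once, for signature matching only
        kinds = [name for name, rx in PROBE_PATTERNS.items() if rx.search(decoded)]
        if kinds:
            rec["probes"] += 1
            rec["kinds"].update(kinds)
        parts = urlsplit(target)  # parse_qs does its own decoding of each value
        for param, values in parse_qs(parts.query).items():
            for value in values:
                if value.isdigit():
                    rec["ids"][(parts.path, param)].add(int(value))
    summary = {}
    for ip, rec in per_ip.items():
        run = max((longest_consecutive_run(s) for s in rec["ids"].values()), default=0)
        if rec["probes"] >= probe_threshold or len(rec["kinds"]) >= 2:
            verdict = "sustained probing"      # hours of junk, several techniques
        elif run >= enum_run:
            verdict = "id enumeration"         # walking applicantid=12345, 12346, ...
        elif rec["probes"] == 1:
            verdict = "isolated hit"           # one odd request: benefit of the doubt
        else:
            verdict = "clean"
        summary[ip] = {
            "verdict": verdict,
            "probes": rec["probes"],
            "kinds": sorted(rec["kinds"]),
            "max_id_run": run,
            "span_minutes": round((rec["last"] - rec["first"]).total_seconds() / 60, 1),
        }
    return summary


if __name__ == "__main__":
    for ip, info in classify(SAMPLE_LOG).items():
        print(ip, info)
```

Two caveats a practitioner would add: signature lists like this miss anything encoded or split across parameters and will still misfire on unusual but legitimate input, so the output is a triage aid for reading the logs, not a verdict on intent; and the log only records what reached the server, so it cannot distinguish a person who typed one odd URL by hand from a scanner that sent one and moved on.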

Re:Discover, or try to discover? (2, Insightful)

haddieman (1033476) | more than 7 years ago | (#17635702)

I would have to agree with you on this. The problem is that, with the internet, it is a lot easier for people to do this and not "feel" like they are doing anything wrong. Sure, most people aren't going to risk being caught trying to pick someone's lock when it's on their back door, but when you are sitting in your room at your computer it is much easier to feel that you either won't get caught or that people will appreciate your "helpfulness" even though, in real life people will still feel like their privacy has been violated, regardless of whether your intentions were good or not.

Re:Discover, or try to discover? (1)

Daemonstar (84116) | more than 7 years ago | (#17635792)

Exactly. This is the crux of the issue: intent. Almost all crimes must have an actus reus (act) and mens rea (mental state), depending on the law/state. If the mental state (including criminal negligence) doesn't fit with the crime, then there is no crime to prosecute (see your state's penal code for definitions for "culpable mental states"; in the Texas penal code it's Title 2 Chapter 6).

This, however, is different in civil courts.

Re:Discover, or try to discover? (3, Interesting)

ACMENEWSLLC (940904) | more than 7 years ago | (#17636028)

This is a gray area.

One of my network magazines that I get at no charge by filling out survey information had expired. I got a phone call and the person on the line asked me to renew. She provided a generic website address, and then a unique ID.

The problem was that the Unique ID was not random. It was something like 123456. When I put this in, it wasn't just a questionnaire. It had my personal information. I could put in 123457 or 123455 and bring up the personal information of someone else.

It is a web vulnerability, imo, caused by improper security on my personal data.

This doesn't match up with your simile of picking a lock.

I did report this, and the company did change their website. I reported it on the phone as I was talking to the person, as well as by e-mail.

Re:Discover, or try to discover? (3, Insightful)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17636112)

A real world example would be, if you get caught outside of a door, trying to pick the lock, and then claim you were trying to ensure their locks were safe, you might get charged bith attempted B&E. You don't get to do a security audit on people's front doors.

I don't buy that analogy. Breaking and entering is a crime. Theft is a crime. Exploiting computer vulnerabilities is a crime. I'm not sure finding computer vulnerabilities is or should be a crime. I could just as easily use the analogy, "looking at the windows of houses to see if they are open or unlocked is not a crime, but climbing through a window is."

I think laws that rely upon somehow knowing the intent of the person performing an act are pretty poor laws. If I go tell you your locks are really old and can be opened with a plastic fork because I noticed it while walking by, and you happen to run a store I do business with and hence have my CC# on file, that sure shouldn't be a crime. If I write a letter to the editor of the newspaper saying the same, it should not be a crime. If I notice on your Web site the same level of e-security, I don't see how it is qualitatively different.

Re:Discover, or try to discover? (2, Insightful)

gstoddart (321705) | more than 7 years ago | (#17636410)

I think laws that rely upon somehow knowing the intent of the person performing an act are pretty poor laws. If I go tell you your locks are really old and can be opened with a plastic fork because I noticed it while walking by, and you happen to run a store I do business with and hence have my CC# on file, that sure shouldn't be a crime.

I'm gonna divide that into two halves ... the one that makes sense, and the other.

If you truly 'walked by' and noticed the windows, and told me about it, that's like notifying the site owner -- it's a nice thing to do, the site/business owner may not immediately act upon it, but they know; and they presumably rely on the fact that it's not widespread information. If you were going house to house trying to open windows, I bet you'd be in a different legal position. If you then went to a known burglar with the information, well, you're no longer just doing something nice and innocent now, are you??

For the second half ... WTF does having, or not having, your credit card # on file apply to this?? It seems a bit spurious to the conversation at hand, and I'll treat it as such. :-P

If I write a letter to the editor of the newspaper saying the same, it should not be a crime. If I notice on your Web site the same level of e-security, I don't see how it is qualitatively different.

Hmmmm .... you 'discover' (either by playing or quickly deducing) a vulnerability. You write a letter to the editor saying that someone's windows are faulty, or they hide their spare key under the plant on the porch, or the combination to their security system is 1234 .... I don't think you've idly done nothing. You've made available to people the means to commit an illegal act. The fact that it was just there for anyone to see (or you spent three hours trying to find it) doesn't mean you wouldn't have anything to do with them getting robbed.

That's very naive -- "I can tell everyone how to break into your house, and I have no consequences" -- just doesn't sit well with me. I would say if you are going around telling people exactly what they need to do to break into my house, you have the happy fun of being an accessory, or a party to a conspiracy to commit a crime. You haven't done some public service.

I realize people figure that white hats should scream really loud so everyone knows the vulnerability, because the black hats wouldn't. But, telling the black hats how to do it, you no longer get to say you're better than they are. In fact, you're probably worse, because you were the one casing the joint, as it were.

Telling about exploits, especially in open forums where people with less honourable intentions might be, isn't necessarily a noble thing. You don't have an obligation to ensure that everyone in the world knows how to open every unsecured lock.

Cheers

Re:Discover, or try to discover? (3, Insightful)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17637302)

If you then went to a known burglar with the information, well, you're no longer just doing something nice and innocent now, are you??

Yes, but no one is claiming you should be able to find vulnerabilities and give or sell them to blackhats, merely make them public or inform the site operator without worrying about being sued.

For the second half ... WTF does having, or not having, your credit card # on file apply to this?? It seems a bit spurious to the conversation at hand, and I'll treat it as such.

No it isn't. If they have your credit card on file (as many e-businesses might) then you have a business relationship with them and a vested interest in their security. It is perfectly legal and sometimes industry practice to hire private investigators to look into the security of current or proposed business partners.

I don't think you've idly done nothing.

You've done something, but nothing illegal.

You've made available to people the means to commit an illegal act. The fact that it was just there for anyone to see (or you spent three hours trying to find it) doesn't mean you wouldn't have anything to do with them getting robbed.

So what if the local bank, where the whole town keeps their money, tends to leave the back door propped open and the safe unlocked? Should it be illegal for me to tell the paper or the paper to write an article letting everyone know they should take their money out? Should you have to be concerned about being sued if you write the bank manager and let him know what is going on?

I realize people figure that white hats should scream really loud so everyone knows the vulnerability, because the black hats wouldn't. But, telling the black hats how to do it, you no longer get to say you're better than they are. In fact, you're probably worse, because you were the one casing the joint, as it were.

Not at all. Whitehats do not profit from illegal actions and are aiming to improve overall security. Full disclosure is not always the best way to go about improving security, but sometimes it is. Why you think only in terms of full disclosure, however, is a mystery to me. Even the summary specifically mentions people being sued for just telling the Web service provider that the service has vulnerabilities in it.

You don't have an obligation to ensure that everyone in the world knows how to open every unsecured lock.

No, but sometimes telling the public how to open a particular lock is the best way to improve security. If Diebold starts selling a new combination bike lock, and I discover 1.2.3.4 always opens it, and I know at least one gang of thieves is already looking for these locks and stealing bikes via this method... I should 100% have no fear that I will suffer legal repercussions if I tell the support guys at Diebold. If Diebold refuses to acknowledge the problem I should likewise have no fear that my exercising my freedom of expression and telling the local newspaper will result in my being prosecuted for some crime. The same goes for software and services on computers.

Re:Discover, or try to discover? (2, Interesting)

zero-one (79216) | more than 7 years ago | (#17636154)

A few years ago, I applied for a job at a well known company using their online application site. When I finished filling in the form, the site redirected to a page with a URL like https://www.example.com/viewapplication.asp?applicantid=12345 that displayed all of my details.

I wondered what would happen if I changed the number in the URL and found that the site would happily show me the details for all the other applicants (including quite sensitive information).

Was changing the URL "trying to discover a vulnerability" or "discovering a vulnerability"?
What if the values had been sent using an HTTP POST (so I couldn't see them or edit them by just changing a URL)? What if they had been lightly encrypted or included a check-digit?

Re:Discover, or try to discover? (1)

ArsenneLupin (766289) | more than 7 years ago | (#17636390)

A few years ago, I applied for a job at a well known company using their online application site. When I finished filling in the form, the site redirected to a page with a URL like https://www.example.com/viewapplication.asp?applicantid=12345 that displayed all of my details.

I wondered what would happen if I changed the number in the URL and found that the site would happily show me the details for all the other applicants (including quite sensitive information).

Was changing the URL "trying to discover a vulnerability" or "discovering a vulnerability"?
What if the values had been sent using an HTTP POST (so I couldn't see them or edit them by just changing a URL)? What if they had been lightly encrypted or included a check-digit?

A truly devious mind would have entered https://www.example.com/viewapplication.asp?applicantid=12345%3B update applicants set photo_url='http://goat.ca/hello.jpg' %3B-- or something equally funny.
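ACMENEWSLLC's magazine renewal ID, zero-one's applicantid URL and ArsenneLupin's stacked UPDATE are two distinct bugs in one handler: an insecure direct object reference (the lookup never checks who is asking) and SQL injection (the parameter is concatenated into the query text). The following is an added example, not code from this thread or from any site it mentions; the applicants table, its owner column, the user names and the session-user parameter are assumptions constructed to show the point. The vulnerable function reproduces both bugs; the hardened one parses the ID strictly, binds it as a parameter, and makes ownership part of the WHERE clause. Python's sqlite3 refuses stacked statements in execute(), so the injection is shown with an OR 1=1 tautology rather than the ;UPDATE form; on a driver that does run stacked statements, the same concatenation is what lets the UPDATE through.

```python
import sqlite3

# Constructed sample data: a hypothetical applicants table keyed by the
# sequential applicantid seen in the URL. "owner" is the login that created
# the record; it is an assumption of this example, not something the thread
# describes.
APPLICANTS = [
    (12345, "alice", "Alice Example", "555-0100"),
    (12346, "bob", "Bob Example", "555-0101"),
    (12347, "carol", "Carol Example", "555-0102"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample applicants."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE applicants (id INTEGER PRIMARY KEY, owner TEXT, "
        "name TEXT, phone TEXT)"
    )
    db.executemany("INSERT INTO applicants VALUES (?, ?, ?, ?)", APPLICANTS)
    db.commit()
    return db


def view_application_vulnerable(db, applicantid):
    """What viewapplication.asp?applicantid=... apparently did.

    Two bugs: the raw query-string value is pasted into the SQL text, and the
    caller's identity is never consulted, so anyone can read any record by
    changing the number, and anyone can change the query by changing the text.
    """
    sql = "SELECT id, owner, name, phone FROM applicants WHERE id = " + applicantid
    return db.execute(sql).fetchall()


def view_application_hardened(db, session_user, applicantid):
    """Strict parse, bound parameter, ownership folded into the predicate.

    Returns the row, or None both when the record does not exist and when it
    belongs to someone else, so the response does not confirm which IDs exist.
    """
    try:
        record_id = int(applicantid)
    except (TypeError, ValueError):
        return None  # anything but a bare integer is rejected before it nears SQL
    return db.execute(
        "SELECT id, owner, name, phone FROM applicants WHERE id = ? AND owner = ?",
        (record_id, session_user),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Alice's session. Changing 12345 to 12346 in the URL is the IDOR.
    print("vulnerable, id 12346:", view_application_vulnerable(db, "12346"))
    # The same concatenation is SQL injection: a tautology returns everyone.
    print("vulnerable, injected:", view_application_vulnerable(db, "12345 OR 1=1"))
    print("hardened, own record:", view_application_hardened(db, "alice", "12345"))
    print("hardened, other's record:", view_application_hardened(db, "alice", "12346"))
    print("hardened, injected:", view_application_hardened(db, "alice", "12345 OR 1=1"))
```

On zero-one's follow-up questions: sending the ID by POST, lightly encrypting it, or adding a check digit changes nothing here, because those only make the value harder to guess; the lookup is still unauthorized until something like the owner clause above ties the record to the caller. And for anyone who wants to report such a bug without touching other people's data, the proof can be made with two records you own, or one you own plus an ID that does not exist, rather than a stranger's.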

Re:Discover, or try to discover? (0)

Anonymous Coward | more than 7 years ago | (#17636160)

then I might have been doing something I shouldn't.

So you might. Do you really believe that a person should be sent to prison because that person might have been "doing something [he] shouldn't"?

It's really about being a vigilante (1)

EmbeddedJanitor (597831) | more than 7 years ago | (#17636566)

People who actively go out searching & snooping are being vigilantes (rather than "concerned citizens" who just happen to notice something and report it).

Re:Discover, or try to discover? (1)

Jerf (17166) | more than 7 years ago | (#17637504)

A real world example would be

No! No metaphors!

Computer networks aren't neighborhoods, superhighways, or libraries. Trying to shoehorn the metaphors onto a reluctant reality just means people endlessly argue about the metaphor and not the question at hand.

The question is, "is it illegal to disclose a web vulnerability?" You also ask "What are the boundaries of permitted probing?"

I don't have an answer, but I'll give you one aspect that is not covered by any real-world metaphor, yet is very important: If I go to a website and give it my credit card number, I have no assurance that they aren't doing stupid things with it. They aren't supposed to store it, but many sites, even large ones, have in the past and continue to do so. How much right do I have to poke around the website to at least try to gather some data about how secure the site is before (or after) I trust them with some of my most sensitive information?

That's an interesting question, but there's almost no real-world analog with modern credit card systems that don't have to record the full number. And please, don't try to shoehorn a metaphor onto this. Deal with the problem at hand, not a made up problem substituted for it, that "conveniently" happens to make the exact point you wanted to make...

Re:Discover, or try to discover? (2, Interesting)

DamnStupidElf (649844) | more than 7 years ago | (#17637562)

As much as we like to separate people into black hats and white hats, if you were trying to jimmy the lock, for whatever reason, you were probably doing something you shouldn't have been.

If I store my stuff in a storage locker and have to use a lock the storage company provides, can I test its security?

If I live in an apartment building, can I check the lock on my door to make sure it's not easy to pick?

In reality, all locks are pretty easy to pick. Locksmiths and law enforcement have tools that can open most locks within minutes or seconds, and anyone with an interest can buy or fashion their own lockpicks relatively easily. On the Internet, security is supposed to mean more than just an easily defeated mechanical lock because the attack surface is world-wide and difficult to monitor. You can't hire cheap security guards to keep hackers out of websites like you can to protect locked doors. Computer and Internet security rely on vigilant eyes finding vulnerabilities in the system and fixing them, and since most companies don't seem to take security very seriously, it makes sense that people should be able to gauge the security of any system they are going to store information in, or in the general case just inspect any Internet host they want for vulnerabilities. As a shared medium, every host connected to the Internet can have a large impact in terms of DoS, worm, or spam attacks. If anything, the problem is that companies and individuals connect their systems to the Internet without realizing this, and want laws to protect them from things that the law can do essentially nothing about.

The way I see it, if a host on the Internet has an open known port (it shows up in /etc/services) that doesn't require authentication (unless one is authorized), it's perfectly legal and ethical to connect to the port to see what services it actually offers, and the terms of service if any. HTTP(S) is such a protocol, and so long as httpd serves pages without a 403 response and robots.txt doesn't exclude certain files to all agents, it's perfectly legal and ethical to browse the entire site, including submitting POSTs and GETs to apparent CGIs. Attempting to discover vulnerabilities is really just a guess at what the host administrator wants the system to do, and using common sense. In general, if a vulnerability can be tested against a honeypot or other test system, that's the ethical way to do it. If that's not possible, preliminary testing should lead to a vulnerability report to the administrator of the site. Using the vulnerability to access other people's data or modify the system is a bad idea, and possibly illegal, even if just as a demonstration. There are usually ways to demonstrate bugs without exposing anything but the bug itself.

The Internet requires smart people looking for vulnerabilities and reporting them in order to function securely. Most companies do not have the money to pay smart people to do nothing but find vulnerabilities, which is unfortunate. The fact that people do it for free or for recognition should be recognized as the useful service that it is. Black hat crackers will always be interested in finding vulnerabilities and exploiting them in secret, or selling them to someone who can exploit them. It's exactly like an immune system that must be trained by infections in order to combat them in the future. Without knowing what attacks look like and how they work, there's no way to defend against them, short of rewriting all the software and proving the Internet and computer systems are perfectly secure by design.

Lack of qualifications ... (1)

Infernal Device (865066) | more than 7 years ago | (#17635468)

One problem is the lack of qualifications to call oneself a legitimate security researcher. Every two-bit script kiddy hacker in the world is a "security researcher" by the current definition. Unfortunately, many of the current actually-qualified security researchers have some sort of black-hatting in their background, which, to my mind, makes them suspect in the first place.

It's an issue of trust. If you sit outside the system and make pronouncements, it's difficult to trust what you say. If you break into a system, then it's even more difficult to trust what you say, since, of course, you've been in there, maybe rummaged around, broken who knows what, etc.

Re:Lack of qualifications ... (1)

Intron (870560) | more than 7 years ago | (#17636872)

Which is why the legitimate security professional testing an active website has a letter signed by a company officer allowing them to do so.

In fact, I plan to send a large number of emails to security professionals hiring them to hack my website and send me a report of what they find.

-- sincerely,
    Charles Prince
    Chairman & CEO
    citigroup

Anonymizers? (4, Insightful)

tfinniga (555989) | more than 7 years ago | (#17635480)

So, this might not be relevant, but once I reported a cross-site scripting vulnerability to a website by using a web anonymizer to create a hotmail account, sending exactly one message, and then never using the email account again.

Anonymizer tools have improved since then, especially for combating censorship. Would you be able to use TOR or something similar to report vulnerabilities without exposing your identity?

Re:Anonymizers? (1)

fishbowl (7759) | more than 7 years ago | (#17635788)

You could just send a US snail mail with no return address. What would be nice would be a single-blind return receipt.

Re:Anonymizers? (0)

Anonymous Coward | more than 7 years ago | (#17636040)

Anonymity is the obvious answer. But his real question is "how can I report a vulnerability safely AND get the credit for discovering it?"

Re:Anonymizers? (1)

tfinniga (555989) | more than 7 years ago | (#17636826)

Well, I guess it depends on what kind of credit you're looking for.

One option would be to use cryptography creatively, so you could authoritatively reveal yourself at any time. However, if you're trying to get a legitimate job from doing something illegal, yeah, that seems like a lost cause.

I guess it depends on the business model of independent security researchers, which is somewhat of a mystery to me.

Re:Anonymizers? (1)

Beryllium Sphere(tm) (193358) | more than 7 years ago | (#17637490)

The banner that appears when you start TOR says it's experimental software and that you shouldn't rely on it for strong anonymity.

Re:Anonymizers? (0)

Anonymous Coward | more than 7 years ago | (#17637582)

That's because if you did, and it didn't work, you could sue them.

So don't. (1)

loraksus (171574) | more than 7 years ago | (#17635560)

Sooner or later, they will learn that they need to secure their site after they get hacked, used for a warez dump and find out that they have to pay (literally) for using 8x the bandwidth they paid in advance for.
Expensive lesson usually means lesson learned.

Why are we supposed to help the stupid? Let them continue doing stupid things until they get pwnt and it costs them their business.

Re:So don't. (2, Insightful)

haddieman (1033476) | more than 7 years ago | (#17636134)

Why are we supposed to help the stupid? Let them continue doing stupid things until they get pwnt and it costs them their business.

Making mistakes != being stupid. If someone found a vulnerability in your site wouldn't you want them to let you know about it? On the other hand, if you had already been warned about this vulnerability and done nothing about it then yes, that would be very stupid.

Re:So don't. (1)

businessnerd (1009815) | more than 7 years ago | (#17636268)

How about if this is a business that affects your life in some way? For instance, what if the New York Stock Exchange had a vulnerability it didn't know about, but you do (not gonna ask how you found it)? Now think about what could happen if the NYSE got hacked. Worst case scenario, the US economy collapses. Now how does this affect you? Well, your job could be in jeopardy, hyper-inflation could make the cost of living skyrocket. Happy times are not in the cards for you. This is a pretty extreme example, but still, it's something to think about.

A less extreme example could involve the bank that you use. But maybe it's not just your bank, but it affects almost every bank. It's no longer a matter of switching banks, and your money is at stake.

Re:So don't. (0)

Anonymous Coward | more than 7 years ago | (#17637242)

"Why are we supposed to help the stupid?"

Because those hacked sites are now hammering MY server 24/7.

It should be handled like every other related act (2, Insightful)

MikeRT (947531) | more than 7 years ago | (#17635566)

It should depend on how you do it, and why you do it. If you do it with good faith intentions, it should be considered a good Samaritan work. If they have not touched it after a while, you should be able to reveal its existence.

Re:It should be handled like every other related a (1)

westlake (615356) | more than 7 years ago | (#17637502)

If you do it with good faith intentions, it should be considered a good Samaritan work.

"The road to hell" and all that.

No one can be compelled to believe in your good intentions.

Your actions were disruptive, possibly hostile, and that is all anyone will ever need or want to know.

There is one way... (0, Redundant)

fishbowl (7759) | more than 7 years ago | (#17635572)

"There is no way to report a vulnerability safely."

Re:There is one way... (1)

fishbowl (7759) | more than 7 years ago | (#17635678)

Oops. Stupid preview/submit buttons.

So there are ways to report vulnerabilities safely:

1. Do it completely anonymously. Not only shouldn't you try to take credit for the discovery, but you should do it in such a way that you are completely disassociated with the report, personally. Have the report made by a person in your corporation or organization who has a PR/spokesperson role. Or have your attorney make the report.

2. Make the report as the person responsible for security on that system. (Being the target of litigation for doing something that is literally in your job description ought to be very lucrative when you countersue and win.)

But don't just make the report with your name on it, at random. Obviously that may not work out the way you'd like.

Easy (0)

Anonymous Coward | more than 7 years ago | (#17635602)

If the intent is malice, then it's wrong.

If a vuln. is disclosed on a major site, and there is proof that the finder of the vulnerability took reasonable steps to report it to the operator .. then I don't see why a vuln can't be disclosed.

Because that would simply be informing the public that the website is insecure. Real-world example: if security guards from a security contracting company were always sleeping on the job, you'd want the right to tell your friends about it, correct? I should have the right to tell my friends anything that may protect them from harm.

Second, maliciously probing a site with the express purpose of finding a vulnerability should be treated the same as someone trying to break into some place. However, genuinely accidentally (via a typo or something) stumbling upon an issue should not be prosecutable. There is a gray line with this of course, because sometimes acting on moderate curiosity should not be frowned upon.

What's the problem? (3, Interesting)

gravesb (967413) | more than 7 years ago | (#17635612)

What's the problem with sending info to a webmaster? And what's the point of doing anything else? If you post it publicly, you've created a race condition between script kiddies and the site admin, and should be punished. If you send it to the webmaster, you are doing a service, and shouldn't be punished. As long as you don't exploit it, you should be ok.

Re:What's the problem? (4, Insightful)

fractalus (322043) | more than 7 years ago | (#17636044)

Simple: sometimes such information gets lost, or doesn't get acted on, and the bug persists. That bug could be exposing thousands (or hundreds of thousands) of users of that site to risks they're not aware of. If one person found it, another surely can, so it's a reasonable assumption that someone else other than the site owner could know about the bug and be exploiting it for personal gain. At that point, being aware of the bug but not informing the users is allowing them to be exposed to unnecessary risk. Businesses are often reluctant or slow to fix problems because they assume nobody knows about them or they're costly to fix (just like auto companies hate to have to recall cars to fix problems). Sometimes, the only way to get the problem fixed is to announce it publicly and give the company a bit of a black eye.

Re:What's the problem? (3, Informative)

Jussi K. Kojootti (646145) | more than 7 years ago | (#17636106)

That may be a race, but a race condition is something else...

Re:What's the problem? (1)

linuxmop (37039) | more than 7 years ago | (#17637364)

You assume too much. Consider:

1. Script kiddies may already know about the vulnerability. There is no reason to believe that you are the first to discover the exploit.

2. The webmaster might not fix the issue before harm is done to the users. If the script kiddies already know about the vulnerability, they will likely exploit it before the webmaster has time to react.

As a user, I want to know immediately when a vulnerability is discovered. It gives me an opportunity to stop doing business with a website before my credit card number is stolen. It also gives me the opportunity to double-check credit card statements and the like; if a security hole is covered up, I may never notice the $200 charge.

Since we can never be sure who knows about a vulnerability, it is best to let the users know about it as soon as possible.

Re:What's the problem? (1)

grege222 (995375) | more than 7 years ago | (#17637516)

While I think that works in theory, what if somebody else independently discovers the same vulnerability you reported and exploits it? How do they know that you did not exploit it? If reporting it was all that was needed to remove your name from the list of suspects taking advantage of an exploit, wouldn't all blackhats report their vulnerabilities after exploiting?

Report it anonymously... (1)

ZwJGR (1014973) | more than 7 years ago | (#17635738)

If you want to report a bug, and you're not sure if it'll go down well with the fat cats at the top, post it anonymously.
Anyone who is clever enough to find a bug ought to be clever enough to notify those who should be informed without leaving obvious traces as to who they are.
You can't be sued if you don't exist...
That doesn't stop people trying though...

damn litigious assholes (1)

pestilence669 (823950) | more than 7 years ago | (#17635878)

If disclosure of vulnerabilities stops, exploits will still occur... only no one will know how they work or how to stop them. Yeah, this is progress.

Similar (1)

sven_kirk (562794) | more than 7 years ago | (#17635884)

I had a similar experience. I was doing some research on a cell phone that I was going to purchase. I wandered onto a poorly written blog/website. He was a "professional" webmaster. He had random screen shots posted up on his site. He had a webmail service that he ran. Had user names, real names, AND passwords all in one pic. Not to mention he had a few sensitive cell phone network plans unsecured. Scary

Finally! (1)

Rob T Firefly (844560) | more than 7 years ago | (#17635894)

Armed with this fair and just legal precedent, we can finally put all those scheming hoodlums from Bugtraq in Federal PMITA Prison where they belong.

stupid question (0)

Anonymous Coward | more than 7 years ago | (#17635906)

I can't believe people actually ask such IDIOTIC questions.
Of course it's illegal.
If you don't report it anonymously ONLY TO THE OWNER OF THE SITE and instead do it publicly you should be arrested and locked up with no questions asked.
In fact I'd consider doing the same even if you did it anonymously if the owner didn't actually ask you to find bugs on the site.

Everything has bugs. Exploiting them doesn't take a genius.

It's been ok for me (4, Interesting)

nicpottier (29824) | more than 7 years ago | (#17636074)

A few years ago I was renewing my car tabs on the WA state's site and they had a box for 'donations to DOT' or somesuch. For kicks I tried putting in a negative value, and sure enough it reflected the total for my tabs as less. I went ahead and submitted things with a dollar taken off the value, just to see if it would actually go through. Sure enough, a week later I received my tabs, and the mathematically correct but embarrassing negative donation on my receipt.

I ended up calling them and letting them know about the bug. They were nice about it, and the next year at least it was fixed.

-Nic
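The negative-donation bug Nic describes, as an added example that is not part of the original post: a checkout total that takes the client-supplied donation field at face value, beside a server-side parser that rejects anything but a bounded, non-negative, two-decimal amount. The fee amount and donation cap are constructed values, not the state's real figures.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample fee for the worked example (not the real WA tab fee).
TAB_FEE = Decimal("30.00")


def total_trusting_client(tab_fee, donation_field):
    """The pattern behind the bug in the post: the donation field from the
    form is added as-is, so "-1" quietly takes a dollar off the amount due."""
    return tab_fee + Decimal(donation_field)


class InvalidDonation(ValueError):
    """Raised when the donation field fails server-side validation."""


def parse_donation(raw, max_donation=Decimal("1000.00")):
    """Hardened parsing of an optional add-on amount.

    Accepts only a finite decimal in [0, max_donation] with at most two
    decimal places; anything else (negative, NaN/Infinity, text, too many
    places, over the cap) is rejected rather than silently coerced.
    """
    try:
        value = Decimal(str(raw).strip())
    except InvalidOperation:
        raise InvalidDonation(f"not a number: {raw!r}")
    # Check finiteness before any ordering comparison: comparing NaN raises.
    if not value.is_finite():
        raise InvalidDonation("donation must be a finite amount")
    if value < 0:
        raise InvalidDonation("donation must not be negative")
    if value > max_donation:
        raise InvalidDonation("donation exceeds the configured cap")
    cents = value.quantize(Decimal("0.01"))
    if cents != value:
        raise InvalidDonation("donation must have at most two decimal places")
    return cents


def total_validated(tab_fee, donation_field):
    """Total with the donation validated first; an optional add-on can never
    lower the amount due, and that invariant is asserted explicitly."""
    total = tab_fee + parse_donation(donation_field)
    assert total >= tab_fee, "add-on reduced the total; validation is broken"
    return total
```

The invariant check in `total_validated` is the kind of assertion a receipt generator should hold as well, so a negative line item trips an alarm rather than printing, as it did for Nic, a mathematically correct but embarrassing receipt.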

There's two types of people in the world.... (1, Insightful)

QuantumG (50515) | more than 7 years ago | (#17636094)

those that ask *best whiny voice* "Is it ok if I do this? Will I get arrested? Is it illegal to do this?"
and those that proudly proclaim "I am doing this and no-one can stop me. If you think you can arrest me for this, YOU ARE WRONG."

The first kind of people contribute nothing to our freedoms. They are crippled by uncertainty and their annoying whining makes people think that, hey, maybe there is something to fear. The second kind of people challenge the norms and make that which was uncertain clearly not illegal. Hey, if they can get away with it, maybe I can too!

So my advice: stop whining and grow a backbone.

Re:There's two types of people in the world.... (0)

Anonymous Coward | more than 7 years ago | (#17636498)

Interesting. I didn't know you could find a geek redneck. But there you go.

Re:There's two types of people in the world.... (1)

QuantumG (50515) | more than 7 years ago | (#17637166)

If you think I'm a redneck, you haven't met my good friend [catb.org].

Re:There's two types of people in the world.... (1)

gad_zuki! (70830) | more than 7 years ago | (#17636794)

>The first kind of people contribute nothing to our freedoms. They are crippled by uncertainty and their annoying whining makes people think that, hey, maybe there is something to fear. The second kind of people challenge the norms and make that which was uncertain clearly not illegal.

You're advocating vigilantism. The history of vigilantism proves your narrow assumption about 'badasses' very wrong. [ncwc.edu]
American vigilantism arose in the Deep South and Old West during the 1700s when, in the absence of a formal criminal justice system, certain volunteer associations (called vigilance committees) got together to blacklist, harass, banish, "tar and feather," flog, mutilate, torture, or kill people who were perceived as threats to their communities, families, or privileges (Karmen 1968). By the late 1700s, these committees became known as lynch mobs because almost all the time, the punishment handed out was a summary execution by hanging. In some states, like South Carolina, these mobs had exotic names like the Regulators. During the 1800s, most American towns with seaports had vigilante groups that worked to identify and punish suspected thieves, alcoholics, and gamblers among recently arrived immigrants. The state of Montana, however, holds the record for the bloodiest vigilante movement from 1863 to 1865 when hundreds of suspected horse thieves were rounded up and killed in massive mob action. Texas, Montana, California, and the Deep South, especially the city of New Orleans, were hotbeds of vigilante activity in American history.

Re:There's two types of people in the world.... (1)

QuantumG (50515) | more than 7 years ago | (#17636956)

Right, yes, that's a logical conclusion that one. People who are not feared by uncertainty and instead stand up to be counted, those people are vigilantes. Black people sitting at the front of the bus? Damn vigilantes.

Re:There's two types of people in the world.... (1)

CaffeineAddict2001 (518485) | more than 7 years ago | (#17637182)

There's a third kind: The thoughtful person. They realize that there *IS* something to fear, that society is something you need to treat with respect and that you need to plan accordingly.

Think about this: Would anybody care about Rosa Parks if she wasn't a little old lady? How many hundreds of black men tried the same thing and only ended up in prison?

You need more than just a backbone.

Re:There's two types of people in the world.... (1)

QuantumG (50515) | more than 7 years ago | (#17637462)

Yeah, the third kind is this freakin' "middle way" of wishy washy compromise. I'm not a fan. If you think you have a right to do something, do it. If no-one cares, great you set a precedent that others can follow. If someone makes a stink fight. Don't ask permission, and don't go "testing the water" by half doing it. These middle way people, they only get half the job done and end up making it worse for everyone else because they go in timidly, and back off as soon as they hit resistance.

Jen Granick (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17636108)

This is the first time the Slashdot main page has mentioned someone that I've had sex with! (She's cute and gives *really* good head.)

Look who will argue, write and advocate the law. (3, Insightful)

Protonk (599901) | more than 7 years ago | (#17636176)

This is an issue that simply must not be decided by the people whom it has been entrusted to. In this case, the vested interests that will lobby congress, pay for legal teams, and write friend of the court briefs are not the whistleblowers and the security researchers. There are HUGE industries where the economic incentive is to ignore problems, rely on obscurity for security, and prosecute those who would expose vulnerabilities.

Each time an exploit comes out, the pattern is the same. The company doesn't announce it, anti-virus makers are either paid off (as in 'approved' spyware and/or rootkits) or not kept informed, and once the story breaks, the public relations machine starts. The researcher is vilified as a hacker, the problem is denied or minimized, and the prospect of a patch is left moot because this would require accepting that a huge problem exists. Most of us scream that this is ridiculous, companies should tell everyone when an exploit shows up, and patch it as soon as possible. More to the point, they should expose their source code to scrutiny in order to better provide services to their customers.

Are you sitting down? Good. They won't and they don't care. The first rule in the PR handbook is to deny and put off realization. If the big front is that there isn't a problem, or that a crack of a voting machine can only be done in a lab, and months down the road, the company quietly sues the researcher or releases a patch, they win. People have a limited attention span and fatigue quickly in the face of fear and hysteria. As long as your company's admission of guilt comes well after the original problem, or not at all, people are happy.

With this in mind, let's look at the law. Thankfully, whistleblowers have some protection, and some internal voices about code might not be silenced, especially if the review takes place within the judicial system, and not through a new law. Of course, corporate secrecy, as in the case of Apple and HP, is pretty extreme, and most employees wouldn't risk the civil consequences of voicing a problem that doesn't rise to the level of a public safety hazard.

Outside researchers are in more and more trouble, and this really only leads to problems for the customer base as a whole. We rely on sites like MOAB [info-pull.com] to shame companies into action. We also rely on OSS competition in order to make products like IE better--Firefox gives an economic incentive to Microsoft to improve their product, otherwise, security development would have languished.

Very few analogues exist in the places where this is critically important: commercial and banking software. CITIbank [boingboing.net] suffers a classbreak and doesn't bother informing their customers. Security conscious customers can voice their discontent and move to another bank, but we have to trust that the new bank is as averse to security breaches as we are. For the rest of the millions of customers, security will not improve. Since identity theft costs are largely borne by the customers, the banks don't care. Because the banks don't care, it is much easier, and better in their eyes, to make publishing vulnerabilities like this one [eweek.com] illegal and trust that their customers will never be the wiser.

check out this article:
[PDF] Why information security is hard [google.com]

"There is no way to report a vulnerability safely. (1)

iminplaya (723125) | more than 7 years ago | (#17636190)

No? Does the word anonymous ring a bell?

Re:"There is no way to report a vulnerability safe (1)

Vexorian (959249) | more than 7 years ago | (#17636880)

And it is also getting harder and harder to do stuff anonymously... Governments are even planning to forbid anonymous usage of the web.

It may not be illegal... (2, Insightful)

gillbates (106458) | more than 7 years ago | (#17636400)

But then, it's not your business, either.

Should you discover a security vulnerability, the correct response is to forget it. Here's why:

  • No one likes the bearer of bad news - not the website owner, not the vendor who sold the software, not the consultant who coded the website. They have lawyers; their interest is in making money, not necessarily in creating secure software. Keep this in mind. If they can find a cause for libel, they will. If they can deflect blame (stupid hackers are at it again!), they will.
  • Why would you expose yourself to potential legal problems, especially considering that you aren't getting paid for your efforts?
  • If they were truly concerned about security, they would have hired an audit firm.
  • Getting hacked is perhaps the best teaching experience regarding security. Let another hacker expose their vulnerability in a way they can't deny. Then they will take security seriously.
  • Do the security industry a favor: why would anyone hire a security specialist when good Samaritans on the internet (aka whitehats) will audit their website for free? Don't undermine your fellow workers.
  • No one has ever been brought to trial or sued for failure to disclose a security vulnerability. You stand to lose nothing by quietly taking your business elsewhere; let the company figure out that the public wants secure web sites.

Naturally, we might feel a sense of duty to help someone out - if they have an exposed security flaw, we naturally want to help them. But first consider how it will be received. Most companies would rather produce software with publicly unknown flaws than to produce perfect software, websites, etc... at a much higher cost.

And, if you feel that the website owner would appreciate knowing, you might at least disclose it from an anonymous email address.

vulnerability disclosure (1)

a149 (1052120) | more than 7 years ago | (#17636462)

Like others, Meunier ended up with a "don't tell" policy...these sorts of happenings bode ill for all of us, all of whom have information vulnerabilities in more ways/places than we care to think about.

How to safely report a vulnerability (1)

knifeyspooney (623953) | more than 7 years ago | (#17636502)

Step one: Access the internet where you're practically untraceable, such as at an internet cafe or with an AnonDSL [bway.net] account.

Step two: Open and use an anonymous e-mail account.

Step three: Report the vulnerability.

So tonight... (1)

Osrin (599427) | more than 7 years ago | (#17636556)

... I intend to smash a window in the back of my neighbour's house, then stick a postit note on his front door letting him know that I have discovered a potential problem with his home security.

Researchers (1)

burnunit0 (630935) | more than 7 years ago | (#17636560)

What is the framework of the researchers in question? If a person is an academic studying the field of network security or whatnot, they can probably give a reasonable justification for doing this sort of snooping as research. If I were advising a person in that position, I'd suggest to them maybe asking permission first: how hard is it to write a letter to another university and inform them that you are a student who is going to look for (but not break/exploit) security flaws, then report them in the course of reporting your research to your own university?

OTOH if you're a private security firm I think you absolutely must request permission from the owner of a potentially insecure network, otherwise you're just a squeegee guy at the stoplight, only you know, with data.

But if you're in the wild, and you're just "trying the locks" hoping they'll snap open, you're on your own. And God have mercy on your soul. How's that different from walking through your neighborhood jiggling doorknobs? It's very easy for a person to fix their neighbor's unlocked-door-problem, if they have an old fashioned door that can be hand locked and closed. Well in the neighbor's house analogy, the law doesn't give a crap if you lock the door behind you and don't touch anything, you're still technically guilty of B&E. Yes, you could get away with it because you can at least do the favor of locking it and choosing not to touch anything. But what if they have a deadbolt? The only way to fix that problem is to let them know so they can use the key or lock it from the inside, but the route to making the discovery that their house is unlocked is already covered by the B&E law.

Network security is all deadbolts, right? You can't quite lock the door behind you (fix their code) if you find an exploit. If you get in, even if you don't take anything, you're breaking and entering. In that case, if you publish the fact you got in by active means, you're taking a grave risk--maybe if you could somehow demonstrate that you "just found it," then maybe you can expect to get away with reporting it. But if the only way to find it is to be actively looking, the risk is yours as well, since if you know so dang much about network security, you probably should know they're not using the old knob-based locks anymore. Are they? I don't know from network security, but I know you can't wander around fiddling with locks on houses, many of which don't contain nearly half the sensitive info that computers do.

Getting your vulnerability published... (0)

Anonymous Coward | more than 7 years ago | (#17636760)

...is a suitable punishment for putting it there in the first place.

Hey Buddy! (1)

JoshDM (741866) | more than 7 years ago | (#17637012)

Your fly is open.

Terms of Use (0)

Anonymous Coward | more than 7 years ago | (#17637156)

IMO that depends on the Terms & Conditions for the particular site. In most cases they outline the "legal" uses, and probably the "illegal" ones, warning you that you might get sued.

Users are prohibited from violating or attempting to violate the security of the Web Site, including, without limitation:

* accessing data not intended for such user or logging into a server or account which the user is not authorized to access
* attempting to probe, scan or test the vulnerability of a system or network or to breach security or authentication measures without proper authorization
* attempting to interfere with service to any user, host or network, including, without limitation, via means of submitting a virus to the Web Site, overloading, "flooding", "spamming", "mail bombing" or "crashing"
* sending unsolicited e-mail, including promotions and/or advertising of products or services
* forging any TCP/IP packet header or any part of the header information in any e-mail or newsgroup posting

Violations of system or network security may result in civil or criminal liability.

Pay the price (1, Insightful)

madsheep (984404) | more than 7 years ago | (#17637248)

As someone who researches vulnerabilities and does IT Security for a living I do not find this too hard of an issue to deal with. If you are poking around someone else's website to look for a vulnerability, flaw, or bug, then you should be prepared to deal with the consequences. It is your choice whether or not to start testing for various things that could lead to a SQL injection, XSS issue, directory traversal, authentication bypass, file inclusion, or whatever the vulnerability or issue might be. If the site happens to be running some free or commercially available software, guess what you can do? Get a copy of it yourself and test it. Alternatively, guess what else you can do? GET PERMISSION. If you aren't authorized to start snooping then you deserve to be punished, embarrassed, prosecuted, and smacked down.

I did vulnerability research on servers at my university when I was starting out. I went out and got authorization to do so. In most instances they had a test/dev server they permitted me to test on. I published these vulnerabilities in the form of an advisory publicly after contacting the vendors. You do not have the right to decide to do whatever else you want on someone else's website.

Should you be allowed to try and steal stuff from a store just to see if they're vulnerable to being robbed? Can you break into that same store to see if your sledge hammer breaks their glass? What if you were doing all this just to show them it could be done and not to rob/harm them? So what.. your ass is getting arrested. I think this is the same point posts above had made and it is 100% valid.

Security by obscurity does not work (1)

Opportunist (166417) | more than 7 years ago | (#17637346)

NOT exposing an insecurity in any application only helps the true criminals. Or does anyone here (or anywhere) doubt that this information is readily available to those that cause the real harm, those that hack for profit?

An insecure webserver is becoming one of the cornerstones of phishing attacks. Today, ISPs routinely block access to those servers the attackers set up in some countries that have more pressing problems than finding criminals that do damage in other countries. We can't grab those servers, but at least ISPs are becoming more and more helpful in shutting down the routes to those servers.

This is impossible with "legit" servers. In other words, insecure web servers are becoming the cornerstones of very profitable attacks. And those attackers routinely use and have 0day exploits available to them. Does anyone think they rely on published security holes?

If there is one group who would benefit from obscured security holes, it's the true criminals. Because web admins would not even know what hits them. They don't have access to the information.

Don't be a fool (0)

Anonymous Coward | more than 7 years ago | (#17637376)

Do you personally gain anything from disclosing a vulnerability? No. And no matter how stupid it is, the reality is, you can be criminally prosecuted for disclosing it, no matter how you choose to do it. You risk hundreds of thousands of dollars in legal bills and a conviction.

This is like a bet. If someone offered to make a bet with you, "if you win, you don't get anything. If you lose, I will amputate your left arm." Would you take that bet? Probably not, and when you disclose a vulnerability, that's the bet you're taking.

Opposite Effect (1)

sameeer (946332) | more than 7 years ago | (#17637596)

I think this kind of hounding of people not only does not deter others, but leads to more exploitation of such vulnerabilities.

Assume someone comes across such a vulnerability, maybe by accident, maybe deliberately. Now if he doesn't intend to exploit it, there are two choices for him. 1) contact the sysadmin/company and explain what he did, and how it can lead to problems, in which case he'll be prosecuted, or 2) do nothing about it. Now the second option is not really a realistic one; chances are he's going to be posting the info somewhere online, or might be tempted to exploit it himself, knowing every waking day of his life that there's this door he can walk in.

For people who give the argument that he shouldn't be snooping around in the first place, and that it's the same as someone checking the locks in my house: No, it's not the same. There is no educational value in checking random locks. There is nothing to learn, and no motive other than ulterior. So if someone is snooping around in my house, it's almost always for the wrong reasons, which is not the case online.

This kind of behavior from people making these laws is caused by laziness. They know if they come up with these stricter laws, they will be able to save on the implementation, i.e. save on proving whether someone intended to exploit or not. But by trying to save on the complicated court proceedings, they create a law which labels even the innocent as guilty.