> The hackers with the skills to break into software and networks, who choose to come forward with their knowledge and share their findings, should be legally exempt from criminal prosecution under laws designed to punish crime.
I know this is an unpopular opinion here, but I personally think that you shouldn't mess with people's shit unless they invite you to (e.g. by having a bounty, research partnership program, etc.). Yes, some organizations will be less secure because of it. Similarly, some houses are less secure because the locks are low quality. It isn't up to you to decide how thoroughly said locks should be checked.
>I know this is an unpopular opinion here, but I personally think that you shouldn't mess with people's shit unless they invite you to
Here's the problem:
Last job I had, I was told I had to open a google account, because the company used google docs.
Mandatory, I was told. Company policy. I passive-aggressively opened one called <company name>_temp, and deleted it when I finished the job, but I wasn't going to risk the job itself by flat out refusing.
Does a company have the legal authority to compel its employees to open accounts that require third party agreements? Don't know, not a lawyer, probably country specific, but it's not relevant because even if the legal answer is no, you can't start a lawsuit against your own employer.
Now, Google does have a bounty program, but we used dozens of pieces of software at that company from small providers who did not. As luck would have it, none of them were account based information vacuums, but they could have been, and if they had been, I'd have been at their mercy when it came to security. It would have been that or my job.
My unpopular opinion is that the software industry needs way more regulation. We crash-test cars, we should crash-test software. I definitely support impromptu third party pentesting, because it's currently the only way I find out about lazy companies who don't take my security seriously, particularly ones that I am compelled to use.
They sure as hell never call themselves out on it.
The stance you take is harmful when said organizations are responsible for the stewardship of the data of others, and being "less secure" places the general public at risk. The true impact of a breach is rarely limited to a single organization.
It is even further harmful when the laws are aggressively applied to prevent research into personal property, especially when your personal safety may depend upon it. For example, your car: https://twitter.com/0xcharlie/status/600729130355666944
I don't make a habit of storing assets in banks that fail to insure me against a total loss of those assets. That insurance just happens to require extensive third-party verification of security practices that may be publicly audited upon request.
The analogy doesn't hold when applied to the digital services we all depend upon as such assurances are impossible.
> The analogy doesn't hold when applied to the digital services we all depend upon as such assurances are impossible.
Rather than allowing anyone to try to crack a server as long as they claim to be a white hat, I'd much rather require corporations to go through a standard, "extensive third-party verification of security practices that may be publicly audited upon request" and default cracking attempts to "illegal."
I may be misunderstanding something in what you're saying, though -- if I am, could you clarify that for me?
As a researcher, it's always safer to only test online services that have a bounty program and/or researcher amnesty program in place. By virtue of having those programs, however, those companies are demonstrating a certain level of information security maturity. If your interest is in warning users of risks to their privacy, the greatest risks to it are most often found in companies who haven't quite gotten there yet. By finding the issues and reporting them to the company, they may spur them to improve. If the company is unresponsive, disclosing the issues publicly instead may motivate them to respond. We don't want that response to be a lawsuit or criminal charges when the researcher is performing a public service.
Security researchers try to call attention to security and privacy risks early. They aren't always right, but even when they're wrong, it's still beneficial for the rest of us to have them sounding their warning calls.
Is the key term here. What counts as people's shit? If I, as a customer of a company, find out my shit (let's say personal information) is insecure because a security researcher investigated a security flaw in a company's API: is that ok?
This gets even more blurred when, let's say, my shit (house) is in imminent threat of destruction because the chemical plant 1 mile away can easily be explosively sabotaged remotely, releasing toxic chemicals, due to shoddy SCADA security. Don't I and my shit deserve to be protected?
We are getting into the whole "Greater good / public interest" here where such a simple definition as you specified is no longer applicable I think.
In the same way a chemical plant might be required to enforce certain physical security requirements, it seems reasonable they might be required to enforce certain digital security requirements. But that's for legislation and government audits to determine, not random people breaking in or hacking in.
I think governments (and humanity in general) are MUCH better at physical security than digital.
The idea that government regulations could cover digital security is something that I do not believe possible. The whole history of SCADA is a pretty good example.
Regardless of where the line is, there needs to be some standard of ethical behaviour for both researchers and industry in general. Medicine already has these rules. Moreover, without a viable code of ethics, Congress is just going to do what the first corporate lobbyist suggests.
Houses also don't contain the private information of countless other people. Any company with users will be constantly under attack by the bad guys so it's in everyone's best interest that those companies have strong locks in place.
IMO, security researchers have the legal and moral obligation to contact their research target before conducting research. If said target refuses their request, the security researcher should have the legal right and moral obligation to publicly disclose that their request to conduct research was refused. And that's it.
Not so easy to do. As usual, there is a risk that such legislation will be abused to let people who are trying to break in to a system for malicious reasons, claim later it was research. A decent law would require researchers to register with police/whatever before they start researching. Which then excludes researching government/police systems (because they would know up front). etc. Not so easy!
Let's imagine a decent law that would require people to register what kinds of information they are protecting, from what kinds of use.
One kind of security researcher we would want to protect is the one who finds out they can get information, but doesn't get everything, or doesn't keep what they get, or doesn't get anything really sensitive. Or who establishes that they can modify a system, but doesn't change anything important.
If someone gets my credit card number, and doesn't use it, and points out the problem, I want to thank them.
We make the analogy of breaking into houses, but bad information security is more like someone putting up a post-it note that says "This is a lock."
Sometimes just looking past the lock violates the letter of the law.