SoylentNews is people

posted by martyb on Saturday November 05 2016, @03:19PM
from the I-wasn't-hacking...-I-was-*testing* dept.

In the cybersecurity world, the law doesn't always treat the good guys like good guys.

As Harley Geiger put it in a talk titled, "Fighting for Legal Protection for Security Researchers" at UNITED2016, the Rapid7 Security Summit, the vast majority of independent research into the security of consumer and commercial products, "doesn't seek to undermine IP (intellectual property) or safety of products. It helps us keep ahead of those who do seek to do harm."

Yet laws at both the federal and state level, "tend to undermine that," he said.

Geiger, director of public policy at Rapid7, cited laws like the Digital Millennium Copyright Act (DMCA) and Computer Fraud and Abuse Act (CFAA), which he said in crucial areas fail to allow for a distinction between researchers, who are simply trying to improve cybersecurity, and criminal hackers.

The story goes on to reference how the Librarian of Congress has allowed a temporary reprieve (as we covered in It's Finally Legal to Hack Your Own Devices (Even Your Car).) But, as much as that may improve things for the time being, it falls short of what is really needed for security professionals to examine and test systems.

So, how can a white hat work in a responsible way that is distinguishable from a black hat who, when caught, only claims he is a white hat?



Related Stories

It’s Finally Legal to Hack Your Own Devices (Even Your Car) 28 comments

You may have thought that if you owned your digital devices, you were allowed to do whatever you like with them. In truth, even for possessions as personal as your car, PC, or insulin pump, you risked a lawsuit every time you reverse-engineered their software guts to dig up their security vulnerabilities—until now.

Last Friday, a new exemption to the decades-old law known as the Digital Millennium Copyright Act quietly kicked in, carving out protections for Americans to hack their own devices without fear that the DMCA's ban on circumventing protections on copyrighted systems would allow manufacturers to sue them. One exemption, crucially, will allow new forms of security research on those consumer devices. Another allows for the digital repair of vehicles. Together, the security community and DIYers are hoping those protections, which were enacted by the Library of Congress's Copyright Office in October of 2015 but delayed a full year, will spark a new era of benevolent hacking for both research and repair.

Unfortunately, the exemptions are only temporary and will need to be re-approved the next time the Copyright Office reviews its exemptions, in 2018.



Op-Ed: Charges Against Journalist Tim Burke Are a Hack Job 35 comments

https://arstechnica.com/tech-policy/2024/03/charges-against-journalist-tim-burke-are-a-hack-job/

Caitlin Vogus is the deputy director of advocacy at Freedom of the Press Foundation and a First Amendment lawyer. Jennifer Stisa Granick is the surveillance and cybersecurity counsel with the ACLU's Speech, Privacy, and Technology Project. The opinions in this piece do not necessarily reflect the views of Ars Technica.

Imagine a journalist finds a folder on a park bench, opens it, and sees a telephone number inside. She dials the number. A famous rapper answers and spews a racist rant. If no one gave her permission to open the folder and the rapper's telephone number was unlisted, should the reporter go to jail for publishing what she heard?

If that sounds ridiculous, it's because it is. And yet, add in a computer and the Internet, and that's basically what a newly unsealed federal indictment accuses Florida journalist Tim Burke of doing when he found and disseminated outtakes of Tucker Carlson's Fox News interview with Ye, the artist formerly known as Kanye West, going on the first of many antisemitic diatribes.
[...]
According to Burke, the video of Carlson's interview with Ye was streamed via a publicly available, unencrypted URL that anyone could access by typing the address into your browser. Those URLs were not listed in any search engine, but Burke says that a source pointed him to a website on the Internet Archive where a radio station had posted "demo credentials" that gave access to a page where the URLs were listed.

The credentials were for a webpage created by LiveU, a company that provides video streaming services to broadcasters. Using the demo username and password, Burke logged into the website, and, Burke's lawyer claims, the list of URLs for video streams automatically downloaded to his computer.

And that, the government says, is a crime. It charges Burke with violating the CFAA's prohibition on intentionally accessing a computer "without authorization" because he accessed the LiveU website and URLs without having been authorized by Fox or LiveU. In other words, because Burke didn't ask Fox or LiveU for permission to use the demo account or view the URLs, the indictment alleges, he acted without authorization.

This discussion has been archived. No new comments can be posted.
  • (Score: 4, Insightful) by RedGreen on Saturday November 05 2016, @03:34PM

    by RedGreen (888) on Saturday November 05 2016, @03:34PM (#422860)

    "So, how can a white hat work in a responsible way that is distinguishable from a black hat who, when caught, only claims he is a white hat?"

    How many angels can dance on the head of a pin or if a tree falls in the forest and no one is there does it make a sound? In short, it is impossible to make that distinction; you cannot know the thoughts in a person's head while doing it. I suppose you could go with their past/present actions for determining the outcome of charges being laid for misuse. If the person never tries to seek a gain from their actions then there are no charges that can be brought but that will never happen because that would make sense and very few things the law does make sense. The bean counter mentality present in so much of it will get in the way every time.

    --
    "I modded down, down, down, and the flames went higher." -- Sven Olsen
    • (Score: 2) by Runaway1956 on Saturday November 05 2016, @05:27PM

      by Runaway1956 (2926) Subscriber Badge on Saturday November 05 2016, @05:27PM (#422884) Journal

      There probably aren't a lot of "white" hat hackers. Most of them are gray. For that matter, there are probably fewer black hats than people think. (first we have to discard the public perception that all hackers are evil - FFS the media has gone crazy with that) Some are just darker gray, others are lighter gray.

      The need to distinguish between those various shades is a real need. But gubbermint isn't interested in making any such distinction. If you do ANYTHING the government dislikes, you're facing eons in prison - like ten thousand consecutive life sentences.

      Just the threat is enough to make a reasonably light shade of gray commit suicide.
      http://www.zdnet.com/article/hacker-activist-aaron-swartz-commits-suicide/ [zdnet.com]

  • (Score: 0) by Anonymous Coward on Saturday November 05 2016, @05:14PM

    by Anonymous Coward on Saturday November 05 2016, @05:14PM (#422882)

    Anti-hacking laws only work against the white hat law abiding hackers that seek to stop the black hat hackers. The black hat hackers are going to break the laws anyways.

    • (Score: 0) by Anonymous Coward on Saturday November 05 2016, @06:36PM

      by Anonymous Coward on Saturday November 05 2016, @06:36PM (#422895)

      We should just ban all hacking, and make everyone take a full battery of psych tests every year to have a computing license. Ya that's the ticket!

  • (Score: 0) by Anonymous Coward on Saturday November 05 2016, @08:40PM

    by Anonymous Coward on Saturday November 05 2016, @08:40PM (#422920)

    So the question was "So, how can a white hat work in a responsible way that is distinguishable from a black hat who, when caught, only claims he is a white hat?"

    Change careers.

  • (Score: 0) by Anonymous Coward on Saturday November 05 2016, @09:21PM

    by Anonymous Coward on Saturday November 05 2016, @09:21PM (#422927)

    "So, how can a white hat work in a responsible way that is distinguishable from a black hat who, when caught, only claims he is a white hat?"

    Have some professional certification and oversight?

  • (Score: 2, Insightful) by Anonymous Coward on Saturday November 05 2016, @10:15PM

    by Anonymous Coward on Saturday November 05 2016, @10:15PM (#422930)

    So, how can a white hat work in a responsible way that is distinguishable from a black hat who, when caught, only claims he is a white hat?

    Uh. What's so difficult about that? White hats don't break the law. Only hack stuff legally. If DMCA applies to you, get official permission first if you're going to do any DMCA applicable stuff. If there's no permission leave it to the black hats.

    Speaking of only hacking other people's devices with permission, when is Microsoft getting prosecuted for unauthorized modification of computer systems? I'm pretty sure there were very many people who didn't want their computers upgraded to Windows 10.

    http://www.pcworld.com/article/3073457/windows/how-microsofts-nasty-new-windows-10-pop-up-tricks-you-into-upgrading.html [pcworld.com]
    https://www.extremetech.com/extreme/229040-microsofts-latest-trick-clicking-x-to-dismiss-windows-10-upgrade-doesnt-stop-upgrade-process [extremetech.com]
    Would it be legal for malware/spyware authors or hackers to do similar things to get their "upgrades" installed?

  • (Score: 0) by Anonymous Coward on Sunday November 06 2016, @02:55AM

    by Anonymous Coward on Sunday November 06 2016, @02:55AM (#422998)

    "doesn't seek to undermine IP (intellectual property) or safety of products. It helps us keep ahead of those who do seek to do harm."

    They are clearly referring to the intellectual property that corporations 'possess'.

    This just shows how spoiled corporations are with their expectations that they get to decide, for government, how important intellectual property is. They are the arbitrators of how much government values 'their' intellectual property.

    This is supposed to be a democracy and my vote is that intellectual property is not that important. I want the government to represent me no less than it represents business interests or anyone else.

  • (Score: 2) by rob_on_earth on Monday November 07 2016, @12:59PM

    by rob_on_earth (5485) on Monday November 07 2016, @12:59PM (#423462) Homepage

    Making hacking a part of everybody's everyday responsibilities and charge institutions and companies when they get hacked.

    Watch "Hackers" again at the weekend, that really is my best film ever.