It is now legal to hack into any company or government institution in Belgium, but only under certain circumstances.
That's the result of a new law on whistleblower protection that came into effect on February 15. Under the law, any citizen of Belgian nationality is allowed to breach networks of Belgian legal entities without any prior notification or consent, provided he/she describes and reports the breach to the Centre for Cybersecurity Belgium within 72 hours, and does not request a reward for it.
This new framework allows any natural or legal person, acting without fraudulent or malicious intent, to investigate and report existing vulnerabilities in networks and information systems located in Belgium, provided that certain conditions are strictly respected (see detailed explanations).
Do you think those hacking misfits should have any protection at all? Which legal framework exists for hackers in your country?
[Editor's Comment: The new law is specifically targeted at pen testers or 'ethical hackers' - it applies only to those acting "without fraudulent or malicious intent". There are specific "obligations in the context of the search for and reporting of a vulnerability" which are fully explained in the linked article. Whether or not such obligations will be abused or ignored is yet to be seen. --JR]
(Score: 4, Insightful) by Runaway1956 on Sunday February 19, @06:32AM (15 children)
Seriously, if any corporation leaves its data exposed to the internet, then it's fair game. The devil take TOS agreements and all that jazz, if the data is exposed, it is exposed. There has been more than one "vulnerability" published in which all you had to do was edit a valid URL for your own account to gain access to other people's accounts. That one can't even be called a vulnerability - the idiots just put everyone's information up for the public to browse!
Fix the system, incorporate reasonable security, before anyone can be accused of "hacking" your systems!
That said, white hat pen testers should be welcome everywhere. How do you tell a white hat from a black hat? That's really freaking simple. The white hat tells YOU about your vulnerabilities. The black hat sells that information to the highest bidders, unless he is after the data for himself. The white hat may or may not accept a reward, that's between you and him, but if he tells you first, then he's either white, or at least a light gray.
Good for Belgium. The rest of the world needs to follow suit.
Abortion is the number one killer of children in the United States.
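The "edit the URL of your own account" flaw described in the comment above is a missing object-level authorization check: the server trusts the identifier in the request and never asks whether the logged-in user owns that record. The following is an added illustration, not code from the commenter or from the article: a lookup handler with that defect beside a hardened version, plus a small detector that flags a session walking through many different account ids in an access log. The account data, the host `bank.example.invalid`, the `<session> <url>` log format and all function names are constructed for the example.

```python
"""Added example (not from the comment author or the article): an
account-lookup handler with the 'just edit the URL' flaw, a hardened
version with an ownership check, and a log-based detector.
All data, hostnames and function names here are constructed."""
from urllib.parse import urlparse, parse_qs

# Constructed sample data: account records keyed by numeric id.
ACCOUNTS = {
    1001: {"owner": "alice", "email": "alice@example.invalid", "balance": 120.0},
    1002: {"owner": "bob",   "email": "bob@example.invalid",   "balance": 87.5},
}


class Forbidden(Exception):
    """Raised when the caller may not access the requested record."""


def account_id_from_url(url: str) -> int:
    """Extract the account id from a URL like https://host/account?id=1001."""
    query = parse_qs(urlparse(url).query)
    return int(query["id"][0])


def lookup_vulnerable(session_user: str, url: str) -> dict:
    """The flaw: the id in the URL is trusted as-is, and session_user is
    never compared against the record's owner, so changing ?id=1001 to
    ?id=1002 returns someone else's account."""
    acct_id = account_id_from_url(url)
    return ACCOUNTS[acct_id]


def lookup_hardened(session_user: str, url: str) -> dict:
    """Same lookup with an object-level authorization check: the record
    is returned only if it belongs to the authenticated user."""
    acct_id = account_id_from_url(url)
    record = ACCOUNTS.get(acct_id)
    # Use one error for both 'unknown id' and 'not your record' so the
    # response does not reveal which ids exist.
    if record is None or record["owner"] != session_user:
        raise Forbidden(f"{session_user} may not access account {acct_id}")
    return record


def is_denied(session_user: str, url: str) -> bool:
    """Convenience wrapper: True if the hardened lookup refuses access."""
    try:
        lookup_hardened(session_user, url)
    except Forbidden:
        return True
    return False


def suspicious_sessions(log_lines, threshold: int = 3) -> dict:
    """Detection side: count the distinct account ids each session touched.
    A legitimate user views their own account; a session that browses
    many different ids is the pattern this flaw produces when exploited.
    Returns {session_id: distinct_id_count} for sessions at or above
    threshold. Log format (constructed): '<session> <url>' per line."""
    seen = {}
    for line in log_lines:
        session, url = line.split(" ", 1)
        seen.setdefault(session, set()).add(account_id_from_url(url))
    return {s: len(ids) for s, ids in seen.items() if len(ids) >= threshold}


# Constructed access log: session s1 steps through consecutive ids.
SAMPLE_LOG = [
    "s1 https://bank.example.invalid/account?id=1001",
    "s1 https://bank.example.invalid/account?id=1002",
    "s1 https://bank.example.invalid/account?id=1003",
    "s2 https://bank.example.invalid/account?id=1002",
]

if __name__ == "__main__":
    bob_url = "https://bank.example.invalid/account?id=1002"
    print("vulnerable handler returns:", lookup_vulnerable("alice", bob_url))
    print("hardened handler denies alice:", is_denied("alice", bob_url))
    print("sessions touching >= 3 distinct ids:", suspicious_sessions(SAMPLE_LOG))
```

The fix is the single ownership comparison in `lookup_hardened`; note that it denies unknown ids with the same error as foreign ids, and that the detector only needs session and URL fields, which most web server logs already carry.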
(Score: 3, Insightful) by driverless on Sunday February 19, @09:14AM (13 children)
Yup. This is what's possible in a country where lawmaking isn't being run by vested interests and it's still possible to pass laws pro bono publico rather than pro bono corporations.
(Score: 2, Disagree) by Ingar on Sunday February 19, @10:09AM (10 children)
You obviously have no clue about Belgian politics.
All in all, this is a bad idea. It just gives the Chinese hackers a free pass to slurp up that corporate data and get away with it.
If you have some real balls: NATO headquarters is in Belgium.
(Score: 3, Touché) by driverless on Sunday February 19, @10:13AM (8 children)
[Citation needed].
(Score: 3, Touché) by Frosty Piss on Sunday February 19, @10:31AM (3 children)
They need only to hire a Belgian to do their dirty work.
(Score: 2) by Ingar on Sunday February 19, @10:37AM (2 children)
Make me an offer I can't refuse.
(Score: 1) by jelizondo on Sunday February 19, @06:38PM (1 child)
I guess you didn’t see the movie [wikipedia.org]…
Corleone is a mafia boss, when he makes you an offer, you can’t refuse; if you do, you’re dead.
So please don’t go around asking people to make you offers you can’t refuse, it’s bad for your health.
(Score: 0) by Anonymous Coward on Monday February 20, @04:16AM
Perhaps closer to home is https://en.wikipedia.org/wiki/In_Bruges [wikipedia.org]
Filmed in Bruges, Belgium, all about pointless violence (my impression after seeing the film).
(Score: 3, Touché) by Ingar on Sunday February 19, @10:34AM (3 children)
"Hi, I'm a (Chinese) ethical hacker and I breached your system. As required by law, my front cover organization will inform you within 72 hours. I swear I did not make extra copies of the data I found."
The reasoning this won't happen is that black hats don't want to attract attention.
I'll keep you informed.
Fun fact: in 1988 two men were convicted for hacking the govt's BISTEL system. The prime minister hadn't changed his default password.
(Score: 4, Insightful) by driverless on Sunday February 19, @10:42AM (2 children)
What Chinese, or Russian, or North Korean, hacker would actually do this? They break in, they steal everything, they leave quietly and you never even know it happened. Why would they draw attention to what they've done? That makes no sense whatsoever.
(Score: 2) by Ingar on Sunday February 19, @11:09AM (1 child)
Maybe, but what does make sense is that the past weeks companies have been scrambling to do PEN tests.
Now I understand why. Good times to be a PEN tester.
I admit, I'm too lazy to look up this bill's history and who sponsored it and all that. But our current government are a bunch of squabbling toddlers and I have zero confidence this bill won't have unintended consequences, not to mention glaring holes.
For my current job, I had to sign a stack of confidentiality agreements, provide proof of a spotless criminal record and even with that I'm not allowed to actually look at the data I can access (literally). But an ethical hacker can now?
As a private person, I also run a number of web servers. Is it legal to hack those?
The real life equivalent of this would be coming home and finding the LockPickingLawyer in your living room after he PEN tested your front door lock.
(Score: 1) by Runaway1956 on Sunday February 19, @04:08PM
I don't even know what LockPickingLawyer drinks. Hope it's coffee, because right after he explains who he is, I'll be making a cup, then picking his mind. It's not every day a celeb comes to my house.
Oh - I'm far more likely to recognize LockPickingLawyer than any movie actor or sports star. And, far more likely to be interested in whatever he has to say.
Abortion is the number one killer of children in the United States.
(Score: 3, Insightful) by Anonymous Coward on Sunday February 19, @12:18PM
What are you on about? Bad actors won't report anything and will grab whatever they can. This way locals can try to make sure the local systems are better armored without being afraid of wasting their lives in prison for the good they've done. You know the saying "no good deed goes unpunished"? This is to fix that.
(Score: 3, Informative) by quietus on Sunday February 19, @12:37PM
Actually, the United States is a bit of a frontrunner in all this -- since March 2022, the Cybersecurity and Infrastructure Security Agency (CISA) vulnerability disclosure platform is active. The goal there is to improve the security of federal agencies' internet-accessible systems. As long as you do your hacking attempt in 'good faith', you're protected by Binding Operational Directive 20-01 [cisa.gov], which states 'good faith' as:
(Score: -1, Troll) by crafoo on Sunday February 19, @01:00PM
What does that even mean? Politics exists because a group of people want government: they want someone to keep things protected and organized to further their "vested interests".
I think what you mean is that the government is serving someone else's interests and not yours, which you don't like, but you aren't all that self-reflective about.
Also, the problem with your lawmakers isn't that they aren't serving your particular interests, it's that they are (in all modern western countries) serving foreign international interloping middle eastern coin clipping camel fuckers.
(Score: 0) by Anonymous Coward on Monday February 20, @01:04AM
But...but..but...if someone exposes a vulnerability, especially one created through incompetence, it could (gasp!) negatively affect the stock price! Even worse, it could negatively affect C-suite bonuses!
And that, of course, is just unacceptable. Much better to harass, via civil suit and encouragement of criminal prosecution, anyone who might dare to "expose" some minor (more likely non-existent) flaw that certainly isn't the fault of those who get hurt -- no, not the cattle^W^W our customers, our executives!
We are the face of capitalism and must be shown to be superhuman titans of industry (a fanfare [wikipedia.org] must be included when saying such a phrase!), incapable of error or misjudgement!
We have one duty, to protect value (in the form of stock prices) for the shareholder. No other activity is this important. Medicine? Useless! Education? Only for the pool of self-entitled sociopaths -- like me! -- who really need to understand how to fleece^W serve our vassals^W valued customers. For anyone else? A waste of time and money!
But we do know how to deal with such things quietly and efficiently. Whether that requires cash payouts or tragic auto accidents, muggings gone wrong and/or being vanished from the face of the Earth.
Quarterly earnings and stock prices must be protected at all costs. So what if we pay the lawyers even a few million to make these worthless busybodies realize they're out of their league (or likely to die soon)? That's chump change when a $0.50 shift in the stock price represents tens of millions in "value".
Those responsible for this outrage will be dealt with quickly, harshly and permanently, with no hint that a practiced hand is guiding it all.
If you have any doubts about this, I suggest you educate yourself [wikipedia.org]. You've been warned!
(Score: 2, Insightful) by bzipitidoo on Sunday February 19, @11:03AM
Well, I still won't be trying to hack into anything anywhere. One of the best protections I had, being a minor, is long gone. Look at what was done to Aaron Swartz. Some of law enforcement were stupid bastards letting their fears of hackers run amok, and some were scumbags looking to score kudos for being tough on crime, exploiting public fears of hackers, and still others believe in terrorizing to stop crime. For all those reasons, they went nutso on him. They didn't press a knee into his neck until he died, but they may as well have. Then there's the case that led to the launch of the EFF, in which law enforcement went way overboard against Steve Jackson Games because they didn't get that this was a gaming company that had made a game about hacking. They thought the game was real.
Even being a minor doesn't assure complete safety, just consider what DVD Jon had to go through. Though he was acquitted, he was facing the threat of 2 years in prison, all because a group of business idiots willed that the universe work in a way that it does not, but nevertheless tried to make it so with the force of human law, and blamed him for exposing that it didn't work. They knew they were full of crap. They wanted to make an example of him, to scare all the other geeks away from hacking.
This law is at least a recognition that such activities can be helpful, but I think it isn't enough.
(Score: 3, Interesting) by quietus on Sunday February 19, @01:00PM (2 children)
It's a matter of nuance, of course, but I do not completely agree with the wording of the Editor's comment, i.e. the "specifically targeted at pen testers or 'ethical hackers'" bit. There's no requirement to be registered as a security company or ethical hacker.
This is important, as it opens an interesting career pathway.
Imagine you are a software developer or network engineer with some years of experience, wanting to move into the security business. Previously, you had the legal [and hence, income] risks, as well as the question of how to build a client portfolio, blocking you.
Now those legal risks have gone, and you can gain practical experience, while discovering market potential.
(Score: 2) by janrinok on Sunday February 19, @06:43PM (1 child)
That's a fair point and I accept the criticism.
(Score: 3, Insightful) by quietus on Monday February 20, @04:23PM
No criticism. You do an excellent job in editing stories/writing them up.
It is generally better, or at least more interesting, to wait a few days until a story is posted at soylentnews, and discover the real issue, than to follow the news cycle at other tech sites -- apart from El Reg. And that is thanks to you, and hubie.
You have my respect.
(Score: 2) by istartedi on Sunday February 19, @08:00PM
Just don't skateboard all over their data.