DOJ Says It Won't Prosecute White Hat Security Researchers (vice.com) 38
The Department of Justice announced today a policy shift in that it will no longer prosecute good-faith security research that would have violated the country's federal hacking law the Computer Fraud and Abuse Act (CFAA). Motherboard: The move is significant in that the CFAA has often posed a threat to security researchers who may probe or hack systems in an effort to identify vulnerabilities so they can be fixed. The revision of the policy means that such research should not face charges.
"Computer security research is a key driver of improved cybersecurity," Deputy Attorney General Lisa O. Monaco said in a statement published with the announcement. "The department has never been interested in prosecuting good-faith computer security research as a crime, and today's announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good." The policy itself reads that "the Department's goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems."
"Computer security research is a key driver of improved cybersecurity," Deputy Attorney General Lisa O. Monaco said in a statement published with the announcement. "The department has never been interested in prosecuting good-faith computer security research as a crime, and today's announcement promotes cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good." The policy itself reads that "the Department's goals for CFAA enforcement are to promote privacy and cybersecurity by upholding the legal right of individuals, network owners, operators, and other persons to ensure the confidentiality, integrity, and availability of information stored in their information systems."
Baby Steps (Score:4, Insightful)
Re: (Score:3)
DOJ not prosecuting is one thing. That's doesn't mean that Apple, MS, Alphabet won't come after you with civil litigation that will destroy your life and career when you have to defend it. Will they be grateful you came forward? All signs point to "no".
I was from the generation that had latchkey kids. That was followed by the one with helicopter parents. Is baby's first corporate lawsuit is a thing now?
If not, the metaphor is lost on me.
Re: (Score:2)
Re: (Score:2)
It's worse than that. This is a policy shift, not a legal shift, and policies can change again without notice.
Re: (Score:1)
The reality is, at least in the US you never really needed the the extra push from the DOJ as the laws, licenses, state laws,... made it possible to do "anything" at all, anything meaning "something" constructive. The incentive is now for employees to do "something" while being under contract when the trend was to do "nothing" and get paid to complain about "nothing" at all....
Tell Edward Snowden about it (Score:5, Interesting)
And Phil Zimmerman. The DoJ has a very poor history of accusing white-hat researchers of treason, especially when they publish their work.
Re:Tell Edward Snowden about it (Score:5, Interesting)
Re: (Score:2)
I know you may be too old for this, but no he used rewritable CD-RWs which were this crazy plastic spinning disc that can be burned not once, but multiple times.
Do you read?
Re: (Score:2)
You're thinking of Bradley Manning. Snowden was employed as a sysadmin/project manager for the CIA and NSA.
Re: (Score:1)
Most of snowden's disclosure was publicly available information. So he didn't have to steal the data then run to Russia. He could have found a project to contribute to while making the same claims. The problem was he likely would have do so on his own time and would have likely left his government job eventually to continue his work if he was worth a damn... Manning was in the same position I think.
Re: (Score:2)
And saying that they won't isn't remotely the same as fixing the law to disallow for prosecution and setting some standards as to what 'what hat' hacking actually is. It also doesn't stop everyone else from suing under the law either, because since the law isn't changing, they can say, "you broke this law and caused us financial harm". Nor does it stop them from ignoring this policy and rationalizing why after the fact.
Re: (Score:2, Insightful)
Yeah the announcement is that they're not going to go after white hat hackers who breach the Computer Fraud and Abuse Act (CFAA.) Neither of the examples you give are of either "white hat hacking" - doing something illegal for the right reason only counts as "white hat hacking" if, you know, computer hacking is involved, nor do they concern the Computer Fraud and Abuse Act (CFAA): one was accused, but ultimately not tried, of violating laws on exporting munitions, and the other leaked massive amounts of of
Re: (Score:3)
Neither Zimmerman nor Snowden... and if we're including the latter, let's add Chelsea Manning as well... were white-hat hackers. I'm not even sure what to call Zimmerman. Building a tool that makes it harder for the government to to spy on us might count as "hacking" under the old-school MIT definition. But that was neither a white nor black hat "hack" under the current vernacular. All he ever did is annoy and make a fool of some crooks who had enough power to bring grief upon him for doing so. Nor wer
Re: (Score:1)
let's add Bradley Manning as well...
FTFY.
Chelsea was Bradley at the time. So it's fully appropriate in this case to use her deadname when speaking of a time before she was Chelsea.
Re: (Score:1)
No. You can fuck right off with that bullshit. You didn't "fix" anything. If you want to hate on her for being trans, that's 100% on you. Grow a pair, log in, and post your hate under your own name. Don't try to put your words in my mouth.
Re: (Score:2)
For older colleagues or supporters of transgender people, it's an acknowledgement of the difference in personality and identity. For some trans activists who claim that transgender treatment is not "transformation", it's "confirming" the gender the people have always been, it's deadnaming and considered a form of assault, though finding a court to convict anyone for "assault" for using their old name would be difficult. It's a sensitive subject.
bad faith vrs. good faith (Score:1)
How we subjectively interpret your actions will still be decided along party lines. Trust us.
Not good enough (Score:3, Insightful)
Congress has to rewrite the law, or the next prez is just going to order the DOJ to go after them again
Re: (Score:3)
No one need fear the DOJ! (Score:2)
Re: (Score:2, Insightful)
Or you speak up at a school board meeting.
Dangerous, welcome to ransoms (Score:3)
This makes sense for large tech companies that serve millions of customers; certainly. If there's a bug in iOS, apple wants to know.
But there's a problem with this: it's the definition of "white-hat".
If you're probing a small-business, as a "white-hat", and you find a hole (which is obviously very likely), there's a great chance that the small company can't do anything to fix it. I don't mean they aren't capable, I mean they don't have the resources.
Most small businesses operate with very little security, because they aren't big-enough to be targets in the first place.
So, if you're a "white-hat", and you probe a small business, and you find a hole, and you report to that small business: "pay me for finding it, or I'll report you to your insurance company", well, that's a pretty tidy ransom scheme.
Long ago, we had something called a Private Investigator's licence. It meant that you were trusted (like any other licenced professional) to act in the best interest of not yourself. Like with all licences, it was something that you would lose if you held people for ransom.
This is the equivalent of letting me throw rocks at your windows, just to check to see if they break -- which would be a huge security hole.
Again, for public services, common carriers, and any equivalently-mass-market company, that's one thing. But for small business, and for personal security, it's permission to extort.
Re: (Score:2)
Re: (Score:2)
Well, that's exactly what I said. If the ruling doesn't include an adequate definition of "white-hat", it doesn't matter what anyone in their right mind would do. It matters what the law says. It doesn't even matter what a judge would do -- just getting to the judge is already enough to destroy a small business. The extortion comes long before the courtroom.
And don't forget, extortion needn't be explicit: "Hi, White-Socks Manufacturing. I found a bug in your e-mail software. Just so you know, it's my
Re: (Score:3)
Re: (Score:3)
It's not "extortion" if I'm not asking you for your money. If I'm just telling you my policy, it's not extortion.
That's why pay paying me is a bribe, not a ransom.
No idea why you're talking about shooting up malls. But there's absolutely no way that a small business is going to report a pseudo-extortion threat. That's the very point of black-mail.
And, when it comes to government, law, and by-laws, enforcement policies are integrated under "common-law" -- so yes, absolutely, "policy" becomes "law" very qu
So Everyone Is A White Hat (Score:3)
Glad we got that all sorted out.
Why, yes, I WAS looking for vulnerabilities in your data folder!
not prosecuting white hat researchers (Score:2)
Re: (Score:3)
That would be Mike Parson. Worse, the person was actually also a journalist and should be even more protected in their speech about the flaw.
https://www.stltoday.com/news/... [stltoday.com]
weev (Score:2)
Gotta wonder where they think weev falls on this new spectrum. That guy is a complete douche, but he didn't actually hack ATT he only used a public interface. So does exposing data cross the line here?
No important... (Score:2)