Jeremiah Grossman has long stopped looking for vulnerabilities in specific websites, and even if he suspects a site to have a critical flaw that could be compromised by an attacker, he's decided to keep quiet. The silence weighs heavily on the web security researcher. While ideally he would like to find flaws, and help …
calling yourself a white hat doesn't make what you do ethical
It is generally accepted as being a good idea that it should be legal to go out and buy an instance of a padlock, be able to test it to destruction or see how easily it can be picked and then publish a report on your findings. This is also true of computer programs, other than to the extent the DMCA has been allowed to muddy this water.
It is also generally accepted that if you spot a door unlocked on your neighbour's garden shed in passing, you can legally knock on his front door and tell him about it. Again, the same is true of computer programs.
But it is not generally accepted that you can legally test the padlock on your neighbour's garden shed with lockpicks to see how long it takes to get in. Nor should it be. And yet again, exactly the same is true of computer programs.
So in what sense can we consider a group of ethically-challenged fools who don't understand this "a group of experts", whatever their technical credentials?
Calling yourself a Secure Website doesn't make your web site secure either
It's generally accepted that if you pass by the bank after hours and you see the door wide open and money scattered all over the floor, that it's all right for you to telephone the "emergency contact number" posted on the door and let them know about it, without risking any legal liabilities. If the bank operates like that, the bank's officers will be facing legal charges themselves.
Yet a Web site operator who carelessly exposes customer data, including credit card numbers, social security numbers, names, addresses, and dates of birth, risks absolutely no criminal charges under existing law. And a security researcher who sees that they have done so *is highly likely* to be brought up on charges if he tells the site operator without remaining anonymous.
I believe we need laws that specifically exempt security researchers from liabilities, provided they register with their local police departments, and disclose any vulnerabilities found to both the police and the site operator. At the same time, there should be criminal penalties for site operators who are notified (which is now documented by the researchers' notification to the police) and who do not take action to secure the data within 24 hours (weekends and holidays *not* excepted). Fines of US$10,000 per user exposed would not be unreasonable.
Kay vs. Dotes
I think Mr. Kay's analogy is the more credible.
And we certainly don't need laws to protect uninvited snoops and criminalize webmasters who don't respond quickly enough to the claims, real or otherwise, of third-party intruders.
Webmasters, and their employers, already have considerable legal and financial incentive to provide adequate site security. If they fail, they'll usually have far more to worry about than some silly $10,000 fine.
Great Train Robbery Revealed to be a Security Survey
A method crooks use is to go down hotel hallways checking for unlocked doors. If a door is unlocked they enter. If someone is in the room, they just claim to be good Samaritans doing a security check.
If someone is a security professional, they should be doing what professionals do, and set up a contract with the client before they do the work.
Passing by a bank after hours and noticing an unlocked door and money loose inside would be analogous to casually visiting a website normally and noticing a security problem in the normal process of using the website.
Clearly you have committed no crime. And, if you quietly report the problem to the site's webmaster, you are committing no crime.
If you see a "closed", "private", or "no trespassing" sign and enter a bank (without authorization) to look at what is available inside to steal, you are committing a crime even if you tell police you are a good Samaritan doing a security survey.
Likewise with websites. Entering areas posted as off-limits should be illegal.
If, to enter the bank, you use impersonation, stolen or guessed lock codes, a pry bar, etc., you are breaking the law, and claiming to be a good Samaritan doing a survey won't stop you being arrested.
Using hacking tools, stolen passwords, guessed passwords, etc. to enter a website should likewise be against the law.
If you publicize how to enter a bank illegally you are aiding someone else in the commission of a crime as an accomplice, conspirator or accessory, and it should be the same with websites and other cyber facilities.
These amateurs, joyriders, vandals and extortionists are a real problem for IT professionals. The justice system needs to deal with them much more harshly.
If it were a journalist checking for unlocked doors at the bank, or testing their security checks, then bringing it up with the bank and publishing it if they refused to acknowledge it, I doubt there'd be many people, apart from the bank, who'd be criticising the journalist for the situation.
Re: Great Train Robbery Revealed to be a Security Survey
The real problem in security is not people who test the security of websites (even illegally); it is the lazy, careless and negligent webmasters and so-called IT professionals and the way security is dealt with in general. I will take an example from a close but different field to illustrate: cryptography.
A cryptographic algorithm is not considered secure if its inner workings are unknown and are just claimed to be secure by their creators. It is especially not secure if its security relies on its workings being secret. An algorithm is only considered to be secure if its working is fully public and it has been tested by professionals and non-professionals alike for flaws and none have been found.
The same is true of websites. A web site's security should not rely on the inner workings of the website remaining secret and it being untested by anyone other than the creators and contracted professionals. Having that would be irresponsible as any flaw that was not spotted by them could be spotted by a malicious person and exploited.
If the "amateurs" and "joyriders", as you call them, test a website's security, it shouldn't be a problem to your "IT professionals". In fact, unless their intent is to harm or is malicious in any way (and we are not talking about those kinds of hackers, are we?), they are a great asset to webmasters. Indeed, non-malicious hackers don't publish flaws immediately; they contact the webmaster and warn them. If the webmaster doesn't take action then it is their own fault, and publishing the results is very ethical, since it would help warn unsuspecting users that their information is potentially at risk (and has probably been compromised) and that they should take whatever actions they deem necessary.
Webmasters should respond quickly to warnings about their security, especially if they have sensitive information about users (credit card numbers, social security numbers, etc.). They should be grateful for the amateurs who find flaws and warn them about them, since that helps them fix those flaws so that they are not exploited by malicious attackers.
I am sorry that this turned into an unplanned rant... I just hate it when somebody brings such stupid sentences out of their asses and cites them as fact: "These amateurs, joyriders, vandals and extortionists are a real problem for IT professionals."
And there I was thinking that the real problems were the script kiddies, spammers, botnet owners, worm makers and malicious attackers... But no, no, the real problem was those people looking for security flaws in websites and reporting them to the webmasters.