It may be ILLEGAL to run Heartbleed health checks – IT lawyer

Websites and tools that have sprung up to check whether servers are vulnerable to OpenSSL's mega-vulnerability Heartbleed have thrown up anomalies in computer crime law on both sides of the Atlantic. Both the US Computer Fraud and Abuse Act and its UK equivalent the Computer Misuse Act make it an offence to test the security of …

COMMENTS


Authorised

And is there a definition of "authorised" scanning?

Just who in a business needs to engage with a third party and authorise them to run the scan? Is it the Head of IT Security? Is it the Head of IT? Is it the CEO who needs to authorise the scan? Is it actually agreed in writing in the job description of each person, or is there a gap which could leave the third party vulnerable to prosecution if it turns out it was the wrong person who requested the scan?


Re: Authorised

It's authorised if it's GCHQ doing the scanning. That's all you need to know ;-)


Re: Authorised

I believe this is covered by 3.1 (b) "at the time when he does the act he knows that it is unauthorised."

So I believe the correct answer is 'any of the above'.


Re: Authorised

I've always wondered that. E.g. if someone called me asking for a penetration test to be performed on their network, signed all the normal contracts etc., then turned out to be either someone without the proper authorization, or someone completely unrelated to the company... who would be liable? Is there a precedent for this sort of thing?


Re: Authorised

The person doing the scanning needs to get the permission of a legal representative of the company - that means somebody who is authorized to speak on behalf of the company, in legal terms, not just any old employee.

Most companies have such things defined - I'm not sure how it is in the UK, but probably they have to be registered at Companies House as the speaker? Certainly only one of our directors (here in Germany) is allowed to speak "on behalf of the company."


Re: Authorised

Due diligence.

If someone gave you a contract to rob a bank in the high street you would be responsible.

Someone driving for a living (bus driver, truck driver, taxi driver, ... ) instructed by boss to get there in ten minutes, driver breaks speed limit to get there in 10 minutes, driver broke law, driver (not boss) is responsible.


Re: Authorised

Well I can tell you, lots of pen-testing companies don't do due diligence! I don't ever remember a pen testing firm asking me to confirm my identity...


Re: Authorised

The law is an ass. If I'm trusting another party with my details and I have doubts about their security, I'm going to check it.

I probably wouldn't do that if it involved testing explosives against a safe or something else that caused damage, but if I can inspect without breaking something, I will.


Re: Authorised

I can see it now, standing in front of the court, "yes m'Lud, I was just checking Barclays' security, when I broke into their vault. After all, I wanted to be sure my money was safe."


Re: Authorised

This may be the case in the USSA; however, in the UK the employer would be guilty of procuring the offence of speeding, and timetables etc. can be admitted as evidence to establish that it would be impossible to complete them without speeding.


There is a definition of "authorised" scanning.

This is in the case of third party penetration-testers, so they can go about their business without being misidentified as some 'l33t haxxxor' and put in the slammer for it.


Re: Authorised

Would the NSA be authorized to scan? Perhaps we can convert it into something useful... scan the whole world for SSL bugs.

Anonymous Coward

Re: Authorised

On the other hand, a member of the secret service hires you to test their security in order to be as prepared as possible, but it turns out that member did not have appropriate security clearance, though it seemed to you that he did. He could have documents signed by other secret service agents, maybe signed by a senator or 2. Does your example still hold up?


Re: Authorised

But it would appear that they have been doing this quite effectively - for the last couple of years, in fact. Although they must have forgotten to have put out the press-release about it.

ql

Politicians....

Politicians and Whitehall wonks - the next thing there'll be a law making Reality illegal when it refuses to conform to their ideas of how things should be. It would be interesting to see an analysis of technology laws in the light of this type of event and to see how much law is there to prevent really bad things from happening and how much is, for example, "rights holders" wishlists or similar results of lobbying.

Anonymous Coward

Re: Politicians....

"the next thing there'll be a law making Reality illegal"

The next thing? They already do this, all the time, based on their ideas of which particular junta is currently governing our green and pleasant land.


Re: Politicians....

You mean, for example, the person who was arrested at the Cenotaph for reading out the names of the war dead?

The Cenotaph was, one would have thought, the appropriate place for this; the names of the fallen were factually correct. No other information was given or implied and it still warranted an arrest.


Re: Politicians....

"the next thing there'll be a law making Reality illegal"

Can we get this changed:

"the next thing there'll be a law making Reality TV illegal" ?

that'd make today a worthwhile day ...

Anonymous Coward

Re: Politicians....

@billse10

re: "that'd make today a worthwhile day."

I sincerely hope not. This is (allegedly still) a free country. Just ignore what you don't like.

Unfortunately, the politicians have the ability to outlaw what THEY (or the Daily Fail) don't like, which, with the current crop of robber barons in power, is quite scary.

Despite their stated desire for smaller government, they want just the opposite. After all, Nanny knows best.

Anonymous Coward

Re: Politicians....

"The Cenotaph was, one would have thought was the appropriate place for this, the names of the fallen were factually correct. No other information was given or implied and it still warranted an arrest."

Nothing would have stuck in court though. Shame the pigs don't realize this, otherwise they themselves wouldn't be wasting police time (another offence) with this.


Re: Politicians....

Doesn't matter anymore though - they don't need a conviction.

They have your DNA and will keep it forever, so a little laboratory mistake down the road and you are a convicted rapist/child abuser.

The record that you were arrested gets reported every time you need to apply for permission to work in schools, volunteer with the "vulnerable" or coach a kids' soccer team.

You will have to go through a long and complicated visa procedure to visit many countries - even if arrested but not convicted.


Anonymous Coward

Re: Politicians....

"Doesn't matter anymore though - they don't need a conviction."

Yes they do.

"They have your DNA and will keep it forever"

Wrong again, they are compelled to remove it after a set duration and then if asked, they have to by law. If it is found that they have lied, they can be done for contempt.

"so a little laboratory mistake down the road and you are a convicted rapist/child abuser."

Again, they can be sued for every penny leaving them no resources to police anymore. The police already have a battered reputation, this would finish them off, especially if you're a big name celebrity.

"The record that you were arrested gets reported everytime you need to apply for permission to work in schools, volunteer with the "vulnerable" or coach a kids soccer team."

Arrests don't typically get kept 'forever' and even then, they will be grateful not to see an actual conviction come from it, the judge doesn't say "You are free to leave this court without a stain on your character" for no reason. If they still use it against you, they can be sued for defamation of character and other offenses and you'd win.

"You will have to go through a long and complicated visa procedure to visit many countries - even if arrested but not convicted."

citation badly needed.


Re: Politicians....

>> "You will have to go through a long and complicated visa procedure to visit many countries - even if arrested but not convicted."

> citation badly needed.

Here: We recommend that anyone who have ever been arrested and/or convicted of an offense apply for a visa ... The Rehabilitation of Offenders Act does not apply to United States visa law. Therefore, even travelers with a spent conviction are required to declare the arrest and/or conviction

Anonymous Coward

Re: Politicians....

"We recommend that anyone who have ever been arrested and/or convicted of an offense apply for a visa ... The Rehabilitation of Offenders Act does not apply to United States visa law. Therefore, even travelers with a spent conviction are required to declare the arrest and/or conviction"

Good job the most corrupt country in the world, the USA, is on my (and countless others) list of never to visit countries, for this and other reasons ;)

USA = Land of the Fee and Human Rights be damned.


Users?

"The mega-vulnerability was patched earlier this week but to resolved the problem users* need to get a new public/private key pair and update SSL certificates before requesting that users change every potentially compromised password."

Don't you mean *site admins?

(Written by Reg staff)

Re: NogginTheNog and Destroy All Monsters

I've tweaked that par – don't forget to email corrections@thereg if you spot any weirdness so things can be quickly fixed.

C.


"Just phone up your friendly Romanian"

lift anything from the memory of a secure server

Actually randomly lift 64K from the process answering the SSL heartbeat.


Thats the problem

With laws

They tell you what you can't do, not what you should do

& are enforced by a pack of grossly overpaid people


Re: Thats the problem

They aren't overpaid, they are just evil and on the take.


Re: Thats the problem

>>"They tell you what you can't do, not what you should do"

Actually I'm fine with laws being based around forbidding certain things, rather than forcing new behaviour. All else being equal, the latter has far more potential for abuse and is a lot more coercive.


Re: Thats the problem

Any law that does not protect the people, is tyranny.


Re: Thats the problem

Do you mean all of the people, most of the people, some of the people, a few of the people or just a couple of individuals?


Re: Thats the problem

> With laws

In England, the set-up is that everything not forbidden is allowed, though I understand it's often the other way around in foreign parts.

Actually the UK is getting much worse, with overly broad laws apparently specifically designed to ensure that everyone breaks the law and then the powers that be can just pick and choose whom to prosecute.

I guess it goes back to "is it a feature or a bug?" It looks like a deliberate breach of privacy policy to me! ;)


Re: Thats the problem

"Any law that does not protect the people, is tyranny."

Unless the law protects people from themselves, then it is also tyranny.

/eat your vegetables citizen

/don't smoke or drink citizen


Re: Thats the problem

"I guess it goes back to "is it a feature or a bug?" "

If we made companies liable for bugs instead of users, we'd have much better quality software out there.


Re: Thats the problem

> If we made companies liable for bugs instead of users, we'd have much better quality software out there.

If you did that then there would be more lawyers than software developers. There would be very little software out there and what there was would be prohibitively expensive.

Oh, and users are not liable for bugs.


You don't need to set the payload length to 64k to test a server. Setting the length to 2 bytes would do for server testing, so all you would be getting back is one extra byte.


Couldn't you go short a byte too? I'll admit, I'm going based on the XKCD explanation here... but if you were requesting, let's say, 10 bytes, but set the length to 5 bytes, you'd know the bug works, right?

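As an added illustration of the payload-length point raised in the two comments above (example code written here, not from the thread, the article, or OpenSSL's source; all function names are my own): the length check that RFC 6520 requires, applied to two constructed heartbeat records, beside the unchecked behaviour for contrast.

```c
/* Added example, not code from the thread or from OpenSSL: the RFC 6520
 * heartbeat length check that Heartbleed omitted, run on constructed records. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of random padding */

/* Record layout: type(1) | payload_length(2, big-endian) | payload | padding.
 * Returns how many payload bytes a compliant server may echo, or -1 when
 * the record must be silently dropped. */
static int hb_echo_len_checked(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    /* The missing check: header + declared payload + padding must fit inside
     * the bytes actually received, otherwise the echo would copy memory
     * beyond the end of the received record. */
    if (1 + 2 + declared + HB_PADDING > rec_len)
        return -1;
    return (int)declared;
}

/* Pre-patch behaviour for contrast: the declared length is trusted, so the
 * echo size is whatever the peer claimed, regardless of rec_len. */
static int hb_echo_len_unchecked(const uint8_t *rec, size_t rec_len)
{
    (void)rec_len;
    return ((int)rec[1] << 8) | rec[2];
}

/* Construct a request carrying `present` payload bytes but declaring
 * `declared`, followed by padding. Returns the record length. */
static size_t build_request(uint8_t *out, unsigned declared, size_t present)
{
    out[0] = HB_REQUEST;
    out[1] = (uint8_t)(declared >> 8);
    out[2] = (uint8_t)declared;
    memset(out + 3, 'A', present);
    memset(out + 3 + present, 0, HB_PADDING);
    return 3 + present + HB_PADDING;
}

/* The two cases from the thread. checked=1 applies the RFC check,
 * checked=0 reports what unpatched code would echo. */
static int echo_len_for(unsigned declared, size_t present, int checked)
{
    uint8_t rec[64];     /* present must stay <= 45 to fit with padding */
    size_t n = build_request(rec, declared, present);
    return checked ? hb_echo_len_checked(rec, n) : hb_echo_len_unchecked(rec, n);
}
```

Declaring 2 with 1 byte present is dropped by the checked path (-1) while the unchecked path would echo 2; declaring 5 with 10 bytes present passes both paths and echoes 5, i.e. nothing beyond what was sent.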

What is the purpose of checking another site ?

The recommendations appear to be to change passwords but not bother until the site(s) have patched the problem. As a result I have changed many passwords in the last few days, I have often used one of these vulnerability checkers to see if the site was no longer vulnerable (or maybe never was).

The intention is to protect my security, not to try to break in somewhere. Also, scanning implies testing many machines, usually at random; I have done targeted testing of sites where I have accounts.

So, PC Plod: if I have done wrong email me via el-Reg and come to arrest me. My conscience is clear.

Disclaimer: I did not read the relevant acts before writing this.


Re: What is the purpose of checking another site ?

Disclaimer: I did not read the relevant acts before writing this.

Ignorance of the law is no excuse, especially when there are targets to be met.

Anonymous Coward

Dodgy website admins

If I'm driving along Her Maj's tarmac in a dodgy car (I don't know the brakes fail doing over 50), I'm still liable because it's my car that's at fault.

Surely the website admins are running dodgy vehicles on the super highway and should be treated the same?

Anonymous Coward

Re: Dodgy website admins

"Surely the website admins are running dodgy vehicles on the super highway and should be treated the same?"

An interesting analogy, but how far do you take it and where does it end? With you, because your home PC is an unwitting member of a Botnet after you neglected to install those updates after the last patch Tuesday? Extraordinary rendition for Windows XP users, maybe?

TRT

Re: Dodgy website admins

If you are going to cruise the information superhighway, do it in style and wind down the windows.


Re: Dodgy website admins

Certainly under German law, if your server has poor security and somebody uses it to cause damage on other servers / PCs, then the server owner is responsible for reimbursing for the damage caused. You can only hope that you can prove you aren't the end of the chain...


Re: Dodgy website admins

If I'm driving ... a dodgy car...I'm ... liable...Surely the website admins are running dodgy vehicles on the super highway and should be treated the same?

If I kill a person, I could be guilty of murder. If I kill, a process...

What's the tariff for flogging an analogy?


Re: Dodgy website admins

The computer provider should provide the means or the information for a computer owner to keep kit free from malware and not free.

Analogy: car, driver, car owner

Car owner has a duty to make sure car is roadworthy.

Oh! Bloop!

Here in the UK that might mean annual computer worthiness checks with MOT certificate

Bloop bloop de-bloop!


Re: Dodgy website admins

IANAL but.....

To answer this in terms of your analogy. If your brakes fail because you have mistreated them or not maintained them then that is your fault. However if your brakes fail due to a design flaw from manufacture then really it is the manufacturers fault.

Server operators were using OpenSSL in good faith, they had no reason to expect this vulnerability.

Of course now they are aware of it, it becomes their responsibility.

Also, liability prior to the fault being known will likely vary by jurisdiction and by whether the claim is criminal or civil. In some cases, particularly civil ones, the owner of the faulty equipment would be liable, and then in turn have to sue the provider of the faulty component; in other cases the owner may be able to pass liability directly off to the supplier.

Also in another quirk of law, if for instance you killed someone in your car due for example the brakes failing and the throttle locking full open due to an unannounced manufacturing fault, you would in most jurisdictions I believe be open to a criminal prosecution for murder/manslaughter/causing death by dangerous driving (depending on particular local statutes). However if it was known to be caused by a manufacturing fault the authorities would likely not pursue a prosecution or if it went to trial you might find a judge would give a directed verdict of not guilty.


Re: Dodgy website admins

If it turns out that your car, along with others of the same model, have a hidden design fault that causes brake failure then you're probably OK provided you don't know about it until after the event. Once you know it might be a problem, liability is yours if you don't get it fixed pronto.


Re: Dodgy website admins

"What's the tariff for flogging an analogy?"

Marathon reality TV.

Off you go.
