It may be ILLEGAL to run Heartbleed health checks – IT lawyer

Websites and tools that have sprung up to check whether servers are vulnerable to OpenSSL's mega-vulnerability Heartbleed have thrown up anomalies in computer crime law on both sides of the Atlantic. Both the US Computer Fraud and Abuse Act and its UK equivalent the Computer Misuse Act make it an offence to test the security …

COMMENTS

This topic is closed for new posts.


  1. Velv
    Headmaster

    Authorised

    And is there a definition of "authorised" scanning?

    Just who in a business needs to engage with a third party and authorise them to run the scan? Is it the Head of IT Security? Is it the Head of IT? Is it the CEO who needs to authorise the scan? Is it actually agreed in writing in the job description of each person, or is there a gap which could leave the third party vulnerable to prosecution if it turns out it was the wrong person who requested the scan?

    1. Anonymous Coward

      Re: Authorised

      It's authorised if it's GCHQ doing the scanning. That's all you need to know ;-)

    2. Richard 26

      Re: Authorised

      I believe this is covered by 3.1 (b) "at the time when he does the act he knows that it is unauthorised."

      So I believe the correct answer is 'any of the above'.

      1. h4rm0ny

        Re: Authorised

        The law is an ass. If I'm trusting another party with my details and I have doubts about their security, I'm going to check it.

        I probably wouldn't do that if it involved testing explosives against a safe or something else that caused damage, but if I can inspect without breaking something, I will.

        1. big_D Silver badge
          Facepalm

          Re: Authorised

          I can see it now, standing in front of the court, "yes m'Lud, I was just checking Barclays' security, when I broke into their vault. After all, I wanted to be sure my money was safe."

    3. JeffUK

      Re: Authorised

      I've always wondered that. E.g. if someone called me asking for a penetration test to be performed on their network, signed all the normal contracts etc., then turned out to be either someone without the proper authorization, or someone completely unrelated to the company... who would be liable? Is there a precedent for this sort of thing?

      1. All names Taken
        Paris Hilton

        Re: Authorised

        Due diligence.

        If someone gave you a contract to rob a bank in the high street you would be responsible.

        Someone driving for a living (bus driver, truck driver, taxi driver, ... ) instructed by boss to get there in ten minutes, driver breaks speed limit to get there in 10 minutes, driver broke law, driver (not boss) is responsible.

        1. JeffUK

          Re: Authorised

          Well I can tell you, lots of pen-testing companies don't do due diligence! I don't ever remember a pen testing firm asking me to confirm my identity...

        2. Fred 22

          Re: Authorised

          This may be the case in the USSA; however, in the UK the employer would be guilty of procuring the offence of speeding, and timetables etc. can be admitted as evidence to establish that it would be impossible to complete them without speeding.

        3. Anonymous Coward

          Re: Authorised

          On the other hand, a member of the secret service hires you to test their security in order to be as prepared as possible, but it turns out that member did not have appropriate security clearance, though it seemed to you that he did. He could have documents signed by other secret service agents, maybe signed by a senator or two. Does your example still hold up?

    4. big_D Silver badge

      Re: Authorised

      The person doing the scanning needs to get the permission of a legal representative of the company - that means somebody who is authorized to speak on behalf of the company, in legal terms, not just any old employee.

      Most companies have such things defined - I'm not sure how it is in the UK, but probably they have to be registered at Companies House as the speaker? Certainly only one of our directors (here in Germany) is allowed to speak "on behalf of the company."

    5. bean520

      There is a definition of "authorised" scanning.

      This is in the case of third party penetration-testers, so they can go about their business without being misidentified as some 'l33t haxxxor' and put in the slammer for it.

    6. Anonymous Coward

      Re: Authorised

      Would the NSA be authorized to scan? Perhaps we can convert it into something useful... scan the whole world for SSL bugs.

      1. Gerardo McFitzpatrick-O'Toole

        Re: Authorised

        But it would appear that they have been doing this quite effectively - for the last couple of years, in fact. Although they must have forgotten to have put out the press-release about it.

  2. Anonymous Coward
    Meh

    Politicians....

    Politicians and Whitehall wonks - the next thing there'll be a law making Reality illegal when it refuses to conform to their ideas of how things should be. It would be interesting to see an analysis of technology laws in the light of this type of event and to see how much law is there to prevent really bad things from happening and how much is, for example, "rights holders" wishlists or similar results of lobbying.

    1. Anonymous Coward

      Re: Politicians....

      "the next thing there'll be a law making Reality illegal"

      The next thing? They already do this, all the time, based on their ideas of which particular junta is currently governing our green and pleasant land.

      1. BongoJoe

        Re: Politicians....

        You mean, for example, the person who was arrested at the Cenotaph for reading out the names of the war dead?

        The Cenotaph was, one would have thought, the appropriate place for this; the names of the fallen were factually correct. No other information was given or implied and it still warranted an arrest.

        1. Anonymous Coward

          Re: Politicians....

          "The Cenotaph was, one would have thought was the appropriate place for this, the names of the fallen were factually correct. No other information was given or implied and it still warranted an arrest."

          Nothing would have stuck in court though. Shame the pigs don't realize this, otherwise they themselves wouldn't be wasting police time (another offence) with this.

          1. Yet Another Anonymous coward Silver badge

            Re: Politicians....

            Doesn't matter anymore though - they don't need a conviction.

            They have your DNA and will keep it forever, so a little laboratory mistake down the road and you are a convicted rapist/child abuser.

            The record that you were arrested gets reported every time you need to apply for permission to work in schools, volunteer with the "vulnerable" or coach a kids' soccer team.

            You will have to go through a long and complicated visa procedure to visit many countries - even if arrested but not convicted.

            1. This post has been deleted by its author

            2. Anonymous Coward

              Re: Politicians....

              "Doesn't matter anymore though - they don't need a conviction."

              Yes they do.

              "They have your DNA and will keep it forever"

              Wrong again, they are compelled to remove it after a set duration and then if asked, they have to by law. If it is found that they have lied, they can be done for contempt.

              "so a little laboratory mistake down the road and you are a convicted rapist/child abuser."

              Again, they can be sued for every penny leaving them no resources to police anymore. The police already have a battered reputation, this would finish them off, especially if you're a big name celebrity.

              "The record that you were arrested gets reported everytime you need to apply for permission to work in schools, volunteer with the "vulnerable" or coach a kids soccer team."

              Arrests don't typically get kept 'forever' and even then, they will be grateful not to see an actual conviction come from it, the judge doesn't say "You are free to leave this court without a stain on your character" for no reason. If they still use it against you, they can be sued for defamation of character and other offenses and you'd win.

              "You will have to go through a long and complicated visa procedure to visit many countries - even if arrested but not convicted."

              citation badly needed.

              1. 's water music

                Re: Politicians....

                >> "You will have to go through a long and complicated visa procedure to visit many countries - even if arrested but not convicted."

                > citation badly needed.

                Here: We recommend that anyone who have ever been arrested and/or convicted of an offense apply for a visa ... The Rehabilitation of Offenders Act does not apply to United States visa law. Therefore, even travelers with a spent conviction are required to declare the arrest and/or conviction

                1. Anonymous Coward

                  Re: Politicians....

                  "We recommend that anyone who have ever been arrested and/or convicted of an offense apply for a visa ... The Rehabilitation of Offenders Act does not apply to United States visa law. Therefore, even travelers with a spent conviction are required to declare the arrest and/or conviction"

                  Good job the most corrupt country in the world, the USA, is on my (and countless others) list of never to visit countries, for this and other reasons ;)

                  USA = Land of the Fee and Human Rights be damned.

      2. billse10

        Re: Politicians....

        "the next thing there'll be a law making Reality illegal"

        Can we get this changed:

        "the next thing there'll be a law making Reality TV illegal" ?

        that'd make today a worthwhile day ...

        1. Anonymous Coward

          Re: Politicians....

          @billse10

          re: "that'd make today a worthwhile day."

          I sincerely hope not. This is (allegedly still) a free country. Just ignore what you don't like.

          Unfortunately, the politicians have the ability to outlaw what THEY (or the Daily Fail) don't like, which, with the current crop of robber barons in power, is quite scary.

          Despite their stated desire for smaller government, they want just the opposite. After all, Nanny knows best.

  3. NogginTheNog

    Users?

    "The mega-vulnerability was patched earlier this week but to resolved the problem users* need to get a new public/private key pair and update SSL certificates before requesting that users change every potentially compromised password."

    Don't you mean *site admins?

    1. diodesign (Written by Reg staff) Silver badge

      Re: NogginTheNog and Destroy All Monsters

      I've tweaked that par – don't forget to email corrections@thereg if you spot any weirdness so things can be quickly fixed.

      C.

  4. Destroy All Monsters Silver badge
    Headmaster

    "Just phone up your friendly Romanian"

    lift anything from the memory of a secure server

    Actually randomly lift 64K from the process answering the SSL heartbeat.

  5. N2

    Thats the problem

    With laws

    They tell you what you can't do, not what you should do

    & are enforced by a pack of grossly overpaid people

    1. Stretch

      Re: Thats the problem

      They aren't overpaid, they are just evil and on the take.

    2. h4rm0ny

      Re: Thats the problem

      >>"They tell you what you can't do, not what you should do"

      Actually I'm fine with laws being based around forbidding certain things, rather than forcing new behaviour. All else being equal, the latter has far more potential for abuse and is a lot more coercive.

    3. ecofeco Silver badge

      Re: Thats the problem

      Any law that does not protect the people, is tyranny.

      1. Anonymous Coward

        Re: Thats the problem

        Do you mean all of the people, most of the people, some of the people, a few of the people or just a couple of individuals?

      2. Anonymous Coward

        Re: Thats the problem

        "Any law that does not protect the people, is tyranny."

        Unless the law protects people from themselves, then it is also tyranny.

        /eat your vegetables citizen

        /don't smoke or drink citizen

    4. P. Lee

      Re: Thats the problem

      > With laws

      In England, the setup is that everything not forbidden is allowed, though I understand it's often the other way around in foreign parts.

      Actually the UK is getting much worse, with overly broad laws apparently specifically designed to ensure that everyone breaks the law, and then the powers that be can just pick and choose whom to prosecute.

      I guess it goes back to "is it a feature or a bug?" It looks like a deliberate breach of privacy policy to me! ;)

      1. Anonymous Coward

        Re: Thats the problem

        "I guess it goes back to "is it a feature or a bug?" "

        If we made companies liable for bugs instead of users, we'd have much better quality software out there.

        1. Anonymous Coward

          Re: Thats the problem

          > If we made companies liable for bugs instead of users, we'd have much better quality software out there.

          If you did that then there would be more lawyers than software developers. There would be very little software out there and what there was would be prohibitively expensive.

          Oh, and users are not liable for bugs.

  6. MontyMole

    You don't need to set the payload length to 64k to test a server. Setting the length to 2 bytes would do for server testing, so all you would be getting back is one extra byte.

    1. Anonymous Coward

      Couldn't you go short a byte too? I'll admit, I'm going based on the XKCD explanation here... but if you were requesting, let's say, 10 bytes, but set the length to 5 bytes, you'd know the bug works, right?
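      The payload-length point in the two comments above, as an added example that is not code from the article, the commenters, or OpenSSL: a minimal heartbeat validator in C, written from the defender's side. It implements the bounds check that the fix introduced, comparing the length the peer declares against the length of the record that actually arrived, so an overstated declaration (2 declared, 1 sent, as in MontyMole's case) is rejected before a single byte is copied. The message layout follows RFC 6520; the function names and the constructed records are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Simplified TLS heartbeat message (RFC 6520 layout):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * All names here are hypothetical; this is illustration, not OpenSSL code.
 */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HEADER    3
#define HB_PADDING   16

/* Returns 1 if the declared payload length fits inside the bytes that
 * actually arrived, 0 otherwise. This is the bounds check whose absence
 * let the heartbeat handler echo back process memory it never received. */
int heartbeat_is_well_formed(const uint8_t *rec, size_t rec_len, uint16_t *payload_len)
{
    if (rec_len < HB_HEADER + HB_PADDING)
        return 0;                           /* cannot even hold header + padding */
    if (rec[0] != HB_REQUEST)
        return 0;
    uint16_t declared = (uint16_t)((rec[1] << 8) | rec[2]);
    /* The peer's claim must be bounded by the record it actually sent. */
    if ((size_t)HB_HEADER + declared + HB_PADDING > rec_len)
        return 0;
    if (payload_len)
        *payload_len = declared;
    return 1;
}

/* Builds the response from validated bytes only. Returns the number of
 * bytes written, or 0 if the request was rejected or does not fit. */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    uint16_t plen;
    if (!heartbeat_is_well_formed(rec, rec_len, &plen))
        return 0;
    size_t need = HB_HEADER + (size_t)plen + HB_PADDING;
    if (need > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)(plen & 0xff);
    memcpy(out + HB_HEADER, rec + HB_HEADER, plen);  /* only bytes the peer really sent */
    memset(out + HB_HEADER + plen, 0, HB_PADDING);   /* fresh padding, never stale memory */
    return need;
}

/* Constructed test record (not captured traffic): `actual` payload bytes
 * on the wire, under a header that claims `declared`. */
static size_t make_record(uint8_t *buf, size_t cap, uint16_t declared, size_t actual)
{
    size_t len = HB_HEADER + actual + HB_PADDING;
    if (len > cap)
        return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared & 0xff);
    memset(buf + HB_HEADER, 'A', actual);            /* constructed payload */
    memset(buf + HB_HEADER + actual, 0, HB_PADDING);
    return len;
}

/* Does a record claiming `declared` with `actual` bytes pass the check? */
int check_declared_vs_actual(uint16_t declared, size_t actual)
{
    uint8_t rec[64];
    size_t n = make_record(rec, sizeof rec, declared, actual);
    return n ? heartbeat_is_well_formed(rec, n, NULL) : 0;
}

/* Length of the response such a record earns (0 when it is rejected). */
size_t response_len(uint16_t declared, size_t actual)
{
    uint8_t rec[64], out[64];
    size_t n = make_record(rec, sizeof rec, declared, actual);
    return n ? heartbeat_respond(rec, n, out, sizeof out) : 0;
}

int main(void)
{
    printf("honest     (declared 1, sent 1): %s\n", check_declared_vs_actual(1, 1) ? "accepted" : "rejected");
    printf("overstated (declared 2, sent 1): %s\n", check_declared_vs_actual(2, 1) ? "accepted" : "rejected");
    printf("overstated (declared 65535, sent 1): %s\n", check_declared_vs_actual(65535, 1) ? "accepted" : "rejected");
    return 0;
}
```

      The reply's inverted case (declaring fewer bytes than were sent) passes this check and is answered with just the declared bytes, which is what an unpatched handler would return too, so it tells a tester nothing; only the overstated declaration distinguishes a patched server, and here it is refused outright.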

  7. alain williams Silver badge

    What is the purpose of checking another site ?

    The recommendations appear to be to change passwords but not bother until the site(s) have patched the problem. As a result I have changed many passwords in the last few days, I have often used one of these vulnerability checkers to see if the site was no longer vulnerable (or maybe never was).

    The intention is to protect my security, not to try to break in somewhere. Also, scanning implies testing many machines, usually at random; I have done targeted testing of sites where I have accounts.

    So, PC Plod: if I have done wrong email me via el-Reg and come to arrest me. My conscience is clear.

    Disclaimer: I did not read the relevant acts before writing this.

    1. Anonymous Coward

      Re: What is the purpose of checking another site ?

      Disclaimer: I did not read the relevant acts before writing this.

      Ignorance of the law is no excuse, especially when there are targets to be met.

  8. Anonymous Coward

    Dodgy website admins

    If I'm driving along Her Maj's tarmac in a dodgy car (I don't know the brakes fail doing over 50), I'm still liable because it's my car that's at fault.

    Surely the website admins are running dodgy vehicles on the super highway and should be treated the same?

    1. Anonymous Coward

      Re: Dodgy website admins

      "Surely the website admins are running dodgy vehicles on the super highway and should be treated the same?"

      An interesting analogy, but how far do you take it and where does it end? With you, because your home PC is an unwitting member of a Botnet after you neglected to install those updates after the last patch Tuesday? Extraordinary rendition for Windows XP users, maybe?

      1. TRT Silver badge

        Re: Dodgy website admins

        If you are going to cruise the information superhighway, do it in style and wind down the windows.

      2. All names Taken
        Paris Hilton

        Re: Dodgy website admins

        The computer provider should provide the means or the information for a computer owner to keep kit free from malware and not free.

        Analogy: car, driver, car owner

        Car owner has a duty to make sure car is roadworthy.

        Oh! Bloop!

        Here in the UK that might mean annual computer worthiness checks with MOT certificate

        Bloop bloop de-bloop!

      3. Anonymous Coward

        Re: Dodgy website admins

        @Andrew Fernie

        re: "Extraordinary rendition for Windows XP users, maybe?"

        If it's good enough for people who haven't been convicted of anything, then why not?

        /sarcasm off.

        1. Destroy All Monsters Silver badge
          Pint

          Re: Dodgy website admins

          From the BSD license:

          THIS SOFTWARE IS PROVIDED BY [COPYRIGHT HOLDER] ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL [COPYRIGHT HOLDER] BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    2. big_D Silver badge

      Re: Dodgy website admins

      Certainly under German law, if your server has poor security and somebody uses it to cause damage on other servers / PCs, then the server owner is responsible for reimbursing the damage caused. You can only hope that you can prove you aren't the end of the chain...

    3. 's water music

      Re: Dodgy website admins

      If I'm driving ... a dodgy car...I'm ... liable...Surely the website admins are running dodgy vehicles on the super highway and should be treated the same?

      If I kill a person, I could be guilty of murder. If I kill, a process...

      What's the tariff for flogging an analogy?

      1. ecofeco Silver badge

        Re: Dodgy website admins

        "What's the tariff for flogging an analogy?"

        Marathon reality TV.

        Off you go.
