It may be ILLEGAL to run Heartbleed health checks – IT lawyer

Websites and tools that have sprung up to check whether servers are vulnerable to OpenSSL's mega-vulnerability Heartbleed have thrown up anomalies in computer crime law on both sides of the Atlantic. Both the US Computer Fraud and Abuse Act and its UK equivalent the Computer Misuse Act make it an offence to test the security …

COMMENTS

This topic is closed for new posts.
  1. Velv Silver badge

    Authorised

    And is there a definition of "authorised" scanning?

    Just who in a business needs to engage with a third party and authorise them to run the scan? Is it the Head of IT Security? Is it the Head of IT? Is it the CEO who needs to authorise the scan? Is it actually agreed in writing in the job description of each person, or is there a gap which could leave the third party vulnerable to prosecution if it turns out it was the wrong person who requested the scan?

    1. Anonymous Coward

      Re: Authorised

      It's authorised if it's GCHQ doing the scanning. That's all you need to know ;-)

    2. Richard 26

      Re: Authorised

      I believe this is covered by 3.1 (b) "at the time when he does the act he knows that it is unauthorised."

      So I believe the correct answer is 'any of the above'.

      1. h4rm0ny

        Re: Authorised

        The law is an ass. If I'm trusting another party with my details and I have doubts about their security, I'm going to check it.

        I probably wouldn't do that if it involved testing explosives against a safe or something else that caused damage, but if I can inspect without breaking something, I will.

        1. big_D Silver badge

          Re: Authorised

          I can see it now, standing in front of the court, "yes m'Lud, I was just checking Barclays' security, when I broke into their vault. After all, I wanted to be sure my money was safe."

    3. JeffUK

      Re: Authorised

      I've always wondered that. E.g. if someone called me asking for a penetration test to be performed on their network, signed all the normal contracts etc., then turned out to be either someone without the proper authorization, or someone completely unrelated to the company... who would be liable? Is there a precedent for this sort of thing?

      1. All names Taken

        Re: Authorised

        Due diligence.

        If someone gave you a contract to rob a bank in the high street you would be responsible.

        Someone driving for a living (bus driver, truck driver, taxi driver, ... ) instructed by boss to get there in ten minutes, driver breaks speed limit to get there in 10 minutes, driver broke law, driver (not boss) is responsible.

        1. JeffUK

          Re: Authorised

          Well I can tell you, lots of pen-testing companies don't do due diligence! I don't ever remember a pen testing firm asking me to confirm my identity...

        2. Fred 22

          Re: Authorised

          This may be the case in the USSA; however, in the UK the employer would be guilty of procuring the offence of speeding, and timetables etc. can be admitted as evidence to establish that it would be impossible to complete them without speeding.

        3. Anonymous Coward

          Re: Authorised

          On the other hand, a member of the secret service hires you to test their security in order to be as prepared as possible, but it turns out that member did not have appropriate security clearance, though it seemed to you that he did. He could have documents signed by other secret service agents, maybe signed by a senator or 2. Does your example still hold up?

    4. big_D Silver badge

      Re: Authorised

      The person doing the scanning needs to get the permission of a legal representative of the company - that means somebody who is authorized to speak on behalf of the company, in legal terms, not just any old employee.

      Most companies have such things defined - I'm not sure how it is in the UK, but probably they have to be registered at Companies House as the speaker? Certainly only one of our directors (here in Germany) is allowed to speak "on behalf of the company."

    5. bean520

      There is a definition of "authorised" scanning.

      This is in the case of third party penetration-testers, so they can go about their business without being misidentified as some 'l33t haxxxor' and put in the slammer for it.

    6. Bullseyed

      Re: Authorised

      Would the NSA be authorized to scan? Perhaps we can convert it into something useful... scan the whole world for SSL bugs.

      1. Gerardo McFitzpatrick-O'Toole

        Re: Authorised

        But it would appear that they have been doing this quite effectively - for the last couple of years, in fact. Although they must have forgotten to have put out the press-release about it.

  2. Anonymous Coward

    Politicians....

    Politicians and Whitehall wonks - the next thing there'll be a law making Reality illegal when it refuses to conform to their ideas of how things should be. It would be interesting to see an analysis of technology laws in the light of this type of event and to see how much law is there to prevent really bad things from happening and how much is, for example, "rights holders" wishlists or similar results of lobbying.

    1. Anonymous Coward

      Re: Politicians....

      "the next thing there'll be a law making Reality illegal"

      The next thing? They already do this, all the time, based on their ideas of which particular junta is currently governing our green and pleasant land.

      1. BongoJoe

        Re: Politicians....

        You mean, for example, the person who was arrested at the Cenotaph for reading out the names of the war dead?

        The Cenotaph was, one would have thought, the appropriate place for this; the names of the fallen were factually correct. No other information was given or implied and it still warranted an arrest.

        1. Anonymous Coward

          Re: Politicians....

          "The Cenotaph was, one would have thought was the appropriate place for this, the names of the fallen were factually correct. No other information was given or implied and it still warranted an arrest."

          Nothing would have stuck in court though. Shame the pigs don't realize this, otherwise they themselves wouldn't be wasting police time (another offence) with this.

          1. Yet Another Anonymous coward Silver badge

            Re: Politicians....

            Doesn't matter anymore though - they don't need a conviction.

            They have your DNA and will keep it forever, so a little laboratory mistake down the road and you are a convicted rapist/child abuser.

            The record that you were arrested gets reported every time you need to apply for permission to work in schools, volunteer with the "vulnerable" or coach a kids' soccer team.

            You will have to go through a long and complicated visa procedure to visit many countries - even if arrested but not convicted.

            1. This post has been deleted by its author

            2. Anonymous Coward

              Re: Politicians....

              "Doesn't matter anymore though - they don't need a conviction."

              Yes they do.

              "They have your DNA and will keep it forever"

              Wrong again, they are compelled to remove it after a set duration and then if asked, they have to by law. If it is found that they have lied, they can be done for contempt.

              "so a little laboratory mistake down the road and you are a convicted rapist/child abuser."

              Again, they can be sued for every penny leaving them no resources to police anymore. The police already have a battered reputation, this would finish them off, especially if you're a big name celebrity.

              "The record that you were arrested gets reported everytime you need to apply for permission to work in schools, volunteer with the "vulnerable" or coach a kids soccer team."

              Arrests don't typically get kept 'forever' and even then, they will be grateful not to see an actual conviction come from it, the judge doesn't say "You are free to leave this court without a stain on your character" for no reason. If they still use it against you, they can be sued for defamation of character and other offenses and you'd win.

              "You will have to go through a long and complicated visa procedure to visit many countries - even if arrested but not convicted."

              citation badly needed.

              1. 's water music Silver badge

                Re: Politicians....

                >> "You will have to go through a long and complicated visa procedure to visit many countries - even if arrested but not convicted."

                > citation badly needed.

                Here: We recommend that anyone who have ever been arrested and/or convicted of an offense apply for a visa ... The Rehabilitation of Offenders Act does not apply to United States visa law. Therefore, even travelers with a spent conviction are required to declare the arrest and/or conviction

                1. Anonymous Coward

                  Re: Politicians....

                  "We recommend that anyone who have ever been arrested and/or convicted of an offense apply for a visa ... The Rehabilitation of Offenders Act does not apply to United States visa law. Therefore, even travelers with a spent conviction are required to declare the arrest and/or conviction"

                  Good job the most corrupt country in the world, the USA, is on my (and countless others') list of never-to-visit countries, for this and other reasons ;)

                  USA = Land of the Fee and Human Rights be damned.

      2. billse10

        Re: Politicians....

        "the next thing there'll be a law making Reality illegal"

        Can we get this changed:

        "the next thing there'll be a law making Reality TV illegal" ?

        that'd make today a worthwhile day ...

        1. Anonymous Coward

          Re: Politicians....

          @billse10

          re: "that'd make today a worthwhile day."

          I sincerely hope not. This is (allegedly still) a free country. Just ignore what you don't like.

          Unfortunately, the politicians have the ability to outlaw what THEY (or the Daily Fail) don't like, which, with the current crop of robber barons in power, is quite scary.

          Despite their stated desire for smaller government, they want just the opposite. After all, Nanny knows best.

  3. NogginTheNog

    Users?

    "The mega-vulnerability was patched earlier this week but to resolved the problem users* need to get a new public/private key pair and update SSL certificates before requesting that users change every potentially compromised password."

    Don't you mean *site admins?

    1. diodesign (Written by Reg staff) Silver badge

      Re: NogginTheNog and Destroy All Monsters

      I've tweaked that par – don't forget to email corrections@thereg if you spot any weirdness so things can be quickly fixed.

      C.

  4. Destroy All Monsters Silver badge

    "Just phone up your friendly Romanian"

    lift anything from the memory of a secure server

    Actually randomly lift 64K from the process answering the SSL heartbeat.

  5. N2 Silver badge

    Thats the problem

    With laws

    They tell you what you can't do, not what you should do

    & are enforced by a pack of grossly overpaid people

    1. Stretch

      Re: Thats the problem

      They aren't overpaid the are just evil and on the take

    2. h4rm0ny

      Re: Thats the problem

      >>"They tell you what you can't do, not what you should do"

      Actually I'm fine with laws being based around forbidding certain things, rather than forcing new behaviour. All else being equal, the latter has far more potential for abuse and is a lot more coercive.

    3. ecofeco Silver badge

      Re: Thats the problem

      Any law that does not protect the people, is tyranny.

      1. Anonymous Coward

        Re: Thats the problem

        Do you mean all of the people, most of the people, some of the people, a few of the people or just a couple of individuals?

      2. Bullseyed

        Re: Thats the problem

        "Any law that does not protect the people, is tyranny."

        Unless the law protects people from themselves, then it is also tyranny.

        /eat your vegetables citizen

        /don't smoke or drink citizen

    4. P. Lee Silver badge

      Re: Thats the problem

      > With laws

      In England, the set-up is that everything not forbidden is allowed, though I understand it's often the other way around in foreign parts.

      Actually the UK is getting much worse, with overly broad laws apparently specifically designed to ensure that everyone breaks the law and then the powers that be can just pick and choose whom to prosecute.

      I guess it goes back to "is it a feature or a bug?" It looks like a deliberate breach of privacy policy to me! ;)

      1. Bullseyed

        Re: Thats the problem

        "I guess it goes back to "is it a feature or a bug?" "

        If we made companies liable for bugs instead of users, we'd have much better quality software out there.

        1. Anonymous Coward

          Re: Thats the problem

          > If we made companies liable for bugs instead of users, we'd have much better quality software out there.

          If you did that then there would be more lawyers than software developers. There would be very little software out there and what there was would be prohibitively expensive.

          Oh, and users are not liable for bugs.

  6. MontyMole

    You don't need to set the payload length to 64k to test a server. Setting the length to 2 bytes would do for server testing, so all you would be getting back is one extra byte.

    1. Bullseyed

      Couldn't you go short a byte too? I'll admit, I'm going based on the XKCD explanation here... but if you were requesting, let's say, 10 bytes, but set the length to 5 bytes, you'd know the bug works, right?
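As an added illustration of the length arithmetic MontyMole and Bullseyed are discussing (example code written for this page, not from the thread and not OpenSSL's own code): a small Python detector that parses a TLS heartbeat record and reports whether its declared payload length exceeds what was actually sent, the way an IDS rule for Heartbleed probes would. The record builder and the three sample records are constructed test inputs; the 16-byte padding minimum comes from RFC 6520 and the `1 + 2 + payload + 16 <= record length` rule is the check added in OpenSSL 1.0.1g.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 0x18   # TLS content type for heartbeat (RFC 6520)
MIN_PADDING = 16                # RFC 6520: at least 16 bytes of random padding


def parse_tls_record(data: bytes):
    """Split one raw TLS record into (content_type, (major, minor), body)."""
    if len(data) < 5:
        raise ValueError("record too short for a TLS header")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body truncated")
    return content_type, (major, minor), body


def heartbeat_lengths(body: bytes):
    """Return (declared_len, bytes_beyond_record, shortfall_vs_patched_check).

    bytes_beyond_record: how many bytes an unpatched OpenSSL memcpy would read
    past the end of the data it actually received, i.e. the leaked bytes.
    shortfall_vs_patched_check: by how much the record fails the 1.0.1g check
    '1 + 2 + payload + 16 <= record length'; 0 means a patched server answers it.
    """
    if len(body) < 3:
        raise ValueError("heartbeat body too short")
    _hb_type, declared_len = struct.unpack("!BH", body[:3])
    beyond = max(0, 3 + declared_len - len(body))
    shortfall = max(0, 3 + declared_len + MIN_PADDING - len(body))
    return declared_len, beyond, shortfall


def classify_record(data: bytes) -> str:
    """Label a record the way a Heartbleed detection rule would."""
    content_type, _version, body = parse_tls_record(data)
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return "not-heartbeat"
    declared_len, beyond, shortfall = heartbeat_lengths(body)
    if shortfall == 0:
        return "benign"
    # A patched server silently drops it; an unpatched one leaks `beyond` bytes.
    return f"heartbleed-probe(declared={declared_len},leak={beyond})"


def build_heartbeat_record(declared_len: int, payload: bytes, padding: bytes) -> bytes:
    """Constructed test input for the detector (sample data, not captured traffic)."""
    body = struct.pack("!BH", 1, declared_len) + payload + padding   # type 1 = request
    return struct.pack("!BBBH", HEARTBEAT_CONTENT_TYPE, 3, 2, len(body)) + body


# Constructed samples covering the three cases discussed in the thread.
SAMPLES = {
    # well-formed: declared length matches the payload, 16 bytes of padding
    "benign": build_heartbeat_record(4, b"ping", b"\x00" * 16),
    # MontyMole's minimal probe: declare 2 bytes but send 1 and no padding
    "two_byte_probe": build_heartbeat_record(2, b"A", b""),
    # Bullseyed's idea: declare 5 bytes but send 10; nothing is over-read
    "short_declared": build_heartbeat_record(5, b"0123456789", b"\x00" * 16),
}


if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(f"{name:15s} -> {classify_record(rec)}")
```

The `short_declared` sample classifies as benign and over-reads nothing, so patched and unpatched servers answer it identically and it cannot tell them apart; only a declared length larger than the bytes actually sent reveals the bug, and that is exactly what the detector flags.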

  7. alain williams Silver badge

    What is the purpose of checking another site ?

    The recommendations appear to be to change passwords but not bother until the site(s) have patched the problem. As a result I have changed many passwords in the last few days, I have often used one of these vulnerability checkers to see if the site was no longer vulnerable (or maybe never was).

    The intention is to protect my security, not to try to break in somewhere. Also, scanning implies testing many machines, usually at random - I have done targeted testing of sites where I have accounts.

    So, PC Plod: if I have done wrong email me via el-Reg and come to arrest me. My conscience is clear.

    Disclaimer: I did not read the relevant acts before writing this.

    1. Anonymous Coward

      Re: What is the purpose of checking another site ?

      Disclaimer: I did not read the relevant acts before writing this.

      Ignorance of the law is no excuse, especially when there are targets to be met.

  8. Anonymous Coward

    Dodgy website admins

    If I'm driving along Her Maj's tarmac in a dodgy car (I don't know the brakes fail doing over 50), I'm still liable because it's my car that's at fault.

    Surely the website admins are running dodgy vehicles on the super highway and should be treated the same?

    1. Anonymous Coward

      Re: Dodgy website admins

      "Surely the website admins are running dodgy vehicles on the super highway and should be treated the same?"

      An interesting analogy, but how far do you take it and where does it end? With you, because your home PC is an unwitting member of a Botnet after you neglected to install those updates after the last patch Tuesday? Extraordinary rendition for Windows XP users, maybe?

      1. TRT Silver badge

        Re: Dodgy website admins

        If you are going to cruise the information superhighway, do it in style and wind down the windows.

      2. All names Taken

        Re: Dodgy website admins

        The computer provider should provide the means or the information for a computer owner to keep kit free from malware and not free.

        Analogy: car, driver, car owner

        Car owner has a duty to make sure car is roadworthy.

        Oh! Bloop!

        Here in the UK that might mean annual computer worthiness checks with MOT certificate

        Bloop bloop de-bloop!

      3. Anonymous Coward

        Re: Dodgy website admins

        @Andrew Fernie

        re: "Extraordinary rendition for Windows XP users, maybe?"

        If it's good enough for people who haven't been convicted of anything, then why not?

        /sarcasm off.

        1. Destroy All Monsters Silver badge

          Re: Dodgy website admins

          From the BSD license:

          THIS SOFTWARE IS PROVIDED BY [COPYRIGHT HOLDER] ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL [COPYRIGHT HOLDER] BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

    2. big_D Silver badge

      Re: Dodgy website admins

      Certainly under German law, if your server has poor security and somebody uses it to cause damage on other servers / PCs, then the server owner is responsible for reimbursing the damage caused. You can only hope that you can prove you aren't the end of the chain...

    3. 's water music Silver badge

      Re: Dodgy website admins

      If I'm driving ... a dodgy car...I'm ... liable...Surely the website admins are running dodgy vehicles on the super highway and should be treated the same?

      If I kill a person, I could be guilty of murder. If I kill, a process...

      What's the tariff for flogging an analogy?

      1. ecofeco Silver badge

        Re: Dodgy website admins

        "What's the tariff for flogging an analogy?"

        Marathon reality TV.

        Off you go.

        1. Anonymous Coward

          Re: Dodgy website admins

          You monster!...

    4. Phil W

      Re: Dodgy website admins

      IANAL but.....

      To answer this in terms of your analogy. If your brakes fail because you have mistreated them or not maintained them then that is your fault. However if your brakes fail due to a design flaw from manufacture then really it is the manufacturers fault.

      Server operators were using OpenSSL in good faith, they had no reason to expect this vulnerability.

      Of course now they are aware of it, it becomes their responsibility.

      Also, liability prior to the fault being known will likely vary by jurisdiction and by whether the claim is criminal or civil. In some cases, particularly civil ones, the owner of the faulty equipment would be liable, and then in turn have to sue the provider of the faulty component; in other cases the owner may be able to pass liability directly off to the supplier.

      Also, in another quirk of law, if for instance you killed someone in your car due, for example, to the brakes failing and the throttle locking full open due to an unannounced manufacturing fault, you would in most jurisdictions I believe be open to a criminal prosecution for murder/manslaughter/causing death by dangerous driving (depending on particular local statutes). However, if it was known to be caused by a manufacturing fault the authorities would likely not pursue a prosecution, or if it went to trial you might find a judge would give a directed verdict of not guilty.

    5. Number6

      Re: Dodgy website admins

      If it turns out that your car, along with others of the same model, has a hidden design fault that causes brake failure then you're probably OK provided you don't know about it until after the event. Once you know it might be a problem, liability is yours if you don't get it fixed pronto.

  9. heyrick Silver badge

    I used an online scanner on some of the sites that I visit - because I don't necessarily trust them to come clean about what they were using and if it is/was vulnerable...

    1. Pete 2 Silver badge

      Trusting trust

      > I don't necessarily trust them to come clean

      Yet you trust the results of some website's online scanner - that checks a third party's website and tells you it's clean (or not)?

      The basic problem is that you can never tell what someone else's scanner will actually do. If it does find a vulnerability, will it truthfully notify you, or will it say "yup, that's fine" and as soon as you log in, run the hack and snarf your login details - or add that site to a list of known vulnerable sites and then sell it on?

      The only people who have a genuine interest in securing a site are the site owners. So provided they can supply the requisite credentials to demonstrate they are "clean", there should be no reason to run your own tests. Especially when you cannot be sure the tests are valid, or legitimate.

      as Alan Parsons once wrote:

      If we call for the proof and then question the answers, only the doubt will grow

      1. Steve Knox

        Re: Trusting trust

        @Pete 2 - Agreed. +1 for the Ammonia Avenue reference.

        @heyrick - if you don't trust them to provide you with accurate and necessary information regarding the security of your data on their server, why are you trusting them with your sensitive data at all?

  10. Crisp Silver badge

    Would it contravene the Computer Misuse Act?

    AFAIK, and IANAL: There is precedent set for using the function of a system, even though such a function may not be intended behaviour. (Old Bailey trial 3 Oct. 1973)

    However, taking the information gained and using that to circumvent a security measure would be contravening the act.

    Disclaimer: The above is pure speculation. Again, IANAL.

    1. big_D Silver badge

      Re: Would it contravene the Computer Misuse Act?

      Unfortunately that case law predates RIPA.

  11. Anonymous Coward

    We'll be needing more prisons, then

    Because a good fraction of the internet-using population will probably be visiting these scanning sites.

    1. Cameron Colley

      Re: We'll be needing more prisons, then

      It will just be used when the police cock up. If they arrest somebody because they believe they have pirated software or child pornography and it turns out they don't a quick internet history search will give them something to prosecute for so they don't look bad.

      As I understand it that's why laws are left nice and loose and open to interpretation -- so that everyone is guilty of something if needs be.

  12. Mark #255

    Section 3?

    Section 3 covers intent to impair.

    But seeing if Heartbleed is fixed or not (AFAIAA) does not (a) impair the operation of the computer; (b) prevent or hinder access; or (c) impair program operation or data reliability.

    It just gets back random data; so I don't see how S3 applies here. *.

    Section 1 (unauthorised access to computer), probably (but IANAL).

    * For other types of penetration testing, eg SQL injection, I could see how it could apply.**

    ** Would changing your name as per little Bobby Tables be an offence under the CMA, I wonder.

    1. big_D Silver badge

      Re: Section 3?

      Do they actually need to run the exploit? Is the information not in the SSL headers? Just look at the Calomel plugin, that pulls all sorts of information back about the server's SSL behaviour. Whether the SSL library version is returned, I don't know.

      Although some checkers are lazy / not checking properly: LastPass reports Microsoft's servers as unknown SSL library, could have been affected.

      Edit: Thinking about it, if they get that it is 1.01 to 1.01f, they might have to test to see if the heartbeat is switched on.

  13. JeffUK

    Section 3 of the computer misuse act relates to impairing the operation of a computer. I'd have thought section 1 would be more relevant:

    "he causes a computer to perform any function with intent to secure access to any program or _data_ held in any computer " Bang to rights imho

    1. AlanB

      It is possible to scan for Heartbleed without accessing anyone else's data:

      https://twitter.com/ivanristic/status/454515948553129984

      1. AlanB

        And https://blog.mozilla.org/security/2014/04/12/testing-for-heartbleed-vulnerability-without-exploiting-the-server/

  14. intlabs

    Amazon have performed bulk testing of their customers EC2 instances, which is great: but I'd be really interested to know how this fits in with the current legal framework? They have provided me with a list of all of my instances that are vulnerable, so must have performed a health check... (resubmitted and cut down as my last post was rejected for some reason?)

    1. Stretch

      re: Amazon

      Almost certainly there is something in the contract along the lines of "we are not liable for anything ever, even if we haven't though of it yet, and any laws don't apply to us, so there".

      1. Anonymous Coward

        Re: re: Amazon

        @Stretch:

        "We are a huge US-based corporation which probably makes large donations to both US political parties, so no laws of nations outside the US apply to us (and we probably won't be prosecuted if we break any US laws, and if we are we certainly won't be punished)".

    2. big_D Silver badge

      Probably like renting property, the landlord reserves the right to check the building from time to time, to ensure it isn't being used for illegal activity or that you aren't lighting bonfires in the middle of the lounge (yes, I have seen that in some rented properties!).

  15. Wensleydale Cheese Silver badge

    software should be updated to use the new version, 1.0.1g.

    "The mega-vulnerability was patched earlier this week, and software should be updated to use the new version, 1.0.1g."

    Pray do tell what folks are going to tell the PHBs who take that statement at face value?

    1. The patch has been back-ported to previous versions

    2. Any sysadmin with the right skills can simply recompile their version of openssl with the heartbeat module disabled.

    1. Number6

      Re: software should be updated to use the new version, 1.0.1g.

      Why couldn't they have bumped it to 1.0.2 to make it clearly a new version?

      1. Destroy All Monsters Silver badge

        Re: software should be updated to use the new version, 1.0.1g.

        I don't even know why they use the lettering in the first place.

  16. BongoJoe

    We're all guilty

    So if hundreds of thousands of people run these sites at the same time and slow down the tested servers are we not guilty of a DDOS attack?

    If so, my mother-in-law did it

  17. All names Taken

    Maybe?

    I was due to make an online payment so I diligently checked that the website I need to use for said online payment was secure before making payment.

    My online payment was conditional on due diligence check of the payment website?

    No?

    1. 's water music Silver badge

      Re: Maybe?

      I was due to make an online payment so I diligently checked that the website I need to use for said online payment was secure before making payment.

      My online payment was conditional on due diligence check of the payment website?

      No?

      As any fule kno you have to append #innocent face to the packet headers for that defence to work

      1. All names Taken

        Re: Maybe?

        True, true and doubleplus goodly of you to state so and trebleplus due diligence should determine first whether it was legal or illegal to make the test?

  18. Anonymous Coward

    First, get a lawyer

    If you're a security consultant either you or your company need to discuss this kind of thing with counsel who are versed in this area of law. Really. Seriously.

    For example, as a general rule those with the title of Vice President in US companies, or Director in Europe, should have authority to bind their employer in giving permission for you to conduct a pen test. But there are exceptions to every rule, and local law can vary widely from what might be considered a regional norm. Most importantly, it's usually not wise to trust what's printed on someone's business card.

    As for the basic proposition that doing this at all, even with permission, could be a violation of law keep in mind that there are a lot of unreasonable restrictions on technology that have been legally enacted over the years. Just because it's unreasonable, even unworkable, doesn't mean that the law can't be enforced.

  19. This post has been deleted by its author

  20. Henry Wertz 1 Gold badge

    No kidding...

    Honestly, no kidding. Can this really be a surprise? I know the result is legitimate but they are after all exploiting a flaw to return 64KB of unauthorized data in the reply.

    Do I expect people running security vulnerability scans against world & dog to be prosecuted? Nope. Do I expect most people (including site owners) to even care? No (since it's not a targeted attack but an internet-wide scan... oh, and since the ones actually being penetrated are already those who don't keep up on security 8-).

    Bad analogy time... I wouldn't expect directly testing these vulnerabilities in the wild (as opposed to just checking the OpenSSL version in the connect string) to be legal any more than I would expect it to be legal to go up and down the street popping people's car doors open and testing the car alarms (as opposed to just getting the year, make, and model and looking up if they came with a good factory lock and alarm or not). Both can provide useful info -- it'd be a wakeup call to see "x% of cars weren't even locked, y% could be picked in under 30 seconds, and z% did not have an alarm even go off", just as it's useful to know "x% of OpenSSL servers have this vulnerability still." But nevertheless I don't expect it to be made legal.

    1. Pookietoo

      Re: they are after all exploiting a flaw to return 64KB of unauthorized data

      There's no need to access more than a few bytes of data to check if the vulnerability is present.

  21. Anonymous Coward

    Modern British legalities

    "The law means just what I choose it to mean."

    (paraphrasing Humpty Dumpty).

  22. Barry Rueger Silver badge

    Anyone heard from a server admin anywhere yet?

    admins of at-risk servers should generate new public-private key pairs, destroy their session cookies, and update their SSL certificates before telling users to change every potentially compromised password

    Anyone heard from a server admin anywhere yet? I have logins at probably 50 to 75 sites of various sizes and shapes, at least some of which should have been hit by Heartbleed.

    To date I have not heard from a single one of them to say that they've fixed things up, or telling me to update passwords.

    1. Cpt Blue Bear

      Re: Anyone heard from a server admin anywhere yet?

      Yes, several. Colour me pleasantly surprised.

      The first I actually heard of this was from a charity book store run by the Brotherhood of St Lawrence*. Over 24 hours I got a warning that the server was going down for patching, an explanation of what was patched and finally a suggestion that I change my password ASAP.

      My bank had a notice at log in within 24 hours of the announcement explaining why it wasn't an issue for them - and in surprisingly technical terms, clearly not written by the PR department (no crayon or drool in sight).

      A couple of "community" type forums. I suspect they all run the same version of vBulletin.

      But notably missing in action are any of the household names.

      * I was going to make a joke about molesting little boys but removed it as I think they are to be commended on this one.

    2. Martin

      Re: Anyone heard from a server admin anywhere yet?

      Score points for LastPass here.

      If you run their "security tester" which checks your passwords for duplicates and strength, they also give you a list of the people you are connected to who may be vulnerable, and what to do.

      "What to do" was basically "WAIT" if the company had the vulnerability, but hadn't patched; "Change your password now" as the company had finished patching; and "You are now OK" once you'd changed your password.

  23. Anonymous Coward

    Focus

    If traffic is routed through EVEN ONE corrupt server, we're screwed. As in, passwords stolen.

    Right?

    Next thought. Can the law require the net be vulnerable? Even if it is the NSA we are talking about, and not Joe's Boiler Room. Is there a right to listen? Or is the right privacy and, if so, how does a law require privacy violation?

    Last thought for now, if 'everyone' does it how does anyone get accused?

    1. Destroy All Monsters Silver badge

      Re: Focus

      if 'everyone' does it how does anyone get accused?

      Listen buster, we are not putting a sizeable percentage of the population in jail for loong stretches because they took a puff or two so that you can go about muddying the waters!

      Your papers, PLEASE!

  24. Jim McCafferty

    In my defence

    To be honest your Honour,

    I wasn't aware that issuing the Ping command 5 times in a row against Google.co.uk would be considered a denial of service attack.

  25. PeterM42

    Oh Dear!

    "Computer Misuse Act is badly written."

    GOOD HEAVENS! - surely not?! Don't our wonderful lawmakers take great pains to ensure our laws are right and proper?!?!?!??!?!? (Or are they a bunch of morons who could not organise.......etc.)


Biting the hand that feeds IT © 1998–2019