Reg meets 'Lokihardt', quite possibly the world's best hacker

Friday 11th November 2016 21:40 GMT Anonymous Coward

Can I ask a stupid question?

Kudos to JHL, we need more talent in this space. But I'm curious what the legal rules of engagement are around this sort of research.

If I install VMW Workstation, there's going to be some long EULA that prohibits me from picking apart the software, using a debugger/disassembler on it, etc. So if I do that, and find a zero-day, aren't I exposed to VMW coming after me?

If I poke at a web site because they offer a bug bounty, and succeed in having their IT systems do something they shouldnt, can't the owner come after me? Does the presence of a bug bounty competition automatically insulate me from claims?

I'm curious whether the rules of hacking have really been tested in the courts. Until then, it all seems highly dependent on whether the target organization decides to be nice to a hacker, or throw the book at them.

3 0 Reply
1. Saturday 12th November 2016 02:25 GMT Grade%
  
  Re: Can I ask a stupid question?
  
  IANAL, but "intent" would come into play -- I believe there is dispensation for being a security "researcher. Elimination of that allowance by the DMCA has proven to be problematic for American academics. https://www.theguardian.com/technology/2016/jul/21/digital-millennium-copyright-act-eff-supreme-court
  
  Not a complete answer to your question, a place to start.
  
  3 0 Reply
  1. Saturday 12th November 2016 04:29 GMT Yet Another Anonymous coward
    
    Re: Can I ask a stupid question?
    
    Sensible companies find it cheaper to pay and get the vulnerability fixed than have the scene go underground and have the bugs sold to the bad guys.
    
    0 0 Reply
  2. Saturday 12th November 2016 12:52 GMT bombastic bob
    
    Re: Can I ask a stupid question?
    
    I was under impression that the DMCA has been modified in that regard. Or, at least it SHOULD be.
    
    Maybe that's why a guy from S. Korea is doing the research?
    
    In any case, I say 'welcome aboard' to someone who makes his living by acting *LIKE* a bad guy, and not *being* one.
    
    3 0 Reply
2. Saturday 12th November 2016 13:55 GMT PyLETS
  
  Re: Can I ask a stupid question?
  
  Good question as I wish more IT people knew the answer. In general it makes sense to think of the difference between buying a padlock from a hardware shop and trying many different ways to break it or saw or drill it open in your own workshop. It's your lock and so you're entitled to test it. If the lock is on your neighbour's shed and you test it without authorisation of the system owner, this becomes an offence based upon who owns the lock or property its protecting. The UK Computer Misuse Act makes the correct distinction here.
  
  As you suggest there are possible exceptions to this general analogy. If the software being tested isn't fully "yours" e.g. if it is leased together with some kind of support agreement, rather than purchased outright, then your security testing of it on your own system may invalidate the support part of the deal, depending upon the license small print you agreed to but, probably didn't read.
  
  George Hotz discovered a futher risk when Sony went after him , and though their case may not have succeeded, Sony's persuance of this probably cost them a lot more in reputation than it cost Geohotz. However, Sony's claims of Digital Millennium Copyright Act infringement against Geohotz were more threatening. This was potentially a criminal complaint. Sony's copyright infringement blustering would more probably have come under civil law, concerning which you may lose money but you don't go to jail. It may be that Sony's case was badly flawed, but it's an unfair playing field when a big corporation which can spend millions on lawyers can tie up an individual based on a dodgy case where the corporate can force the individual to make many journeys of thousands of miles to a jurisdiction of Sony's choosing.
  
  So if you want a clearer boundary between what's "yours" and what isn't, then you're better off choosing open source in preference to licensing copyright restricted products under one sided terms which prohibit testing and subsequent speech concerning what you've discovered on your part. The DMCA and equivalent legislation this side of the pond attempts to deny you your fundamental human rights of freedom of expression here - and this denial is as yet untested in the highest courts such as SCOTUS or the ECHR.
  
  3 0 Reply
  1. Monday 14th November 2016 07:53 GMT Anonymous Coward
    
    Re: Can I ask a stupid question?
    
    EULAs are full of terms that aren't worth the paper they're written on and the companies in question would rather not have to try them under unfavorable circumstances. In the case of modifying the code they'd much rather use it to try cases against people they believe have stolen parts of their code or broken DRM then people testing for vulnerabilities. While both using similar techniques one set of those looks better in the news paper and jury box than the other.
    
    Some companies will go after you regardless and it tends to look pretty bad for them. Much like some companies will always try and steal your youtube revenue even if it's within fair use (oddly often a similar set of companies) oh well.
    
    1 0 Reply
Saturday 12th November 2016 02:29 GMT Will Godfrey

I think you'll find these contests are sponsored by the 'victims'

2 0 Reply
Saturday 12th November 2016 19:55 GMT YARR

If they've got that kind of money to throw at hacker competitions, why don't they employ someone full time to find vulnerabilities in their own products? That way they'd uncover way more vulns much sooner.

0 1 Reply
1. Saturday 12th November 2016 20:23 GMT goldcd
  
  They do
  
  and they don't find them.
  
  Mainly as they won't pay the internal staff to the levels they will external folks, so it follows the better folks go external.
  
  1 0 Reply
2. Saturday 12th November 2016 23:19 GMT patrickstar
  
  Many of the companies relevant here have very good in-house and/or contracted staff. They have found and eliminated a lot of bugs - not just these particular ones. Even long after release, it's actually not very common that two third party researches find the same stuff.
  
  1 0 Reply
3. Sunday 13th November 2016 20:59 GMT Unbelievable!
  
  To quote Pratchett "million to one shots always pay off"
  
  Anywhere is never the same as anywhere else. Mix into that availability, skillsets and budget... you'd never cover the expanse or expense. Real world is the ONLY way to beta test. Take a look at M$ then look at MS *SP1 uptake necessity.. even perfect labs don't come close to real world.
  
  0 0 Reply
  1. Monday 14th November 2016 07:57 GMT Anonymous Coward
    
    $150,000 what's that, 1 good corporate security expert for a year? Probably demotivated from years in the corporate world?
    
    You do it to get fresh sets of eyes that come at a problem from a completely different angle.
    
    1 0 Reply
Saturday 12th November 2016 23:06 GMT Destroy All Monsters

He discovered it by deleting a single line of code from a Microsoft patch.

I don't understand how this leads to an exploit?

3 0 Reply
1. Sunday 13th November 2016 00:45 GMT John H Woods
  
  Enquiring minds ...
  
  "I don't understand how this leads to an exploit?" --- Destroy All Monsters
  
  I concur. For a moment I thought that he took a patch and modified it so that it actually introduced a vulnerability, but surely that would break the signing and the patch would be rejected.
  
  3 0 Reply
2. Sunday 13th November 2016 13:31 GMT g00se
  
  ... plus, i thought that exploitation began after patching had been done, so why are patches coming into the exploits at all?
  
  1 0 Reply
  1. Sunday 13th November 2016 13:37 GMT patrickstar
    
    I read this as the "inspiration" coming from the patch, and then the explanation getting mangled in reporting.
    
    Possibly that there was a certain buggy code pattern repeated across several exposed paths and the patch didn't fix all of them. Also would account for the short time needed to develop a working exploit.
    
    2 0 Reply
Sunday 13th November 2016 13:53 GMT Steve Goodey

Lee says laughing. "I worked for Samsung for a little while, but not anymore."

Was he their battery guru and they let him go?

1 0 Reply
Monday 14th November 2016 07:01 GMT Sam Paton

Of course he hasn't got a job. He tried but none of the recruitment consultants called him back as he didn't have a degree or 5 years experience.

2 0 Reply
Monday 14th November 2016 07:59 GMT Anonymous Coward

Someone said computers, competition and money and he was like "Is that an e-sport? My APM is well low but we can't have an e-sport without a top Korean this sounds like the game for me!"

0 0 Reply