18

I was reading another question which mentions a site that had a page inviting people to try to hack it, and it made me wonder.

Let's assume, for the sake of this rather hypothetical question, that a site has a page asking people to hack it, and that the page did not specify which kind of hacking was or wasn't acceptable.

Does placing such a page provide a legally/ethically sufficient indication that this site is really expecting to be hacked? Are there any legal/contractual/ethical requirements to be set before publishing or executing those kinds of challenges?

Does it really mean all bets are off and any kind of attack is acceptable?

This question was IT Security Question of the Week.
Read the Apr 6, 2012 blog entry for more details or submit your own Question of the Week.

Yoav Aner
  • 5
    I would recommend a signed and written statement, as you are entering a field where high criminal charges do occur. This is how it is often done with professional penetration tests. – Legolas Apr 02 '12 at 08:55

2 Answers

10

This is a very interesting area, and I don't think anyone has raised a legal case yet to gain a decision one way or the other.

In various jurisdictions, you could still be prosecuted for criminal activity, despite there being an approval note on the website.

As an example, when a penetration testing company does some work for you, the terms and conditions may include limitation of liability clauses, expectation of behaviour, contact and escalation protocols and contacts and so on, and we still work with an element of risk that if we break something the client may take legal action. So when you start attacking a website be very aware that as there is no signed contract they may not need to hold to the contract implied on the website.

So at the very least, follow the guidelines, but in addition, log everything you do just in case something bad happens and you need to prove it wasn't you, or wasn't deliberate!

Rory Alsop
  • 1
    +1 Good answer. I wonder about a couple of things (out of scope of the question though): 1. How do you log *everything* (when using so many different tools)? 2. Couldn't this actually play against you if it does somehow come to a legal action? – Yoav Aner Apr 02 '12 at 20:29
9

I'll start with the obligatory I'm not a lawyer, and lawyers are the only ones who can give proper legal advice :)

That said, there are a number of factors to consider here. First up, there are some sites which explicitly allow security testing (a recent list on Dan Kaminsky's blog). From what I've seen these sites provide rules of engagement (e.g., no DDoS attacks). If you follow those guidelines for a large company like Google, I'd be surprised if they took legal action against you. Of course I guess you could still theoretically be breaking a local law against hacking even so.

Outside that list or other very well known companies I'd be somewhat leery of a page which said "it's OK to hack this site". For example on a site where user-generated content is allowed, how do you know that the person who created the page has authority to make that decision?

In any case I'd be surprised to see a site say "no holds barred" attacking is OK. Ultimately, even if it's just a Denial of Service, almost all sites have some level of vulnerability.

Rory McCune
  • Do lawyers *ever* answer those kinds of questions? Good pointer to Kaminsky's blog. I wasn't aware of that, and not even that some sites do publish some kind of security-research policy. Interesting that most of those are worded something like 'if you do this and tell us nicely, we won't sue you'... – Yoav Aner Apr 02 '12 at 20:31