1

As I'm sure most people here are aware, there has been quite a lot of attention brought to the USA's Computer Fraud and Abuse Act (CFAA) recently. Brief back story: A security researcher discovered that a cell phone carrier made email addresses of their customers available through a non-authenticated service. He pointed it out and now could spend several decades behind bars. More Info: http://www.f-secure.com/weblog/archives/00002460.html

Without getting into "#FreeWeev" craze, I'm curious about how security minded folks are processing this information and whether it would deter you from reporting a legitimately identified security concern. Obviously people in the USA will have a bit more context on the issue but I openly welcome all points of view on the issue.

Will these rulings keep you from your work, or change it? If so, how?

Thanks!

grauwulf
  • 955
  • 5
  • 10
  • 1
    This question is probably not a good fit for this site, as it appears to be more of an open-ended poll. This is a question-and-answer site, not a discussion site or forum. The site is best-suited for specific technical questions with an objectively definable correct answer. Chatty, open-ended questions, or subjective questions where every answer is equally valid, are off-topic. I encourage you to read through [the FAQ](http://security.stackexchange.com/faq) for more, especially the section labelled [What kind of questions should I not ask here?](http://security.stackexchange.com/faq#dontask). – D.W. Nov 22 '12 at 00:48

2 Answers2

1

With respect to how (and whether) to disclose vulnerabilities, that subject has been covered extensively already on this site.

With respect to dealing with a potentially-embarrassing flaw with a powerful organization, remember this little gem:

Powerful organizations do not like to be embarrassed. And one way for them to save face is to incriminate the messenger ("see, we're not irresponsible, he's a terrorist"), and so when doing so, some certain amount of self-protection is in order. Perhaps you should remain anonymous. Perhaps you should seek legal counsel. Perhaps you should work through a third party (e.g. security firm).

Certainly what you should not do is flaunt the vulnerability in a spectacle of sarcastic derision and self-promotion. It may be safe to poke the bear with a long enough stick, but the only way to know for certain is in a post-mortem analysis of the events. Probably best not to poke the bear if you want to stay on the safe side.

tylerl
  • 82,225
  • 25
  • 148
  • 226
  • Sound advice. I usually disclose to the vendor anonymously, then disclose it publicly under my own name if it goes well. – Polynomial Nov 22 '12 at 08:59
0

This general topic area has been covered at At what point does "hacking" become illegal? (US), which includes references to other security professionals who were affected by these laws.

See also Found security vulnerability, what should I do?, which covers a related area.

Bob Ortiz
  • 6,234
  • 8
  • 43
  • 90
D.W.
  • 98,420
  • 30
  • 267
  • 572