Closing the Schism Between Hackers and the Law

by The Piano Guy

This is an article in response to the one written by Scott Arciszewski (30:4), where he suggests that the only thing good hackers can do is go dark in order to help the world without getting hurt for doing so.  He denigrates the concept of being a White Hat, comparing us to condoms (either useful or disposable).

What he fails to recognize is that he didn't function as a White Hat, and he was screwed badly as a result.

Let me elaborate here.  There were no winners in his story, or the ones like it.  And, Scott received a severe punishment that was not warranted.  Had he been rewarded rather than punished for what he tried to do, I would have personally felt that all was right in the world.  However, there were other ways for him to do what he wanted to do and, had he done them, he would have endured no punishment and gotten his noble goal achieved.  Had he not gotten his noble goal achieved, at least he wouldn't have amplified the problem he found.

While this article does not constitute legal advice, I would love to have some of our lawyers chime in on my opinion to see if it holds legal water.

If I found an InfraGard website with a vulnerability, I would consider writing a letter that went as follows:

To Whom It May Concern:

While doing research for a project on Internet vulnerabilities, I have accidentally stumbled across a vulnerability on your website.  I have not disclosed this vulnerability to anyone, nor have I exploited it.  I have no interest or desire to exploit this vulnerability, or reveal it to anyone that would have bad intent.  However, I do realize that by disclosing it to a responsible party, the vulnerability can be mitigated or eliminated, which would be a benefit to you and your organization.

I am not seeking compensation for doing so.  I am simply seeking to do the right thing and be helpful as a good Samaritan.  Please advise me as to whom I should contact within your organization as a responsible party.  To that person or to those people I will provide the information required so they may appraise my finding.

If you are not interested in pursuing a remedy for any vulnerability I may have located, please let me know within 30 days so I may know that I should not pursue any further actions on your behalf.

Thank you for your attention.

Scott could have sent a letter like this to the Tampa InfraGard chapter and, if no response was received after two weeks, could have sent this letter directly to the local FBI field office in reference to the InfraGard site.

Please note what this letter does and, more importantly, what it does not do.  It makes clear that no harm, blackmail, or extortion is intended.  It makes clear that the sole intent is to help close the vulnerability in a responsible manner.  It only asks for contact information, and states that nothing will be done until that contact information is returned.  Also note that when I say send a letter, I do not mean send an email.  I mean send a letter.  It doesn't have to be registered or certified, but keeping a copy of all correspondence would be a good thing to do, and you would do better to keep that record on paper than as a recording.

One of four things can be expected from sending this kind of letter.

The best hope is that they will call or write and say "Yes, thank you for letting us know we have a problem.  Give Mr. John Smith a phone call at 321-555-1234 to discuss this matter further."  I wouldn't call except to say that you'd like the address to send the information to, and then submit it by postal mail again.  Send the information on the vulnerability.  By constraining your substantive conversation to written correspondence, you can't be accused of saying anything you didn't say.  Get your correspondence in writing, and consider that to be your engagement letter.

Another response you may get is going to be akin to "go away kid, you bother us."  At that point, do so with a clear conscience.  Don't do more.

The third thing that may happen is that you will get no response at all from all the proper channels.  At that point, having made a proper effort, you too might think this was horrible, but you would have your hands tied unless you can get someone in power to respond.  That would depend on how many letters you would want to write.

While I think it is highly unlikely that you will get the kind of response where people are threatening you with legal action, you have only written correspondence that says you've done nothing wrong, intend to do nothing wrong, and are simply asking for a proper way to respond to this find.  In Scott's article, he refers to this being the equivalent of knocking on the door, having it swing open, leaving after looking around inside, and then getting in trouble for breaking and entering.  What I am suggesting is that what Scott should have done once he had the door swing open is to not go inside, but instead report it to the police.

If you were going to a friend's house and you found the place open and unsecured, looking abandoned, would you go on your merry way or would you call the police to at least keep an eye on the place until the owner could be found?  Maybe it is because of where I grew up, but I'd call the police.  I sure as heck wouldn't yell out in the streets "Hey everybody, look here, an open house."  When Scott blew the whistle on Twitter and through other public media, that is exactly what he did, which is what put the site in more danger.  To me, that turned Scott from a White Hat to a Gray Hat.  If you think I believe he got what he deserved, please reread my second paragraph.

The Hippocratic Oath states "first do no harm."  If Scott and the other bright folks like him who also have good moral intent state "I found something - someone come please talk to me so I can show you where to go fix it," no one can state that a law has been broken.  If the vulnerability is revealed publicly before giving the proper authorities a chance to fix it (no matter how stupid or slow they are about it), then harm is done by revealing that information, and the White Hat nature of the intent can then be called into question.

Here's one final example to drive the point home, and to reference the point of not helping commercial enterprises.

The nature of my music business (I don't just do IT security) doesn't require me to have a website, let alone use online transactions for what I do.  My music is for sale on iTunes, and I let them carry the load regarding security.  But, let's fictionalize here and say that I had my own website www.ThePianoGuyIsSellingHisMusicOnline.com with its own shopping cart, user database, and such.  Because I'm totally clueless (remember, this is a fictional story), I insist on people creating an account with me before I sell them my music, and I collect Personally Identifiable Information (birth dates, SSN, what have you).  And, because this is totally fictional, there are people out there who are stupid enough to provide me with that information because my music is that good (O.K., the story isn't 100 percent fictional).

Scott comes onto my website, finds a problem with how my shopping cart is set up, and alerts me to that.  He doesn't tell anyone else, doesn't tell me to pay him in order to have him reveal the problem, and in no way jeopardizes my business or my clients.  He is trying to help me.  I might not be happy to hear that I have a problem, but as long as he hasn't put me in jeopardy himself, I'm not going to be inclined to attack him.  However, if he tells everyone else first, my perspective is that he didn't try hard enough to let me know that there was a problem, or that his intent was to hurt me, and I'll come down on him like a ton of bricks.  If I don't respond to him, he has the option to tell people to not do business on my website, or at least to not provide unneeded Personally Identifiable Information (PII) on any website.  I'd be really peeved with him, but I'd have nothing that was prosecutable.  Scott is entitled to free speech and his opinion.  He could also tell people that my music was bad, but then he would be wrong.

To sum up, first get the contact information of the proper point of contact.  Do not move forward with any revelation of a vulnerability to anyone prior to doing so.  The harm done by it being there is already done.  Once you finally have the proper point of contact and they say they want your information, then reveal the information in writing.  They may hire you for other gigs, ask you to do a pen-test, give you a reference letter you can use while seeking other clients, or they may do nothing.  But, they are highly unlikely to try to prosecute you, and if they are so stupidly inclined, they are highly unlikely to succeed.
