
If a person steals a car and calls it Research?

Computer law is difficult to understand.  Failing to understand it can get you into a lot of trouble.

You dart into a service station to buy a soft drink.  It's hot, so you leave the car running, keys in the ignition.  As you walk out of the building, you notice your car is gone!  A little later, you spot it a half block away, stopped by law enforcement for speeding.  You rush to reclaim your car.

Do you care that the thief is a self-proclaimed automotive security researcher?  Does it matter when the thief shifts responsibility for the crime onto you, blaming your security negligence for creating an attractive nuisance?  What matters more--the person's intentions, or the actions s/he performed while driving your car?

I'm not sure why, but the rules for computers seem to permit behavior we'd normally see as crime.  If someone breaks into your home and takes or copies your financial records, is that a crime or "your fault"?  After all, you installed breakable windows in your home, and that's a security vulnerability.

There will never be unbreakable computer security.  There will never be a car or home that can't be broken into.  Why the people who break into homes are considered thieves, while others who ransack websites are considered noble security heroes--I don't know.

I think the Auernheimer conviction and the amicus briefs filed in his appeal show the mixed feelings in the security community.  Hacking is no longer a philosophical exercise.  Many systems are worth thousands of dollars an hour, making downtime caused by hacking, er, testing, a costly expense.  I think security professionals need to study the laws carefully and make sure that their pastime doesn't turn into an unintended stretch of doing time.

Hacking--it's not a game; it's not a harmless bit of research; and you are likely to be held accountable for what you might consider harmless testing of a system's security.

But what about all the corporate sites that are insecure?

How do you know that those aren't honeypots?  How many would-be car thieves find themselves locked inside a bait car that crawls to a stop, thanks to remote deactivation by law enforcement?  Does anyone really think that all the ISP monitoring doesn't reveal Internet users' actions and the websites they visit?  Unless you have been hired, in writing, to do a security study--leave it alone.  Unless you're a member of the organization's own security staff--don't test.