Bug hunters face online apps dilemma (via Joris Evers from CNET)
"Security holes in online applications may go unfixed because well-intended hackers are afraid to report bugs. Web applications pose a dilemma for bug hunters: how to test the security without going to jail? If hackers probe traditional software such as Windows or Word, they can do so on their own PCs. That isn't true for Web applications, which run on servers operated by others. Testing the security there is likely illegal and could lead to prosecution."
We've all been debating the legal and ethical issues, but it doesn't change the fact that we're going to lose the canary-in-the-coal-mine aspect of information security. Does that mean we're going to have to rely on compliance rather than community peer review? Eeesh!
I also just caught Alan Shimel's follow-up to the article, in which he comments on one of my quotes:
"Jeremiah Grossman of White Hat Security (and a past guest on our podcast) is quoted as saying that: 'We're losing the Good Samaritan aspect of security'. He uses the gun law analogy that if we make it illegal to find vulnerabilities in web sites, only bad guys will find them. Sort of like if it is illegal to own guns, then only bad guys will own guns. I disagree with the gun analogy and I disagree with Jeremiah on this one. I just think there is too much room for abuse to allow or condone people hacking into web sites. Who really knows what their motives are."
Let me clarify, because I still stand by the statement as what will inevitably happen should Good Samaritans be routinely prosecuted. But I don't think Alan and I fundamentally disagree on the next step of the legal matters. Pen-testing websites without consent is, and should be, illegal (we can debate proper penalties later). There is just too much risk otherwise. What we do have is a catch-22 situation.