Comments on Jeremiah Grossman: Moving Forward: CSI Working Group on Web Security Research Law

Benjamin Wright (2007-08-28 14:03):
Jeremiah: I wish to offer another comment about the Report. I do this not to throw stones at the Working Group, for which I have much respect. Instead, I seek to foster public dialog about the important topic the Report addresses. The Report says, "It is true that software security researchers can get tangled in legal snares if their research methods brazenly defy copyright law or the software vendor's end-user licensing agreement. Yet those are not criminal offenses." Although I understand the educated spirit behind that statement, I'm uncomfortable with it. A EULA for a desktop application in fact might support a criminal prosecution. For example, the EULA for Adobe Reader says, "The structure, organization and code of the Software are the valuable trade secrets and confidential information of Adobe Systems Incorporated and its suppliers." Further, the Adobe EULA authorizes only limited uses of the software, and security testing is not one of them. California Penal Code Section 499c(b)(1) essentially says it is a crime to use a trade secret without authorization. I suspect a prosecutor could build a case that a tester who (with evil intent) probes deep into the Adobe code is using a trade secret without authority and therefore committing a crime under 499c. Now, I don't think California prosecutors will commonly go after responsible security researchers investigating Adobe Reader installed on their own machines.

However, I argue that the primary things that protect responsible security researchers (whether they are inspecting applications installed on their own machines or Web 2.0 applications installed on other peoples' servers) are their intent, motives and methods and their carefulness to avoid hurting other people. I argue the protection for respected security researchers does not come so much from a legal distinction based on who owns the hardware on which the application being tested is installed. . . . I am interested to hear what you and others think ('cause I don't know everything!).

--Ben Wright, hack-igations.com (http://hack-igations.blogspot.com)

Jeremiah Grossman (2007-08-24 05:28):
I posted your words to the group. Full credit cited of course. At the moment there is no publicly available text from the group. I double checked. We use grouphub to communicate. Though I can see if we can open this up a bit.

Benjamin Wright (2007-08-23 11:56):
Yes, Jeremiah, you are completely free to repost my words. The Report grabbed my attention when it came out in June. I am very interested in learning more about this field of law.

Does the Working Group have a public blog?

--Ben Wright, hack-igations.com (http://hack-igations.blogspot.com)

Jeremiah Grossman (2007-08-23 09:12):
Hi Ben,

I really liked the way you drafted this up. It makes some good points and presents the scenario in a way I hadn't seen before. The others in the CSI working group might benefit from this PoV. You mind if I post it to the group?

Benjamin Wright (2007-08-23 08:05):
Hello, Jeremiah. This is a complex and important subject, and I salute you and the Working Group for taking it on. When I say a web researcher can change the complexion of his case by notifying people before he acts, I'm not necessarily saying he gets consent. Giving someone notice of what one plans to do is not the same as getting their consent.

One example: Suppose a respected group of researchers, acting with support of a responsible group like EFF, is concerned about a vulnerability common to major web sites. Imagine the group sends a message to the sites in question (and they publicize the message), saying a. we intend to inspect your site under these controlled parameters; b. we will publish our results; c. the reason we are doing this is to promote the public interest, consistent with the long-standing tradition of respected, independent security experts testing software applications; d. the identity and contact information for each one of us is XYZ.

If the group sends this notice and then acts, it does not have explicit consent from the web site owners.

However, advance notice like this makes the situation for these white hat researchers very different from the situation for Cuthbert and McCarty (the two examples of convictions in this area).

--Ben Wright, hack-igations.com (http://hack-igations.blogspot.com)

Benjamin Wright (2007-08-23 07:58):
This comment has been removed by the author.

Jeremiah Grossman (2007-08-22 10:33):
Hi Ben, thank you for the comment and I agree with you in practice. In today's environment it's best not to test any system you don't own without consent. However, the key point of the CSI discussion was one step beyond that. With normal desktop software, researchers don't need to ask for permission to find vulnerabilities. In many ways consumers are dependent upon that work because it helps to ensure vendors are shipping "secure" software. However, in the case of Web-based software, where the software industry is heading, we're losing the visibility researchers provide for reasons we're both familiar with. I think it's unlikely that website owners will grant explicit permission to just anybody to test their security. That's typically restricted to paid professionals. That also means it won't see the unrestricted testing of the masses as desktop software does.

Benjamin Wright (2007-08-21 20:24):
Jeremiah: For responsible security professionals, a general way to avoid the appearance that their assertive actions are criminal is to notify people BEFORE they act. Before they act, professionals can explain the justification for their action. Cuthbert and McCarty (the Report's two sad examples of convictions) acted surreptitiously. Their cases could well have turned out differently if, in advance, they told the web site owners (or hosters) what they intended to do and why.

-Ben Wright, Hack-igations.com

sperlis (2007-06-19 00:41):
Hello Jeremiah,
I'm very new to the Web-App Sec business, and as an outsider, the first thing that struck me is the need for legislation.
I'd like to offer a couple more points. The law needs to be comprehensive. Right now, it's the Researchers vs. The Corporations - "Clash of the Titans"-mode. There are a couple of other things to bring under the umbrella of the law, perhaps borrowing from other industries (I come from telecom, so I'll lean on them):
1) Do Not Call - telemarketers keep a Do Not Call list where you can sign up to not get disturbed. A central registrar could be made where each company's WebApp policy should be clearly stated.
2) "How is my Driving" - in Israel a company with a fleet of cars must keep a complaint hot-line, and each car must display the number. Force WebApp providers to do the same. Security warnings by researchers may be reported to a third party that could check the validity and report back (new industry in the making!).
3) Tapping standards - in telecom, standards for connecting tapping equipment exist (CALEA, for example). Where and how a call may be recorded, and how to ensure the validity of the recorded data (anti-tamper measures). In WebApps, such standards may define which pen-tests may be safely done and which kind of "fingerprints" a researcher must leave.
4) Enablers Liability/Protection - access service providers such as coffee houses and airports might also face liability in the future for providing an untraceable and unidentifiable house for malicious attackers. These attackers are the real reason why legitimate research sounds like a contradiction in terms to lawmakers and enforcers. A law enabling research must deal with these issues as well.

That's all I can think of right now, but I believe that a law must encompass a wider range of elements in order to obtain legitimacy and, most importantly, interest.
Aside from that - keep up the good blog, I'm learning a lot!

Silentz (2007-06-18 11:43):
Excellent piece Jeremiah, just a couple of points I wish to raise.

Quote:

"Conversely, the Web researcher, in most cases, must perform his activity on a server owned by someone else."

I know you (or whoever) says "in most cases" but I feel this is not true, well at least not in my case and in the case of a few other of my associates, as I always download the app I am auditing to my local system and run my probes from there and have never once had to run it on another site.

Another thing, I saw a lot of legal stuff in there and also some stuff about the laws here in the UK, but one law that would've been good for you guys to include was the petty law they introduced last year:

http://www.publications.parliament.uk/pa/cm200506/cmbills/119/06119.27-33.html#j383A

This basically says something along the lines of "If you write a whitepaper informing the general community on the types of attacks an attacker could use against you & your system...you could face 12 months in prison".

Pathetic really...

Jeremiah Grossman (2007-06-18 07:44):
Thanks Ronald, though I don't think it's proactive really, not much in the infosec industry is. We're also reacting to something it seems. For my part at least both sides of the conversation are now being heard for those who choose to listen. We're going to have to figure out a way to balance the legalities and ethics with pen-testing web-based software.

Anonymous (2007-06-16 13:44):
Sounds very good Jeremiah, the webappsec disclosure is still some renegade business now. Would be great to see some changes, I'm glad you're one of those who would like to change it and are pro-actively trying to accomplish this. Good work.

Ronald van den Heetkamp
0x000000.com

Anonymous (2007-06-14 16:15):
hahahahahaha

Jeremiah Grossman (2007-06-14 09:28):
HAHAHA, now THAT's funny! :)

Anonymous (2007-06-14 09:26):
Asking Jeremiah a windows browser question is a bit like asking a fish about air pollution.

Jeremiah Grossman (2007-06-14 09:06):
Sounds like a bug, but I really don't know.

Anonymous (2007-06-14 09:02):
Hey Jeremiah,
Kind of unrelated question, I've been playing around with the Safari browser for Windows. We run through a squid proxy here and every time I go to a site it prompts to enter credentials for the proxy. If I enter anything it crashes the browser. Would this just be a bug, or classified as a DoS? I've tried fuzzing the user/pass parameters but I can't overwrite anything on the stack.

Thanks for the 'noob' question :p
-Eric