arcwhite|4 years ago
If you're going to go hack on a company, make sure you have some legal protection first. Check disclose.io or the company's website (look for a security.txt!) to make sure there's some sort of safe harbor provision, or a pre-existing vulnerability disclosure program or bug bounty program that allows you to do this kind of testing.
If you're not going to do that, then disclose the vulnerability anonymously and cover your ass while you're testing, or just don't.
Meanwhile if you're an American please write your local representative and express your displeasure with the antiquated, overly-simplistic CFAA and ask them to support initiatives to have it replaced or removed.
mmaunder|4 years ago
> If you're not going to do that, then disclose the vulnerability anonymously and cover your ass while you're testing, or just don't.
No. Just don’t. Know that video about not talking to the police because they interrogate people all day long and you’re an amateur in a pro fight? Same thing with infosec. We attribute IOCs to noobs all day long.
You don’t need a criminal record. It’ll ruin many parts of your life. I have friends who can confirm that the record they got in their late teens or early 20s closed many doors. Join a formal bug bounty platform and find legitimate work there.
arcwhite|4 years ago
There are some pretty concerted efforts in play to at least have it updated and tempered, which could have legs. I don't hold much hope it'll go away, but I do think some of these efforts to have it replaced could have legs.
> No. Just don’t.
Yeah, fair, I mean I'm all too aware of the consequences myself, but within this setting telling a bunch of people "thou shalt not" seems almost more harmful (IMO it's akin to saying "never roll your own crypto", which someone inevitably ends up taking as a challenge).
erosenbe0|4 years ago
Espionage would include things like illegally surveilling the competitor's networks, bribing their employees for information and credentials, using malware to create backdoors, social engineering, blackmail, poaching their talent and incentivizing unethical disclosure of trade secrets, and cracking systems that explicitly bar access.
Reverse engineering their product through public IPs is legally acceptable up to CFAA boundaries, which are fuzzy, and it's not clear what kind of exploits were involved in this situation. They may have been relatively benign reverse engineering, or they may have been something associated with civil and criminal penalties.
tptacek|4 years ago
There is a lot of authoritative writing about the legality of reverse engineering (long story short: reverse engineering is mostly fine, legally) --- but that writing covers reverse engineering stuff running on your own computer. It categorically does not extend to reverse engineering software running on other people's computers without their permission. You'd easily get into a bunch of trouble assuming otherwise.
A lot of terrifying stuff on this thread! It's good this person already has a lawyer.
tsimionescu|4 years ago
You releasing a competing product after having personally worked on reverse engineering someone's product is a lot murkier, and easily opens you up to copyright lawsuits, which you'll have a hard time fighting if you do happen to have similar code, since in copyright it matters not just if the code was similar, but also whether it's likely that you actually copied it (unlike patent law).
This can and has been done, but normally you want a very clear firewall between the reverse engineering team and the dev team, with lots of paperwork proving that no one on the dev team ever saw a line of code from the reverse engineering team - they were only told concepts and ideas, which are not copyrightable. This is how the first free Unix was created, for example.
arcwhite|4 years ago
gameswithgo|4 years ago