by Buttons840 1204 days ago
> There's no law that just "makes security happen"

In another thread I proposed making white-hat hacking legally protected, even without permission from the company. If your system is constantly being tested by mostly white-hat hackers seeking their next responsible disclosure and bounty, then that's something.

Bug bounties already exist, but they're opt-in, and companies that need them the most are not opting-in. We also see the people who do things like press F12 get legally bullied[0].

Changing the laws to protect white-hats and responsible disclosure would help. This would be a law that "just makes security happen".

[0]: https://www.youtube.com/watch?v=lSsvzBV0tyI or https://arstechnica.com/tech-policy/2021/10/missouri-gov-cal...

1 comment

Legalizing hacking seems like a large loophole that will backfire. Where is the line between white-hat and black-hat?
Did you download 10 gigabytes of personal data and sell it? Or did you responsibly report the vulnerability once it was apparent? There would have to be some guidelines, and some attacks like DDoS might still be illegal, etc.

Certainly a risk of this proposal is that some black-hats would get away, but that is already happening, so it's not really a problem of this proposal. This law won't affect black-hats because they already operate outside the law.

The problem is nobody can investigate the security of a company without facing major legal risks. As I linked above, a researcher pressed F12 and next thing he knew the Governor was threatening to prosecute him, and that's just one example. I believe it is a felony if I want to investigate for myself how secure T-Mobile's systems are, because they have not explicitly invited me to do so.

About 10 years ago I was doing some web scraping and came across a website that was exposing PII (SSNs and more) of thousands of people. It was in an API JSON response; the JavaScript only displayed part of the data, though. I just closed the site and never touched it again. I'm not a security researcher, and I don't know how to safely report what I saw. It all seems personally risky for little personal gain. So I closed the site and let it go. My attitude has long been that if society wants to offer me some strong legal protections then I'll do the right thing; otherwise, society can burn. Half the nation's personal data can get stolen twice a month, as is already the case. When society cares enough to do something about it, maybe I'll change my attitude.