by Buttons840 1018 days ago
Do you believe that your proposal increases the cybersecurity of society as a whole?

You focus a lot on the rights and conveniences of a company, but the rights of a company are not more important than the security of society as a whole.

There are good guys and bad guys out there looking for vulnerabilities. What you propose reduces the number of good guys more than it reduces the number of bad guys (since bad guys are less likely to follow the law). What you propose shifts the balance towards the bad guys and makes it more likely that vulnerabilities will be discovered first by the bad guys. You also propose security through ignorance; security via hoping that nobody notices.

Again, I would really like to hear you assert that your proposal would increase the cybersecurity of society as a whole. I did not clearly see such an assertion in your comment. I want to see an argument focused on the security of society as a whole.

I assert that we currently reduce our national security for the convenience of companies.


I proposed a preference for systemic solutions over building a soft dependence on white hat hackers.

This benefits society as a whole because it clearly delineates actions with intent. If doing X is always not allowed, then all you need to do is find people doing X and you can hold them accountable.

If you allow or disallow the same activity based on merit of intent, then you increase the level of plausible deniability to everyone who gets caught.

I am not proposing security through ignorance. I am proposing security through consent. Nowhere did I say anything about not allowing research, I only said that if you do it unsolicited then it should be considered a threat.

So, we could systemically allow for a right to research that involves notice to the company and their consent for you to test. It would not hinder white hats at all. If businesses resist for selfish reasons we can expand the law to prevent them from denying requests without a legitimate reason. For example, maybe it is okay for them to deny a request from an ex-employee with a grudge who has sent the company aggressive emails. Idk, maybe there are no valid reasons to deny. The point is we can create a framework that promotes security development above the table with all parties involved. And my proposition is that if that is possible then it should be preferred.

You attempt to solve the problem of chaos (think grey-hat) by expanding law enforcement, by enforcing order on every internet user worldwide. That's going to require a lot of boots to squash a lot of faces. Curious kids who run port scans will stand before judges, journalists who press F12 will face the ire of the most powerful and decades in prison[0]. This will probably require some national firewalls as well. This will continue the status quo where companies leak the private information of countless millions and nothing happens, while individuals must be careful what they do with their own computer and their own physical devices.

I attempt to solve the problem by embracing chaos and empowering those who seek to do good in the chaos. I'd like to see our IT systems become so hardened that no amount of chaos can harm them. Let the grey-hats and black-hats run wild, it is possible to build our technology well enough that they can do no harm. This would require those with the most wealth and power in our society to do a little more, to take on some additional responsibility and demonstrate they are worthy of the trust and power we have given them. Let individuals be free and make the creators of our technology responsible for their own creations.

What you have proposed is what we already have, it is the status quo. When you hear about a major breach every other week, ask yourself whether or not it's working.

[0]: https://techcrunch.com/2021/10/15/f12-isnt-hacking-missouri-...

The status quo is not sufficiently codified. I am suggesting we codify it so that we can look at the rules and change them so that they make sense.

I also think it would be a good thing to have a legally protected avenue for people to declare their intent before checking for unlocked doors and such.

Imo I think a lot of the problems are coming from companies feeling like they are getting fleeced by security experts. If a company has acknowledged you as a researcher beforehand, then you have a pretty strong legal defense if they decide later that they don't like what you find.

I am not suggesting a new world order over everyone that uses the internet. People who stumble upon vulnerabilities without looking for them, or through incredibly basic means like a port scan, can be protected. We can feasibly list enough ways someone can uncover a security hole without a direct effort to do so such that the spirit of the law is sufficiently obvious to any judge to include any new ways that pop up on a case by case basis.

However, we cannot currently offer any protection to people directly trying to find vulnerabilities when such actions are identical to those of people who are trying to abuse them. The only possible differentiating action would be for someone to announce beforehand that they are aware that what they are doing looks like criminal activity and to request permission to proceed.

The argument that we have the technology to make it infeasible to hack systems is moot and imo naive. There is cost, significant cost, to maintaining the highest level of cybersecurity. Cybersecurity experts are some of the highest paid IT professionals on the market right now.

So I do not see how educating people who want to look for vulnerabilities to reach out for approval on what they are doing is too much order, but requiring everyone who creates anything that uses the internet to successfully implement state of the art cybersecurity defenses is not.