by Buttons840 257 days ago
There are two things when it comes to security:

Companies are responsible for their own security. You cannot try to hack them without their permission. Security researchers who do something like test the security of a car without the permission of the car manufacturer (like in this post) are committing a felony.

Also, companies are not responsible (liable) for their own poor security. If they do something like leak the private data of half the nation--shrug--what can you do?

How convenient for companies. It's literally a matter of national security; our national security is made worse by this status-quo, but at least companies aren't bothered by unwanted security researchers.

We need to pick a lane.

If companies want to be solely responsible for their own security, then they should also be solely liable for any damages done by their own poor security.

Or, we can recognize that security is really hard and make it a team effort and set up laws to protect security researchers, and then special "events" wouldn't be needed for security research; anyone could test the security systems at any time, and especially people would be able to test the security of devices they own.


> Security researchers who do something like test the security of a car without the permission of the car manufacturer (like in this post) are committing a felony.

citation needed

> No person shall circumvent a technological measure that effectively controls access to a work

Source: DMCA: https://www.law.cornell.edu/uscode/text/17/1201

I'm sure that spending a few hundred thousand dollars on lawyers might find a legal loophole, but I wouldn't count on it.

Why is it illegal to break the encryption of video game consoles? Whatever the answer is, the same can be applied to breaking the encryption of a car.

It's not clear DMCA applies in this setting. I'm neither a lawyer nor a "hacker", but reading through the whole page you linked I can't figure out what part implies cars are covered? If they were, then it seems like it would put mechanics at best in a gray area.

> Why is it illegal to break the encryption of video game consoles?

Is it? I know it is illegal to strip a game and upload it to the internet. But is it illegal to save your own digital copy? I was under the impression that this violates terms of use, but isn't illegal. That the legality was focused around distribution.

IIRC Sony lost that court case where the Navy turned their Playstations into a supercomputer.

I'm not trying to argue, but I'm trying to state my understanding so someone can better help me understand. I really do want to know how many crimes I've committed lol

It would need to be handled significantly differently from lock picking, which is legal. I assume one could craft an argument to shove DMCA in it, but that doesn't sound clear cut.

To your point, would most researchers want to spend lawyer money to test that? Surely not.

I'm also saying the law doesn't matter to an extent.

Remember this? https://www.vice.com/en/article/this-is-the-hacking-investig...

A reporter pressed F12 to view the source of a web page and the Missouri governor spent months trying to charge him with a crime as part of a "felony investigation". Full weight of the state on his shoulders because he revealed something embarrassing about the state.

In practice if you embarrass a company, they will crush you legally. And sure, after you spend a few hundred thousand dollars on legal fees you'll probably win, and the company will have to say "our bad lol", but you'll still be out the legal fees.

> Companies are responsible for their own security. You cannot try to hack them without their permission. Security researchers who do something like test the security of a car without the permission of the car manufacturer (like in this post) are committing a felony.

Not a single sentence here is correct.

I think you need to expand here. My understanding is that there is a lot of law you can fall foul of pen testing and sharing vulns on products of companies you don't work for.

It's phrased weirdly, but the op is describing an idealized status quo as would be seen from a corporate standpoint. It was meant to contradict itself and thus:

> We need to pick a lane.

I imagine op would likely agree it isn't actually that monotone and this was done for rhetorical purposes.