undefined | Better HN

0 pointsmacNchz1y ago0 comments

Is there any sort of assurance that this wouldn't turn into a prosecution, though? It's not obvious to me on that site. Perhaps the CISA doesn't want to deter researchers, but do they get to make the final call?

The DoJ announced in 2022 that they would not prosecute "good faith" security researchers, but it's not binding, just internal policy: https://www.scmagazine.com/analysis/doj-wont-prosecute-good-...

The policy (https://www.justice.gov/jm/jm-9-48000-computer-fraud) explicitly states at the end that it's for guidance only / does not establish rights, and it includes a provision for additional consultation on cases involving terrorism or national security–terms which have both been overloaded by the government to justify overreach in the past.

Personally, given the history of the CFAA, I wouldn't want to be in a position to test out this relaxed guidance on prosecuting good-faith researchers, but perhaps I'm unnecessarily averse to the idea of federal prison.

0 comments

woodruffw1y ago

> Is there any sort of assurance that this wouldn't turn into a prosecution, though? It's not obvious to me on that site. Perhaps the CISA doesn't want to deter researchers, but do they get to make the final call?

I don't think any sort of absolute assurance is possible, and if it was given I wouldn't trust it to be permanently binding :-)

This is my intuition from having interacted with CISA, and my impression from talking to policy people: it's not 1993 (or even 2013) anymore, and there's a much better basal understanding of security researchers vs. someone trying to secure a "get out of jail free" card for doing something they shouldn't have. That doesn't mean the government can't mess up here, but I can't remember a prominent example of them throwing the book at a good faith report like this in the past decade.

(Swartz is who I think of as an example of an extreme miscarriage of justice under an overly broad interpretation of the CFAA. And, of course, there could be facts in this situation that I'm not aware of that would motivate a criminal or civil CFAA investigation here. But "pre-dawn raids" aren't really it in situations like this one.)

macNchzOP1y ago

I guess... at the end of the day without some reform to the CFAA I just wouldn't ever feel comfortable using exploits to gain access to a random website–particularly one related to air travel security–that I had no engagement with, even if there are enlightened folks in government who want to protect good-faith research. The downsides are just way too serious in the case someone, somewhere decides there's something worth prosecuting.

The FBI did raid this guy in 2016 after what was seemingly an attempt at responsible disclosure of leaked medical records: https://arstechnica.com/information-technology/2016/05/armed...

And this journalist last year, though the facts of this story are less clear and obviously not responsible-disclosure related: https://www.cjr.org/the_media_today/tim-burke-florida-journa...

dannyw1y ago

Well yeah, I personally don't pen-test random websites without a clear terms or bug bounty program.

Breza1y ago

I generally agree with you, but I would worry that an overzealous agency would be fine with finding and reporting the SQL injection vulnerability but object to the author creating an obviously fake record. It's hard to know exactly where the line is.

j / k navigate · click thread line to collapse