EFF Coder’s Rights Project | SYS-CON EN ESPANOL

EFF Coder’s Rights Project

Public Service Announcement

Apr. 20, 2009 12:18 PM

I ran across this today, and thought it was just too valuable to not make mention of. The EFF has a "Coder's Rights Project" that includes FAQs and guides related to the legalities of security disclosure, reverse engineering, and ethical hacking/testing for security vulnerabilities. They are absolutely fantastic layman summations of all the legal nuances (US-centric) that you should be aware of while pursuing any of these legally grey endeavors. The FAQs and guides concisely lay out how the various US laws, such as DMCA, copyright, and Computer Fraud and Abuse Act can come into play during security testing, disclosure and reverse engineering efforts. The EFF material also provides very good advice regarding how to reduce/limit your risk.

If you had any doubt, it should be thoroughly dispelled by the time you are finished reading the material on EFF: testing software and web sites for vulnerabilities is NOT a legally granted right. The law does NOT recognize the concept of "ethical" hacking. As such, the true key to ethical hacking is the confidence that the person you are hacking is not going to legally pursue you after your activities. Hack only when you have permission to do so. Without permission, you are putting yourself legally on the hook regardless of your morals and non-malicious intentions.

If you are still steadfast in your desire to perform security tests without explicit permission in a manner that you feel is morally clean, then you need to ensure that you keep all your actions above board and follow through on your non-malicious intentions. If you do find a problem, report it immediately. Taking the time, for example, to dump the entire user database along with passwords and play around with it for a few weeks before you finally disclose the problem is not going to be seen as aligned with best intentions. Also keep in mind that law enforcement agencies are very keen on people trying to hide their identities while undergoing these types of activities; using anonymizers and the like is not looked upon favorably and as such could push your activities to the ‘blackhat' end of the spectrum rather than the ‘whitehat'. If your intentions are good and you have nothing to hide, then don't hide it.

Above all else, if there is any doubt, then just don't do it.

Jeff Forristal

Senior Security Engineer, Zscaler

About Jeff Forristal
Jeff is a professional technology architect, strategist, and visionary with over a decade of experience in the security industry.

He dually functions in both a technical contributor role and a strategic business role. Throughout his professional career he has been responsible for conceiving new service offerings, developing industry-first and market-leading product features, and driving research into new industry areas.

Jeff is an accomplished writer having written multiple features and cover-story articles for Network Computing and Secure Enterprise magazines; He is also a contributing author to multiple books (with the next one due out in late 2009).

Under the pseudonym “Rain Forest Puppy,” he has been recognized as an industry expert in web application security and was responsible for noted industry landmarks including the first responsible security disclosure policy and the first intelligent web application scanner. He has presented my research in many forums, from established security events like BlackHat and CanSecWest to smaller regional conferences around the world, often with exceptional reviews.

He is now Senior Security Engineer at Zscaler.