
It’s Finally Legal to Hack Your Own Devices (Even Your Car) - augb
https://www.wired.com/2016/10/hacking-car-pacemaker-toaster-just-became-legal
======
wyldfire
From [1]: "(ii) For purposes of this exemption, “good-faith security
research” means accessing a computer program solely for purposes of good-faith
testing, investigation and/or correction of a security flaw or vulnerability,
where such activity is carried out in a controlled environment designed to
avoid any harm to individuals or the public, and where the information derived
from the activity is used primarily to promote the security or safety of the
class of devices or machines on which the computer program operates, or those
who use such devices or machines, and is not used or maintained in a manner
that facilitates copyright infringement."

So it seems like it's all going to be gauged in how the material is
presented/hosted. The way I read it is "disclose the details of the bug and
source, ok. but once you start hosting an executable like './rootmysystem' or
'./disable_copy_prot' then you're entering the grey area." (Or rather the
decision would probably be made based on whether your website looks like one
that encourages or promotes infringement versus one that promotes security.)

[1]
[https://www.federalregister.gov/documents/2015/10/28/2015-27...](https://www.federalregister.gov/documents/2015/10/28/2015-27212/exemption-to-prohibition-on-circumvention-of-copyright-protection-systems-for-access-control#p-193)

------
sctb
Previous discussion:
[https://news.ycombinator.com/item?id=12826946](https://news.ycombinator.com/item?id=12826946)

------
6stringmerc
Neat. I like the exemption in principle, and the "Good Faith" condition will
probably be the linchpin that gets tested in court cases if they come up.
What is Good Faith in security research is not necessarily - I don't think - a
settled issue. Especially in light of the CFAA still on the books. I'd
appreciate more and more clarity coming through (and augmentations to existing
law to make them better) over time.

I wonder how the EFF will respond to this, because I recall one of their
lawsuits (major?) is about DMCA exemption for security research (Plaintiff 1)
but also violating DMCA in a for-profit-enterprise (Bunny).

------
sschueller
Can't they still restrict you? For example Tesla could prevent you from
connecting to their network and being able to use super chargers if you in any
way 'hack' your car.

~~~
jasonkostempski
Yeah, but it's best not to buy a car that connects to any type of network for
any purpose.

~~~
kakarot
I agree, but I feel that in our lifetime this will essentially become
impossible, if not downright illegal under the premise of road safety.

------
Shivetya
So not much has truly changed; this is a simple limited-time reprieve. Based
on wording, can you give permission for another party to work on hardware you
have? As in, can a manufacturer still declare that an end user cannot grant
access to another under the idea that the other party does not own the device
and as such is not legally allowed to work on it?

------
gr3yh47
Legal minds of HN: would the Sony vs Hotz case have been thrown out if this
provision was in place at the time?

~~~
raw23
Not a lawyer, but I couldn't see why it wouldn't be thrown out.

Hotz just reversed and found an exploit on his local machine. Seems to be
exactly what these provisions are covering.

------
rajangdavis
Out of curiosity, can this apply to SaaS products at all? It seems like the
provisions are relaxed in general.

I am curious if I could use this to reverse engineer a product that isn't
hardware AND does not have explicit provisions saying that I am not allowed to
reverse engineer the software.

------
inlined
I wonder if this new freedom to do security research can help us discover
vulnerabilities in our IoT devices before they're used in another massive
DDoS.

~~~
thesmok
The vulnerabilities in IP cameras and routers were publicly known long before
the latest massive DDOS. But the manufacturers and users of those devices did
not care, and they still don't.

------
yifanlu
Can someone point me to the actual ruling? The only one I can find was from
last year (2015). Has it even been ruled this year yet?

~~~
Kapow
The ruling was in 2015; there was a year's delay before it came into effect.

------
mgrennan
Time to through down on the IOTs.

~~~
benmcnelly
I would, but I have terrible follow threw.

