

FBI Pays Visit to Researcher Who Revealed Yahoo Hack - AdmiralAsshat
http://www.wired.com/2014/10/shellshockresearcher/

======
realusername
I don't really know what will happen with this case but cases like this are
the reason I never try to contact anyone on security flaws.

Sometimes just when browsing the web, I click on a wrong link or a button in
an unexpected way and I see what must be a security flaw. When you have studied a
bit in this domain, you _know_ that there is something. I never tried to contact
anyone anyway because I have absolutely nothing to win. After all, if their
server is exploited I'm not liable in any way, but they can try to sue me if I
contact them.

~~~
tptacek
You're right not to. In the absence of a published policy implying permission
to test, it's illegal to intrusively test someone else's servers for security
vulnerabilities.

~~~
sarciszewski
I've found SQLi vectors by filling out job applications online, when they have
a free-form text field and I use a contraction. (See also: the preceding
sentence.)

I usually just close the window and apply somewhere else. Don't need the
trouble.

------
praneshp
He cc-ed the FBI, and they followed up with a courtesy call. There is nothing
in the article that suggests anything more than that.

------
sarciszewski
I really hope they don't arrest him.

But at the same time, I hope they do and then he fights the CFAA and kills
that stupid law once and for all.

~~~
Someone1234
You can tell that the CFAA got created during a period of moral panic about
computer crimes (e.g. "a single hacker could take over our nuclear warheads
and start WWIII" which is actually what the movie War Games (1983 Vs 1984 for
the CFAA) is based upon).

The crimes are vague and the prison terms are absolutely bonkers. You can
literally go hit someone over the head with a 2x4 and get less prison time
than you could get for breaking into their iPhone.

The fact that a lot of courts are completely ignorant about technology in
general and will eat up whatever junk a company tells them (e.g. "this XSS
exploit cost us $50K in wages to repair!") is also a huge problem.

~~~
declan
There's an excellent article written by some journalist (now ex-journalist, I
suppose) on that point:

[http://www.cnet.com/news/from-wargames-to-aaron-swartz-how-u...](http://www.cnet.com/news/from-wargames-to-aaron-swartz-how-u-s-anti-hacking-law-went-astray/)

_the CFAA's punishments, drafted during a post-WarGames computer hacking
scare and designed to deter intrusions into NORAD, threatened Swartz with
stiffer penalties than if he had been convicted of assault with an actual
crowbar...

"WarGames" inspired these extra-long prison terms. As soon as it was released
in June 1983, the movie, starring Matthew Broderick as a teenage hacker who
broke into NORAD's mainframe and nearly ignited World War III, electrified
Capitol Hill and kicked off an anti-hacker panic...

No fewer than six different anti-hacking bills were introduced that year, and
Congress convened its first hearings as soon as politicians returned from
their summer recess. Rep. Dan Glickman, a Kansas Democrat, opened the
proceedings by saying: "We're gonna show about four minutes from the movie
'WarGames,' which I think outlines the problem fairly clearly." A House
committee report solemnly intoned: "'WarGames' showed a realistic
representation of the automatic dialing and access capabilities of the
personal computer."..._

~~~
A_COMPUTER
On the positive side, I was a kid and I watched some of those news reports on
TV and begged for a computer because the idea of hacking into government
computers looked so cool. That's what started my interest in programming.

------
joshribakoff
He justifies his actions by comparing them to walking into a house with an
open door [1]. Since when is it socially or legally acceptable to walk into
strangers' houses? Last time I checked, that will get you shot.

[1] - [http://www.futuresouth.us/wordpress/?p=52](http://www.futuresouth.us/wordpress/?p=52)

~~~
nacs
Not only walked into the house but moved things around (killed running
processes, added another backdoor and gave himself shell access).

------
penprog
I really don't know what he was thinking. How many times have we heard the
story of the hacker that does something and is asked by law enforcement to
work for them? Or the student that gets arrested or expelled when he discovers
a vulnerability in some school software?

He should have expected this and taken precautions against it. Or not revealed
himself at all.

------
crazypyro
I feel like a major problem is that companies blame security researchers when
their stock price inevitably takes a fall after a major breach. When you start
messing with big money, the Feds come calling.

~~~
idissentdotnet
Who does number 2 (Feds) work for? :)

------
piratebroadcast
"Hall’s server got attacked, but the attack was coming from an unlikely place,
a server that belonged to WinZip."

He should sue WinZip or report them for the same exact "crime."

~~~
anigbrowl
He could have if he had observed it passively rather than trying to get
control of the remote server. As it is he has set himself up for a
countersuit.

~~~
fnordfnordfnord
For a criminal case, where is the mens rea?

For a civil case, what quantifiable damage has been done?

~~~
anigbrowl
You should be asking the GP, not me.

------
chatmasta
I guess I was wrong... [1]

[https://news.ycombinator.com/item?id=8416798](https://news.ycombinator.com/item?id=8416798)

------
pdeuchler
The author of the original disclosure states on his blog that this is no big
deal; in fact, he's been asking for a visit for a while and, if anything, is
upset that it took so long.

> [http://www.futuresouth.us/wordpress/?p=52](http://www.futuresouth.us/wordpress/?p=52)

------
beedogs
All these people here defending the CFAA, as if it's good law or something.
"How dare he connect on that host on that port! He should've known better! He
got exactly what he deserved!"

It would be funny if it weren't so sad.

------
nacs
Shouldn't he have been expecting this?

He CC'd the FBI in his email to Marissa Mayer.

------
totony
Would this be analogous to self-defense? A server was trying to hack into his
computer (his honeypot). Logically, taking measures to stop the intruder would
be legally acceptable. Yes, the server could just have been blacklisted, but
stopping the problem at its source is more effective imo.

Would this be a valid defense if he ever gets accused? Is hacking into the
server of a hacker who is hacking you to stop the hack legally acceptable?

------
code_chimp
This is why we can't have secure things.

------
drivingmenuts
> Hall says examining and then killing the malicious code was a kind of
> justified trespass, much like removing a child from an overheating car.

The difference being: no one was in immediate danger of dying. The two
situations are not equivalent at all and I cannot figure out any way to make
them so.

~~~
rbcgerard
Maybe that analogy is not perfect, perhaps one that is more property damage
related would be more apt?

"It's like breaking into an upstairs apartment to turn off the water that is
flooding your apartment below"

Are you allowed to do that? Probably not?

~~~
bostonpete
The problem is that you could come up with all sorts of analogies of
justifiable/unjustifiable trespassing to justify your argument. What about
breaking into an upstairs apartment because they left their TV on too loud?

The owner of the "apartment" (WinZip in this case) probably would have taken
action without the need for any "trespassing" if he'd just alerted them.

------
ppereira
I'd love to see a development of the law that aligns with Blackstone's
Commentaries on trespass and ravenous beasts of prey: it is justifiable to
enter another's servers in order to hunt and kill worms because destroying
such creatures is profitable to the public.

