Hacker News new | comments | show | ask | jobs | submit login

> so just tip off a foreign national who already lives in Russia or whatever, and they can do it.

That's ends up being conspiracy to commit the crime, which hits you just about as hard as the crime itself. You better be _very_ confident that the FBI/NSA won't be able to intercept your communications or tie you to the foreign national who commits the crime.




Or... just be a foreign national who discovers this in the first place?


You're literally suggesting that a researcher should go to Russia so that they can exploit the vulnerability before disclosing it to the people of the United States. I have a feeling that wouldn't fly well in court.


Errr, no... I meant that there would be effectively no consequences if, instead of a US-born security researcher discovering this, a Russian-born Russian-citizen security researcher discovered this. It's a counterfactual, not a suggestion.

A suggestion would be: if you want to research vulnerabilities without the possibility of prosecution, why not research other countries' companies' vulnerabilities, where those countries have no treaty criminal-deportation agreement with your home country? Such companies can still pay you if they appreciate what you've done, but they can't sue you if they don't; and even complaining to their government about what you've done won't really amount to anything in the end.

This, I think, solves the problem, at the cost of raising two other problems:

• Your own government might not appreciate you improving the security of [essential industries of] its enemies;

• the foreign government might interpret the vulnerability research as an act of cyberwar (much like, say, flying your own drones over a foreign military installation as a private citizen would be interpreted as an act of regular war), and your own government might have to trump up some domestic charge to pin on you in order to appease them.

The first factor is more important in time of war (you might be branded a collaborator!); while the second is more important in time of peace (you might be branded an instigator!) So there's probably very few "exactly right" times to do this where you'd likely get away with doing it scot-free.


Whoosh? It's pretty obvious who derefr is talking about.

EDIT: I can't tell if you're being sarcastic or not


Apparently this is going over my head. Who is derefr talking about?


WannaCry


Or he probably meant sending an anonymous tip, if that is even possible..




Applications are open for YC Winter 2019

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: