Hacking of web sites, security research, disclosure and legislation
Table of contents.
2. Finding vulnerabilities.
3. Hacking of web sites.
4. Vulnerability disclosure.
5. Examples of laws on this subject.
6. Guidelines for legal security research.
7. Other interesting aspects of web security and legislation.
I understand the position of RSnake (which he sets out in his article “Hacking Without All the Jailtime”) and of Stephan Wehner, Thrynn and Steven M. Christey (which they set out during a discussion on The Web Security Mailing List) on the legal issues of vulnerability discovery and disclosure, but I do not fully agree with them. I think that the cases they mention are limited and that these actions are mostly not illegal. So in most cases discovering vulnerabilities at web sites and disclosing them is legal, and I will write about that in detail.
In this article I will try to answer many questions concerning the legality of different aspects of security research on the Internet (vulnerability discovery at web sites, vulnerability disclosure and hacking of web sites) and show you the full picture of the current situation with security-oriented laws in our world. I hope it will be useful for the security community and for those people who work on legislation.
First, some words about the article “The Chilling Effect”, which touches upon this subject.
The article mentions only one case, that of Dr. Meunier (and his student), where finding and disclosing a vulnerability led to a problem with the law. The author of the article mostly focuses on this one case. Some hacking incidents are also mentioned, where people not just found vulnerabilities but used them to hack and were caught (particularly McCarty, who hacked the University of Southern California and was found guilty of unauthorized access). So before talking about the illegality of vulnerability finding and disclosure, you first need more cases.
There is also an interesting sentence in the article: “No one knows for sure yet if it is, but how the law develops will determine whether vulnerability research will get back on track or devolve into the unorganized bazaar”. People, first find out for sure (i.e. make a well-defined law), and then say whether it is legal or illegal (there is no need to spread this fear in the security community).
2. Finding vulnerabilities.
Whether finding vulnerabilities at web sites (and other security research connected with sites on the Internet) is illegal or legal depends fully on the legislation of the researcher’s country. This means that a person who does security research can be found guilty only when his work falls under his own country’s legislation (i.e. the legislation of other countries cannot be applied to this person). This concerns both vulnerability discovery and hacking of web sites (about hacking I will write later in the article).
So if a researcher found a vulnerability at a site and by the law of the site owner’s country he broke the law, but by his own country’s law he did not, then he is not guilty. The laws of a particular country apply to the citizens of that country and to anyone located in that country; since the researcher is located in his own country, the laws of other countries do not apply to him. So the researcher needs to take this situation into account, and not be located in a country which has such legislation and where the site (the server of the site) which he is checking is located.
There is also another aspect of international relations in security research and the cybercrime sphere. If a person from one country took some action (vulnerability discovery or a web site hack) which broke the law of another country, and this action led to big damage, and the second country wants to catch this person, it can ask the first country for extradition (only if there is such an agreement between these countries). This will be possible only in serious cases, like serious hacking of web sites (as in the case of Gary McKinnon, who hacked many USA computer networks, including the Pentagon’s network), but not in the case of security research such as finding vulnerabilities at sites.
There is also a geographical aspect. Even if a person from one country (where such actions are illegal by law) takes security-related actions against a site in another country (where such actions are illegal by law), he may not be guilty, because the law of the other country applies only to the citizens of that country (and people located in that country) and can be applied only to the sites of that country. In turn, the laws of the first country, whose citizen this person is (or where he is located), apply only to the sites of that country, so by taking actions (even illegal ones) against another country’s sites he does not become guilty. Yes, the owner of the web site which received these actions can try to have him found guilty (where such actions are illegal in both countries), but it will be hard to do. And as I mentioned above, only in serious cases, like serious hacking of web sites (as in the case of Gary McKinnon), will it be possible, and in such a case not only extradition can be used, but also a trial in the person’s own country.
People often forget (or do not know) about these aspects. And for this reason people sometimes tell me that I am breaking some other country’s law (e.g. USA law) by discovering and disclosing holes. As in the comments to my announcement of the Month of Search Engines Bugs project.
These people must understand that I do not care about USA laws and I do not need to care about them, because I am a citizen of Ukraine and I am located in the legislative field of my own country (so the restrictions of other countries’ laws do not extend to me). People must observe the laws of their own countries (or of the countries where they are located). Here I am talking about good guys and gals, because bad guys do not observe any laws at all.
Two consequences follow from this:
1. For security researchers (hackers).
Using these legislative aspects, good guys can do their security research without worry and without any legal problems. Just observe the laws of your country and don’t hack the Pentagon, and everything will be fine.
2. For bad guys (criminals).
Using these legislative aspects, bad guys can do bad things (e.g. hacking web sites for malicious purposes) without any fear of the law. This situation leads to problems in the cybercrime field (and the Internet community constantly deals with such cases). So lawmakers need to improve international legislation in this sphere, but only in the context of cybercrime, not in the context of security researchers (vulnerability discovery and disclosure must stay legal).
There are always good and bad sides to the medal.
3. Hacking of web sites.
Hacking of web sites can lead to damage (in most cases), so it will be considered illegal in all countries which have appropriate legislation. There is such legislation in Ukraine, the USA and other countries.
But note that not only bad hacking of web sites exists, but also good hacking, which I call a kind hack. No damage is done to the site, so it does not fall under the law. For example, sometimes I hack sites whose admins totally ignore warnings (about vulnerabilities) and post a news item on those sites in which I write about the holes at these sites (or in their webapps). This is an example of a kind hack (which I began using at the beginning of 2005), and it is intended to inform admins, developers and users (and visitors) of these sites or webapps about the danger of the vulnerabilities in them.
There are many other variants of kind hack (which I use), but all of them are harmless, do no damage, and so are legal by design. But legislation may not understand this difference between a kind hack and a bad hack. I call this a gap in the legislation. So everyone who decides to hack some site (for good purposes) needs to be careful, learn the legislation (on this subject) of his country and take it into account.
In hacking of web sites there is the same situation as in finding vulnerabilities (which I wrote about in detail above).
1) A person who hacked a web site can be found guilty only when his work falls under his own country’s legislation (i.e. the legislation of other countries cannot be applied to this person).
2) The aspect of international relations (extradition).
3) The geographical aspect (it is hard to find a person from another country guilty).
The consequences here are similar to those mentioned above for vulnerability discovery:
Good guys can hack sites located in other countries for good purposes (aka kind hack) with (in most cases) no legal consequences. Bad guys can do whatever they want, also with almost no legal consequences (it will be hard to catch them and hard to find them guilty).
Here is one example from real life: Turkish hackers who hack Ukrainian sites.
In my research on hacker activity in Uanet (which I have been doing since 2006, posting reports), I write about all web site attacks (hacking and DDoS) which I find in the Ukrainian part of the Internet. In 2008 there were 151 attacks (mostly hacks), as you can see from my article with charts for 2006-2008, and a lot of sites were hacked in the first 5 months of 2009. Most Ukrainian sites in 2008 and in the first 5 months of 2009 were hacked by Turkish hackers.
The Ukrainian government does nothing about this (they don’t care), the special services also do nothing about this (they cannot and/or don’t care), and 99% of web site owners in Ukraine do not care about security (at all, or not enough). So web sites are hacked (more and more every year), including by Turkish hackers. For its part, Turkey also does nothing about this.
Here I must note that when Turkey some time ago arrested the Ukrainian hacker Maksim Yastremskiy, they convicted him (it was in March 2009), but when it comes to their own hackers they just ignore the existence of the problem and allow them to carry out their attacks on Ukrainian sites (which is not serious). So as you see, there are problems with finding bad guys guilty, and even with catching them, when they are from another country (and some countries can even connive at bad guys doing their actions).
4. Vulnerability disclosure.
Disclosing vulnerabilities at web sites (as in web apps) is not a crime, even if by the law of the country vulnerability discovery is illegal, because disclosing is not the same as finding a vulnerability (and these actions can be done by different people). And I have not heard about any country where disclosing itself was illegal.
So a security researcher can disclose a vulnerability found by another person without worrying about that. And if in his country finding vulnerabilities is legal, then he can disclose his own vulnerabilities, i.e. he can find and disclose vulnerabilities at web sites.
If vulnerability disclosure is illegal in your country and you still want to disclose some vulnerabilities found at some web sites (to improve their security), you can use the protection techniques which I describe in item 6 of this article (see guidelines 5.2.1 - 5.2.4 for finding vulnerabilities at web sites).
There are the following variants of disclosure: responsible disclosure, full disclosure and advanced responsible disclosure. There are also other modifications of responsible disclosure (similar to my advanced responsible disclosure), one of which was mentioned in the article “The Chilling Effect”, which I talked about earlier.
Responsible disclosure is disclosure where no details are made public (the details of vulnerabilities are privately reported to the developer or web site owner). This type of disclosure is often used for desktop software and web applications, and can be used for web sites (but as my experience shows, it is not suited to web sites).
Full disclosure is disclosure where all details are made public. This type of disclosure is often used for desktop software and web applications, and can be used for web sites (and in recent years it has been very popular for disclosing vulnerabilities at web sites). I recommend using it not for all web sites (and web apps), but only for those whose owners (developers) have been ignoring warnings about holes at their web sites (webapps) for a long time.
There is also an interesting version of full disclosure (which I use, and with every year I use it more often): responsible full disclosure (a mix of the first two types of disclosure). In this case all details are made public, but after that these details are also sent to the web site owner (webapp developer), unlike standard full disclosure, where all details are made public without informing the web site owner (webapp developer).
Advanced responsible disclosure is my version of disclosure, which combines all the benefits of responsible disclosure and full disclosure. I created it on 18th July 2006, when I opened my web site. The concept of advanced responsible disclosure (which I have used for almost three years since I created it) is the following:
1) First I make an announcement at my web site about a vulnerability at a web site (webapp) without details.
2) Then I send a letter with the details to the web site owner (webapp developer) and give him some time to fix it.
3) After the time is up, I disclose all details of the vulnerability in a post at my site (below the announcement).
4) I always give enough time to fix, but when the developer does not have enough time and asks for additional time, I give him additional time so that he can fix the vulnerability before the disclosure.
5) The announcement and the time to fix (before the details are posted) are the stimulus for web site owners (webapp developers) to fix the holes. This is the main reason why I created this type of disclosure.
After I began working in the web security field in 2005 and began informing web site owners about holes at their sites, I found that responsible disclosure does not work, due to the ignorance of web site owners (they either did not thank me and did not fix, or thanked me but did not fix, because they don’t care). They do not attend to the security of their sites, and if you tell them about holes using responsible disclosure, they continue doing the same (lame) things. At the beginning of 2006 I saw the same situation and decided that there needed to be another method of disclosure (which would use a site to make public disclosures, creating a stimulus for web site owners to fix the holes). And after I opened my site on 18th July 2006, I began using this new method of disclosing vulnerabilities at web sites. That is how advanced responsible disclosure was born. And I call this work of finding vulnerabilities at web sites and informing their admins a social security audit.
Does it work? This article is not about social security audit and advanced responsible disclosure (a separate article about them is required, which I planned to write already in 2006, and also another article about their social aspects), so I will not say much about it. I will just say that it works: not always, but it still works. There are some positive effects of my work, on which I have spent a lot of time since the middle of 2006 (and also some time from the beginning of 2005 until the middle of 2006).
So there is sense in advanced responsible disclosure, and I recommend using it when disclosing holes at web sites and in webapps. And if the admin of the web site (developer of the webapp) is too lame, then responsible full disclosure, which I talked about before, can be used (or if the vulnerability is too small). Standard full disclosure is better used only in rare and hard cases.
5. Examples of laws on this subject.
Let’s look at Ukrainian and USA computer-related laws. The (computer-related) laws of other countries can be similar to these.
In the Ukrainian criminal code there is article #361, which describes crimes on this subject. This article and the other articles of the criminal code about computer crime can be found at the web site. The text is in Ukrainian, so you can use Google Translate if you want to read it.
Article 361. Unauthorized interference in the work of computers, automated systems, computer networks or telecommunication networks.
I will not translate the whole text of the article, but I will say that its main sense is that unauthorized interference is a crime only when there is damage (a list of such damages is given in this article, such as information disclosure, information loss and others). And because finding vulnerabilities and disclosing them will not lead to damage to the web site (or server), it is not a crime, so these actions are legal.
What about laws in the USA? Here is a quote from Thrynn’s message.
The truth is, several states have laws that make it illegal to perform certain acts on computers, programs or network that you do not own. For example, in Georgia, USA (as found by this interesting resource: http://www.irongeek.com/i.php?page=computerlaws/state-hacking-laws):
First, about this paragraph. The law about “Altering, damaging…” is only in Georgia, USA (as found at that resource), so it is only one state with such a law (possibly there are similar laws in other states; there are a lot of laws collected at that resource). And more importantly, in the USA there is no cross-state computer-related legislation and, as Thrynn said, only several states have such laws.
This situation leads to cases where a hack of a site (or other security-related activity on the Internet) is a crime in one state but not in another. So people can move to another state, where these actions are legal, and do them there. This makes the regional aspect (which I talked about before) apply inside the USA as well (an inner regional aspect). It is like an Abuse of Functionality hole in the law (laws also have holes).
So it would be better to have such laws in all states of the USA, and I recommend having cross-state computer-related legislation (a single one for the whole country).
And now about the concrete USA law (of the state of Georgia).
(3) Altering, damaging, or in any way causing the malfunction of a computer, computer network, or computer program, regardless of how long the alteration, damage, or malfunction persists shall be guilty of the crime of computer trespass.
The keywords of this law are: altering, damaging, malfunction. If you do not do these actions during your security research, then you will not be guilty. So don’t do these things, and your actions will be legal.
Because finding vulnerabilities (in most cases; there is no need to do DoS attacks, particularly via SQL Injection) and disclosing them will not do any altering, damaging or malfunction, these actions are exclusively legal. For example, XSS (especially reflected) will not do these things; it will just perform some action in the researcher’s browser (like showing an alert box), so it is a legal action.
6. Guidelines for legal security research.
These guidelines can be useful for security researchers.
Before doing security research (such as finding vulnerabilities at web sites and disclosing them), to make sure that you are acting in the legal field, you need to follow these guidelines.
1) You can always check the security of your own web sites (webapps).
2) Learn the computer-related laws of your country.
3) Read this article of mine to know about all aspects of this subject.
4) If you are completely sure that your actions are legal, then do them (e.g. find a vulnerability at a web site and disclose it).
5) If you are not completely sure (or see that it is illegal), you can do the following:
5.1) Do not do these actions; better go and check your own web sites (webapps).
5.2) If you still want to check this web site (webapp), i.e. you want to help the admin with his security, then:
5.2.1) You can use a proxy to decrease the possibility of being found and caught.
5.2.2) You can use a pseudonym to hide your identity (to decrease the possibility of being found and caught).
5.2.3) You can use an anonymous email address to contact the admin of the web site.
5.2.4) It is better to use a proxy, a pseudonym and anonymous email together.
5.2.5) You can also use the “silent approach”: find the vulnerability and move on (without contacting the admin and/or disclosing the vulnerability). When nobody knows about your actions (very peaceful), nobody will tell you anything (especially about legal aspects). This approach can be used in particular when you just want to check your skills.
5.3) Also don’t forget about engines. If you find that some site uses some engine, you can set up this engine on localhost and find vulnerabilities there. These holes will most probably be present at this concrete site as well. After that you can inform the admin of the site that you found holes in the engine which he is using at his site.
6) Note that disclosing vulnerabilities at web sites is not a crime, even if in your country vulnerability discovery is illegal. So if you are just disclosing a vulnerability found by another person, you do not need to worry about that.
If you decide to hack some site (only a kind hack, which I wrote about before), you need to follow these guidelines.
1) You can always hack your own web sites.
2) Read this article of mine to know about all aspects of this subject.
3) If you still want to hack some site, i.e. you want to help the admin with his security, then:
3.1) It is better to hack foreign web sites (not from your country).
3.2) You can use a proxy to decrease the possibility of being found and caught.
3.3) You can use a pseudonym to hide your identity (to decrease the possibility of being found and caught).
3.4) It is better to use a proxy and a pseudonym together (especially if you are hacking a web site from your country).
3.5) You can also use the “silent approach”: hack the site (e.g. log into the admin account) and move on (without leaving any signs of the hack). When nobody knows about your actions (very peaceful), nobody will tell you anything (especially about legal aspects). This approach can be used in particular when you just want to check your skills.
7. Other interesting aspects of web security and legislation.
There are interesting aspects concerning how security scanners and search engines correspond with legislation.
There are different security scanners out there, desktop and online, which are used for checking the security of web sites. And how does using these scanners correspond with legislation? When you scan your own site, or a site which you have permission to scan, there are no problems. But when you scan a web site that is not yours and which you have no permission to scan, this can be illegal, if there is such a law in your country.
And even the use of security scanners can lead to real attacks on the site, like Insufficient Anti-automation and DoS attacks, when the scanner performs a lot of such actions. This can lead to a large number of automated requests which create problems for the site such as spam or even DoS (due to consumption of the server’s resources).
I have my own experience of funky dudes using funky security scanners (I know it from the scanners’ footprints) to check the security of my sites (potentially to find holes for further attacks). I do the security audit of my sites myself, so these guys can’t find anything, but they disturb me with such lame actions (because of the lame behavior of the scanners). These actions clutter my logs too much (including security-related logs) and also create a lot of spam in those forms where no captcha is used (on some sites I don’t use captcha; it is the known behavior of these sites). Also don’t forget about server overload due to these lame scanning actions. For these reasons, even if the legislation is not strict and scanning itself is not prohibited in the country, these actions are illegal because they do damage to the web site (server) (this concerns the laws which I mentioned in item 5 of this article).
And here is a question. Have you heard any complaint about the legality of security scanners? I have heard no such complaint, but for many years there have been complaints that vulnerability finding (and disclosure) is illegal (I am talking about security research without using any security scanner). And as you can see from what I mentioned above, security scanners can be used for illegal purposes (by lamers or bad guys). So think about that.
Another interesting case is search engines which can find malware at web sites.
There are a few such engines: Google, Yahoo and Yandex (since May it also shows the infected status of sites on the results page). And in the context of strict legislation, where vulnerability discovery is illegal, the actions of these engines can also be illegal, because if they are looking for malware, then they are indirectly looking for holes (because the malware was placed after the web site was hacked due to the holes in it). So these search engines are doing illegal actions under such strict legislation.
Besides, even under legislation that is not strict, concerning information disclosure and doing damage, these search engines make an information disclosure (about the private status of these sites, that they have viruses; it is their private information). And they also do damage to the sites when they block access to them from the results pages (sites lose their visitors). So search engines also do many illegal actions. And you never hear about any complaints about these issues to any of these search engines. So think about that.
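One way a site owner can tell scanner traffic of the kind described above apart from normal visitors is to look at the access log for the footprints the author mentions: a scanner-like User-Agent, a burst of requests in a short time, and repeated POSTs to the same form (the spam in captcha-less forms). The following Python script is an added example, not code from the article or its author; the log lines, the “ExampleScanner” User-Agent string, the IP addresses and the thresholds are all constructed assumptions for illustration.

```python
"""Flag automated scanner traffic in web server access logs.

Added example, not from the original article. The sample log lines,
User-Agent marker and thresholds below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one normal visitor (203.0.113.7) and one scanner
# burst (198.51.100.23) probing paths and spamming a guestbook form.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2009:10:00:01 +0300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
203.0.113.7 - - [01/Jun/2009:10:00:09 +0300] "GET /news HTTP/1.1" 200 7400 "http://example.test/" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
198.51.100.23 - - [01/Jun/2009:10:05:00 +0300] "GET /index.php HTTP/1.1" 200 5120 "-" "ExampleScanner/1.0 (assumed footprint)"
198.51.100.23 - - [01/Jun/2009:10:05:00 +0300] "GET /admin/ HTTP/1.1" 404 300 "-" "ExampleScanner/1.0 (assumed footprint)"
198.51.100.23 - - [01/Jun/2009:10:05:01 +0300] "GET /phpmyadmin/ HTTP/1.1" 404 300 "-" "ExampleScanner/1.0 (assumed footprint)"
198.51.100.23 - - [01/Jun/2009:10:05:01 +0300] "GET /backup/ HTTP/1.1" 404 300 "-" "ExampleScanner/1.0 (assumed footprint)"
198.51.100.23 - - [01/Jun/2009:10:05:02 +0300] "POST /guestbook.php HTTP/1.1" 200 800 "-" "ExampleScanner/1.0 (assumed footprint)"
198.51.100.23 - - [01/Jun/2009:10:05:02 +0300] "POST /guestbook.php HTTP/1.1" 200 800 "-" "ExampleScanner/1.0 (assumed footprint)"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        method, _, rest = m.group("req").partition(" ")
        entries.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "method": method,
            "path": rest.split(" ")[0],
            "status": int(m.group("status")),
            "ua": m.group("ua"),
        })
    return entries


def flag_scanners(entries, window=10, burst=5, ua_markers=("scanner",), post_repeat=2):
    """Return {ip: [reasons]} for clients whose traffic looks automated.

    Signals: a scanner-like User-Agent substring, more than `burst` requests
    inside any `window`-second span, and at least `post_repeat` POSTs to one
    form path. All thresholds are assumptions for this example, not tuned values.
    """
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, reqs in by_ip.items():
        reasons = []
        if any(marker in r["ua"].lower() for marker in ua_markers for r in reqs):
            reasons.append("scanner-like User-Agent")

        # Sliding window over timestamps to detect request bursts.
        reqs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(reqs)):
            while (reqs[end]["ts"] - reqs[start]["ts"]).total_seconds() > window:
                start += 1
            if end - start + 1 > burst:
                reasons.append(f"{end - start + 1} requests within {window}s")
                break

        # Repeated POSTs to the same path: form spam footprint.
        posts = defaultdict(int)
        for r in reqs:
            if r["method"] == "POST":
                posts[r["path"]] += 1
        for path, n in posts.items():
            if n >= post_repeat:
                reasons.append(f"{n} POSTs to {path}")

        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_scanners(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

Run against the constructed sample, only 198.51.100.23 is reported, with all three reasons; the ordinary visitor stays unflagged. The thresholds are deliberately conservative so that a normal browser loading a page with several resources is not treated as a scanner; a site that serves many assets per page would raise `burst` accordingly.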