worthless-trash 5 days ago
This is a horrifically bad take. I know you probably see it this way because you can't imagine how easy some of these mistakes are, however I can assure you that there are MANY TIMES that I've accidentally found issues with systems. I do work in security; the average person would write this off as "oh just shitty software" and do nothing about it, however when one knows what the error means and you know how the software works, errors are easy to turn into exploitable systems. I once had a bank account that fucked up data validation because I had '; in the transfer description of 120 characters. Immediately abusable SQL injection. After my first time reporting this OBVIOUS flaw to a bank along with how it can be abused in both database modification and XSS injection, I had to visit the local law enforcement with lawyers because they believed that 'hacking' had taken place. I now report every vuln behind fake emails, on fake systems in non-extradition countries accessed via proxy on VPN. Even then I have the legal system attempting to find my real name and location and threaten me with legal action. Bad actors come from non-extradition countries which wouldn't even TALK to you about the problem; you'd just have to accept you get hacked and that is the end of the situation. It's people like yourself who can't see past the end of their nose to realise where the real threats are. You don't have "it straight".
wahern 4 days ago
> This is a horrifically bad take

I took it as a take on the face of the proposal: "hackers should have strong legal protections so long as they report any security vulnerabilities that they find." As stated, it's ripe for abuse. Perhaps they could have been more charitable and assumed some additional implicit qualifiers. But defining those qualifiers is precisely the difficult part, perhaps intractably difficult. In the US private investigators often require a license to work, but AFAIU that license doesn't actually exempt them from any substantive laws. Rather, it's more a mechanism to make it easier for authorities and citizens to excuse (outside the legal process) otherwise suspicious behavior. Rather than give special protections to a certain class of people, why not define the crimes to not encompass normal investigative behaviors typical in the industry? In particular, return to stronger mens rea elements rather than creeping in the direction of strict liability. Adding technical carve-outs could end up making for a harsher system; for example, failing to report in an acceptable manner (when, what, where, how?) might end up sealing the fate of an otherwise innocent tech-adept person poking around.
pengaru 4 days ago
Companies will care about securing their systems and paying for these services if it costs them Real Money when they neglect to do so. Until then, they'll continue to not care. The solution is not a legal framework presuming good Samaritans will secure the networks and systems of the world.