antdude (Matrix Ant)
Premium Member, join:2001-03-25, US
1 edit
It may be ILLEGAL to run Heartbleed health checks -- IT lawyer

»www.theregister.co.uk/20 ··· illegal/ from »www.linuxsecurity.com/co ··· w/161294

"Do the right thing, earn up to 10 years in clink -- Websites and tools that have sprung up to check whether servers are vulnerable to OpenSSL's mega-vulnerability Heartbleed have thrown up anomalies in computer crime law on both sides of the Atlantic.

Both the US Computer Fraud and Abuse Act and its UK equivalent the Computer Misuse Act make it an offence to test the security of third-party websites without permission..."

Oops?
SAtLan
Member, join:2014-04-11
Re: It may be ILLEGAL to run Heartbleed health checks -- IT lawyer

Not worried. Defense counsel will ask the jury, "Folks, do you think it is wrong to call attention to an elementary school that lacks smoke detectors, exit signs, or fire alarms? Because that's what we're talking about here."

Drunkula to antdude
Premium Member, join:2000-06-12, Denton, TX
1 recommendation
The only things I've tested are MY devices.

NOYB (St. John 3.16) to antdude
Premium Member, join:2005-12-15, Forest Grove, OR
1 edit, 1 recommendation

Define "third-party" please.

Being that that is probably from a legal document, does it define "third-party"?

If I use an internet site to check my online banking for Heartbleed vulnerability, am I not the first party and the bank the second party?

It could be argued that every time one logs in to a site using SSL/TLS they are testing the security of the site.
SAtLan
Member, join:2014-04-11
1 recommendation

Another thing.... other material I have read from the Register, material in my area of expertise, is utterly unimpressive, at least to me, in terms of its rigor, fact checking, and spin. So that's another reason to doubt this particular tabloidish rumor.

Link Logger to antdude
MVM, join:2001-03-29, Calgary, AB
wrong thread sorry.

dave (Blake) to NOYB
Premium Member, join:2000-05-04, not in ohio
The website that you are talking to is the 'second party'. It then probes the bank -- the 'third party' -- on your behalf.

Consider this: when you connect to the testing web site, there are two parties involved: you and the testing web site, first and second. When you press the 'test my bank' button, a third party is added to the mixture.
SAtLan
Member, join:2014-04-11

The legal definition of "first party" and "second party" etc has nothing to do with the order in which they are "added to the mixture".

If I, as a bank customer or even as a prospective bank customer, have the legal right to verify the bank's security measures

And if I have the legal authority to ask my 10 year old wizard to do it on my behalf (acting as my legal agent); or even pay a professional security guru to do so on my behalf (acting as my legal agent), there is no problem, eh?

So when I use a for-free website in my view they're letting me run their script on their hardware on my own behalf, so this is a non-issue. But if that is legally wrong.... i.e., if they are in fact running their script on my behalf instead of me running it for myself, then it still seems like they're just acting as my legal agent. Which is no different than me hiring a PC forensics/security expert to do all this stuff for me.

So this second party / third party stuff seems unpersuasive to me. It should really come down to whether I myself have the legal right to verify XYZ site's security measures myself, whether or not I have the necessary techy chutzpa.
dave
Premium Member, join:2000-05-04, not in ohio

Sorry, I was perhaps unclear. Ordering is not really the issue, though my 'afterthought' paragraph made it look like it was.

The issue is that the initial transaction (i.e., the web site 'offering' to do the test on the bank, and you requesting the test be done) did not involve the bank. The bank did not assent to the test.

I believe the same is true if you unilaterally decide to test the bank's web site. You don't have the legal right. The bank does not become a 'second party' in this scenario, because they have not agreed to the transaction.

Where I think the legal situation is decidedly wooly is that a web browser with SSL client will automatically determine whether the heartbeat protocol is supported, and presumably the software identification will also tell you what they're running. How is this different from 'testing' their security? And of course the bank assents to you connecting to their web site -- it's why it exists! So you're allowed to 'connect' but not 'test', but what if there is no technical difference between the two?

I suppose it gets less wooly if you involve a web site that proclaims that they are doing it to 'test'.

I am, of course, not a lawyer.
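The point above about an ordinary TLS client learning whether heartbeat is supported deserves a concrete illustration. The following is an added example, not code from this thread or from any Heartbleed checker site: it parses a TLS 1.x ServerHello record and reports whether the server advertised the heartbeat extension (type 0x000F, RFC 6520) and in which HeartbeatMode. That information arrives in response to the same ClientHello a browser sends; no heartbeat message is ever transmitted, so the code observes that the extension is negotiated and says nothing about whether the server is actually vulnerable to CVE-2014-0160. All bytes are constructed inline (the builder exists only to produce test input), so it runs offline.

```python
"""
Added example (not code from the thread or from any Heartbleed checker):
what a plain TLS 1.x client learns from the handshake alone.

The ServerHello may carry the heartbeat extension (type 0x000F, RFC 6520)
whose single data byte is the HeartbeatMode.  Reading it needs nothing
more than a normal ClientHello; it shows the extension is negotiated, not
that the server is vulnerable.  This code never sends a heartbeat.
All bytes below are constructed for the example; no network is used.
"""
import struct
from typing import Dict, Optional

HEARTBEAT_EXT = 0x000F
HEARTBEAT_MODES = {1: "peer_allowed_to_send", 2: "peer_not_allowed_to_send"}


def build_server_hello(extensions: Dict[int, bytes],
                       cipher_suite: bytes = b"\xc0\x2f") -> bytes:
    """Construct one TLS record holding a ServerHello (test input only)."""
    hello = b"\x03\x03"                     # ProtocolVersion TLS 1.2
    hello += b"\x11" * 32                   # server random (constructed)
    hello += b"\x00"                        # session_id length 0
    hello += cipher_suite                   # chosen cipher suite
    hello += b"\x00"                        # compression method: null
    if extensions:
        ext_block = b"".join(struct.pack("!HH", t, len(d)) + d
                             for t, d in extensions.items())
        hello += struct.pack("!H", len(ext_block)) + ext_block
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello  # ServerHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record: bytes) -> dict:
    """Parse a ServerHello record; every declared length is bounds-checked."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("record length exceeds data")
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("handshake length exceeds record")
    if len(hello) < 38:                     # version+random+sid_len+suite+comp
        raise ValueError("ServerHello too short")
    version = hello[0:2]
    pos = 2 + 32                            # skip version and server random
    sid_len = hello[pos]
    pos += 1 + sid_len
    if pos + 3 > len(hello):
        raise ValueError("truncated after session_id")
    cipher = hello[pos:pos + 2]
    pos += 3                                # cipher suite + compression method
    exts: Dict[int, bytes] = {}
    if pos < len(hello):
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end != len(hello):
            raise ValueError("extension block length mismatch")
        while pos < end:
            if pos + 4 > end:
                raise ValueError("truncated extension header")
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if pos + elen > end:
                raise ValueError("extension data overruns block")
            exts[etype] = hello[pos:pos + elen]
            pos += elen
    return {"version": version.hex(), "cipher_suite": cipher.hex(),
            "extensions": exts}


def heartbeat_mode(record: bytes) -> Optional[str]:
    """Return the advertised HeartbeatMode name, or None if not negotiated."""
    data = parse_server_hello(record)["extensions"].get(HEARTBEAT_EXT)
    if data is None:
        return None
    if len(data) != 1 or data[0] not in HEARTBEAT_MODES:
        raise ValueError("malformed heartbeat extension")
    return HEARTBEAT_MODES[data[0]]


if __name__ == "__main__":
    # 0xFF01 is renegotiation_info, included so the heartbeat entry is not alone.
    with_hb = build_server_hello({0xFF01: b"\x00", HEARTBEAT_EXT: b"\x01"})
    without = build_server_hello({0xFF01: b"\x00"})
    print("heartbeat:", heartbeat_mode(with_hb))   # peer_allowed_to_send
    print("heartbeat:", heartbeat_mode(without))   # None
```

The parser rejects any declared length that overruns the data it has, which is the discipline whose absence on the server side made Heartbleed possible; on the client side it is simply what keeps a hostile ServerHello from crashing your checker.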
graniterock
Premium Member, join:2003-03-14, London, ON

I wonder who would be found at greater liability. The website visitor asking that site X be probed. Or the site that is actually doing the probing.
dave
Premium Member, join:2000-05-04, not in ohio

From a brief glance at links in the Reg article to UK case law examples, I'd guess the site doing the probing.

(Makes sense too: the law apparently talks about probing, not about asking someone to do probing).

NOYB (St. John 3.16) to antdude
Premium Member, join:2005-12-15, Forest Grove, OR
1 recommendation

My view is that since there is an established vendor customer relationship between the bank and myself, there is no "third-party". Using a website hosted tool, is still me using the tool. Now if the website operator went and did a bunch of probes on their own of sites they have no established relationship with to provide a report to the public. That would to me be "third-party".

I should absolutely have the right to verify the security of those with whom I transact business. Especially regarding transactions that include personal and financial details.
NOYB to antdude
Premium Member

Perhaps there is a distinction between verifying the presence or absence of a known security flaw prior to transacting business with a vendor and probing to discover new, as yet unknown flaws.
SAtLan
Member, join:2014-04-11

How is that different than personally walking in to assess your confidence in the institution, and looking around to see if they have guards, detectors, and cameras?

Anon1 (@verizon.net) to antdude
Anon
The guy isn't even a lawyer. He's simply a security researcher. How is this any different from a basic port scan that scans ONE port (e.g. port 80) rather than the whole 64K?

He needs to cite which CFAA provision he thinks is being violated. The CFAA may suck, but in my opinion it's not so broad that it makes everything basically illegal. Almost all provisions look either at the intention of the accused or at the effects of the use.

For analogies to port scanning, here's a couple of cases to look at.

Scott Moulton and Network Installation Computer Services, Inc. v. VC3
»www.internetlibrary.com/ ··· se37.cfm

UNITED STATES OF AMERICA v. HERBERT PIERRE-LOUIS
»pub.bna.com/eclr/00434.htm

The only provision I can think of that applies is CFAA sec. 1301(a)(2)(C), which states "intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains— information from any protected computer", but that depends on how you interpret several key terms, such as exceeding authorization, information, and protected computer.

If I, as a user of the website, want to access the website because I have an account on that website, and decide to first test to see if it's OK by checking the lock to see if it's still working fine, does that mean that I have accessed the computer without "authorization", or "exceeded authorization", or obtained "information", or from a "protected computer"?

Note that under US v. Lori Drew, the cyberbullying case, breaching TOS was not a violation of 1301(a)(2)(C), stating that this would make the provision too broad.

Cartel (Intel inside Your sensitive data outside) to antdude
Premium Member, join:2006-09-13, Chilliwack, BC
NSA can do it, but you can't.

MaynardKrebs (We did it. We heaved Steve. Yipee.) to antdude
Premium Member, join:2009-06-17
1 recommendation
The 'third party' is acting as my proxy (first party) with my permission to test the bank server (second party) on my behalf.

Nothing illegal about that as long as the third party is doing it with your explicit permission (you did click the "Go/Submit/Test Now" button after all, didn't you?). Think of it as you granting the third party a limited 'power of attorney' for this purpose only since I/you do not have the expertise/tools to do it ourselves.

If a court/law is going to say that this is not permissible - ie. customers and/or their agents cannot take simple steps to assure themselves that the systems they interact with are reasonably secure, and that we MUST accept the assertions of the owner of the 2nd party system that it is secure, then both the law & the courts are fucked - and e-commerce as a whole goes down the shitter for good.
iknow_t to antdude
Member, join:2012-05-03

I don't think any site would allow you to attempt to hack its site without permission.. that IS what would be done in doing this.. even though the motive is a good one, it's still an attempt at hacking.. that being said, the site would go after the site running the test, rather than the person that clicked the button.