[ISN] Guide tells 'grey hats' how to avoid legal pitfalls

From: InfoSec News <alerts_at_private>
Date: Wed, 26 Nov 2008 04:14:44 -0600 (CST)

By Tom Espiner
25 Nov 2008

The US-based Electronic Frontier Foundation has published a guide on how 
IT professionals can avoid falling foul of the law as a result of 
ethical hacking.

The Electronic Frontier Foundation (EFF) 'Grey Hat' Guide [1] ponders 
such questions as what a security researcher should do if they 
unintentionally "violate the law" in the course of their investigations.

"A computer-security researcher who has inadvertently violated the law 
during the course of her investigation faces a dilemma when thinking 
about whether to notify a company about a problem she discovered in one 
of the company's products," the guide states. "By reporting the security 
flaw, the researcher reveals that she may have committed unlawful 
activity, which might invite a lawsuit or criminal investigation. On the 
other hand, withholding information means a potentially serious security 
flaw may go unremedied."

The EFF said that researchers in this situation could either reconstruct 
the research using technology they are authorised to use, or report the 
flaw in general terms. However, the EFF said, both of these options are 
"undesirable".

[1] http://www.eff.org/issues/coders/grey-hat-guide

Received on Wed Nov 26 2008 - 02:14:44 PST