
Thread: Security research.

  1. #1
    Join Date
    Jan 2018
    Beans
    51

    Question Security research.

    I was recently reading an article from EFF.org

    As I understand it, security researchers are pursued by law enforcement and governments.
    Why is this pursuit of security researchers going on, since they are working on fixing software and hardware failures that everyone uses?
    As I understand it, they are hackers with a character.
    https://www.eff.org/effector/32/12

  2. #2
    Join Date
    Feb 2010
    Location
    Summerwind
    Beans
    13,734
    Distro
    Ubuntu Budgie Development Release

    Re: Security research.

    Moved to UL&OS Chat.
    “Start where you are. Use what you have. Do what you can.”

    Ubuntu Documentation Search: Popular Pages
    Ubuntu: Security Basics
    Ubuntu: Flavors

  3. #3
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Security research.

    Hackers usually don't fix anything. They point out the mistakes made by others. This is often embarrassing, assuming the hacker reporting the problem is correct. Not every report is factual.

    How do you know, when someone breaks into your systems, if they are a white hat or a black hat? Law enforcement can't tell, and many white hat hackers hide their real identities to avoid overzealous prosecution for embarrassing govts, companies and individuals.

    My state tried to pass a law that made changing a URL from HTTPS:// to HTTP:// illegal. I'm 100% serious. To the state attorney general, that was "hacking." The state was embarrassed when they left voting information on a server that was publicly accessible. Instead of fixing the poor management of the data, they decided to go after the "security researcher" who had embarrassed them; fortunately there wasn't a law that could be used. Our local EFF and security vendors (we have some world famous security people and companies here) tried to work with the legislature to craft a bill that would go after people causing harm, but protect people who just didn't want data leaked. The bill being pushed wanted criminal charges for looking even when there weren't any protective measures in place. Fortunately, the governor at the time rejected the bill, suggesting that the legislature work with white hat hackers and professional security companies to come up with a bill that gets the best from all sides. I know the white hats want to be shielded from lawsuits when they report issues to companies, in good faith, and wait the industry standard time for corrective actions before going public. Without the ability to go public, no company will fix anything. They need to be embarrassed by their lack of reasonable speed for corporate budget to become available for a fix.

    Anyways, as soon as a researcher accesses a computer in a different state, it now becomes a federal or international issue. Which laws apply? The location of the server would normally have jurisdiction, so if you are a white-hat just trying to help out against data leaks, be certain you know where a computer is physically before doing anything.

    And stop putting sensitive information on cloudy storage folks. Please.

  4. #4
    Join Date
    Jul 2019
    Location
    Earth
    Beans
    43

    Re: Security research.

    I am a white hat - I hack for a living, but under controlled conditions where the victim knows and approves of my activities. I have to say that it is my opinion hacking is not a crime for those security researchers out there that are providing a valuable service by exposing software and hardware vulnerabilities to the vendor. I don't agree when law enforcement attempts to flag these folks as "nefarious". Law enforcement and lawmakers probably have no clue what service they provide and simply see the act itself. TheFu: your comment about your state partnering with white hats is good; it shows they realize they are not the experts.

    Without security researchers, the Internet would be an even more insecure place than it already is.

    I use cloud storage all the time but take precautions: everything sensitive in a cloud is encrypted by me prior to being stored. 90+% of my data is in my NAS under my desk so I do hold most of it.
    “The meaning of life is to find your gift. The purpose of life is to give it away.”

  5. #5
    Join Date
    Jan 2010
    Location
    Wheeling WV USA
    Beans
    1,196
    Distro
    Xubuntu 18.04 Bionic Beaver

    Re: Security research.

    the security researchers that are pursued are believed to be enabling black-hat hackers by using speech (widely considered a right in the world) to reveal bugs they find in software they have (access to) copies of. these security researchers are not generally exploiting the bugs they find. they do this research within their own facilities. gray-hat hackers (i used to do this many decades ago) do exploits and other break-ins without causing damage or stealing copies of files and data. they often provide information (usually anonymously) to the victim about their exposure.

    security researchers have, in the past, simply announced that certain software had exploitable bugs, but found that these bugs were not being fixed. one reason could legitimately be that the developer could not find the bug. in many cases, the business just denied the bug and made no effort to find it. there really have been people who would (usually anonymously) make false announcements of bugs, hoping to either harm the developer, or cause a dip in stock price they could exploit through short sales in the stock market (or buy-in at the lower price).

    security researchers were often asked to prove that these bugs really do exist. even when they did that only through private communication to the developer, it was found that bugs were still not being fixed.

    the public also asked for such proof. so, security researchers said in advance the proof would be made public in the future, after a reasonable time to fix their bug. but the end result was many court orders to block revealing this proof. police pursuit started when these orders were typically violated. it became quite clear that business people (as opposed to individual developers) did not want to make the effort to fix bugs they now knew of.

    today, it is now typical for the proof to accompany the announcement or be released at the same time. companies still try to engage police and legal processes to pursue these cases more out of "brand harm" than the worry of zero-day exploitation by others (black-hats that are still referred to as hackers by the public).

    many security researchers operate anonymously. a few others have developed enough reputation that they can be trusted to be truthful in an announcement not accompanied by proof.
    What do you call someone who speaks three languages? Trilingual. Two languages? Bilingual. One language? American.

  6. #6
    Join Date
    Nov 2009
    Beans
    Hidden!
    Distro
    Kubuntu 18.04 Bionic Beaver

    Re: Security research.

    we should have "white hat" law hackers. they would search for loopholes and then, unless fixed in a timely manner by parliament, they would notify the public along with instructions on how to hack the law. right now it seems only the rich with money for lawyers know how to avoid tax, various company theft prosecution etc.

    that way maybe the loopholes won't stay open for years with some people knowing about them and exploiting them, getting rich in the process.
    Easy to understand Ubuntu manual with lots of pics: http://ubuntu-manual.org/
    Do i need antivirus/firewall in linux?
    Disk backup (works on newer PC): Clonezilla
