Spontaneous Sociability and The Enthymeme

Current Topic: Computer Security

Breach case could curtail Web flaw finders
Topic: Computer Security 8:19 pm EDT, May  1, 2006

Security researchers and legal experts have voiced concern this week over the prosecution of an information-technology professional for computer intrusion after he allegedly breached a university's online application system while researching a flaw without the school's permission.

Find a bug. Report it. Have the U.S. Attorney claim in court that you are liable for the costs associated with fixing the bug. Go to Jail. Dave Aitel has it right... Retarded...



Forensic felonies - continued
Topic: Computer Security 10:44 pm EDT, Apr 27, 2006

dc0de has posted a what-if scenario which may pose a very serious problem with this bill. Are there any lawyers paying attention who can comment on this?

Here's a what if scenario if the GA HR 1259 gets passed...

1. I am asked to go to a friend's house to look at something odd on his VPN connection.

2. I discover that he is witnessing someone steal Intellectual property from the company HE works for.

3. He turns the thief in to his company, and explains that I identified the network traffic that brought this to their attention.

4. They take the thief to court, and I am called as a witness.

5. I am asked what I did to identify the traffic, and at this point, I'm in a Catch-22.

Do I explain what I did and risk being charged with a FELONY as having performed forensics without a P.I. license?

-Or-

Do I plead the 5th Amendment, and allow the thief to go free?

Also, what if I am "compelled" to give my testimony? What if the company makes a sworn statement that I was the one that helped identify the thief? Wouldn't I still be liable for performing forensics without a license?

Wow...I can't even HELP people anymore?

Now that's messed up.



Forensic felonies
Topic: Computer Security 4:32 am EDT, Apr 27, 2006

A new law in Georgia on private investigators now extends to computer forensics and computer incident response, meaning that forensics experts who testify in court without a PI license may be committing a felony.

Coverage at Security Focus.



CNN.com - N.Y. county mandates wireless security - Apr 21, 2006
Topic: Computer Security 4:07 am EDT, Apr 24, 2006

New York's Westchester County has enacted a law designed to limit identity theft by forcing local businesses to install basic security measures for any wireless network that stores customers' credit card numbers or other financial information.

The law also requires that businesses offering Internet access -- coffeehouses and hotels, for example -- post signs warning that users should have firewalls or other security measures.

As he signed the bill, County Executive Andrew Spano said the county had been unable to find any law like it in the country and had received inquiries about the legislation from other states and from Great Britain, South Korea and the Czech Republic.



Georgia Law to put Computer Forensics experts in Jail -- HB 1259
Topic: Computer Security 12:02 am EDT, Apr 23, 2006

dc0de wrote:

For those of you who care about Computer Forensics, please see the current situation in Georgia.

There is a bill before the GA Legislature -- HB 1259

If passed, it will make it a Felony to perform and testify in a State Court about any computer forensics performed, unless you are a licensed Private Investigator.

This law will put honest, local companies out of business, unless they go and get licensed. Note, the GA requirements for a Private Investigator have NO REQUIREMENTS to have ANY computer forensics expertise, nor is there any training regarding how to collect the evidence.

Several other states already have these laws, which only allow licensed private investigative services companies to perform and testify to any computer forensics related evidence. (Note, this would also include any IT Audit records, not specifically limited in any way to performing "Encase" like hard drive forensics.)

If you live in GA, please contact the Governor and ask that he VETO HB1259.

I have not been following this issue or had a chance to look into it in any depth. I look forward to more information getting posted. This is something computer security professionals should pay attention to.

Update: Here is some more information. dc0de posted up an email he got from John Roberson of The Georgia Association of Professional Private Investigators, Inc. (GAPPI) (BYLAWS) (BoD) (CoE)

dc0de makes two observations which I find to be very accurate:

1. The fact that I have this email shows how little these people know about computer security and forensics.

2. The fact that they use a "secure" Yahoo Group to keep their members up to date, makes me chuckle as to what LITTLE prowess they have on the entire topic of Computer Security.

Again, I have not looked into this subject at any length, so I can play the open minded guy, even though I'm pretty much positive which way this one is going to go. I see an attempted power grab taking place by some folks not worthy of that power. Locking the people who understand computer security out of the court system is not going to play over well with anyone who has the ability to take a top down look at the situation from the perspective of global, national, state, or corporate security.

Update2: Read this about becoming a private investigator in Georgia, as compared to getting certified CISSP or EnCE. Ask yourself what is more relevant in a court situation, as it is the discourse which should be taking place.



Wired News: Bug Bounties Exterminate Holes
Topic: Computer Security 2:05 pm EDT, Apr 17, 2006

Brokers that disclose bugs to their selected list of subscribers are necessarily withholding important information from the rest of the public. Brokers may eventually issue public advisories, but in the meantime, only the vendor and subscribers know about the problem.

An interesting discussion of bug brokers.



InformationWeek | Security | The Fear Industry | April 17, 2006
Topic: Computer Security 2:03 pm EDT, Apr 17, 2006

In January, a vulnerability in WMF surfaced that let attackers use the Windows' graphics rendering engine that handles WMF images to launch malicious code on users' computers via these images. A number of security researchers posted information about the vulnerability to their mailing lists. Within a few hours, researcher H.D. Moore posted a working example of a WMF exploit--a piece of code written to take advantage of a software flaw--on his Metasploit Web site. Some defended the action, saying it offered insight into the rules security pros needed to put on intrusion-detection systems to avoid getting hit. Others argued that what Moore did enabled the average hacker to more easily exploit the flaw.

Information Week published a long, sensational, and patently dishonest article on security research today. This text makes it seem as if malware authors used the information H.D. Moore published. The fact is that this vulnerability was being exploited by criminal organizations in the wild before anyone in the security research community knew about it. The article fails to make this fact clear because it doesn't fit into the narrative that the reporter is aiming for and undermines the questions the reporter is raising. Would any major news media organization be interested in a piece that discusses whether intentionally dishonest reporting is good or bad for society?



Microsoft Opens IE Bug Database!!!
Topic: Computer Security 11:05 am EST, Mar 28, 2006

You know that scene in Die Hard when Alan Rickman and crew finally gets the vault open? Remember how Fur Elise starts playing and the robbers see stacks and stacks of bearer bonds? This is totally like that.

Microsoft Opens IE Bug Database

Users will be able to report bugs found in the Web browser.

To post or view bugs, users must sign up for a Passport account on the Microsoft Connect Web site.

"Many customers have asked us about having a better way to enter IE bugs. It is asked, 'Why don't you have Bugzilla like Firefox or other groups do?'" said the Microsoft blog post.

Microsoft is only accepting bug posts for Internet Explorer 7 and future versions.

This is interesting. IE 7 is a 1.0 product in a 7.0 wrapper. There are going to be lots of bugs MS's QA department just didn't get to. More importantly, there will be more bugs than they can fix. There will be a backlog that is ripe for 0day.

This will make for interesting things in the Layer 7 world.



RFID Viruses: Is your cat infected with a computer virus?
Topic: Computer Security 6:56 pm EST, Mar 15, 2006

The prankster decides to unwittingly enlist his cat in the fun. The cat has a subdermal pet ID tag, which the attacker rewrites with a virus using commercially available equipment. He then goes to a veterinarian (or the ASPCA), claims it is a stray cat and asks for a cat scan. Bingo! The database is infected. Since the vet (or ASPCA) uses this database when creating tags for newly-tagged animals, these new tags can also be infected. When they are later scanned for whatever reason, that database is infected, and so on. Unlike a biological virus, which jumps from animal to animal, an RFID virus spread this way jumps from animal to database to animal.

I ignored this article this morning but it's actually pretty cool. SQL injection, CSS, and buffer overflows from data stored in RFIDs is a vector that few people have really looked at. I wonder if the new U.S. Passports are vulnerable?



Slashdot | Interview With Cryptographer Elonka Dunin
Topic: Computer Security 8:19 pm EST, Mar 14, 2006

"Whitedust is running a very interesting article with the DEF CON speaker and cryptographer Elonka Dunin. The article covers her career and specifically her involvement with the CIA and other US Military agencies."

Elonka continues to prove why she is the most famous user on MemeStreams. Rumor also has it she has been accepted into the Industrial Memetics Institute...

Go Elonka! I truly cannot wait till I have a copy of her upcoming book. I expect it to be very well received by a very wide audience. I think the result will be surprising...

Elonka should wind up on the talk show circuit. We need to get Elonka on Oprah after her book comes out! It's imperative.


