Information Security News mailing list archives

Guide tells 'grey hats' how to avoid legal pitfalls


From: InfoSec News <alerts () infosecnews org>
Date: Wed, 26 Nov 2008 04:14:44 -0600 (CST)

http://news.zdnet.co.uk/security/0,1000000189,39562174,00.htm

By Tom Espiner
ZDNet.co.uk
25 Nov 2008 

The US-based Electronic Frontier Foundation has published a guide on how 
IT professionals can avoid falling foul of the law as a result of 
ethical hacking.

The Electronic Frontier Foundation (EFF) 'Grey Hat' Guide [1] ponders 
such questions as what a security researcher should do if they 
unintentionally "violate the law" in the course of their investigations.

"A computer-security researcher who has inadvertently violated the law 
during the course of her investigation faces a dilemma when thinking 
about whether to notify a company about a problem she discovered in one 
of the company's products," the guide states. "By reporting the security 
flaw, the researcher reveals that she may have committed unlawful 
activity, which might invite a lawsuit or criminal investigation. On the 
other hand, withholding information means a potentially serious security 
flaw may go unremedied."

The EFF said that researchers in this situation could reconstruct 
research using technology they are authorised to use, or report the flaw 
in general terms. However, both of these options are "undesirable", the 
EFF said.

[1] http://www.eff.org/issues/coders/grey-hat-guide

[...]

