The security researcher's lot is not an easy one. This player is an essential part of the security ecosystem, an experienced security person who tries to find security holes in systems so that they can be flagged and fixed. The problem is that the good guy security researcher—at a glance—looks and acts an awful lot like a bad guy cyberthief. From the CISO's desk, how is one to tell the difference?
As a practical matter, though, this column is not really about confusing the two. That is because if the CISO detects the security researcher's efforts, then that CISO is on top of their defenses enough that it's not a problem. No, this column is about how the rules for security researchers and cyberthieves must be polar opposites—and they're not. If it's not fixed soon, today's security problems will be heaven compared to what things will be like in two years.
Consider a recent case. According to a fascinating report in The Daily Dot, "Once again, a security researcher has found himself facing possible prosecution under a federal statute known as the Computer Fraud and Abuse Act (CFAA). His crime, according to a dental-industry software company, was accessing what had been left publicly available on the open Internet."
Specifically, the researcher (Justin Shafer) "was researching an issue with hard-coded database credentials when a search for a password led him to an anonymous FTP server that allowed anyone access. When Shafer looked at the files on the publicly available server and saw a directory with patient data, he took steps to alert Patterson to secure the protected health information. Only after Shafer determined that the patient data had been secured did he and DataBreaches.net disclose the incident publicly."
The owner of the servers contacted the FBI, accusing Shafer of having "exceeded authorized access." Check out the Daily Dot piece to read the full details, but that's the essence of the case.
A key element of U.S. criminal prosecution is a legal concept known as mens rea, which is essentially criminal intent. But here's where common sense falls apart. Criminal intent, as it was originally intended, is an intent to steal from or to harm someone. Today, though, many laws merely require a literal violation of a statute's phrasing with no intent to do anything wrong.
Let's consider an example of a helpful neighbor. She notices that your front door is wide open, which is very unusual. She walks closer and peers in. She walks right up to the door and shouts "Is everything OK?" When no one responds, she slowly steps into the doorway and looks to see if anything looks wrong. When she sees nothing concrete, she exits the house, calls the homeowner's mobile phone and reports what she found.
Legally, that woman is guilty of burglary. She knew that she didn't own that house and she entered anyway. How is that burglary? Burglary is entering with the intent to do something illegal. What was the illegal thing she intended to do? Trespass, of course.
The state of the door is important. Was it locked, and did she smash it in with a battering ram? Did she pick the lock? Was the door closed and unlocked? Was it slightly ajar? Or was it wide open? Now let's go back to Shafer's situation. He saw this server, and its protections amounted to a door left wide open.
Now let's make this analogy even closer. Shafer wasn't merely a neighbor who happened to stumble upon this open door. He's a security professional who knows what to look for. Getting back to that house with the open door and the concerned neighbor, the closer analogy would be a local police officer or perhaps the head of the neighborhood watch group.
That police officer or watch group leader is supposed to make rounds through the neighborhood, looking for any indications of something unusual, something that might signal criminal activity. Would you rather have your unlocked door discovered by a watch group or police officer, or by a burglar or murderer?
That brings us back to criminal intent. When Shafer walked into the open door to check on the safety of those ultra-sensitive medical records, was his intent to steal those records or to help keep them safe? That's the more meaningful mens rea at issue here.
Without reading someone's mind—or having to take someone at their word—how do you establish what their intent had been? It's reasonable to make inferences from their actions. Had that neighbor taken valuables out of the house and sold them, that is pretty indicative of criminal intent. Instead, she took nothing and immediately phoned the homeowner.
What did Shafer do? In effect, the same thing. He immediately contacted the owner of the servers and reported the problems he found. He waited until the records were secured and then reported the security problems publicly, to get others to protect their own files.
As for exceeding authorized access, that's the weakest part of this case. The intent of that phrasing is to punish people who have the authority to use one part of a system but use someone else's password—or crack passwords—to get into an unauthorized area. In Shafer's case, there were no passwords. That's the whole point. Indeed, permissions were set in such a way that a random visitor had full authority to look at those files. He didn't exceed authorized access. He used his authorized access.
The problem is that the server had its permissions set improperly. That's certainly not Shafer's fault.
This case criminalizes security behavior that every responsible security professional needs to be legal and encouraged. If you have a security hole, wouldn't you rather be told about it by a good guy before you're attacked by a bad guy?
Admittedly, bad guys and good guys look an awful lot alike. A report last week spoke of CiCi's Pizza—more than 500 stores in 35 states—where thieves "obtained access to card data at affected restaurants by posing as technical support specialists for the company's point-of-sale provider," according to a report in KrebsOnSecurity.
But it doesn't take a Sherlock Holmes to recognize the difference between someone acting like Shafer and a thief. The only one who couldn't see the difference is an embarrassed security chief at a medical company that wanted to strike out vindictively at the guy who revealed that the emperor is wearing no clothes. That is the kind of conduct that the industry must crack down on.