Social Network Insecurity | Disclosing the Vulnerabilities - IT Policy | Audit

12/21/2010

Social Network Insecurity | Disclosing the Vulnerabilities

White Hat Computer Crime?

Does a well-intentioned security researcher commit a crime by probing a social network for vulnerabilities?

Some observers have feared the answer is yes. They have speculated that the researcher might enter a computer without authority and thereby violate an anti-hacking law like the federal Computer Fraud and Abuse Act.

The validity of those fears is debatable. And by tradition some web site owners have taken offense to researchers who test their sites for security holes. Tradition suggests that the less discussion of security the better. [For a rough example, see the FBI investigation that emerged after self-proclaimed researchers announced they had acquired sensitive information from AT&T about new iPad owners (although I do not know whether the investigation came as a consequence of a complaint from AT&T).]

But Facebook is pioneering a fresh approach. Facebook feels it can benefit from tests by independent researchers. Rather than forbidding security interrogations, it encourages them, provided they meet some conditions. Facebook says it will not seek punishment of someone who finds a security flaw and then reports it to Facebook a reasonable time before disclosing it to the public (provided the person makes a good effort to avoid abuses like identity theft or data destruction).

[Facebook doesn’t say what it will do if it catches a good researcher who is probing its network, but not finding anything to report.]

Facebook’s strategy suits our modern, networked age. Facebook candidly admits that it can make a mistake. Facebook’s attitude is that while it cannot know everything about its systems, it wants to learn as much as it can, as fast as it can. Thus, it encourages the multitudes on the Internet to find and reveal information Facebook craves. When Facebook opens itself to scrutiny, the cost is low, but the payoff in tips can be high.

These days, being open to talking about dangerous topics can help an enterprise win friends and propel it on a course of constant improvement.

–Benjamin Wright

Mr. Wright, a practicing attorney, teaches the law of data security and investigations at the SANS Institute.

Posted at 01:12 PM in computer fraud abuse act, facebook, law enforcement, social networking | Permalink

Tags: hacker

Comments

You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

Posted by: |

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:

Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name is required. Email address will not be displayed with the comment.)

Name is required to post a comment

Please enter a valid email address

Invalid URL

Blogger

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He helps tech professional firms write engagement contracts, and otherwise manage their legal liability and right to be paid. Such firms include QSAs, auditors, blockchain analysts, penetration testers and forensic investigators. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.

Important!

No public statement by Mr. Wright (blog, comment, book, article, video, speech, tweet) is legal advice for any particular situation. If you need legal advice, you should consult your lawyer.
The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public education and discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.
Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.
Mr. Wright's contributions to blogs, web courses and the like constitute part of the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law.
The only person responsible for Mr. Wright's words is Mr. Wright.
Mr. Wright has received money from some organizations he mentions online, such as Netmail/Messaging Architects, SANS Institute and LabMD.
Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.
Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.
Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.
Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.

Become a Fan

IT Policy | Audit | Investigate Cyber Crime

Liability | Lawsuits | Strategy

12/21/2010