Comments
White Hat Hackers Fight For Legal Reform
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/22/2014 | 8:59:14 AM
Re: Long-term conversation with legislators & regulators
I can't argue with the fact that this is a critically important national conversation to have. Probably an international conversation...  Have to applaud the white-hatters for beating the drums about it.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/22/2014 | 8:59:09 AM
Re: Long-term conversation with legislators & regulators
I can't argue with the fact that this is a critically important national conversation to have. Probably an international conversation...  Have to applaud the white-hatters for beating the drums about it.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
10/22/2014 | 8:54:48 AM
Re: Long-term conversation with legislators & regulators
My first question about this initiative was "This Congress? Are you kidding me?" But it's really more about keeping the conversation going, educating these industries that have no clue about security research, and hopefully getting consumers more information about the products they are buying and the safety implications of vulnerable software in their cars, etc. I like Billy Rios' perspective about the importance of researchers working with the corresponding fed agencies like DHS and FDA where applicable.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/22/2014 | 7:53:47 AM
Long-term conversation with legislators & regulators
Sadly, given the gridlock in Washington, it's hard to imagine a thoughtful conversation about reforming giving white hat hackers the freedome to do their work and ensure the safety of the IoT. That, and the anti-regulatory lobbyists who work for the product manufacturers.
No SOPA
50%
50%
No SOPA,
User Rank: Ninja
10/21/2014 | 7:01:59 PM
White Hat Police Academy
I've heard it suggested before when legal types were part of this conversation that potentially white hat needs to fall under law enforcement, or similar agencies.  In other words, if you want to work in the field of computer security and do penetration testing and combative hacking, you'll be protected but under the umbrella of the LAPD or FBI, for example.  Amusing, considering some of the more talented cyber security specialists out there are kids.  Of course, being associated with such organizations should provide that extra amount of protection white hatters are calling for, right?  Well, maybe not.  How many fully justified shootings have we seen ruin the career of both peace and police officers?  And, with all the political and economic pressure applied daily to these agencies, who can say when a scapegoat is needed when that really bad exploit is revealed that these agencies can't have anyone else know about?  

Another bill, then?  Well, search away on the Library of Congress website under Bills and Resolutions.  There are plenty of stalled bills out there with keywords like "penetration" "cybersecurity" "hacker" and so forth; many intending to redefine the ecosystem and what happens in it.  But the keyword here is "stalled".  Hell could freeze over before we get the protection and standards being asked for.  What, then?  Well, the industry could pull together and up the game; improve technology and keep some of that tech under wraps, as best it can.  White hatters can start thinking a little more gray, even black, and start covering tracks a little better; write less papers, and deliver exploits anonymously.

Ultimately, this is going to be a long battle.  The force and tactics needed for white hatters to do good work and beat cyber criminals at their own game might always be on the gray side of legal, no matter how laws are adjusted.  And once we start adjusting those laws, whose to say if the black hatters don't just benefit a little themselves from it...

 

 


  


New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: In Russia, application hangs YOU!
Current Issue
Flash Poll
How Data Breaches Affect the Enterprise
How Data Breaches Affect the Enterprise
This report, offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future. Read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-7929
PUBLISHED: 2018-09-18
Huawei Mate RS smartphones with the versions before NEO-AL00D 8.1.0.167(C786) have a lock-screen bypass vulnerability. An attacker could unlock and use the phone through certain operations.
CVE-2018-7991
PUBLISHED: 2018-09-18
Huawei smartphones Mate10 with versions earlier before ALP-AL00B 8.0.0.110(C00) have a Factory Reset Protection (FRP) bypass vulnerability. The system does not sufficiently verify the permission, an attacker uses a data cable to connect the smartphone to the computer and then perform some specific o...
CVE-2018-14641
PUBLISHED: 2018-09-18
A security flaw was found in the ip_frag_reasm() function in net/ipv4/ip_fragment.c in the Linux kernel from 4.19-rc1 to 4.19-rc3 inclusive, which can cause a later system crash in ip_do_fragment(). With certain non-default, but non-rare, configuration of a victim host, an attacker can trigger this ...
CVE-2018-14642
PUBLISHED: 2018-09-18
An information leak vulnerability was found in Undertow. If all headers are not written out in the first write() call then the code that handles flushing the buffer will always write out the full contents of the writevBuffer buffer, which may contain data from previous requests.
CVE-2018-16958
PUBLISHED: 2018-09-18
An issue was discovered in Oracle WebCenter Interaction Portal 10.3.3. The ASP.NET_SessionID primary session cookie, when Internet Information Services (IIS) with ASP.NET is used, is not protected with the HttpOnly attribute. The attribute cannot be enabled by customers. Consequently, this cookie is...