Security holes in online applications may go unfixed because well-intended hackers are afraid to report bugs.
Web applications pose a dilemma for bug hunters: how to test the security without going to jail? If hackers probe traditional software such as Windows or Word, they can do so on their own PCs. That isn't true for Web applications, which run on servers operated by others. Testing the security there is likely illegal and could lead to prosecution.
"There are more legal dangers to testing an application that is hosted on somebody else's system. That is a real challenge of this new application model," said Wendy Seltzer, an assistant professor specialized in Internet law at New York's Brooklyn Law School.
"We're losing the Good Samaritan aspect of security," said Jeremiah Grossman, chief technology officer at Web security company WhiteHat Security. "If it's illegal to find vulnerabilities in Web sites, it means only bad guys know where the vulnerabilities are. This is one of the big issues in information security as we shift to a Web 2.0 world."
Caleb Sima, chief technology officer at rival Web security firm SPI Dynamics, agreed that the legal threats effectively make Web applications less secure. "If a vulnerability existed, it would be the black hat hacker that would find it because they don't care. That causes Web apps to be less secure," he said.
The onset of what's become known as Web 2.0 is causing a splash, as it stretches the boundaries of what Web sites can do. But as sites become rich with new features, offering an experience akin to desktop applications, the security risks also increase, experts have said.
Bug hunting has been a legal gray area for people who probe desktop software. They may be breaking the law when they take apart, or reverse-engineer, software sitting on a PC. But the law is clear-cut when it comes to Web sites, said Jonathan Zittrain, professor of Internet governance and regulation at Oxford University's Internet Institute.
"The venerable Computer Fraud and Abuse Act in the U.S., and corresponding laws in other countries, criminalizes unauthorized access to a machine, including 'exceeding authorized access.' The point of a hack to expose a security vulnerability (in a Web application) is usually to do just that," Zittrain said.
Prosecutors could use several laws to go after security researchers who break into an online application, but the Computer Fraud and Abuse Act is the primary one. It provides for a fine or up to a year in prison for somebody who "intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage."
"It is a problem for people who do have the public interest in mind and who are trying to expose flaws that are putting people's privacy or information at risk," Seltzer said.
Hackers are the good guys while crackers are the bad guys.
But laws and regulations don't differentiate between them, putting the good guys on the same bandwagon as the bad guys.
When you start handcuffing the good guys out of consideration for the bad guys... you'll always end up deeper in the $#!% hole than you started!!!
It's just common sense.
FWIW