So I've gradually opened up about this as the risk has decreased, but I think it's time I can publicly share something that happened to me this year:

I was part of an investigation into a possible violation of the CFAA. Or, more accurately, I was being investigated as a suspect.

TL;DR: I ethically disclosed a security vulnerability - SQLi leading to account info, plaintext passwords. That same issue was, according to the investigators, abused by someone (possibly me, they thought).


@tweedge yikes. Hopefully recent announcements by the DOJ will temper their enthusiasm to prosecute/investigate bug hunters

@jerry I'm hopeful here but cautious. In this specific case, there's no doubt I would be unprotected - someone did something unethical, and the DOJ will find out who.

In the other cases I've handled - private, public, or advisory - I would almost certainly be guaranteed protection from DOJ prosecution now (though I remain unprotected from other litigation, ex. state-level laws). That said, for any protection at all to be offered is a big step and worth acknowledging.

@tweedge @jerry :oof:

The whole posture around information security is just generally upside-down, I feel.

Media focuses on blaming scary :hacker_h: :hacker_a: :hacker_c: :hacker_k: :hacker_e: :hacker_r: :hacker_s: for cases of gross incompetence on device vendors' part; LEA is hell-bent on prosecuting security researchers for disclosures; and three-letter agencies weaponize vulnerabilities and then lose cabin pressure, leading to WannaCries and NotPetyas.

Heavy sigh.

@jerry @rysiek @tweedge let's meet at the Full Moon in the forest to dance and heal, my sisters!

@rysiek Yup, plus the media completely misses the fact that hacking is simply playful cleverness, and those who break security are really crackers.
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.