Lock and Code

When good-faith hacking gets people arrested, with Harley Geiger


When Lock and Code host David Ruiz talks to hackers—especially good-faith hackers who want to dutifully report any vulnerabilities they uncover in their day-to-day work—he often hears about one specific law in hushed tones of fear: the Computer Fraud and Abuse Act.

The Computer Fraud and Abuse Act, or CFAA, is a decades-old hacking law in the United States whose reputation in the hacker community is dim. To hear hackers tell it, the CFAA is responsible not only for equipping law enforcement to imprison good-faith hackers, but also for many of the legal threats that hackers face from big companies that want to squash their research.

The fears are not entirely unfounded.

In 2017, a security researcher named Kevin Finisterre discovered that he could access sensitive information about the Chinese drone manufacturer DJI by utilizing data that the company had inadvertently left public on GitHub. Conducting research within rules set forth by DJI's recently announced bug bounty program, Finisterre took his findings directly to the drone maker. But, after informing DJI about the issues he found, he was faced not with a bug bounty reward, but with a lawsuit threat alleging that he violated the CFAA.

Though DJI dropped its interest, as Harley Geiger, senior director for public policy at Rapid7, explained on today's episode of Lock and Code, even the threat itself can destabilize a security researcher.

"[It] is really indicative of how questions of authorization can be unclear and how CFAA threats can be thrown about when researchers don’t play ball, and the pressure that a large company like that can bring to bear on an independent researcher," Geiger said.

Today, on the Lock and Code podcast, we speak with Geiger about which other hacking laws can be violated when conducting security research, how hackers can document their good-faith intentions, and the Department of Justice's recent decision not to prosecute hackers who are only hacking for the benefit of security.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Lock and Code, by Malwarebytes