AOL hacking request: illegal?

I just saw this listing on the Craigslist NY job board. It sounded a little, uh, questionable:

Freelance hacker needed…

What do you think?

Of COURSE it’s illegal.

It’s a request for someone to blatantly hack someone else’s passwords, thus assuming their identities. Identity theft is a crime.

Which one is your question:

Is this ad illegal?

or

Is the task of cracking AOL passwords illegal?

Circumventing security without permission in the real world or online is illegal. Period.

(I guess there might be exceptions, but I really can’t think of any.)

Who’s to say that AOL security is not behind the ad, to snag the unwary hacker?

I have no info for the OP regarding this particular job posting (especially since it was pulled by Craigslist before I could read it), but I’d say this generalization is far too broad. There are legitimate research reasons for breaking security without permission. This is often done to verify that a product or service lives up to expectations, and we cannot rely on companies to self-audit sufficiently to protect our concerns.

Granted, this is a huge grey area, and analogies to other real-world situations are difficult because of the fact that many security products are used under license rather than being owned by the consumer. For instance, many companies use DMCA to assert that you cannot attempt to circumvent the security measures they provide to protect your own privacy. This is analogous to a lock manufacturer trying to make it illegal for you to rattle your own doors and windows to test security once his locks are installed. As a strict answer to the OP, the DMCA has made much of this activity illegal even when common sense would hold that it is a necessary and useful arena for research, but even with DMCA in place, there are exemptions which allow for testing of security without permission. I’d be happy to provide numerous cites, but that might be overkill since this is a hijack.

Well, I think my statement still stands in those cases. Generally a company will ask/hire someone to check their server security. If someone hacks into their server and then says, “well, this is how I did it, you should fix it”, that’s still illegal because they bypassed security without permission. The lockmaker analogy is a little better, but those locks are protecting your domain, so you have the permission to test them.

That might work if companies had any incentive to do that. They don’t, or at least many of them have very little incentive. AOL certainly has plenty of incentive to protect their own servers, but a company who produces a software product has very little incentive to validate their security when they can simply sue anyone who dares test it. For instance, see the recent news story about the digital-rights security system which could be circumvented by holding down the shift key when opening the file. The company obviously didn’t look very hard at their own system and then tried to sue the student who exposed the flaw for illegal hacking even though he didn’t do anything except “product review” type testing.

I really don’t want to call your “trust the company to audit itself” stance laughably naive, but anyone who works in the security industry knows that independent testing is an absolute necessity and you cannot trust a company’s claims without impartial validation. Do you think Microsoft’s recent commitment to security came because their internal auditors realized their security was weak or because the marketing people got tired of dealing with the negative press of frequent exploits published by outsiders? However, from a legal standpoint, DMCA has had a chilling effect on legitimate research and it is still unclear how much product-review testing is legal for different types of licenses.

Granted, you’re correct about the situation where someone attacks your server (which is presumably what the OP was asking about). I was objecting to your blanket statement as applied to other situations. If I buy a firewall or other security product to protect my domain, the company who sells it may still hold that it is illegal for me to test my own security by trying to circumvent their product. They can do this under the law (to some extent) because I don’t actually own their product, I license it, unlike the locks in my analogy. However, there are plenty of cases where a company pursues someone for breaking the security of their software when the company itself was never attacked (i.e. a company filing suit against someone who published an exploit even when the exploit was never used outside the lab).

For example, say I want to test the security of ABC Corp.'s new security product. I could either:

1. port-scan the net to find XYZ Corp has installed the product and run my tests against them without permission
2. obtain the product, install it in my lab and test security
3. ask Opal

Obviously #1 is and should be illegal. Logically it should be XYZ who is the victim, but current law might leave me liable to both XYZ and ABC. #2 may or may not be illegal depending on license agreements with ABC and interpretation of laws like DMCA, though I hold that this activity should be legal and is a necessary part of true security. #3 costs too much because Opal is busy. There are some legal hairs to split because it might be legal for me to test the security a product is trying to provide but illegal for me to test the security protecting the product itself (i.e. legal for me to do penetration tests on my firewall but illegal to crack the admin password file set by the company).

I’m not a lawyer and I’m not qualified to debate the finer points of license agreements and laws like DMCA. I really just wanted to point out that your statement that “circumventing security … is illegal” was too broad. Circumventing security does not always equate with attacking someone else. Attacking someone else’s security without permission should always be illegal, but circumventing security measures for research purposes should be a protected activity.

I agree with you entirely that it should, but that statement does not hold in the US due to this wonderful, WONDERFUL thing called the DMCA, that you already know about. So I think we’re on the same page, I was just arguing from the letter of the law and you’re arguing how things should be.

I don’t believe the full effect of the DMCA has been settled. DMCA has certainly had a chilling effect due to the threat of suits, but I’m not aware that any of the suits against bona fide researchers have actually gone to court to test the law. In addition, there are specific research exemptions built into DMCA as well as the power for the Copyright office to define new exemptions without sending the law back to Congress.

Sorry to perpetuate this hijack even further, but just wanted to point out that the Copyright Office has used this power to add after-the-fact exemptions to DMCA in at least one case. In the Lexmark case, the Copyright Office said that DMCA does not block circumvention intended to provide interoperability. Interoperability was also the issue when a federal judge ruled DMCA did not apply to the circumvention used in a garage-door opener.

I suspect (or maybe just hope) that if any of the DMCA-based lawsuits against legitimate security researchers actually went to court, we’d see additional exemptions to cover some of this lab-based “white-hat” hacking. That’s one reason a lot of the suits aren’t pressed, because the software makers want to continue to wield the threat of a lawsuit and don’t want that threat invalidated by a court finding against them. So, with respect to the OP, a lot of legitimate circumvention work might be illegal now based on the letter of DMCA law, but that status would almost certainly change if that law were tested in court. It would be more appropriate to say that the legality of some of these activities is uncertain.