What security researchers should take from the example of Aaron Swartz
January 13, 2013  

In my corner of the Internet you can’t go anywhere today without reading about Aaron Swartz. It’s amazing to see how many people he touched.

Although he was not engaged in security research, his legal troubles are a familiar story to anyone who has been working in security for more than a few years. They are a particularly tragic instance of the pattern I mentioned in my last post.

For those new to the field, I’ll say it more plainly: if you demonstrate a vulnerability in someone’s web site or live system, expect to be prosecuted. If that’s not clear enough, read the cartoon.

This isn’t about right or wrong, or what the law says or what it should say. It doesn’t matter that you mean well, that you are trying to make everyone safer. It doesn’t matter that you responsibly disclosed the vulnerability to the vendor. It doesn’t matter that the vulnerability was easy to find, obvious, even. It’s just a fact that any security researcher must keep in mind: this has happened over and over again, and it’s going to continue.

In the early days after 9/11, you would hear about people who saw that the new security measures at airports were laughable and demonstrated that fact to the authorities by smuggling knives and so on through security. These people meant well. They were arrested.

Exactly the same thing happens in computer security. Someone discovers a security vulnerability in a system, investigates to verify the problem, and, hoping to get it fixed, notifies the owner of the system. They are then in legal jeopardy. Read this story by an acquaintance of Aaron for one example. There are many, many others.

Of course, if your intentions are less noble, you are even more likely to be prosecuted. Samy (https://en.wikipedia.org/wiki/Samy_(computer_worm)) was prosecuted for the MySpace worm, even though he just wanted to impress girls.

Once again, I’m not talking about right or wrong, or what the law says or what it should say. That needs to be discussed too. But for now, if you are a security researcher, activist, or “hacker”, please understand that you have to be careful out there.