Tag Archives: privacy

Legalize Hacking Now!

“If you don’t hack your systems, someone else will.” The latest data breach statistics (IBM / Verizon / OSFDB) prove the conventional wisdom is still valid. The AT&T “hacking” case of Andrew “Weev” Auernheimer made me revisit my 2007 views on hacking and responsible disclosure, especially in light of the changes in the field since my article was published.

Weev’s case forces one to try to reconcile contradictory views: on one hand, the greater good was served because AT&T fixed a hole that easily exposed much sensitive personal information of their iPad users. On the other hand, after inspection of his code on Git, there is no reason to think it’s not a case of parameter tampering and clearly illegal.

In the broader picture, society needs people who can and are willing to expose information security issues that clearly hurt individuals (or groups of people) either physically or with regard to their privacy. We need a way to give people who have the technical prowess the ability to legally search and report what they find, thereby improving and strengthening society.

With the disclosure that Nation-States continuously hack computer infrastructures and the development of industry bug bounty programs offered by Facebook, Microsoft and Google, it seems to me it’s time — and society is ready — to legalize hacking. Legalization does not mean we should give just anyone free rein to research another’s online infrastructure property. While I’m not looking to lay out an entire program in this short op-ed, I imagine such a program would be similar to Facebook’s bug bounty program: the researcher would most likely be required to register (or create a test account) and be looking for specific types of vulnerabilities in order to legitimately engage in the activity. Companies and government entities would be required to have procedures for receiving and fixing reported vulnerabilities disclosed to them through the “hacking” channel in a timely fashion.

“If you don’t hack your systems, someone else will.” That “someone else” already has; now we must. Legalize hacking now!

NYC holds ShredFest 2010 ID Protection

NYC rocks!!! If you care about protecting your identity, attend NYC Shred Fest 2010, May 23rd from 10AM-4PM… Massive paper shredding for sensitive documents as a free NYC service! My tax dollars at work, folks, to help protect you… In addition, the first three people to each location receive a free shredder!

Facebook Gaffe Shares Pvt Emails

In the past I wrote that sometimes end users share a single Facebook account, exposing your private email to others.

This time it’s the app itself, as Facebook routed the emails to the wrong boxes.

Cloud computing gaffes will expose privacy limits.

Germany to buy stolen data

I’m not sure I like it when Governments do this kind of stuff.

On Tuesday, German Finance Minister Wolfgang Schäuble said the government had agreed to buy a CD from an anonymous informant that contains the stolen bank details of up to 1,500 people who are suspected of evading German taxes by stashing their money in Swiss bank accounts.

I will most likely write more on this case through bloginfosec.com.