After a weekend away I got an interesting email from one of my subscribers. It was regarding some auditing that he was performing against a website, and that website had asked him to remove the offending information from his website. Here’s a snippet from the email (I’m not going to post who it is unless he wants to talk about it more himself):
Does he have the legal right to ask such a thing, and if I didn't remove it, would anything happen because of it?
I'm no lawyer, honestly, but I really don't think he has a legal right to get you to stop publishing your information unless it falls under one of three categories. The first is libel. Libel is where you write something that is not the truth; in this case, if what you published is true, it's not libelous. Slander is where you say something that is not true and defamatory. Clearly neither applies here.
The second is more along the lines of a governmental issue, where you cannot incite riots, terrorism, etc. I don't think this falls under that one either.
The last one that comes to mind is the DMCA. The DMCA might apply if you are reverse engineering the software to perform a security audit of it. I'm not sure there is actually any valid legal precedent for that claim, although Snosoft was nearly sued under it by HP for finding a vulnerability in their product a few years back. After a huge uproar from the security community, HP issued a press release and retracted the suit against Snosoft.
Now, all that said, the legality of performing unsolicited penetration tests against live websites is getting to be risky business. Regardless of your intentions, any sort of unsolicited security penetration testing is tantamount to hacking. Dmitry was pretty much screwed after finding an issue with Adobe's products. Then there was the kid who did an F5 "attack" by trying to get his classmates to DoS their school server by hitting refresh. The amusing part is that the attack ended up happening inadvertently, because the story was Slashdotted later (my favorite comment on that one was, "I went to the website, but it was down, so I hit refresh, and it's still down."). It was later taken down by Slashdot because of legal ramifications, I'm assuming.
It's basically war on penetration testing and vulnerability assessments right now. So, good intentions or not, watch your back.