






From: InfoSec News <alerts_at_private>




Date: Wed, 26 Nov 2008 04:14:44 -0600 (CST)






http://news.zdnet.co.uk/security/0,1000000189,39562174,00.htm



By Tom Espiner
ZDNet.co.uk
25 Nov 2008



The US-based Electronic Frontier Foundation has published a guide on how
IT professionals can avoid falling foul of the law as a result of
ethical hacking.



The Electronic Frontier Foundation (EFF) 'Grey Hat' Guide [1] ponders
such questions as what a security researcher should do if they
unintentionally "violate the law" in the course of their investigations.



"A computer-security researcher who has inadvertently violated the law
during the course of her investigation faces a dilemma when thinking
about whether to notify a company about a problem she discovered in one
of the company's products," the guide states. "By reporting the security
flaw, the researcher reveals that she may have committed unlawful
activity, which might invite a lawsuit or criminal investigation. On the
other hand, withholding information means a potentially serious security
flaw may go unremedied."



The EFF said that researchers in this situation could reconstruct
research using technology they are authorised to use, or report the flaw
in general terms. However, both of these options are "undesirable", the
EFF said.



[1] http://www.eff.org/issues/coders/grey-hat-guide



[...]





_______________________________________________

Help InfoSecNews.org with a donation!

http://www.infosecnews.org/donate.html



Received on Wed Nov 26 2008 - 02:14:44 PST




