So I've gradually opened up about this as the risk has decreased, but I think it's time I can publicly share something that happened to me this year:

I was part of an investigation into a possible violation of the CFAA. Or, more accurately, I was being investigated as a suspect.

TL;DR: I ethically disclosed a security vulnerability - SQLi leading to account info, plaintext passwords. That same issue was, according to the investigators, abused by someone (possibly me, they thought).

I cannot convey to you how fantastically ready I am to be investigated for CFAA issues. I've disclosed many vulnerabilities privately, gone public with one, and even consult 1:1 with other researchers working on their first disclosures to help keep them safe & out of trouble.

I'm a cis white man in tech. I have a salaried job and a minor but positive reputation. I have enough savings to fight even a serious legal battle.

And I was still anxious for weeks while preparing to defend myself.

The serious reality of the situation is, even though I did *everything right*, something out of my control almost landed me a federal charge.

I cannot imagine disclosing the same issues if I had less protection for myself. Hacking - even ethical hacking - can have serious, life-ending ramifications.

I applaud the work of the DOJ to start reducing risk for us - I really do. But this scare (and the long history of cudgeling hackers) is a big part of why I remain wary for us all.

I'll probably write this up in another post sometime with more info, but just in case anyone else runs into the same situation, here's what to do:

* Shut the fuck up
* Contact the EFF legal desk
* If assistance is offered, TAKE IT
* If not, have your inquiry forwarded to the Cooperating Attorneys list
* Verify any lawyer that voices interest in your case can practice in your state & look for relevant case history
* Contact the lawyer - first consult is usually free, but it's mostly so both parties know more about the situation
* CAREFULLY follow their plan going forward, but be warned that any ongoing assistance will almost 100% cost you

In my case, it didn't go further (hooray). If that happens - and you have the means - it seemed a nice gesture to ask to send someone their favorite food/drink or make a charity donation in their name.

Do you have insurance in the States to cover the cost of a lawyer?

@RyunoKi There are some options for legal insurance (I have one provided by my employer) though they're not amazing... In my case, I would contact them and would be assigned a lawyer - it's a system designed to handle small issues, for example paperwork when buying a house. I honestly just didn't trust my coverage for a specialized concern, so I didn't try to get assistance through them.

@LovesTha Yeah. I even got the classic line "I mean, *I* don't think it was you, but ..." -.-

In retrospect the way things played out it looks more like a due diligence check than a real threat to me, but the fact that it could have been "just" a due diligence check already speaks volumes about my keeping-the-nose-clean internet presence, workplace, etc.

@tweedge yikes. Hopefully recent announcements by the DOJ will temper their enthusiasm to prosecute/investigate bug hunters

@jerry I'm hopeful here but cautious. In this specific case, there's no doubt I would be unprotected - someone did something unethical, and the DOJ will find out who.

In the other cases I've handled - private, public, or advisory - I would almost certainly be guaranteed protection from DOJ prosecution now (though I remain unprotected from other litigation, e.g. state-level laws). That said, for any protection at all to be offered is a big step and worth acknowledging.

@tweedge @jerry :oof:

The whole posture around information security is just generally upside-down, I feel.

Media focuses on blaming scary HACKERS for cases of gross incompetence on device vendors' part; LEA is hell-bent on prosecuting security researchers for disclosures; and three-letter agencies weaponize vulnerabilities and then lose cabin pressure, leading to WannaCries and NotPetyas.

Heavy sigh.

@jerry @rysiek @tweedge let's meet at the Full Moon in the forest to dance and heal, my sisters!

@tweedge That is pretty crazy. I listen to the Security Now podcast and they've covered an instance or two of this happening to people that disclosed vulnerabilities.

Glad to hear it's died down and the Mr Robot men in suits aren't chasing you anymore lol, but still, that is wild. Esp. in a day and age where people get paid for responsible vulnerability disclosures.

@spaphy The whole system is still backwards, and a lot of people are playing with fire by participating before the legal grey areas are resolved.

It is a rewarding fire to play with though - even with a scare like this, I struggle to think of another field I'd enjoy as much. Just going to do my best to avoid scares like it in the future.

This stuff is exactly why I would never dare disclose a vulnerability with my name attached.

You either get little reward or end up with a lawsuit.

@privateger Absolutely fair. If my situation were even slightly riskier (and I'm risk-insulated as hell right now), I don't know if I could justify doing any ethical disclosures - anonymous or not. The potential downside is just too fuckin' big.
