

It is not uncommon for security researchers to test vulnerabilities they discover, making sure that they result in flaws that expose data, before reporting the problems to companies so they can be fixed. “Legitimate people will push a door open if it looks ajar,” said Chester Wisniewski, a principal research scientist at Sophos, a cybersecurity firm. Thompson had ventured too far into Capital One’s systems to be considered a white-hat hacker. “She was motivated both to make money and to gain notoriety in the hacking community and beyond.” attorney for the Western District of Washington, wrote in a legal filing. “Even if her actions could be broadly characterized as ‘research,’ she did not act in good faith,” Nicholas W. Instead, she chatted with friends online about how she might be able to profit from the breach, according to legal filings. Thompson had no interest in helping Capital One plug the holes in its security and that she cannot be considered a “white hat” hacker. The Justice Department has argued that Ms. The law “doesn’t give a lot of visibility to people on what could get you in trouble and what couldn’t get you in trouble,” Mr. “They are interpreting a statute so broadly that it captures conduct that is innocent and as a society we should be supporting, which is security researchers going out on the internet and trying to make it safer,” said Brian Klein, a lawyer for Ms. Thompson’s discovery of flaws in Capital One’s data storage system reflected the same practices used by legitimate security researchers and should not be considered criminal activity. Thompson had planned to use the information she gathered for identity theft, and had taken advantage of her access to corporate servers in a scheme to mine cryptocurrency.
Thompson’s trial will raise questions about how far security researchers can go in their pursuit of cybersecurity flaws before their actions break the law. Last month, the Justice Department told prosecutors that they should no longer use the law to pursue hackers who engaged in “good-faith security research.” And in April, a federal appeals court ruled that automated data collection from websites, known as web scraping, did not violate the law. The Supreme Court narrowed the scope of the law last year, ruling that it could not be used to prosecute people who had legitimate access to data but exploited their access improperly. In recent years, courts have begun to agree. Critics of the computer fraud law have argued that it is too broad and allows for prosecutions against people who discover vulnerabilities in online systems or break digital agreements in benign ways, like using a pseudonym on a social media site that requires users to go by their real names.
