LWN.net

A "Grey Hat" guide for security researchers

Jennifer Granick of the Electronic Frontier Foundation (EFF) has created a guide for security researchers who may have run afoul of computer crime laws. It looks at the risks and some possible solutions for revealing information about vulnerabilities so that they can get fixed. Granick is seeking comments to improve the guide. "The researcher is in a quandary when she has potentially broken the law, but never intended to steal information or invade privacy and wants to see the problem fixed. Reporting the information raises a red flag that could result in an investigation and civil claims or even criminal charges. Keeping quiet means that the flaw will go unremedied and potentially could be exploited by someone who does have criminal intent. What is the grey hat hacker to do?"

A "Grey Hat" guide for security researchers

Posted Nov 25, 2008 1:29 UTC (Tue) by linuxrocks123 (guest, #34648) [Link]

Why is the security researcher necessarily female?

Other than this idiotic and distracting bit of political correctness, the article was informative and sadly accurate.

A "Grey Hat" guide for security researchers

Posted Nov 25, 2008 2:29 UTC (Tue) by smoogen (subscriber, #97) [Link]

Maybe because it was a female who wrote the article. Does the security researcher have to be male? Geez.

A "Grey Hat" guide for security researchers

Posted Nov 25, 2008 2:42 UTC (Tue) by gbouro (guest, #30593) [Link]

So your question can be asked. As a result, we as a community get to reflect on the small number of women in the field and perhaps get motivated to do something about it.

A "Grey Hat" guide for security researchers

Posted Nov 25, 2008 9:22 UTC (Tue) by Los__D (subscriber, #15263) [Link]

So... You wouldn't have lifted an eyebrow if it was a "he", but it's distracting when it's a "she"?

A "Grey Hat" guide for security researchers

Posted Nov 25, 2008 19:18 UTC (Tue) by linuxrocks123 (guest, #34648) [Link]

Correct, because "he" is the grammatically correct pronoun for actors of indeterminate gender.

A "Grey Hat" guide for security researchers

Posted Nov 25, 2008 22:01 UTC (Tue) by flewellyn (subscriber, #5047) [Link]

Both are equally grammatical.

female

Posted Nov 25, 2008 9:41 UTC (Tue) by astrophoenix (guest, #13528) [Link]

some style guides say it is better to use "she" rather than "he" as a generic pronoun. sometimes people even incorrectly say "they" when they really are referring to a singular, not a plural. so really, this document is just being more formal in using "she".

female -> plural?

Posted Nov 25, 2008 10:40 UTC (Tue) by michaeljt (subscriber, #39183) [Link]

On what basis do you say that using "they" here is incorrect? I believe that there is quite a bit of historical precedent for it.

female -> plural?

Posted Nov 25, 2008 13:44 UTC (Tue) by nix (subscriber, #2304) [Link]

'Quite a bit' as in 'they as a generic pronoun of indefinite number is older than English'.

Unfortunately, 'the researcher' is not of indefinite number but is definitely singular, so 'they' doesn't work without rephrasing. Try it:

*The researcher is in a quandary when they have potentially broken the law

In this case, English leaves you stuck for a good option. 'He' works better than 'she' because it's hallowed by historical usage: 'she' used to make me feel distinctly thrown off, as if it was explicitly excluding males, but I'm getting used to it.

Either option is better than, say, trying to invent a new pronoun. That throws *everyone* off.

female -> plural?

Posted Nov 25, 2008 13:54 UTC (Tue) by michaeljt (subscriber, #39183) [Link]

Actually that sounds OK to me, but I recognise that there are differing opinions on this subject. I will just refer to http://en.wikipedia.org/wiki/Singular_they and leave it at that.

female -> plural?

Posted Nov 25, 2008 16:55 UTC (Tue) by iabervon (subscriber, #722) [Link]

Using the pronoun "they" for an individual member of a group (that is, when you're not talking about some particular person, but rather about the arbitrarily-selected representative) has a long tradition, including, for example, The King James Bible. For at least one example, the plural-form-for-indefinite-individual replicates both the Greek and the Hebrew.

Your example is bad out of context because "the researcher" refers to an individual from the context, and, without any earlier mention, this is presumed to be some particular person (probably Bruce Schneier). I find "A researcher is in a quandary when they have potentially broken the law" perfectly fine, and this sets up "the researcher" as being an indefinite individual, so following with "The researcher might reveal the flaw to the site they examined" would now be fine as well.

female -> plural?

Posted Nov 25, 2008 17:06 UTC (Tue) by k3ninho (subscriber, #50375) [Link]

> 'He' works better than 'she' because it's hallowed by historical usage: 'she' used to make me feel distinctly thrown off, as if it was explicitly excluding males, but I'm getting used to it.

I'd not heard of a man thinking that the word 'she' explicitly excludes him or other men. Thank you for broadening my horizons.

BTW it seems reasonable to assume that using 'he' also makes women feel excluded. The weight of the historical use of 'he' making women feel excluded compounds the problem, especially in computing where the exclusion of women is a significant issue, what with women being under-represented and all.

female -> plural?

Posted Nov 25, 2008 19:01 UTC (Tue) by nix (subscriber, #2304) [Link]

Quite so. I didn't mean to suggest that I thought that the converse (women feel excluded by the use of generic 'he') didn't exist.

female

Posted Nov 25, 2008 13:02 UTC (Tue) by ikm (subscriber, #493) [Link]

> some style guides say it is better to use "she" rather than "he" as a generic pronoun.

Why is that? Do the guides elaborate on this?

A "Grey Hat" guide for security researchers

Posted Nov 25, 2008 18:22 UTC (Tue) by leoc (subscriber, #39773) [Link]

The only thing more annoying than 'political correctness' are those people who rant and rave at every opportunity about anything they might perceive as 'political correctness'.

A "Grey Hat" guide for security researchers

Posted Nov 25, 2008 19:23 UTC (Tue) by endecotp (guest, #36428) [Link]

A "Grey Hat" guide for security researchers

Posted Nov 25, 2008 3:24 UTC (Tue) by syntropy (guest, #54409) [Link]

Sadly, I've learnt the hard way that informing anyone at all, even the people you trust and even with the best of intentions, is irrelevant and folly. If the person in charge of the network has even the slightest ego, they will, without a doubt, make you not only a scapegoat, but an Antichrist.

In the crucible, you always lose.

A "Grey Hat" guide for security researchers

Posted Nov 25, 2008 9:34 UTC (Tue) by Trou.fr (subscriber, #26289) [Link]

Even if this guide is interesting, I think its focus on "grey hat" researchers is misplaced. Even "white hat" researchers who conducted security research legally (to one's knowledge, given the complexity of the laws, as explained in the article) are quite at risk.
In France nobody is able to tell if vulnerability research is legal or not, no jurisprudence exists and lawyers are unable to provide a definitive answer. The unfortunate consequence is that French security researchers are often refraining from publishing their research in fear of possible prosecution :(

A "Grey Hat" guide for security researchers

Posted Nov 25, 2008 12:31 UTC (Tue) by ketilmalde (guest, #18719) [Link]

The safest and most sensible thing to do if you discover a security vulnerability is to sell the information to organized crime. While you will still be breaking the law, at least you'll get some money out of it and since the people you tell have strong incentives to keep the flaw secret, the chance of getting caught is much smaller.

duh; anonymous email

Posted Nov 25, 2008 9:38 UTC (Tue) by astrophoenix (guest, #13528) [Link]

gentlemen, start up your mixmaster clients. that way you get to tell them what you found, but they don't know who you are. might be a good idea to wait a little while (few weeks?), so any activity you created in their logs will be rotated out.

"Sexist correctness" and all that

Posted Nov 27, 2008 12:43 UTC (Thu) by vonbrand (subscriber, #4458) [Link]

Sadly, what could have been a constructive discussion of the important issue at hand got sidetracked into the tiresome endless flamewar on the use of "she", "he", and/or "they". Can't we just agree there is no perfect solution at hand for this blemish of the English language (and many others, I might add) and move on?

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.