{"href":"http://player.captivate.fm/services/oembed?url=http%3A%2F%2Fplayer.captivate.fm%2Fepisode%2Fd6b0b14b-7f3d-4872-8df9-b63d594b3c24","version":"1.0","provider_name":"Captivate.FM","provider_url":"https://www.captivate.fm","width":600,"height":200,"type":"rich","html":"<iframe style=\"width: 100%; height: 200px;\" title=\"When good-faith hacking gets people arrested, with Harley Geiger\" frameborder=\"0\" scrolling=\"no\" allow=\"clipboard-write\" seamless src=\"http://player.captivate.fm/episode/d6b0b14b-7f3d-4872-8df9-b63d594b3c24\"></iframe>","title":"When good-faith hacking gets people arrested, with Harley Geiger","description":"When Lock and Code host David Ruiz talks to hackers\u2014especially good-faith hackers who want to dutifully report any vulnerabilities they uncover in their day-to-day work\u2014he often hears about one specific law in hushed tones of fear: the Computer Fraud and Abuse Act.\nThe Computer Fraud and Abuse Act, or CFAA, is a decades-old hacking law in the United States whose reputation in the hacker community is dim. To hear hackers tell it, the CFAA is responsible not only for equipping law enforcement to imprison good-faith hackers, but also for many of the legal threats that hackers face from big companies that want to squash their research.\nThe fears are not entirely unfounded.\nIn 2017, a security researcher named Kevin Finisterre discovered that he could access sensitive information about the Chinese drone manufacturer DJI by utilizing data that the company had inadvertently left public on GitHub. Conducting research within rules set forth by DJI's recently announced bug bounty program, Finisterre took his findings directly to the drone maker.\nBut, after informing DJI about the issues he found, he was faced not with a bug bounty reward, but with a lawsuit threat alleging that he violated the CFAA.\nThough DJI dropped its interest, as Harley Geiger, senior director for public policy at Rapid7, explained on today's episode of Lock and Code, even the threat itself can destabilize a security researcher.\n\"[It] is really indicative of how questions of authorization can be unclear and how CFAA threats can be thrown about when researchers don\u2019t play ball, and the pressure that a large company like that can bring to bear on an independent researcher,\" Geiger said.\nToday, on the Lock and Code podcast, we speak with Geiger about other hacking laws that can be violated when conducting security research, how hackers can document their good-faith intentions, and the Department of Justice's recent decision to not prosecute hackers who are only hacking for the benefit of security.\nYou can also find us on\u00a0Apple Podcasts,\u00a0Spotify, and\u00a0Google Podcasts, plus whatever preferred podcast platform you use.\nShow notes and credits:\nIntro Music: \u201cSpellbound\u201d by Kevin MacLeod (incompetech.com)\nLicensed under Creative Commons: By Attribution 4.0 License\nhttp://creativecommons.org/licenses/by/4.0/\nOutro Music: \u201cGood God\u201d by Wowa (unminus.com)","thumbnail_width":300,"thumbnail_height":300,"thumbnail_url":"https://artwork.captivate.fm/46f60530-5dbe-4702-8eda-82bea14341ab/lock-and-code-logo-2021-ar2rs.jpg"}