Security researchers say they have been threatened with indictment for their work investigating internet vulnerabilities

Some of the world’s best-known security researchers claim to have been threatened with indictment over their efforts to find vulnerabilities in internet infrastructure, amid fears American computer hacking laws are perversely making the web less safe to surf.

Many in the security industry have expressed grave concerns around the application of the US Computer Fraud and Abuse Act (CFAA), complaining law enforcement and lawyers have wielded it aggressively at anyone looking for vulnerabilities in the internet, criminalising work that’s largely benign.

They have also argued the law carries overly severe punishments, is too vague and does not consider context, only the action.

HD Moore, creator of the ethical hacking tool Metasploit and chief research officer of security consultancy Rapid7, told the Guardian he had been warned by US law enforcement last year over a scanning project called Critical.IO, which he started in 2012. The initiative sought to find widespread vulnerabilities using automated computer programs to uncover the weaknesses across the entire internet.
'Law enforcement are killing careers'

Jeremiah Grossman, CEO of cyber research firm Whitehat Security, believes that the aggressive application of the law will lead to researchers quitting before they’ve found serious problems on the internet, leading to a degradation of its overall security.

“Right now they are probably killing careers, because they're not accounting for intent,” said Grossman.

“The chilling effect is on the problems we don't know about yet. The canaries in the coalmine? They just killed them all. So now we're going to suffer the consequences.”

The project that landed Moore in trouble, Critical.IO, uncovered some serious, widespread vulnerabilities, including one case where between 40 and 50 million network machines could have been compromised due to weaknesses in a network protocol, known as Universal Plug and Play (UPnP).

Yet US law enforcement continued to pursue Moore, even though he was transparent with his role and the reasons for his scanning, he claimed, without naming the government body that was responsible.

[link to www.theguardian.com]