What to Do from Now On

I cannot cover this topic completely without devoting an entire book to it, and perhaps not even then. Security practices do not fit neatly into white hat or black hat categories. There are legal and ethical gray areas where most of you live and work. This book intends to give you technical skills in using an assortment of security tools, but it's how you use those tools that creates the legal and ethical challenges with which this chapter, the legal system, and society grapple.

Any bozo can file a lawsuit, but you will usually receive some notification first, in the form of a demand or cease and desist letter. If you receive one of these, get advice from a lawyer. Perhaps the suit can be prevented or settled ahead of time.

Criminal charges often come without any advance notice to you. The FBI may show up at your door asking questions; they may have a warrant to seize your computers; they may ask permission to take your machines. You may never hear anything further from them, or you may get arrested months later. Local law enforcement investigates differently. If law enforcement comes to question you, ask for a lawyer immediately. You may have done nothing wrong, and you may want to cooperate, but that is something that a skilled attorney must help you with. Sometimes the police tell you that getting a lawyer is just making matters worse for you. Actually, it makes matters worse for them, because there's someone looking out for your interests and making sure that they keep their promises to you.

In less extreme situations, consider following the basic "What to do to protect yourself" bullet points throughout this chapter. They are certainly obvious, but you'd be surprised how seldom they are considered.

Ask for permission. Do not take things you are not intended to take. Do not break things. Publish your findings in open forums, using not-for-profit language and with good intent. Do not fake passwords. When you tinker with programs, make sure they are yours, and do your research on your own time, on your own computers, without intent to gain financially or to destroy something someone else has built.

Finally, there may be times you will not be able to follow these edicts. But as my best friend wrote when she gave me an etiquette book for my wedding, it's best to know the rules before you break them. The legalities and ethics of the network security field are in their infancy. If I haven't said it enough times already, here it is once more: if you are operating in a gray area and something feels strange, get legal advice from a practicing lawyer in the field.

—Jennifer Stisa Granick