Another Security Expert Faces Jailtime For Exposing Flaw

from the it-was-a-bad-idea-the-first-time-too dept

A few years ago, the government admitted it had erred in jailing Brett McDanel for discovering a security flaw at an ISP, and then emailing its customers to let them know. Now the government is heading down the same path as it is pressing charges against security consultant Eric McCarty. McCarty’s crime? He entered the University of Southern California computer network, and then emailed some student profiles to the website SecurityFocus as evidence that the university had a major vulnerability. After SecurityFocus wrote about the incident, USC was easily able to trace the incident back to McCarty, prompting the DOJ to prosecute him. So what is a security researcher to do in this situation? Should they sit on the information? In retrospect he probably should have gone to the university first with his claims, though it’s likely his warning would have fallen on deaf ears. It seems reasonable that he thought going to a respected trade website was the best way to get the word out quickly. One possible argument in favor of prosecution is that malicious hackers shouldn’t be able to claim benign intent as a defense. But the facts in this case seem abundantly clear. If he had had any criminal intent, there was nothing stopping him from committing a crime. Clearly his intent was to expose a flaw and help the university clean up its system. Institutions need to learn that they are safer when third parties are helping them discover holes, and then establish guidelines for how to report flaws. Security by obscurity isn’t much different than turning your face to the wall in a game of hide-and-go-seek. Remember how well that worked?



Comments on “Another Security Expert Faces Jailtime For Exposing Flaw”

20 Comments
Jeremy (user link) says:

Security Researchers who don't tell the ISP or Net

give other Security Professionals a bad name. He really should have notified the University’s Networking department before exposing them to the world. It’s good public policy to give them a chance to correct the problem. You can always go public if they sit on the information first. Otherwise you just make them mad and thus less likely to fix it.

anonymous coward says:

he chose getting press for himself over fixing the problem. he deserves the legal hassles.

if you are trying to hack systems so you can then report the vulnerabilities to a third party so you can get your name in lights, you ARE a hacker! You don’t deserve your name in lights, you deserve your name on the police blotter.

ehrichweiss says:

Re: Substantiation...

someone said:

though it’s likely his warning would have fallen on deaf ears

and then an anonymous coward said:

Substantiation please?

Read 2600 magazine sometime, there are usually 3-5 stories of how students report security flaws to the school’s system admins and then find themselves banned from using a computer at school forever.

Had a friend who tested a network as a favor for a friend of his…my friend crashed the network amazingly easily and they got it back up fairly quickly but he got charged, his “friend” decided to save his own ass and rolled over and so my friend was convicted for hacking their network.

Then there was the admin who installed the Seti@Home screensaver and was charged with felony stealing of company resources.

Do I need to go on? I’m sure I can think of a few more.

Patrick Mullen says:

So how is this different than breaking into a bank at night, taking the money out and going public with the loot? Oh, and then expect banks to hire you to help them with their security?

If his goal was to help the university clean up its system, he would have gone to the university, not have it posted on a trade website.

You can’t break the law.

Mike (profile) says:

Re: Re:

So how is this different than breaking into a bank at night, taking the money out and going public with the loot? Oh, and then expect banks to hire you to help them with their security?

Well, he didn’t “take the money” so to speak. In this case, he simply proved that there was a security problem and then chose to make that information known…

Anonymous Coward says:

The difference is that, perhaps, with a bank if you get caught red-handed, nobody will ever know whether you were trying to be helpful or trying to be malicious. With hacking, you are unlikely to get caught red-handed.

The situations are not exactly analogous. Neither is this, but it illustrates the continuum: suppose you noticed the vault door was cracked and you opened it to peek inside and see if anybody was there and then get arrested for opening it and attempting to steal its contents.

Yoop says:

subject here

He probably will get a job out of this. So many people who have done this type of thing end up getting a job, like the crime they committed was a badge of honor.

I’d also like to know about the “fallen on deaf ears” thing.

I like AC but I’ll never get sick of people correcting spelling and grammar on internet web/chat/communication forums.

Anonymous Coward says:

What if he typed the wrong IP and found a login prompt and tried blank/blank and got in? What if he smashed his way into their system and destroyed its usability and wrecked it so bad the entire network needed reinstalling?

What if he noticed a webpage might be vulnerable to a quick workaround in such a way that it could be caused to print student records, then printed out a couple and emailed them to someone whom he thought (correctly, as it turns out) could make the problem be solved?

There’s a continuum here, guys. This lies somewhere on that line, and if you think it’s near the malicious hacker extraordinaire end you’re off your rockers.

Anonymous Coward says:

moral of the story, if you discover a flaw in somebody’s computer system, don’t bother trying to help them…. just rob ’em blind.

Right?

Isn’t that the message that is being sent here? It’s like Diebold threatening to sue, or suing (I can’t remember which) a state’s security testing team when they found security flaws in the Diebold voting systems.

The fact is that companies and organizations don’t like to hear about problems. It’s completely counter-intuitive, but it’s the reality. If you notify them, they will either ignore you, or they will threaten you. Sometimes, if there are other individuals who may be harmed, the only option to protect them is to go public.

Anonymous Coward says:

Re: Re:

My high school didn’t like to hear from me how some other kids had broken the PC security systems and replaced start pages with whitehouse.com [NSFW of course].

The 3-day suspension was nothing. Far worse was my computer science teacher being forced to rat me out and thus poisoning our relationship (we never spoke again, it was halfway through 12th grade tho).

Anonymous Coward says:

After he broke in, he e-mailed student profiles to a third party. This was very poor judgement and a little beyond exposing a security flaw. While it’s not illegal to discover, and even advertise, security problems, it is illegal to exploit them.

There may not have been any malice intended, which in cyberspace often means it’s not a crime, but this is a case that should go to trial for a jury to decide.

Brad Joe D.D., PhD. says:

Not so

He didn’t “exploit” the hack (making it available to the public). He saw a broken window, went in, and let security know. Of course why he needed to show proof is his biggest problem… actually gathering the other students’ information. If you see a broken window you don’t go in, take a TV and head to the police station to give them the TV to show proof that the window was broken.

Matt says:

From the post..

“He entered the University of Southern California computer network, and then emailed some student profiles to the website SecurityFocus as evidence that the university had a major vulnerability.”

“Well, he didn’t “take the money” so to speak. In this case, he simply proved that there was a security problem and then chose to make that information known…”

  • Email is basically a file in a format suitable for transmitting across the internet.
  • Student profiles are files in a format for storage on a server.
  • Above described files were stored on a server, property of USC.
  • The taking of someone else’s property without their sole permission is, under U.S. law, theft.

When you stop saying “but he was trying to do this” and look at what he did, without knowing his intent, he broke the law.

Anonymous Coward says:

Re: Re:

Perhaps the same way you break the law when you go into someone else’s burning building to rescue a screaming child.

Not as extreme as that. Nor as extreme as knocking somebody over the head and taking their wallet.

It’s somewhere on the continuum, no matter how much you want to believe it is a matter of black and white or bold and plain.

Did anyone ask the students whose profiles were stolen what they thought of it? I’d be glad it was this guy that noticed the flaw and not a real criminal.
