Where's The Line Between Exploiting A Security Flaw And Alerting People To The Flaw?
from the blurry-lines dept
Over the years we’ve seen so many stories of the messengers being blamed for finding security holes that you would think most folks would realize how dangerous it is to do so. After all, that just encourages those who find security holes to keep quiet, leaving serious vulnerabilities wide open for those with malicious intent to exploit. However, what happens in cases where someone alerts those responsible for the flaw, but is also exploiting the flaw in some way? Do the lines get blurry?
For example, there’s a story making the rounds about a 15-year-old student who has been charged with various crimes after accessing data on school employees. Apparently the school misconfigured its servers, meaning that plenty of students could have gotten access to the file. What’s unclear, however, is the student’s motive. In the article linked above, it just says that one of the two students who accessed the data “alerted the principal” to the security hole, sending a semi-anonymous email signed from “a student.” However, the kid was quickly tracked down and promptly arrested.
On reading that story, it certainly sounds like yet another case of “blame the messenger.” But it’s not clear if that’s really accurate. A local newspaper’s version of the story is somewhat different, where it’s claimed that the “alert” to the principal was the student sending an email saying “look what I have” as if he were gloating — rather than alerting the school to a security breach. The police officer involved in the case also claims that the kid “was looking to profit from his criminal act.” There aren’t any details provided to back that up, but it certainly sounds like there may be more to this story than just a kid alerting officials to a security breach.
Comments on “Where's The Line Between Exploiting A Security Flaw And Alerting People To The Flaw?”
When technology gets involved, ordinary thinking people get stupid.
If someone broke into your house, looked around, then left you a letter about how they got in and proved it by describing what they saw, you’d probably freak the f#%& out and call the cops.
This is how non-technical people perceive security breaches over computers: they believe it takes some sort of devious evil mind to break into a computer, requiring some sort of arcane twisted magic that involves you bleeding on your computer to access these files. When in actuality it is stumbled upon while just poking around out of curiosity.
Also, I hate crappy reporting. News agencies do not know the power they wield, as this kid is seemingly guilty of blackmail/extortion if he was going “look what I have! If you want your precious digital puppy back, give everyone an A in Biology classes and ice cream!” But what if he was honestly a good kid trying to help out, saying “whoa! look out! here’s a security hole some bad kids can get into!” With conflicting reports, who knows without more facts.
Re: Re:
“news agencies do not know the power they wield”
I would have to disagree with you on this one. They know perfectly well the power they wield and they use it with precision. The article mentioned was designed to start the very knee-jerk reaction you talked about in your second and third paragraph.
Re: Re:
If someone broke into your house, looked around, then left you a letter about how they got in and proved it by describing what they saw, you’d probably freak the f#%& out and call the cops.
Everybody makes the mistake of trying to draw a parallel to someone breaking into your house. ‘Tis wrong. Wrong, wrong, wrong.
A publicly connected server should be compared to a publicly accessible structure, mkay? So, saying to the webmaster “Your server has a glaring security issue right there” is more akin to telling the manager at a convenience store “The back door to your beer cooler is wide open and nobody’s paying attention.”
The appropriate response from the manager or webmaster, assuming you didn’t clean out the cooler first, is “Oh, crap!” and to CLOSE THE DOOR. Ranting, raving, and suing the messenger is just rude, and only encourages the next person to ignore the open door and say nothing while less scrupulous folks rob them blind.
security = stopping people from knowing about security holes and arresting those who expose it.
MORONS!
Re: Re:
That is security through obscurity, and it doesn’t work to protect you from real threats.
Singing e-mail?
Mike, I didn’t know e-mail could sing. Mine can’t.
And shouldn’t it be sang instead of singed?
Anyway, it sounds like this kid was not being helpful and was instead trying to blackmail the school somehow. In that case he should get some punishment (suspended from school for a week, computer privileges suspended, etc.), but felonies are probably a little harsh for a 15-year-old high school kid playing pranks.
Re: Singing e-mail?
Mike, I didn’t know e-mail could sing. Mine can’t.
Yet another reason to get a mac! My OS can read my email in like 20 different sing song harmonic voices. Even some that sound like bubbles popping and bells ringing and all sorts of other things I couldn’t care less about!
white hat hacking
One of the key differences between a white hat hacker and a black hat is transparency . . . i.e., open, generous communication. A black hat hides and sneaks. A white hat announces herself, clearly, in advance, with full identification. See my essay for more detail and nuance. –Ben (This ain’t legal advice for anyone; just public discussion. If you need legal advice, you should consult your lawyer.)
Re: white hat hacking
What about pink hats?
it’s not pink, just a lightish red!
Here’s a quote from the local newspaper article…
“He sent an e-mail to his principal saying, ‘look what I have,’” DeFeciani said.
If you ask me, this is an example of rather poor journalism. By itself, the quote has a vague implication of guilt, but that’s not necessarily the case. It’s not too much of a stretch that the kid may have said “Look what I have” in the context of presenting evidence of a security breach that he found and wanted to report.
Also, the fact that the kid didn’t realize that his e-mail could be tracked leads me to believe he’s not some criminal hacker mastermind. From the vague information provided, it looks like, at worst, he’s “guilty” of using some poor judgement.
Right way & wrong way
There is definitely a right way and a wrong way to do this. Back in the day it was common for a white hat to drop a meta tag in the index.html, or some other non-disruptive message. These things would often be ignored, and even the white hats had to be a little more obnoxious to get the admin to fix something, like replacing the index.html page with something different (and saving the old one, of course). I always liked the “hey, your server wasn’t secure, I fixed it for you and here is what I did” messages :).
These days there seems to be an automatic suggestion that someone accessing a network without authorization means harm and the curious young folks with the best intentions get turned into criminals.
If the kid in this story said “look what I have, now I expect payment or I’ll publish all the personal information on Usenet,” it would be different than if he said “look what I have, your server was configured to let any authenticated user access this file, including students and guests, & BTW, I could use an after-school IT job.”
Joseph Durnal
Re: Right way & wrong way
Arguably, though, poking around to see what will happen if you do such and such is still something you really shouldn’t be doing on someone else’s equipment; even a white-hat could end up doing some fairly major damage by accident, for which they should not expect and do not deserve much in the way of leniency.
Re: Re: Right way & wrong way
So what you’re saying is nobody should be probing for security vulnerabilities, and we should all just let the black hats do it instead?
Re: Re: Right way & wrong way
Arguably, though, poking around to see what will happen if you do such and such is still something you really shouldn’t be doing on someone else’s equipment;
Arguably, though, he might not have even been “poking around”, at least not in the sense you’re speaking of. For all you know, based on the level of detail in the article, it could just be an Excel spreadsheet left in a network share with open permissions. It could be plain old human stupidity on the front-end security and no more hacking than “I wonder what’s in that folder” on the student’s part.
You don’t think that stuff happens? Salaries got leaked at my last job in exactly this way.
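The misconfiguration this thread keeps coming back to is a sensitive file sitting on a shared server with permissions that let every authenticated user read it, whether that is a spreadsheet in an open network share or a file any student account can open. What follows is an added example, not code from the article or from any commenter, of the audit a school's admin could have run before a student stumbled onto the file: walk a share, flag spreadsheets and documents whose mode bits grant group or world read, and lock them down. It assumes a POSIX filesystem (mode bits, not Windows ACLs), and the staff-share layout, file names and suffix list are constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path

# Mode bits that mean "anyone who can reach the share can read this".
# Group read is included because on a typical school server every
# student account lands in one big group, so group-readable is
# effectively everyone-readable.
EXPOSED_READ = stat.S_IRGRP | stat.S_IROTH

# Hypothetical list of extensions worth flagging; adjust for your share.
SENSITIVE_SUFFIXES = (".xls", ".xlsx", ".csv", ".doc", ".docx", ".pdf")


def find_overexposed(root, sensitive_suffixes=SENSITIVE_SUFFIXES):
    """Walk ROOT and return a sorted list of (relative_path, octal_mode)
    for sensitive files whose mode grants read to group or others."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in sensitive_suffixes:
                continue
            mode = path.stat().st_mode
            if mode & EXPOSED_READ:
                rel = path.relative_to(root).as_posix()
                findings.append((rel, oct(stat.S_IMODE(mode))))
    return sorted(findings)


def harden(root, findings):
    """Restrict every flagged file to owner read/write only (0600).
    Returns the number of files changed."""
    for rel, _mode in findings:
        os.chmod(Path(root) / rel, 0o600)
    return len(findings)


def build_demo_share():
    """Constructed sample input: a throwaway 'staff share' with one
    properly locked payroll file, one salary spreadsheet left at 0644
    (the 'look what I have' case), and one harmless file to ignore."""
    root = Path(tempfile.mkdtemp(prefix="staffshare_"))
    hr = root / "hr"
    hr.mkdir()

    locked = hr / "payroll_2008.xlsx"
    locked.write_bytes(b"fake workbook")
    os.chmod(locked, 0o600)

    leaky = hr / "salaries.xlsx"
    leaky.write_bytes(b"fake workbook")
    os.chmod(leaky, 0o644)  # the misconfiguration under discussion

    menu = root / "lunch_menu.txt"
    menu.write_bytes(b"pizza friday")
    os.chmod(menu, 0o644)  # world-readable but not sensitive
    return root


if __name__ == "__main__":
    share = build_demo_share()
    found = find_overexposed(share)
    for rel, mode in found:
        print(f"EXPOSED {mode} {rel}")
    print(f"fixed {harden(share, found)} file(s); remaining: {find_overexposed(share)}")
```

The point of the suffix filter is to keep the report short enough that someone actually reads it; a share full of world-readable lunch menus is noise, one world-readable salary spreadsheet is the finding. On a real share the list of suffixes and the choice to treat group-read as exposure both depend on how accounts are grouped, so check those assumptions against your own directory layout before trusting an empty report.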
Re: Re: Re: Right way & wrong way
… and reported to the president not so differently either, come to think of it. Not an anonymous email, but an anonymous printout with cover letter expressing some non-specific dismay at certain inequities in pay levels for people in similar positions.
The bossman, he was not pleased. “Politically charged atmosphere” doesn’t come close. Ballmer’s chair throw might.