Comments on: Man Charged For Notifying USC of Vulnerability

By: Dominic White

Dominic White — Wed, 26 Apr 2006 01:17:27 +0000

Agreed :)

By: Adam

Adam — Tue, 25 Apr 2006 20:35:40 +0000

I think this is a good case for prosecutorial discretion. Where’s the deep harm? A trial will cost (I think) $100,000 for legal fees. That’s a deterent, in and of itself.

By: Dominic White

Dominic White — Tue, 25 Apr 2006 16:00:26 +0000

Whoops sorry about the double posting. Damn GPRS.

By: Iang

Iang — Tue, 25 Apr 2006 15:59:06 +0000

The prosecution and any popular press article will cover their butts by claiming that the “researcher” was really “hacking”. If you believe the prosecutor, or SecurityFocus, I’ve got a bridge to sell you. If you want to wait for the facts, I’ve two bridges to sell you! This isn’t to say that the guy *wasn’t* hacking … but … as a security researcher or practitioner, if you go anywhere near a security site, you risk prosecution. You risk setting off a chain of events that results in you having to defend your actions before the judge, and he isn’t interested in your arcane opinions of security or any informal permissions.
The easily visible but predictably unforseen consequences are that a security researcher would be mad raving nuts loony to do any security research in any sense at all near a company unless he was backed up by clear contracts, disclaimers, promises and was married to the boss’s daughter. And even then, he could get into trouble. Check the prices on liability insurance for ethical hacking. So costs for defence will rise because most programmers will wisely look the other way when they see a flaw.
Which inevitably means that net security as a whole will decrease. Especially as none of this applies to the (real) attacker.

By: Dominic White

Dominic White — Tue, 25 Apr 2006 15:57:02 +0000

I fully agree, but we[1] do prosecute some things which are a crime, and breaking into databases is one of them.
I think the incentive here is that he should be let off the hook for not intending to do harm, but rather good. This is the kind of analysis a trial is supposed to perform.
My real bone of contention is that you are making it sound like disclosing flaws will get you in jail. That is true in some cases and should be fought against. But in this instance it isn’t the disclosure which got him into trouble, it was the breaking in to the database. Given that it is possible to seperate the two i.e. disclosure could have happened without him breaking the law, there is no point conflating them.
[1] By we, I mean Merkins, I am not a Merkin and may have missed some subtleties of Merkin law.

By: Dominic White

Dominic White — Tue, 25 Apr 2006 15:55:57 +0000

By: Adam

Adam — Tue, 25 Apr 2006 11:28:17 +0000

Dominic,
I don’t think everything that’s wrong is a crime that ought to be prosecuted. I also don’t think that we should structure incentives to discourage noticing problems.

By: Dominic White

Dominic White — Tue, 25 Apr 2006 10:13:39 +0000

That’s silly.
If I break into a database with malicious intent and only view a handful of records, I have commited a crime. My sentencing will take into account that it was only a handful, but it isn’t grounds to dismiss the case.
I could spend my life developing a nuclear weapon to destroy the world, my not doing that does not count in my favour. I’m not going to slap my work mates on the back and thank them for not going on a murderous romp throught the office (well, there is this one guy…).
Many of us have been there, sitting with the live system, sure that your exploit will give you the access you want and dying to take it further. The reality is, you aren’t allowed to. Rather chat to the admins and get their permission to test the exploit.

By: Chris Walsh

Chris Walsh — Mon, 24 Apr 2006 11:07:25 +0000

@Scott:
Security focus link: http://www.securityfocus.com/brief/191
“The flaw could have allowed an attacker to send commands to the database that powered the site by using the user name and password text boxes. USC’s Information Services Division confirmed the problem and shuttered the site, which contained data on nearly 280,000 applicants, on June 20 as a precaution. The university believes, and the prosecutors allege, that only a handful of records were actually accessed.”
As I read this, they KNOW he looked at a handful, but he COULD have looked at 280K (or done a ‘DROP database’ for all we know. Whether looking at a handful of records (which could easily have come from a single select statement) is worthy of prosecution is a judgment call. I’m with Adam on this.

By: Scott

Scott — Mon, 24 Apr 2006 09:56:21 +0000

A wee spot of jumping to conclusions, don’t you think? Clearly, if the prosecution is about the demonstration of the flaw it is overzealous for our tastes. Equally clearly, if the guy took a tour through the database because he could before reporting the flaw, he should be prosecuted. The SecurityFocus article (link?) hints that his viewing wasn’t gratuitous, but the full facts are not presented.
The clear message: have the facts before drawing a conclusion.