Another Security Expert Faces Jailtime For Exposing Flaw
from the it-was-a-bad-idea-the-first-time-too dept
A few years ago, the government admitted it had erred in jailing Brett McDanel for discovering a security flaw at an ISP, and then emailing its customers to let them know. Now the government is heading down the same path as it is pressing charges against security consultant Eric McCarty. McCarty's crime? He entered the University of Southern California computer network, and then emailed some student profiles to the website SecurityFocus as evidence that the university had a major vulnerability. After SecurityFocus wrote about the incident, USC was easily able to trace the incident back to McCarty, prompting the DOJ to prosecute him. So what is a security researcher to do in this situation? Should they sit on the information? In retrospect he probably should have gone to the university first with his claims, though it's likely his warning would have fallen on deaf ears. It seems reasonable that he thought going to a respected trade website was the best way to get the word out quickly. One possible argument in favor of prosecution is that malicious hackers shouldn't be able to claim benign intent as a defense. But the facts in this case seem abundantly clear. If he had had any criminal intent, there was nothing stopping him from committing a crime. Clearly his intent was to expose a flaw and help the university clean up its system. Institutions need to learn that they are safer when third parties are helping them discover holes, and then establish guidelines for how to report flaws. Security by obscurity isn't much different than turning your face to the wall in a game of hide-and-go-seek. Remember how well that worked?
Reader Comments
Security Researchers who don't tell the ISP or Net
If you are trying to hack systems so you can then report the vulnerabilities to a third party so you can get your name in lights, you ARE a hacker! You don't deserve your name in lights; you deserve your name on the police blotter.
Substantiation please?
Substantiation...
though it's likely his warning would have fallen on deaf ears
and then an anonymous coward said:
Substantiation please?
Read 2600 magazine sometime. There are usually 3-5 stories of how students report security flaws to the school's system admins and then find themselves banned from using a computer at school forever.
I had a friend who tested a network as a favor for a friend of his. My friend crashed the network amazingly easily, and they got it back up fairly quickly, but he got charged; his "friend" decided to save his own ass and rolled over, and so my friend was convicted for hacking their network.
Then there was the admin who installed the Seti@Home screensaver and was charged with felony stealing of company resources.
Do I need to go on? I'm sure I can think of a few more.
If his goal was to help the university clean up its system, he would have gone to the university, not have it posted on a trade website.
You can't break the law.
Re: how is this different
maybe he IS expecting a job out of it.
Re: grammar police
Re:
Re:
Well, he didn't "take the money" so to speak. In this case, he simply proved that there was a security problem and then chose to make that information known...
The situations are not exactly analogous. Neither is this, but it illustrates the continuum: suppose you noticed the vault door was cracked and you opened it to peek inside and see if anybody was there and then get arrested for opening it and attempting to steal its contents.
subject here
I'd also like to know about the "fallen on deaf ears" thing.
I like AC but I'll never get sick of people correcting spelling and grammar on internet web/chat/communication forums.
What if he noticed a webpage might be vulnerable to a quick workaround in such a way that it could be caused to print student records, then printed out a couple and emailed them to someone whom he thought (correctly, as it turns out) could make the problem be solved?
There's a continuum here, guys. This lies somewhere on that line, and if you think it's near the malicious hacker extraordinaire end, you're off your rockers.
Right?
Isn't that the message that is being sent here? It's like Diebold threatening to sue, or suing (I can't remember which) a state's security testing team when they found security flaws in the Diebold voting systems.
The fact is that companies and organizations don't like to hear about problems. It's completely counter-intuitive, but it's the reality. If you notify them, they will either ignore you, or they will threaten you. Sometimes, if there are other individuals who may be harmed, the only option to protect them is to go public.
Re:
The 3-day suspension was nothing. Far worse was my computer science teacher being forced to rat me out and thus poisoning our relationship (we never spoke again; it was halfway through 12th grade, though).
There may not have been any malice intended, which in cyberspace often means it's not a crime; this is a case that should go to trial for a jury to decide.
Re:
Perhaps we can haggle over a more useful definition of exploit (verb)? Exploiting an exploit just enough to prove that it is an exploit might not be in spirit an exploitation.
Not so
"He entered the University of Southern California computer network, and then emailed some student profiles to the website SecurityFocus as evidence that the university had a major vulnerability."
"Well, he didn't "take the money" so to speak. In this case, he simply proved that there was a security problem and then chose to make that information known..."
When you stop saying "but he was trying to do this" and look at what he did, without knowing his intent, he broke the law.
Re:
Not as extreme as that. Nor as extreme as knocking somebody over the head and taking their wallet.
It's somewhere on the continuum, no matter how much you want to believe it is a matter of black and white or bold and plain.
Did anyone ask the students whose profiles were stolen what they thought of it? I'd be glad it was this guy that noticed the flaw and not a real criminal.