Another Security Expert Faces Jailtime For Exposing Flaw

from the it-was-a-bad-idea-the-first-time-too dept

A few years ago, the government admitted it had erred in jailing Brett McDanel for discovering a security flaw at an ISP, and then emailing its customers to let them know. Now the government is heading down the same path as it is pressing charges against security consultant Eric McCarty. McCarty's crime? He entered the University of Southern California computer network, and then emailed some student profiles to the website SecurityFocus as evidence that the university had a major vulnerability. After SecurityFocus wrote about the incident, USC was easily able to trace the incident back to McCarty, prompting the DOJ to prosecute him. So what is a security researcher to do in this situation? Should they sit on the information? In retrospect he probably should have gone to the university first, with his claims, though it's likely his warning would have fallen on deaf ears. It seems reasonable that he thought going to a respected trade website was the best way to get the word out quickly. One possible argument in favor of prosecution is that malicious hackers shouldn't be able to claim benign intent as a defense. But the facts in this case seem abundently clear. If he had had any criminal intent there was nothing stopping him from committing a crime. Clearly his intent was to expose a flaw and help the university clean up its system. Institutions need to learn that they are safer when third parties are helping them discover holes, and then establish guidelines for how to report flaws. Security by obscurity isn't much different than turning your face to the wall in a game of hide-and-go-seek. Remember how well that worked?
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Jeremy, 10 May 2006 @ 1:55pm

    Security Researchers who don't tell the ISP or Net

    give other Security Professionals a bad name. He really should have notified the Uninversity's Networking department before exposing them to the world. It's good public policy to give them a chance to correct the problem. You can always go public if they sit on the information first. Otherwise you just make them mad and thus less likely to fix it.

    link to this | view in thread ]

  2. identicon
    anonymous coward, 10 May 2006 @ 1:59pm

    he chose getting press for himself over fixing the problem. he deserves the legal hassles.

    if you are trying to hack systems so you can then report the vulnerabilities to a third party so you can get your name in lights, you ARE a hacker! You don't deserve your name in lights, you deserve your on the police blotter.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 10 May 2006 @ 2:01pm

    though it's likely his warning would have fallen on deaf ears

    Substantiation please?

    link to this | view in thread ]

  4. identicon
    Patrick Mullen, 10 May 2006 @ 2:01pm

    So how is this different than breaking into a bank at night, taking the money out and going public with the loot? Oh, and then expect banks to hire you to help them with their security?

    If his goal was to help the university clean up its system, he would have went to the university, not have it posted in a trade website.

    You can't break the law.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 10 May 2006 @ 2:14pm

    The difference is that, perhaps, with a bank if you get caught red-handed, nobody will ever know whether you were trying to be helpful or trying to be malicious. With hacking, you are unlikely to get caught redhanded.

    The situations are not exactly analogous. Neither is this, but it illustrates the continuum: suppose you noticed the vault door was cracked and you opened it to peek inside and see if anybody was there and then get arrested for opening it and attempting to steal its contents.

    link to this | view in thread ]

  6. identicon
    Chris Harris, 10 May 2006 @ 2:17pm

    Re: how is this different

    Well, hundreds of criminals have gotten jobs with government agencies by being so good that they have to be hired to catch the other good guys...

    maybe he IS expecting a job out of it.

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 10 May 2006 @ 2:26pm

    Re: grammar police

    should have "went"???

    link to this | view in thread ]

  8. identicon
    Adam, 10 May 2006 @ 2:31pm

    Re:

    Frank William Abagnale Jr. did. It takes a thief to catch a thief.

    link to this | view in thread ]

  9. identicon
    Yoop, 10 May 2006 @ 2:34pm

    subject here

    He probably will get a job out of this. So many people who have done this type of thing end up getting a job like the crime they commited was a badge of honor.
    I'd also like to know about the "fallen on deaf ears" thing.

    I like AC but I'll never get sick of people correcting spelling and grammar on internet web/chat/communication forums.

    link to this | view in thread ]

  10. identicon
    Git R Done..., 10 May 2006 @ 2:58pm

    Hang em high. These schmucks deserve to be sent to prison.

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 10 May 2006 @ 3:15pm

    What if he typed the wrong IP and found a login prompt and tried blank/blank and got in? What if he smashed his way into their system and destroyed its usability and wrecked it so bad the entire network needed reinstalling?

    What if he noticed a webpage might be vulnerable to a quick workaround in such a way that it could be caused to print student records, then printed out a couple and emailed them to someone whom he thought (correctly, as it turns out) could make the problem be solved?

    There's a continuum here, guys. This lies somewhere on that line and if you think its near the malicious hacker extraordinaire end you're off your rockers.

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 10 May 2006 @ 3:18pm

    moral of the story, if youi discover a flaw in somebody's computer system, don't bother trying to help them.... just rob 'em blind.

    Right?

    Isn't that the message that is being sent here? It's like Diebold threatening to sue, or suing (I can't remember which) a state's security testing team when they found security flaws in the Diebold voting systems.

    The fact is that companies and organizations don't like to hear about problems. It's completely counter-intuitive, but it's the reality. If you notify them, they will either ignore you, or they will threaten you. Sometimes if there are other individuals who may be harmed, the only option to protect them is to go public

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 10 May 2006 @ 3:34pm

    Re:

    My high school didnt like to hear from me how some other kids had broken the pc security systems and replaced start pages with whitehouse.com [nfsw of course].

    The 3-day suspension was nothing. Far worse was my computer science teacher being forced to rat me out and thus poisoning our relationship (we never spoke again, it was halfway through 12th grade tho).

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 10 May 2006 @ 3:37pm

    After he broke in, he e-mailed student profiles to a third party. This was very poor judgement and a little beyond exposing a security flaw. While it's not illegal to discover, and even advertise, security problems, it is illegal to exploit them.

    There may not have been any malice intended, which in cyberspace often means it's not a crime, this is a case that should go to trial for a jury to decide.

    link to this | view in thread ]

  15. identicon
    Anonymous Coward, 10 May 2006 @ 3:55pm

    Re:

    Maybe he sanitized the records somehow. Seems like the sort of fact that might get overlooked.

    Perhaps we can haggle over a more useful definition of exploit (verb)? Exploiting an exploit just enough to prove that it is an exploit might not be in spirit an exploitation.

    link to this | view in thread ]

  16. identicon
    Brad Joe D.D., PhD., 10 May 2006 @ 4:25pm

    Not so

    He didn't "exploit" the hack (making it available to the public). He saw a broken window went in and let security know. Of course why he needed to show proof is his biggest problem... actually gathering the other student's information. If you see a broken window you dont go in, take a TV and head to the police station to give them the TV to show proof that the window was broken.

    link to this | view in thread ]

  17. icon
    Mike (profile), 10 May 2006 @ 6:28pm

    Re:

    So how is this different than breaking into a bank at night, taking the money out and going public with the loot? Oh, and then expect banks to hire you to help them with their security?

    Well, he didn't "take the money" so to speak. In this case, he simply proved that there was a security problem and then chose to make that information known...

    link to this | view in thread ]

  18. identicon
    ehrichweiss, 10 May 2006 @ 8:30pm

    Substantiation...

    someone said:
    though it's likely his warning would have fallen on deaf ears
    and then an anonymous coward said:
    Substantiation please?

    Read 2600 magazine sometime, there are usually 3-5 stories of how students report security flaws to the school's system admins and then find themselves banned from using a computer at school forever.

    Had a friend who tested a network as a favor for a friend of his...my friend crashed the network amazingly easily and they got it back up fairly quickly but he got charged, his "friend" decided to save his own ass and rolled over and so my friend was convicted for hacking their network.

    Then there was the admin who installed the Seti@Home screensaver and was charged with felonly stealing company resources.

    Do I need to go on? I'm sure I can think of a few more.

    link to this | view in thread ]

  19. identicon
    Matt, 10 May 2006 @ 9:08pm

    From the post..

    "He entered the University of Southern California computer network, and then emailed some student profiles to the website SecurityFocus as evidence that the university had a major vulnerability."


    "Well, he didn't "take the money" so to speak. In this case, he simply proved that there was a security problem and then chose to make that information known..."


    • Email is basically a file in a format suitable for transmitting across the internet.
    • Student profiles are files in a format for storage on a server.
    • Above described files were stored on a server, property of USC.
    • The taking of someone else's property without their sole permission is, under U.S. law, theft.



    When you stop saying "but he was trying to do this" and look at what he did, without knowing his intent, he broke the law.

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 11 May 2006 @ 9:51am

    Re:

    Perhaps the same way you break the law when you go into someone else's burning building to rescue a screaming child.

    Not as extreme as that. Nor as extreme as knocking somebody over the head and taking their wallet.

    Its somewhere on the continuum, no matter how much you want to believe it is a matter of black and white or bold and plain

    Did anyone ask the students whose profiles were stolen what they thought of it? I'd be glad it was this guy that noticed the flaw and not a real criminal.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.