Where's The Line Between Exploiting A Security Flaw And Alerting People To The Flaw?
from the blurry-lines dept
Over the years we've seen so many stories of the messengers being blamed for finding security holes that you would think most folks would realize how dangerous it is to do so. After all, that just encourages those who find security holes to keep quiet, resulting in huge security vulnerabilities left wide open for those with malicious intent to exploit. However, what happens in cases where someone alerts those responsible for the flaw, but is also exploiting the flaw in some way? Do the lines get blurry?

For example, there's a story making the rounds about a 15-year-old student who has been charged with various crimes after accessing data on school employees. Apparently the school misconfigured its servers, meaning that plenty of students could have gotten access to the file. What's unclear, however, is the student's motive. In the article linked above, it just says that one of the two students who accessed the data "alerted the principal" to the security hole, sending a semi-anonymous email signed from "a student." However, the kid was quickly tracked down and promptly arrested.
On reading that story, it certainly sounds like yet another case of "blame the messenger." But it's not clear if that's really accurate. A local newspaper's version of the story is somewhat different, where it's claimed that the "alert" to the principal was the student sending an email saying "look what I have" as if he were gloating -- rather than alerting the school to a security breach. The police officer involved in the case also claims that the kid "was looking to profit from his criminal act." There aren't any details provided to back that up, but it certainly sounds like there may be more to this story than just a kid alerting officials to a security breach.
Reader Comments
If someone broke into your house, looked around, then left you a letter of how they got in and proved it by leaving the letter and describing what the author of the message saw, you'd probably freak the f#%& out and call the cops.
This is how non-technical people perceive security breaches over computers: they believe it takes some sort of devious evil mind to break into a computer, requiring some sort of arcane twisted magic that requires you to bleed on your computer to access these files, when in actuality it is stumbled upon while just poking around out of curiosity.
Also, I hate crappy reporting. News agencies do not know the power they wield, as this kid is seemingly guilty of blackmail/extortion if he was going "look what I have! If you want your precious digital puppy back give everyone an A in Biology classes and ice cream!" But what if he was honestly a good kid trying to help out, saying "whoa! look out! here's a security hole some bad kids can get into!"? With conflicting reports, who knows without more facts.
Re:
I would have to disagree with you on this one. They know perfectly well the power they wield and they use it with precision. The article mentioned was designed to start the very knee-jerk reaction you talked about in your second and third paragraph.
Re:
If someone broke into your house, looked around, then left you a letter of how they got in and proved it by leaving the letter and describing what the author of the message saw, you'd probably freak the f#%& out and call the cops.
Everybody makes the mistake of trying to draw a parallel to someone breaking into your house. 'Tis wrong. Wrong, wrong, wrong.
A publicly connected server should be compared to a publicly accessible structure, mkay? So, saying to the webmaster "Your server has a glaring security issue right there," is more akin to telling the manager at a convenience store "The back door to your beer cooler is wide open and nobody's paying attention."
The appropriate response from the (manager or webmaster), assuming you didn't clean out the cooler first, is "Oh, crap!" and to CLOSE THE DOOR. Ranting, raving, and suing the messenger is just rude, and only encourages the next person to ignore the open door and say nothing while less scrupulous folks rob them blind.
MORONS!
Singing e-mail?
And shouldn't it be sang instead of singed?
Anyway, it sounds like this kid was not being helpful and was instead trying to blackmail the school somehow. In that case he should get some punishment (suspended from school for a week, computer privileges suspended, etc.), but felonies are probably a little harsh for a 15-year-old high school kid playing pranks.
Re: Singing e-mail?
Yet another reason to get a mac! My OS can read my email in like 20 different sing song harmonic voices. Even some that sound like bubbles popping and bells ringing and all sorts of other things I couldn't care less about!
white hat hacking
"He sent an e-mail to his principal saying, 'look what I have,'" DeFeciani said.
If you ask me, this is an example of rather poor journalism. By itself, the quote has a vague implication of guilt, but that's not necessarily the case. It's not too much of a stretch that the kid may have said "Look what I have" in the context of presenting evidence of a security breach that he found and wanted to report.
Also, the fact that the kid didn't realize that his e-mail could be tracked leads me to believe he's not some criminal hacker mastermind. From the vague information provided, it looks like, at worst, what he's "guilty" of is using some poor judgement.
Right way & wrong way
These days there seems to be an automatic suggestion that someone accessing a network without authorization means harm and the curious young folks with the best intentions get turned into criminals.
If the kid in this story said "look what I have, now I expect payment or I'll publish all personal information on usenet," it would be different than if he said "look what I have, your server was configured to let any authenticated user access this file, including students and guests, & BTW, I could just use an after-school IT job".
Joseph Durnal
Re: Re: Right way & wrong way
Arguably, though, poking around to see what will happen if you do such and such is still something you really shouldn't be doing on someone else's equipment;
Arguably, though, he might not have even been "poking around", at least not in the sense you're speaking of. For all you know, based on the level of detail in the article, it could just be an Excel spreadsheet left in a network share with open permissions. It could be plain old human stupidity on the front-end security and no more hacking than "I wonder what's in that folder" on the student's part.
You don't think that stuff happens? Salaries got leaked at my last job in exactly this way.
Re: Re: Re: Right way & wrong way
... and reported to the president not so differently either, come to think of it. Not an anonymous email, but an anonymous printout with cover letter expressing some non-specific dismay at certain inequities in pay levels for people in similar positions.
The bossman, he was not pleased. "Politically charged atmosphere" doesn't come close. Ballmer's chair throw might.