A few years ago, the government admitted it had erred in jailing Brett McDanel for discovering a security flaw at an ISP, and then emailing its customers to let them know. Now the government is heading down the same path as it is pressing charges against security consultant Eric McCarty. McCarty's crime? He entered the University of Southern California computer network, and then emailed some student profiles to the website SecurityFocus as evidence that the university had a major vulnerability. After SecurityFocus wrote about the incident, USC was easily able to trace the incident back to McCarty, prompting the DOJ to prosecute him. So what is a security researcher to do in this situation? Should they sit on the information? In retrospect he probably should have gone to the university first with his claims, though it's likely his warning would have fallen on deaf ears. It seems reasonable that he thought going to a respected trade website was the best way to get the word out quickly. One possible argument in favor of prosecution is that malicious hackers shouldn't be able to claim benign intent as a defense. But the facts in this case seem abundantly clear. If he had had any criminal intent, there was nothing stopping him from committing a crime. Clearly his intent was to expose a flaw and help the university clean up its system. Institutions need to learn that they are safer when third parties are helping them discover holes, and then establish guidelines for how to report flaws. Security by obscurity isn't much different than turning your face to the wall in a game of hide-and-go-seek. Remember how well that worked?