Another Security Expert Faces Jailtime For Exposing Flaw

from the it-was-a-bad-idea-the-first-time-too dept

A few years ago, the government admitted it had erred in jailing Brett McDanel for discovering a security flaw at an ISP and then emailing its customers to let them know. Now the government is heading down the same path, pressing charges against security consultant Eric McCarty. McCarty's crime? He entered the University of Southern California computer network and then emailed some student profiles to the website SecurityFocus as evidence that the university had a major vulnerability. After SecurityFocus wrote about the incident, USC was easily able to trace it back to McCarty, prompting the DOJ to prosecute him. So what is a security researcher to do in this situation? Should they sit on the information? In retrospect he probably should have gone to the university first with his claims, though it's likely his warning would have fallen on deaf ears. It seems reasonable that he thought going to a respected trade website was the best way to get the word out quickly. One possible argument in favor of prosecution is that malicious hackers shouldn't be able to claim benign intent as a defense. But the facts in this case seem abundantly clear: if he had had any criminal intent, there was nothing stopping him from committing a crime. Clearly his intent was to expose a flaw and help the university clean up its system. Institutions need to learn that they are safer when third parties are helping them discover holes, and then establish guidelines for how to report flaws. Security by obscurity isn't much different from turning your face to the wall in a game of hide-and-go-seek. Remember how well that worked?


Reader Comments

  • Jeremy, May 10th, 2006 @ 1:55pm

    Security Researchers who don't tell the ISP or Net

    give other Security Professionals a bad name. He really should have notified the University's Networking department before exposing them to the world. It's good public policy to give them a chance to correct the problem. You can always go public if they sit on the information first. Otherwise you just make them mad and thus less likely to fix it.

  • anonymous coward, May 10th, 2006 @ 1:59pm

    he chose getting press for himself over fixing the problem. he deserves the legal hassles.

    if you are trying to hack systems so you can then report the vulnerabilities to a third party so you can get your name in lights, you ARE a hacker! You don't deserve your name in lights, you deserve your name on the police blotter.

  • Anonymous Coward, May 10th, 2006 @ 2:01pm

    though it's likely his warning would have fallen on deaf ears

    Substantiation please?

    • ehrichweiss, May 10th, 2006 @ 8:30pm

      Substantiation...

      someone said:
      though it's likely his warning would have fallen on deaf ears
      and then an anonymous coward said:
      Substantiation please?

      Read 2600 magazine sometime, there are usually 3-5 stories of how students report security flaws to the school's system admins and then find themselves banned from using a computer at school forever.

      Had a friend who tested a network as a favor for a friend of his...my friend crashed the network amazingly easily and they got it back up fairly quickly but he got charged, his "friend" decided to save his own ass and rolled over and so my friend was convicted for hacking their network.

      Then there was the admin who installed the Seti@Home screensaver and was charged with felony stealing of company resources.

      Do I need to go on? I'm sure I can think of a few more.

  • Patrick Mullen, May 10th, 2006 @ 2:01pm

    So how is this different than breaking into a bank at night, taking the money out and going public with the loot? Oh, and then expect banks to hire you to help them with their security?

    If his goal was to help the university clean up its system, he would have went to the university, not have it posted in a trade website.

    You can't break the law.

    • Chris Harris, May 10th, 2006 @ 2:17pm

      Re: how is this different

      Well, hundreds of criminals have gotten jobs with government agencies by being so good that they have to be hired to catch the other good guys...

      maybe he IS expecting a job out of it.

    • Anonymous Coward, May 10th, 2006 @ 2:26pm

      Re: grammar police

      should have "went"???

    • Adam, May 10th, 2006 @ 2:31pm

      Re:

      Frank William Abagnale Jr. did. It takes a thief to catch a thief.

    • Mike (profile), May 10th, 2006 @ 6:28pm

      Re:

      So how is this different than breaking into a bank at night, taking the money out and going public with the loot? Oh, and then expect banks to hire you to help them with their security?

      Well, he didn't "take the money" so to speak. In this case, he simply proved that there was a security problem and then chose to make that information known...

  • Anonymous Coward, May 10th, 2006 @ 2:14pm

    The difference is that, perhaps, with a bank if you get caught red-handed, nobody will ever know whether you were trying to be helpful or trying to be malicious. With hacking, you are unlikely to get caught red-handed.

    The situations are not exactly analogous. Neither is this, but it illustrates the continuum: suppose you noticed the vault door was cracked and you opened it to peek inside and see if anybody was there and then get arrested for opening it and attempting to steal its contents.

  • Yoop, May 10th, 2006 @ 2:34pm

    He probably will get a job out of this. So many people who have done this type of thing end up getting a job like the crime they committed was a badge of honor.
    I'd also like to know about the "fallen on deaf ears" thing.

    I like AC but I'll never get sick of people correcting spelling and grammar on internet web/chat/communication forums.

  • Git R Done..., May 10th, 2006 @ 2:58pm

    Hang 'em high. These schmucks deserve to be sent to prison.

  • Anonymous Coward, May 10th, 2006 @ 3:15pm

    What if he typed the wrong IP and found a login prompt and tried blank/blank and got in? What if he smashed his way into their system and destroyed its usability and wrecked it so bad the entire network needed reinstalling?

    What if he noticed a webpage might be vulnerable to a quick workaround in such a way that it could be caused to print student records, then printed out a couple and emailed them to someone whom he thought (correctly, as it turns out) could make the problem be solved?

    There's a continuum here, guys. This lies somewhere on that line, and if you think it's near the malicious hacker extraordinaire end, you're off your rockers.

  • Anonymous Coward, May 10th, 2006 @ 3:18pm

    moral of the story, if you discover a flaw in somebody's computer system, don't bother trying to help them.... just rob 'em blind.

    Right?

    Isn't that the message that is being sent here? It's like Diebold threatening to sue, or suing (I can't remember which) a state's security testing team when they found security flaws in the Diebold voting systems.

    The fact is that companies and organizations don't like to hear about problems. It's completely counter-intuitive, but it's the reality. If you notify them, they will either ignore you, or they will threaten you. Sometimes if there are other individuals who may be harmed, the only option to protect them is to go public.

    • Anonymous Coward, May 10th, 2006 @ 3:34pm

      Re:

      My high school didn't like to hear from me how some other kids had broken the pc security systems and replaced start pages with whitehouse.com [nsfw of course].

      The 3-day suspension was nothing. Far worse was my computer science teacher being forced to rat me out and thus poisoning our relationship (we never spoke again, it was halfway through 12th grade tho).

  • Anonymous Coward, May 10th, 2006 @ 3:37pm

    After he broke in, he e-mailed student profiles to a third party. This was very poor judgement and a little beyond exposing a security flaw. While it's not illegal to discover, and even advertise, security problems, it is illegal to exploit them.

    There may not have been any malice intended, which in cyberspace often means it's not a crime, but this is a case that should go to trial for a jury to decide.

    • Anonymous Coward, May 10th, 2006 @ 3:55pm

      Re:

      Maybe he sanitized the records somehow. Seems like the sort of fact that might get overlooked.

      Perhaps we can haggle over a more useful definition of exploit (verb)? Exploiting an exploit just enough to prove that it is an exploit might not be in spirit an exploitation.

  • Brad Joe D.D., PhD., May 10th, 2006 @ 4:25pm

    Not so

    He didn't "exploit" the hack (making it available to the public). He saw a broken window, went in and let security know. Of course why he needed to show proof is his biggest problem... actually gathering the other students' information. If you see a broken window you don't go in, take a TV and head to the police station to give them the TV to show proof that the window was broken.

  • Matt, May 10th, 2006 @ 9:08pm

    From the post..

    "He entered the University of Southern California computer network, and then emailed some student profiles to the website SecurityFocus as evidence that the university had a major vulnerability."


    "Well, he didn't "take the money" so to speak. In this case, he simply proved that there was a security problem and then chose to make that information known..."


    • Email is basically a file in a format suitable for transmitting across the internet.
    • Student profiles are files in a format for storage on a server.
    • Above described files were stored on a server, property of USC.
    • The taking of someone else's property without their sole permission is, under U.S. law, theft.



    When you stop saying "but he was trying to do this" and look at what he did, without knowing his intent, he broke the law.

    • Anonymous Coward, May 11th, 2006 @ 9:51am

      Re:

      Perhaps the same way you break the law when you go into someone else's burning building to rescue a screaming child.

      Not as extreme as that. Nor as extreme as knocking somebody over the head and taking their wallet.

      It's somewhere on the continuum, no matter how much you want to believe it is a matter of black and white or bold and plain.

      Did anyone ask the students whose profiles were stolen what they thought of it? I'd be glad it was this guy that noticed the flaw and not a real criminal.

