Where's The Line Between Exploiting A Security Flaw And Alerting People To The Flaw?

from the blurry-lines dept

Over the years we've seen so many stories of the messengers being blamed for finding security holes that you would think most folks would realize how dangerous it is to do so. After all, that just encourages those who find security holes to keep quiet, leaving huge security vulnerabilities wide open for those with malicious intent to exploit. However, what happens in cases where someone alerts those responsible for the flaw, but is also exploiting the flaw in some way? Do the lines get blurry?

For example, there's a story making the rounds about a 15-year-old student who has been charged with various crimes after accessing data on school employees. Apparently the school misconfigured its servers, meaning that plenty of students could have gotten access to the file. What's unclear, however, is the student's motive. In the article linked above, it just says that one of the two students who accessed the data "alerted the principal" of the security hole, sending a semi-anonymous email signed from "a student." However, the kid was quickly tracked down and promptly arrested.

On reading that story, it certainly sounds like yet another case of "blame the messenger." But it's not clear if that's really accurate. A local newspaper's version of the story is somewhat different, where it's claimed that the "alert" to the principal was the student sending an email saying "look what I have" as if he were gloating -- rather than alerting the school to a security breach. The police officer involved in the case also claims that the kid "was looking to profit from his criminal act." There aren't any details provided to back that up, but it certainly sounds like there may be more to this story than just a kid alerting officials to a security breach.


Reader Comments

  1. Anonymous Coward, Oct 29th, 2008 @ 7:23am

    When technology gets involved, ordinary thinking people get stupid.

    If someone broke into your house, looked around, then left you a letter about how they got in, and proved it by leaving the letter and describing what they saw, you'd probably freak the f#%& out and call the cops.

    This is how non-technical people perceive security breaches over computers: they believe it takes some sort of devious evil mind to break into a computer, requiring some sort of arcane twisted magic that involves bleeding on your computer to access these files. When in actuality it is stumbled upon while just poking around out of curiosity.

    Also, I hate crappy reporting. News agencies do not know the power they wield, as this kid is seemingly guilty of blackmail/extortion if he was going "look what I have! If you want your precious digital puppy back give everyone an A in Biology classes and ice cream!" But what if he was honestly a good kid trying to help out, saying "whoa! look out! here's a security hole some bad kids can get into!" With conflicting reports, who knows without more facts.


  2. Anonymous Coward, Oct 29th, 2008 @ 7:23am

    security = stopping people from knowing about security holes and arresting those who expose it.

    MORONS!


  3. Anonymous Coward, Oct 29th, 2008 @ 7:27am

    Re:

    That is security through obscurity, and it doesn't work to protect you from real threats.


  4. PRMan, Oct 29th, 2008 @ 7:35am

    Singing e-mail?

    Mike, I didn't know e-mail could sing. Mine can't.

    And shouldn't it be sang instead of singed?

    Anyway, it sounds like this kid was not being helpful and was instead trying to blackmail the school somehow. In that case he should get some punishment (suspended from school for a week, computer privileges suspended, etc.), but felonies are probably a little harsh for a 15-year-old high school kid playing pranks.


  5. drkkgt, Oct 29th, 2008 @ 7:59am

    Re:

    "news agencies do not know the power they wield"

    I would have to disagree with you on this one. They know perfectly well the power they wield, and they use it with precision. The article mentioned was designed to start the very knee-jerk reaction you talked about in your second and third paragraphs.


  6. Benjamin Wright, Oct 29th, 2008 @ 8:45am

    white hat hacking

    One of the key differences between a white hat hacker and a black hat is transparency . . . i.e., open, generous communication. A black hat hides and sneaks. A white hat announces herself, clearly, in advance, with full identification. See my essay for more detail and nuance. --Ben (This ain't legal advice for anyone; just public discussion. If you need legal advice, you should consult your lawyer.)


  7. Anonymous Coward, Oct 29th, 2008 @ 8:59am

    Re: white hat hacking

    What about pink hats?


  8. Anonymous Coward, Oct 29th, 2008 @ 9:10am

    it's not pink, just a lightish red!


  9. Hulser, Oct 29th, 2008 @ 9:11am

    Here's a quote from the local newspaper article...

    "He sent an e-mail to his principal saying, 'look what I have,'" DeFeciani said.

    If you ask me, this is an example of rather poor journalism. By itself, the quote has a vague implication of guilt, but that's not necessarily the case. It's not too much of a stretch that the kid may have said "Look what I have" in the context of presenting evidence of a security breach that he found and wanted to report.

    Also, the fact that the kid didn't realize that his e-mail could be tracked leads me to believe he's not some criminal hacker mastermind. From the vague information provided, it looks like, at worst, all he's "guilty" of is using some poor judgement.


  10. some old guy, Oct 29th, 2008 @ 9:13am

    Re: Singing e-mail?

    Mike, I didn't know e-mail could sing. Mine can't.

    Yet another reason to get a Mac! My OS can read my email in like 20 different sing-song harmonic voices. Even some that sound like bubbles popping and bells ringing and all sorts of other things I couldn't care less about!


  11. Joseph Durnal, Oct 29th, 2008 @ 9:31am

    Right way & wrong way

    There is definitely a right way and a wrong way to do this. Back in the day it was common for a white hat to drop a meta tag in the index.html, or some other non-disruptive message. These things would often be ignored, and even the white hats had to be a little more obnoxious to get the admin to fix something, like replacing the index.html page with something different (and saving the old one, of course). I always liked the "hey, your server wasn't secure, I fixed it for you and here is what I did" messages :).

    These days there seems to be an automatic suggestion that someone accessing a network without authorization means harm and the curious young folks with the best intentions get turned into criminals.

    If the kid in this story said "look what I have, now I expect payment or I'll publish all personal information on usenet," it would be different than if he said "look what I have, your server was configured to let any authenticated user access this file, including students and guests, & BTW, I could just use an after school IT job".

    Joseph Durnal


  12. Jake, Oct 29th, 2008 @ 10:34am

    Re: Right way & wrong way

    Arguably, though, poking around to see what will happen if you do such and such is still something you really shouldn't be doing on someone else's equipment; even a white-hat could end up doing some fairly major damage by accident, for which they should not expect and do not deserve much in the way of leniency.


  13. nasch, Oct 29th, 2008 @ 10:50am

    Re: Re: Right way & wrong way

    So what you're saying is nobody should be probing for security vulnerabilities, and we should all just let the black hats do it instead?


  14. Dosquatch, Oct 29th, 2008 @ 1:00pm

    Re: Re: Right way & wrong way

    Arguably, though, poking around to see what will happen if you do such and such is still something you really shouldn't be doing on someone else's equipment;

    Arguably, though, he might not have even been "poking around", at least not in the sense you're speaking of. For all you know, based on the level of detail in the article, it could just be an Excel spreadsheet left in a network share with open permissions. It could be plain old human stupidity on the front-end security and no more hacking than "I wonder what's in that folder" on the student's part.

    You don't think that stuff happens? Salaries got leaked at my last job in exactly this way.

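Comments 11 and 14 above both point at the same likely root cause: a file sitting on a server or network share whose permissions let any authenticated user, or simply everyone, read it. As an added example that is not part of the article or of any comment, the Python script below audits a directory tree for world-readable files, flags file names that hint at sensitive content, and tightens the mode so the "other" bits are cleared. It assumes POSIX permission bits (Windows share ACLs need a different check); the sample share, its file names and the name hints are constructed for the demo.

```python
"""Audit a share directory for world-readable files and fix them (added example)."""
import os
import stat
import tempfile
from pathlib import Path

# Constructed heuristic: substrings that often mark sensitive spreadsheets or exports.
SENSITIVE_HINTS = ("salar", "payroll", "ssn", "employee")


def is_world_readable(path: Path) -> bool:
    """True if the 'other' read bit is set, i.e. any local account can read the file."""
    return bool(path.stat().st_mode & stat.S_IROTH)


def audit_share(root: Path) -> list[dict]:
    """Walk the tree and report every file readable by everyone."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if is_world_readable(p):
                findings.append({
                    "path": str(p.relative_to(root)),
                    "mode": oct(stat.S_IMODE(p.stat().st_mode)),
                    "sensitive_name": any(h in name.lower() for h in SENSITIVE_HINTS),
                })
    return findings


def fix_permissions(path: Path) -> str:
    """Clear read/write/execute for 'other'; owner and group bits are left alone."""
    mode = stat.S_IMODE(path.stat().st_mode)
    new_mode = mode & ~(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)
    path.chmod(new_mode)
    return oct(new_mode)


def build_sample_share() -> Path:
    """Constructed sample share: one misconfigured file, one correctly restricted file."""
    root = Path(tempfile.mkdtemp(prefix="share_audit_"))
    (root / "staff").mkdir()
    leaked = root / "staff" / "employee_salaries.xlsx"
    leaked.write_bytes(b"constructed placeholder, not a real spreadsheet")
    leaked.chmod(0o644)  # world-readable: the misconfiguration the comments describe
    handbook = root / "staff" / "handbook.pdf"
    handbook.write_bytes(b"constructed placeholder")
    handbook.chmod(0o640)  # owner and group only
    return root


def demo() -> tuple[list[dict], list[dict]]:
    """Audit the sample share, fix what was found, and audit again."""
    root = build_sample_share()
    before = audit_share(root)
    for finding in before:
        fix_permissions(root / finding["path"])
    after = audit_share(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for f in before:
        tag = " (name suggests sensitive data)" if f["sensitive_name"] else ""
        print(f"world-readable: {f['path']} mode={f['mode']}{tag}")
    print(f"remaining after fix: {len(after)}")
```

Run it against a real share root instead of the constructed one by calling `audit_share(Path("/path/to/share"))` first and reviewing the findings before calling `fix_permissions`, since a blanket chmod can break files that are meant to be public. The name hints only prioritise the list; a file with an innocuous name can still hold personal data, so the mode check is the one that matters.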

  15. Dosquatch, Oct 29th, 2008 @ 1:05pm

    Re: Re: Re: Right way & wrong way

    ... and reported to the president not so differently either, come to think of it. Not an anonymous email, but an anonymous printout with cover letter expressing some non-specific dismay at certain inequities in pay levels for people in similar positions.

    The bossman, he was not pleased. "Politically charged atmosphere" doesn't come close. Ballmer's chair throw might.


  16. Dosquatch, Oct 29th, 2008 @ 1:14pm

    Re:

    If someone broke into your house, looked around, then left you a letter of how they got in and proved it by leaving the letter and describing what the author of the message saw you'd probably freak the f#%& out and call the cops.

    Everybody makes the mistake of trying to draw a parallel to someone breaking into your house. 'Tis wrong. Wrong, wrong, wrong.

    A publicly connected server should be compared to a publicly accessible structure, mkay? So, saying to the webmaster "Your server has a glaring security issue right there" is more akin to telling the manager at a convenience store "The back door to your beer cooler is wide open and nobody's paying attention."

    The appropriate response from the (manager or webmaster), assuming you didn't clean out the cooler first, is "Oh, crap!" and to CLOSE THE DOOR. Ranting, raving, and suing the messenger is just rude, and only encourages the next person to ignore the open door and say nothing while less scrupulous folks rob them blind.
