from the federal-shield-law? dept
So, basically, the company admits to a series of vulnerabilities, which exposed info that allowed the reporter to eventually see some private data... but still claims that the reporter was "hacking" and is now looking to sue under the same Computer Fraud and Abuse Act, which could lead to 5 years in prison. Because our federal government still hasn't passed a journalism shield law, the reporter is potentially liable, though, as the MinnPost reporter notes, Lookout seems particularly shortsighted in bringing this lawsuit in the first place. All it does is call more attention to its own vulnerabilities and failings. And the CEO of Lookout basically responds that she doesn't care:
While the legality and severity of Lookout's security breach remain to be adjudicated, there's no doubt Aslanian was trying to serve the public interest -- something a prosecutor might consider. As Dalglish says, "The state of Minnesota should be grateful MPR exposed what's going on. It seemed like a pretty good story."
So, even though this will publicize not just Lookout's failings, but also how it responds to people who notice and report on vulnerabilities, the company still thinks it needs to bring a lawsuit because exposing those vulnerabilities "was wrong"? I would argue that the company's reaction to this gives many more reasons never to do business with Lookout -- more than any discovered vulnerabilities. Vulnerabilities in software happen -- and it's more telling how a company reacts when they're exposed. Suing those who expose them isn't what you want to see.
Update: Lots of good points in the comments, pointing out (of course) that Lookout cannot bring criminal charges against the woman; only prosecutors could do that, and it seems unlikely they would do so in this case.
I asked Morley if she realized, by filing a high-profile suit, how hapless her timeline made Lookout look. After all, there's the webinar screwup, letting clients pick lame IDs/passwords and caching security credentials in such a way that rendered them useless.
"Yup," she admitted. "It was a perfect storm that came together. Our communication with the state really broke down -- in our contract, we had 60 days to fix any problem. But there was still an unauthorized intrusion, and that was wrong."