Should Uninvited Security Examiners Be Punished?

This entry was posted on 5/3/2006 7:15 AM and is filed under Internet.

Recently another "good samaritan" has been criminally charged (SAN DIEGO COMPUTER EXPERT CHARGED WITH HACKING INTO U.S.C. COMPUTER SYSTEM CONTAINING STUDENT APPLICATIONS, http://www.usdoj.gov/usao/cac/pr2006/045.html) over the discovery and subsequent disclosure of a security risk, all of it done without the knowledge of the database's owner.  Rather than discuss the specific case, the basic question is whether we as a society allow or encourage, or instead punish, those who practice vigilante-style security tests.

If a well-intentioned individual were to walk around a neighborhood checking whether doors and windows were locked, it would not take long before that individual was apprehended by law enforcement and likely faced a bevy of charges.  Some would like the same level of enforcement on the Internet, but few support the concept, since the Internet is a "new world" and deserves unique controls.  However, when the Internet "security examiner" takes overt steps to exploit vulnerabilities, and perhaps even "takes" a sample item to prove success, the picture changes.  This is not unlike the well-intentioned individual walking into homes with unlocked doors, then searching for and taking an item of value to prove success.

If that were your home, you would likely be outraged and very possibly embarrassed.  Law enforcement would also take a very dim view.  Whereas the first incident would likely result in probation with full dismissal upon successful completion of probation or the charges simply dropped with a stern warning, the latter situation would likely result in some form of permanent criminal record.  Should not the same standard apply to those who take on the role of vigilante Internet security examiner?

Comments

    • 5/3/2006 10:23 AM Jack Holleran wrote:
      I will stipulate he may have been trying to do a good deed.

      But California has a law and so does the fed.

      Due to the California law, they have to notify over 250,000 people. The postage alone is over $100,000. Add the extra costs of preparing a letter, reproduction, envelopes, stuffing, and answering constituents (alumni and 250,000 potential calls), and news media (lots of unscheduled clerical to executive man hours "diverted" from normal work schedules).

      Mr. McCarty should have been aware of the law.

      In reading some of the articles, my biggest concern is he did not go to USC but to a publisher to report the problem.

      He could have anonymously (worse case) submitted proof to USC discussing the problem.

      But I think he wanted credit (probably why he went to Security Focus).

      I'm not sure what the punishment should be if he is found guilty. Restitution of costs alone will probably take 15-20 years to pay off (purely a WAG).

      But what should we, information security professionals, do as a group?

      Maybe we can develop an ethics presentation with some case studies and impact to society when someone does actions like Mr. McCarty has done. This is an example where proactive education and awareness events might reduce and possibly eliminate vigilante acts such as this.

      Additionally, we may want to develop a tech tool package and offer volunteer services to do exactly what Mr. McCarty was doing. The difference: we're invited to do it, with permission.
    • 5/3/2006 10:24 AM Anonymous wrote:
      To me, this is akin to the current question of the illegal aliens
      looking for amnesty and acceptance. If a law is on the books and
      someone breaks it, should they be prosecuted? My vote is yes. If it's
      a dumb law, litigate the heck out of it and change it via our
      republic's way of doing that, but follow it as written until.
    • 5/3/2006 8:15 PM David Gillett wrote:
      History abounds with examples of laws so cretinously immoral (not
      necessarily stupid) that many people of conscience could not follow
      them -- and generally this has tended to lead to litigation and
      change. So I'm reluctant to accept that "follow it as written until"
      is a sound *universal* approach.

      But I haven't seen a convincing argument that would qualify either
      current immigration law or current computer security law as
      "cretinously immoral", and so I concur with the application of this
      philosophy to the case under discussion.

      Access without permission is access without permission. Personal
      credentials just mean one should know better and cannot convincingly
      plead innocent error. Altruism might be taken into consideration at
      sentencing, but only then.
    • 5/3/2006 10:06 PM anonymous coward wrote:
      Bob, the problem with the whole "entering a house and taking something" analogy is that it doesn't work right. In the real world, the Cops have to prove you intended to "permanently deprive" someone of the object in question to get home for a conviction - and your putative burglar is not so intent. Besides which, "taking data" is in fact getting a replicated copy of a pattern of electrons/magnetic poles, leaving the original in place: No theft, the "owner" still has it. Which is why we have ended up with some pitifully drafted legislation, worldwide, which is successfully catching all the wrong people. No slur on LE, just doing their jobs. But when the laws (which almost exclusively do NOT contain wording around intent!) permit these kinds of infringements of natural justice, law-abiding citizens cannot be safe. For instance, I would have thought it impossible to get convicted of mistyping something in a browser, until the tsunami hacker, but apparently the law is so badly skewed that this radical idea from wonderland (after all, where are the laws saying that websites must only accept properly formatted, error-corrected strings before they can go online?) is now a reality. But it seems that until a "real raw user" gets convicted, rather than a Computer Professional, it's not news.
    • 5/11/2006 6:32 AM Steve Kalman wrote:
      Bob,

      I agree with your basic premise, that uninvited security testers do more harm than good and need to be discouraged by law and by society.

      My concern here is the person who stumbles upon a weakness through otherwise legitimate actions. We need a safe harbor in any law prohibiting the former that protects the latter.

      In the current environment, anyone who contacts a company advising them of a security shortcoming is likely to become the target of a criminal investigation. With law enforcement not yet computer-savvy enough to make the distinction between an attacker and a good samaritan (and with no good samaritan computer laws) the best advice for anyone is to keep quiet about your discoveries. This is an unfortunate loss to security in particular and society in general.

      Steve
    • 6/4/2007 11:17 AM Samiam wrote:
      Agree for the most part with S. Kalman, for the reasons he stated. However, your "home/door/arrest" analogy is seriously flawed. With some exceptions, hacking security at internet web sites is more analogous to testing the locks on a public (or quasi-public) building that contains confidential personal information about some or all of us, including the erstwhile hacker. That changes the conceptual landscape in such a way that it could lead to a different conclusion, although that is not preordained.

      -Samiam