Breach case could curtail Web flaw finders
Robert Lemos, SecurityFocus 2006-04-26

Security researchers and legal experts have voiced concern this week over the prosecution of an information-technology professional for computer intrusion after he allegedly breached a university's online application system while researching a flaw without the school's permission.

Comments
In other words, shoot the messenger 2006-04-26
Anonymous (1 reply)
So he finds that USC has deployed vulnerable web code, and they take their site down to fix it, and he is responsible for the downtime of the website?

Let's see, we wouldn't want to blame the web programmer for writing insecure code. Or the USC Information Security Team for allowing the code to ...

Re: In other words, shoot the messenger 2006-04-26
Anonymous (5 replies)
As was clearly pointed out in the article, he didn't just "find" the hole, he EXPLOITED IT. He did his "research" on the school's system WITHOUT their permission. He was caught. Records of applicants were found on his personal machine and he was (rightfully) charged. There is no gray area here. ...

Re: Re: In other words, shoot the messenger 2006-04-27
Anonymous
Yes, never take pre-emptive action to protect the people, or your fellow student for that matter. It is the DA's opinion by filing the case that these actions are against the law. In reality you cannot tell if a website is vulnerable without running a test. Would you put your social security numb...

Re: Re: In other words, shoot the messenger 2006-04-27
Anonymous (3 replies)
I'm the OP. Since you are obviously a security expert, explain to me how you find a SQL Injection flaw without exploiting it?...

Re: Re: Re: In other words, shoot the messenger 2006-04-28
Anonymous
Umm. Until the code/cfg and infrastructure is tested to present-day technology, there isn't....

Re: Re: Re: In other words, shoot the messenger 2006-04-28
Anonymous
Well, first off, you don't try to randomly inject people's websites.... Second of all, the ole single quote rarely returns data or anything besides a SQL error if you inject something like 'blah, so I think that would be tough to call intrusion, but still, don't do this without a signed contract. ...

Re: Re: Re: In other words, shoot the messenger 2006-04-28
Anonymous
Test it by trying a few parameters. Appending a single ' in a field is, for 90% of the sites out there, a dead give-away that the site doesn't parse anything but just takes inputs literally....

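The single-quote test that the last three comments argue about, as an added example that is not part of this thread (the table, column names and rows are constructed for the demo and have nothing to do with the real USC system): the same lookup written once with string concatenation and once with parameter binding, run against an in-memory SQLite database. A trailing ' makes the injectable version throw a syntax error and return nothing, which is the "tell" the commenters mean; the tautology probe is the step that turns that error into other people's rows, and it is the step the thread is really arguing about. Run this only against a database you own.

```python
import sqlite3

# Added example, not code from the article or the thread. The table, columns
# and rows below are constructed for the demo; nothing refers to any real system.
SAMPLE_ROWS = [("alice", "000-00-0001"), ("bob", "000-00-0002")]

# Inputs a tester might append to a field. The single quote is the probe the
# comments above discuss; the tautology is what turns an error into data and
# is included only to make the difference visible.
PROBES = {
    "benign": "alice",
    "single_quote": "alice'",
    "tautology": "x' OR '1'='1",
}


def make_db():
    """In-memory SQLite database holding the constructed sample applicants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applicants (id INTEGER PRIMARY KEY, username TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO applicants (username, ssn) VALUES (?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_vulnerable(conn, username):
    """The injectable form: user input is spliced into the SQL text."""
    sql = "SELECT id, username FROM applicants WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """The fixed form: the driver binds the value, so a quote is just data."""
    sql = "SELECT id, username FROM applicants WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def probe(lookup, conn):
    """Run every probe through a lookup and classify the outcome.

    Returns a dict mapping probe name to either the string "error" (the
    database rejected the SQL, the single-quote tell) or the row count.
    """
    outcome = {}
    for name, value in PROBES.items():
        try:
            outcome[name] = len(lookup(conn, value))
        except sqlite3.OperationalError:
            outcome[name] = "error"
    return outcome


def looks_injectable(lookup, conn):
    """True when the single-quote probe errors while the benign input works."""
    result = probe(lookup, conn)
    return result["single_quote"] == "error" and result["benign"] == 1


if __name__ == "__main__":
    db = make_db()
    for label, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print(label, probe(fn, db), "injectable:", looks_injectable(fn, db))
```

Against the concatenated query the single quote yields an error and zero rows, and the tautology yields every row; against the bound query both are treated as literal usernames that match nothing. The remediation is the one-line difference between the two lookups, not input filtering.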
Re: Re: In other words, shoot the messenger 2006-04-28
Anonymous
Wrong. He proved that the hole was exploitable, and provided necessary information to the proper authorities for handling. Who benefits from that action? The students whose sensitive information is at risk.

If he sold the database to spammers or the russian mafia, then his actions would have been w...

Re: Re: In other words, shoot the messenger 2006-05-18
Spider Jerusalem
You're a fool.

USC originally LIED and claimed the emperor was quite clothed. In order to disprove this lie of the complacent, he accessed additional records.

You're right about one thing: no grey area here. Just some corrupt and/or incompetent admins abusing our already-overloaded legal sy...

Re: Re: In other words, shoot the messenger 2007-06-18
Anonymous
I hope YOU do jail time. They obviously didn't care until they had proof that the exploit was serious. Why are you so happy about systems being wide-open to exploitation?...

Breach case could curtail Web flaw finders 2006-04-26
Anonymous (7 replies)
I wonder who reading this article and is outraged by it would support this case (which is essentially the same thing): Say someone is walking by your house and decides they want to test the safety of the lock on your door. They then proceed to pick the lock, take a stroll through your house, and g...

Re: Breach case could curtail Web flaw finders 2006-04-26
Anonymous (1 reply)
This isn't really the case. This is more you leaving your door open, someone looking inside and noticing you have a pile of money on the table.

He then contacts you and lets you know the door was open, no money was taken and how to properly secure your door.

Analogies are going to go both wa...

Re: Re: Breach case could curtail Web flaw finders 2006-04-27
Anonymous
No, he only took some of your money to prove he could do it. Illegal....

Re: Breach case could curtail Web flaw finders 2006-04-26
Anonymous (2 replies)
You're absolutely correct. Like I said in my previous response, there is no gray area here. Everything he did from start to finish is exactly what Joe Hacker would do to break into the site. He claims he "tried not to hide" his actions, which I believe he is saying just to avoid the embarrassment o...

Re: Re: Breach case could curtail Web flaw finders 2006-04-26
Anonymous
This is not true at all, Joe hacker would be interested in ALL the records, not the 7 this guy is accused of accessing. Per another article, the only reason the number went from 2 to 7 is because USC didn't believe him when he reported the flaw.

The fact is that the data was accessible, it was fo...

Re: Re: Breach case could curtail Web flaw finders 2006-04-26
Anonymous
How is reporting the vulnerability through a well-respected site such as this one, and providing more records to the admin upon claiming that full DB access wasn't possible to show them it was, hiding? He waived his right to anonymity, and didn't bother to remove the records from his PC and gave them t...

Re: Breach case could curtail Web flaw finders 2006-04-27
unikbyte
I think it is more the case of:

1. House owner has a party and invites everyone to his/her home.

2. House owner asks everyone to leave their valuables in a "secure safe".

3. One particular "concerned guest" is skeptical of the "secure safe" and decides to check and see if his/her valuables...

Re: Breach case could curtail Web flaw finders 2006-04-27
Anonymous
It's not essentially the same thing, unless I'm storing your valuables in my house. If you want a scenario, how about this:

You're sitting in your bank's parking lot while your significant other is inside cashing a check. You notice people walking up to the employee entrance and entering without...

Re: Breach case could curtail Web flaw finders 2006-05-01
Anonymous
No, it's more like this: letting someone use your safe, so you check to make sure it's ok and it works, but if it doesn't the owner decides to blame the shitty safe on him. If you read even the first paragraph, he was a student there and he was getting blamed for downtime

which is lame...

Re: Breach case could curtail Web flaw finders 2006-05-15
Anonymous
Sorry. That does not fly. We're not talking about anyone's home here. What we're talking about is an educational institution that insists on having your social security number for identification purposes, a request which is illegal in the first place unless allowed by additional law. It is their r...

Re: Breach case could curtail Web flaw finders 2006-05-15
Anonymous
Yeah. We're so wrong to insist they safeguard our social security numbers ... after all the IRS is sending them to India.

Blah blah blah. The institutions don't have to be responsible, but individuals do. Bullsh##!...

Breach case could curtail Web flaw finders 2006-04-26
Anonymous
No, this is the case, I didn't say the door was left open I said it was locked. I also said the person went in and took something. This is trespassing and this is what the guy did. He broke in (unlocked the door) went inside (grabbed data from the database) and stole something (stored the data on...

FreeMcCarty.com 2006-04-26
Anonymous (2 replies)
Here is the website for his defense, worth looking at to see his side of the story....

Re: FreeMcCarty.com 2006-04-27
carl
OMG, I guess there is no end to the unauthorized-hacker-as-hero mystique. Thought that went out with bell bottoms. Apparently if you're running an insecure website you owe the guy who busts it out. ...

Re: FreeMcCarty.com 2006-04-28
Bilz
I agree that Mr. McCarty may have broken the law in an attempt to do something good. Unfortunately, what many of us see as "good" is sometimes not seen as "right" by others.

As they say: "The road to hell is paved with good intentions."

But I digress.

I think the shabby way Mr. McCarty is being...

Breach case could curtail Web flaw finders 2006-04-26
Anonymous
At this point, I'm inclined to agree. If a website is vulnerable do not put your data in there, don't say anything, let it be exploited, screw the people... That is the opinion of the courts DA who filed the case with statements from the trained observers that filed the case with the DA (All who r...

In other words don't steal data? 2006-04-27
Anonymous (1 reply)
This guy didn't give USC some sort of free security audit. He found an SQL vulnerability, then instead of telling the USC website admins he exploited it to take other people's data, gave that data to a third party and then bragged about it? "ihackedusc@gmail"? Oooo, he's l337. Then USC gets to cont...

Re: In other words don't steal data? 2006-04-27
Anonymous
Wow, way to twist a story around. He found the vulnerability, reported it to a neutral third party so they could contact the school and work to get it resolved.

As for notifying everyone, that's CA law, tough cookies. Let me ask you, would it be better if a researcher reported the vuln and helped ...

Imagine a world... 2006-04-27
jvf (1 reply)
...in which roving bands of well-meaning, idealistic vandals break into our homes and businesses on a regular basis, in order to enlighten us about how insecure our buildings are. You wouldn't stand for it, and you know it. The hypocritical behavior on the part of security researchers needs to sto...

Re: Imagine a world... 2006-09-26
Dve
Give me a break - who said "vandals"? - didn't spot any here. I see good neighbors telling you that you left your car unlocked with the keys in the ignition. Too bad you told me - I'll have to have you arrested now....

as expected... 2006-04-27
infamous41md (2 replies)
90% of you blindly take one side or the other, making up stupid examples to try and "prove" that your view is correct. This issue is amazingly complex; I don't see how anyone could come to such a firm conclusion on their own (more heads better than one).

I agree that when a student - or to ge...

Re: as expected... 2006-04-27
BXLE
Infamous,

Everyone is just ticked that a security guy found a problem and reported it. To make matters worse, he was arrested by a lackluster know-nothing police agency called the FBI. And, we all know that the FBI couldn't catch the clap in a whorehouse. That is the issue. The political scum that...

Re: as expected... 2006-04-28
Anonymous
You are obviously intelligent, and I will always question motive, but I do not believe you understand what the individual security researcher is facing [Uncle Sam + corp America] if that researcher [obviously not an evil person or there would be an extra 245k x ? of spam flowing] finds a point of ex...

appearance today 2006-04-29
mv
> When the FBI came knocking in August, McCarty
> had told them everything, believing he had
> nothing to hide, he said.

I made the same mistake. I don't know how your appearance in court today (28th) turned out, but I pray for your sake you pled "not guilty" and fight this to the end. "our" system...

He Should be Prosecuted 2006-05-01
Anonymous (2 replies)
A real "professional" would have first secured a contract or at the very least a written statement of permission from the University before proceeding with his "research". The law is not tricky! It is very clear and on point about such activities.

What a bonehead!...

Re: He Should be Prosecuted 2006-05-01
Anonymous
What of the responsibility of the site owner that contains the data? Should it not be a law that these sites that contain identity/banking information actively seek penetration testing? Oh, wait, that would force corporate expense, that'll never happen......

Re: He Should be Prosecuted 2006-05-23
Anonymous
What about the people running the vulnerable web site? Should they be prosecuted for breach of privacy and not correctly protecting the personally identifying information that they contain?...

Breach case could curtail Web flaw finders 2006-05-11
Dr MindHacker
The security professional is BS. The fact is, if a company does not specifically hire you to find any flaws / vulnerabilities then you are poking around without permission and deserve what you get.

A store, like a web page is open to public. If I walked into a store and started playing around...

Breach case could curtail Web flaw finders 2006-05-11
Anonymous (1 reply)
I would like to amend that if you are poking around a product that *you* purchased this should definitely be perfectly legal (instead we have the DMCA). This is the equivalent of some shyster selling poor alloy locks that can be broken with a crowbar and then facing criminal charges because you b...

Re: Breach case could curtail Web flaw finders 2006-05-15
Anonymous
HEY! WAKE UP!

Lest anyone forget ... we broke the law when we separated from England to right a wrong.

Lest anyone forget ... Civil Rights leaders broke the law via civil disobedience to right a wrong.

USC is wrong ... period. The problem is that it's much easier for USC to use Eric as a s...

Breach case could curtail Web flaw finders 2006-05-18
Spider Jerusalem
Turn it around on these imbecilic "administrators" who are suing a man they should be getting down on their knees and thanking not to mention paying.

250k records found to be accessible? The personal information and privacy of these users at risk due to incompetence or negligence? They're now w...

Breach case could curtail Web flaw finders 2006-05-18
King Mob
Clearly we must bow to the wiser heads to Law, Order and Bureaucracy.

Just because you *think* you see a mugging in process, doesn't mean you should interfere, Citizen. Leave it to the professionals; they're there to hold after-the-fact press conference, express remorse, proclaim revenge, and lo...

Breach case could curtail Web flaw finders 2006-05-29
Anonymous
This should, but likely will not, serve as a wakeup call for banks, educational institutions, and private businesses that posting an insecure public website on the internet should be a felony. A web database that can be exploited by the SQL Injection hack has a DBA and network sysadmin who need to b...

If it was anyone else, I would sympathize 2006-07-21
Anonymous (1 reply)
I have worked with this individual, and know him to be extremely arrogant, self-serving, boastful, and genuinely an ass much of the time. I don't believe his motives were pure. He was applying to the school. He is playing the martyr role very well, and making it rough for the legit folks like Adam L...

Re: If it was anyone else, I would sympathize 2006-08-28
Anonymous (1 reply)
Yes, he may well be all you say, however, not everyone smells like a rose 24x7x365 (or 366) so apart from personality disorders, what is going to be the result?

A law, ala Murphy, I once saw on a web site said that often the solution to a problem would create an even bigger problem. Yep, I think ...

Re: Re: If it was anyone else, I would sympathize 2006-09-08
Anonymous
It seems fairly obvious to me if the person is indeed a "professional" (quotes for doubt), his intent was to find a flaw then bring it to the attention of the school and get the kudos (and aid his chances of acceptance if applying as others state). The actions were clearly meant to derive benefit o...

Breach case could curtail Web flaw finders 2006-09-26
Dave
Brilliant!! - you notice that your neighbor has left their keys in their unlocked car - you tell them - they have you arrested!! Dohhh. To me it's the guy who left His employer's "unlocked car" with the keys in that should be hauled over the coals - and the good samaritan thanked...

Copyright 2009, SecurityFocus