Robert Lemos, 2006-04-20
Man charged with accessing USC student data
2006-04-21
Anonymous (3 replies)
Re: Man charged with accessing USC student data
2006-04-21
Anonymous (2 replies)
He didn't have permission to access the data or test it for flaws. It's one thing if you are hired to test a system for flaws and you find one...that's okay. It's a very different thing if you pound away on systems without authorization and find a flaw. That's illegal. ...
Re: Re: Man charged with accessing USC student data
2006-04-24
Roger
> He didn't have permission to access the data or test it for flaws.
Yes, he did. He was a student at that university, legitimately using the site in question, who accidentally discovered the flaw whilst entering his own data. (This was clearly stated in the original article.) In other words, he ...
According to the article, he claimed to be a student...
2006-04-24
Anonymous
According to the article, he claimed to be a student. If that's true and this site was asking for his personal information, I think ethically he has the right to verify that the data is going to be stored securely. Granted, the details and facts are sketchy, but if USC had my data, I'd be thanking...
Re: Man charged with accessing USC student data
2006-04-22
Anonymous
> This guy freely gave information about the flaw
It wouldn't be the first time they shot the messenger. Witness what happened to Adrian Lamo after he contacted the gov and sent them his name.
"I went to a non-existent Web site with a longly-structured URL consisting of a sentence indicating t...
Re: Man charged with accessing USC student data
2006-04-22
Anonymous
I would like to hear what the fallout at USC was. Is anyone there criminally negligent for not having procedures in place to verify that the data protection mechanisms were effective?
How can you get ten years for typing ' or 1=1-- into a text input on a public web page? Who did this harm? If it w...
Man charged with accessing USC student data Lessons to be learned
2006-04-24
Anonymous
Unfortunate for Eric, but it will serve as a lesson to those starting in the security field not to do anything before being prepaid and covered by a legal exemption/non-accountability agreement with the client.
Once I read an article by a group of Russian security researchers (a reputable one) where they ...
Man charged with accessing USC student data
2006-04-25
Proneet (1 replies)
Considering that this is not the first incident of data stolen from educational institutions, it would again highlight why Intrusion Prevention Systems form a critical component of the security framework. Along with NAC (Network Access Control), they would go a long way in protecting the infras...
Man charged with accessing USC student data
2006-05-06
Anonymous (2 replies)
Hey, his actions cost the university $140,000 (at least part of the expense went towards the notification of those whose data was potentially exposed - per CA state law http://www.signonsandiego.com/news/metro/20060421-9999-1m21hacker.html) and the loss of the system for 10 days.
What he did was ...
Re: Man charged with accessing USC student data
2006-05-10
Anonymous
You're absolutely right, what he did was wrong. Everyone should be perfect and never type anything into a text box other than what the programmers expect, and there should be criminal and civil penalties for everyone who does make a typing mistake.
If we were to punish every white hat in the world, ...
Re: Man charged with accessing USC student data
2006-05-11
VoodooChild
But at what point did he penetrate the system? He did not take over the system, he did not try to figure out the administrator password, he did not exploit any buffer overflows. McCarty asked the database the right question. He did grab a few records which may not have been the smartest thing in t...

This guy freely gave information about the flaw, in such a way that the flaw could be fixed before it was public knowledge.
The details of what precisely the flaw was are sketchy, but it appears that it ...