I think we need to be VERY careful with how we define 'hacking' especially if there are going to be dire consequences attached. I, personally, went thru a circus wherein I disclosed a security problem with a closely related organization's server that was simply (and inexcusably) misconfigured. All I used was Netscape's Server Tools menu. Disclosure of their problem was immediate (within hours) and the repurcussions none too pleasant. If it wasn't for saner heads in much higher ranks telling the techno-stupid to shut up and fix their problem I could easily have been brought up on charges ands courts martial.

I don't totaly condone this guy's behavior nor his tardiness in disclosure. As soon as he found a problem he should IMO have been on the phone with the admins. "Zero Tolerance" policies have never worked and their unintended side-effects are absolutely staggering and serious to the least likely of victims. Washington needs to take a big chill pill. And people who find holes (even by accident) need to be more responsible.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/358/11434#11434