Man charged with accessing USC student data
Robert Lemos, 2006-04-20
Man charged with accessing USC student data 2006-04-21
Anonymous (3 replies)
Re: Man charged with accessing USC student data 2006-04-21
Anonymous (2 replies)
Re: Re: Man charged with accessing USC student data 2006-04-24
Roger
> He didn't have permission to access the data or test it for flaws.

Yes, he did. He was a student at that university, legitimately using the site in question, who accidentally discovered the flaw whilst entering his own data. (This was clearly stated in the original article.) In other words, he accidentally mistyped whilst legitimately using the site, and the application showed him the data for one or more other persons; after saying "WTF?!?", he did it one or two more times to try to understand what he was seeing, realised it was a security hole, and reported it to a responsible person who was in a position to get it fixed.

You might ask why he didn't report it directly to USC, but the reason is obvious; it was because of the sort of idiocy embodied in this very report. No doubt McCarty has learned his lesson -- too late -- and next time he won't say anything at all, so the USC will be able to tell their student body that the entire database was stolen by the Russian mafia, instead of a handful of records briefly glimpsed by an honest man.

> It's a very different thing if you pound away on systems without authorization and find a flaw.

He didn't "pound away" on the system; even the prosecution allegation is that only a "handful of records were actually accessed". "A handful" is a vague quantifier (no doubt deliberately), but could be as few as two and certainly isn't as many as "pounding away".

> That's illegal. ...

You may well be right that it's illegal. But it certainly wasn't immoral, irresponsible, dishonest, or harmful to society. What McCarty did was the decent, moral, and responsible thing. If the law criminalises his actions, then it is a bad law and must be changed before it does more harm to society.

More to the point, there is a reason why prosecutors are allowed discretion for the benefit of the public good, and this is as clear cut an example as any I have seen. If Zweiback thinks this prosecution is in the public interest, then Zweiback should be removed from public office before he, too, can do more harm to society.

Copyright 2008, SecurityFocus