2006-04-20
Man charged with accessing USC student data
2006-04-21
Anonymous (3 replies)
If we were to punish every white hat in the world, there would be the same number of vulnerabilities, but only the criminals would know about them. Why? Because most system administrators still believe in security through obscurity, and most programmers are more concerned about getting the job done than writing secure code.
This guy, right or wrong, is innocent until proven guilty, no matter what the FBI says.
USC spent $100,000+ notifying people because they wrote or bought bad code. He notified SecurityFocus, but USC and the FBI have no knowledge that he was the first to find the vulnerability in their code. This data could have been hacked within days of it going online, and obviously USC was not monitoring it very closely, or they would have seen that people were running non-standard SQL queries.
Lastly, only if, and only if, he is guilty of attempting to break into the system should he deal with the prosecutor and take the plea. If he actually did discover the vulnerability by accident, and did stupidly test it a few times, he should stand up for what's right and fight. Luckily, I'm not smart enough to find a vulnerability like this, because I would test it a few times, just to make sure I didn't end up with egg on my face. End up facing charges, and get run over by the FBI and prosecutor in their rush to get on the news.
Oh, why is it illegal to find the vulnerability but not even slightly embarrassing to put the innocent at risk?
Link to this comment: http://www.securityfocus.com/comments/newsbriefs/191/973#973