In theory, he could probably be prosecuted for copyright violations as well, as the boarding passes he produced included the airline logo, and they didn't agree to its use. Really, it depends on the skill and guts of the lawyers involved what he will be charged with and how it all will go down. It's all about perception.

But, coming back to the issue at hand here... Is what he did wrong? Sure. Should he be locked up for it? I don't think so. This just falls back to the age-old full disclosure argument. If you know about a vulnerability, do you disclose it, or do you try to work with the vendor to get it fixed. In most cases, if the vuln is not publicly known, the vendor isn't really under any pressure to fix it, so they either don't, or really take their time about it. Making such things publicly known forces the vendor (or whoever) to acknowledge the problem and act on it. At least in theory.

I think, for the most part, responsible disclosure is important. Otherwise, only the bad guys will know about vulnerabilities and the vendors will be sitting on their hands. The question is, was this a responsible way to disclose this issue? Probably not, but I still don't think that this is a crime worthy of a long prison term. A slap on the wrist for him, and then refocus on the _real_ issue. The fact that this was even possible.

Just my $0.02

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/newsbriefs/342/1490#1490