
[News] Spot a Bug, Go to Jail


ben


In the Wired News article Spot a Bug, Go to Jail there was some discussion about a few different court cases.

Case 1. Eric McCarty, a professional computer security consultant, found a coding issue with a web application at USC that allowed an attacker to harvest personal information. As proof McCarty anonymously e-mailed a sample of personal records to a reporter. USC later traced the server activity back to McCarty yet he claims he is innocent of any crime.

I can't believe he's claiming to be innocent. He found a vulnerability, which I can see as being fairly benign, but then he accessed personal information and sent it to someone else. It's like if he noticed a car was unlocked (not a crime) but then he took a package out of the back seat to prove to the owner (or in this case someone else) that it was unlocked. He still took the package.

Case 2. Stefan Puffer, a security consultant, was charged with illegally accessing a county court's wireless LAN to prove that it was insecure.

I haven't been able to find much information about what he accessed, or how it was accessed, so I can't really comment on this one. If he just accessed the wireless network by connecting to an unauthenticated network I don't believe he broke any laws. If he cracked WEP, or used any other unauthorized authentication, I believe he should have been convicted.

If others have info about how he accessed the wireless LAN or what information he accessed while on the wireless LAN I'd be interested in reading more.

Case 3. Bret McDanel was charged with a crime for e-mailing out information about a security hole to potential victims, the "customers of his former employer".

Since McDanel did not use the security vulnerability in any way (at least not as is stated in any information I could find) I believe he was not guilty of computer crimes. He unfortunately was convicted but later had the ruling overturned.

The most disturbing part of the article was the following quote:

People need to be able to exercise a little bit of self-help before plugging their data into web forms, and security professionals who happen upon vulnerabilities shouldn't have to choose between leaving the system wide open to attack and prosecution.

I agree that people should check out the security of a web site before using it but I believe there is no difference between someone who uses a bug in code to get information to show the company that a bug exists and a person who uses a bug in code to get information that they use for crimes. Both of these people illegally accessed private data. If you were not hired by the company to test the security of a site or system then you have absolutely no reason to access that data, even as proof of a security bug.

If you find a potential security bug you should report it to the company. As long as you don't use that bug to access data you should not be convicted of any crimes. If, after you report the bug, the company fails to fix the bug then you can choose to not use their services.

What are other people's opinions about the individual cases or personal testing of systems/site security in general?

Ben


I agree that people should check out the security of a web site before using it but I believe there is no difference between someone who uses a bug in code to get information to show the company that a bug exists and a person who uses a bug in code to get information that they use for crimes. Both of these people illegally accessed private data. If you were not hired by the company to test the security of a site or system then you have absolutely no reason to access that data, even as proof of a security bug.

Well I think there is a difference, but it's obviously the wrong way to go about it. I think intent is an issue here. Obviously the correct way to go about it is:

If you find a potential security bug you should report it to the company. As long as you don't use that bug to access data you should not be convicted of any crimes. If, after you report the bug, the company fails to fix the bug then you can choose to not use their services.

If you find a potential security bug you should report it to the company. As long as you don't use that bug to access data you should not be convicted of any crimes. If, after you report the bug, the company fails to fix the bug then you can choose to not use their services.

But what if that bug is in a common program, like, say, 3tunes? ;)

Do you choose not to run the program, or do you feel compelled to let the rest of the world know about the problem? Possibly providing proof (and in doing so, breaking the law) to someone else?

The problem is that, particularly in the US, there appears to be a 'Sue first, ask questions later' mentality. Having the DMCA around doesn't help the situation much.


But what if that bug is in a common program, like, say, 3tunes?

I think the difference here is the author is suggesting that the people were testing the application to prevent someone else from stealing their information. If you find a bug in any program you can either choose to continue using that program or not. You just need to realize the consequences of your choices.

Ben


Well sometimes the only way to discover a bug is to access that private data. I can understand demonstrating the bug to the company concerned. Demonstrations often lead to quicker action.


Well sometimes the only way to discover a bug is to access that private data. I can understand demonstrating the bug to the company concerned. Demonstrations often lead to quicker action.

But in the first example cited that's exactly what got a guy in trouble.

I read about this before, it's a rather old case. The reporter (or someone posing as him) came over with a couple more people. The guy demonstrated the issue, and got subsequently arrested by those other people who suddenly turned out to be feds.

There was no intent to cause harm, just proof of the issue he was trying to bring attention to. In my opinion, they should've sent the guy a thank-you note for bringing the issue up and allowing them to solve the problem. But, of course, that means you have to get off your ass...


Eric McCarty, a professional computer security consultant, found a coding issue with a web application at USC that allowed an attacker to harvest personal information. As proof McCarty anonymously e-mailed a sample of personal records to a reporter. USC later traced the server activity back to McCarty yet he claims he is innocent of any crime.

I think that he should have reported this and said, if you want proof I can prove it, instead of doing that first. Because, as you said:

I can't believe he's claiming to be innocent. He found a vulnerability, which I can see as being fairly benign, but then he accessed personal information and sent it to someone else. It's like if he noticed a car was unlocked (not a crime) but then he took a package out of the back seat to prove to the owner (or in this case someone else) that it was unlocked. He still took the package.

And I agree. Me and my brother-in-law were trying to reconnect our WAN because it goes out frequently, and we found an open network. We lived in apartments, so any number of people could have been on their network. We wanted to go find them and let them know, but we were also afraid of them accusing us of hacking when we just hit the refresh button to find our network and theirs came up. Sometimes laws suck, but well, they're there.
