Shostack + Friends Blog Archive

 

Man Charged For Notifying USC of Vulnerability

Federal prosecutors charged a San Diego-based computer expert on Thursday with breaching the security of a database server at the University of Southern California last June and accessing confidential student data.

A statement from the U.S. Attorney for the Central District of California names 25-year-old Eric McCarty as the person who contacted SecurityFocus last June with news of a flaw in the Web server and database system used to accept online applications from prospective students. SecurityFocus notified the University of Southern California of the vulnerability and worked with the university to close the flaw before publishing an article about the issue.

“It wasn’t that he could access the database and showed that it could be bypassed,” said Michael Zweiback, an assistant U.S. Attorney for the U.S. Department of Justice’s cybercrime and intellectual property crimes section. “He went beyond that and gained additional information regarding the personal records of the applicant. If you do that you are going to face, like he does, prosecution.”

The clear message: Next time, don’t tell.

[Update: The story quoted is Rob Lemos, “Man Charged With Accessing USC Student Data.”]

[2nd Update: Rob Lemos has a good three page story on this, “Breach case could curtail Web flaw finders.”]

10 comments on "Man Charged For Notifying USC of Vulnerability"

  • Scott says:

    A wee spot of jumping to conclusions, don’t you think? Clearly, if the prosecution is about the demonstration of the flaw it is overzealous for our tastes. Equally clearly, if the guy took a tour through the database because he could before reporting the flaw, he should be prosecuted. The SecurityFocus article (link?) hints that his viewing wasn’t gratuitous, but the full facts are not presented.
    The clear message: have the facts before drawing a conclusion.

  • Chris Walsh says:

    @Scott:
    Security focus link: http://www.securityfocus.com/brief/191
    “The flaw could have allowed an attacker to send commands to the database that powered the site by using the user name and password text boxes. USC’s Information Services Division confirmed the problem and shuttered the site, which contained data on nearly 280,000 applicants, on June 20 as a precaution. The university believes, and the prosecutors allege, that only a handful of records were actually accessed.”
    As I read this, they KNOW he looked at a handful, but he COULD have looked at 280K (or done a ‘DROP database’ for all we know). Whether looking at a handful of records (which could easily have come from a single select statement) is worthy of prosecution is a judgment call. I’m with Adam on this.
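The flaw quoted above (commands reaching the database through the login text boxes) is the string-built login query. As an added example, not code from the post, the thread or USC, here is that pattern beside the parameterized form, run against a constructed in-memory applicant table; table, columns and sample rows are assumptions for illustration.

```python
import sqlite3

# Constructed sample rows standing in for an applicant database; not real data.
SAMPLE_APPLICANTS = [
    ("asmith", "hunter2", "Alice Smith", "ssn-placeholder-1"),
    ("bjones", "secret9", "Bob Jones", "ssn-placeholder-2"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with a hypothetical applicants table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE applicants (username TEXT, password TEXT, name TEXT, ssn TEXT)"
    )
    conn.executemany("INSERT INTO applicants VALUES (?, ?, ?, ?)", SAMPLE_APPLICANTS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Form input is spliced into the SQL text, so quotes in the input become SQL.

    A password value containing a quote can end the string literal early and
    append its own condition, which is why every row can come back.
    """
    sql = (
        "SELECT name, ssn FROM applicants WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Placeholders hand the values to the driver separately from the query text,
    so the input can only ever be compared as a literal string."""
    sql = "SELECT name, ssn FROM applicants WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()
```

With a normal username and password both functions return the same single row; with a quote in the password field only the string-built query changes meaning.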

  • That’s silly.
    If I break into a database with malicious intent and only view a handful of records, I have committed a crime. My sentencing will take into account that it was only a handful, but it isn’t grounds to dismiss the case.
    I could spend my life developing a nuclear weapon to destroy the world, my not doing that does not count in my favour. I’m not going to slap my work mates on the back and thank them for not going on a murderous romp through the office (well, there is this one guy…).
    Many of us have been there, sitting with the live system, sure that your exploit will give you the access you want and dying to take it further. The reality is, you aren’t allowed to. Rather chat to the admins and get their permission to test the exploit.

  • Adam says:

    Dominic,
    I don’t think everything that’s wrong is a crime that ought to be prosecuted. I also don’t think that we should structure incentives to discourage noticing problems.

  • I fully agree, but we[1] do prosecute some things which are a crime, and breaking into databases is one of them.
    I think the incentive here is that he should be let off the hook for not intending to do harm, but rather good. This is the kind of analysis a trial is supposed to perform.
    My real bone of contention is that you are making it sound like disclosing flaws will get you in jail. That is true in some cases and should be fought against. But in this instance it isn’t the disclosure which got him into trouble, it was the breaking in to the database. Given that it is possible to separate the two, i.e. disclosure could have happened without him breaking the law, there is no point conflating them.
    [1] By we, I mean Merkins, I am not a Merkin and may have missed some subtleties of Merkin law.

  • Iang says:

    The prosecution and any popular press article will cover their butts by claiming that the “researcher” was really “hacking”. If you believe the prosecutor, or SecurityFocus, I’ve got a bridge to sell you. If you want to wait for the facts, I’ve two bridges to sell you! This isn’t to say that the guy *wasn’t* hacking … but … as a security researcher or practitioner, if you go anywhere near a security site, you risk prosecution. You risk setting off a chain of events that results in you having to defend your actions before the judge, and he isn’t interested in your arcane opinions of security or any informal permissions.
    The easily visible but predictably unforeseen consequences are that a security researcher would be mad raving nuts loony to do any security research in any sense at all near a company unless he was backed up by clear contracts, disclaimers, promises and was married to the boss’s daughter. And even then, he could get into trouble. Check the prices on liability insurance for ethical hacking. So costs for defence will rise because most programmers will wisely look the other way when they see a flaw.
    Which inevitably means that net security as a whole will decrease. Especially as none of this applies to the (real) attacker.

  • Whoops sorry about the double posting. Damn GPRS.

  • Adam says:

    I think this is a good case for prosecutorial discretion. Where’s the deep harm? A trial will cost (I think) $100,000 for legal fees. That’s a deterrent, in and of itself.

  • Agreed 🙂

Comments are closed.