Easy Targets

The current culture of lazy seeps into the government as prosecutors put people on trial for reporting security violations: Spot a Bug, Go to Jail.

A new federal prosecution again raises the issue of whether computer security experts must fear prison time for investigating and reporting vulnerabilities.

On April 28, 2006, Eric McCarty was arraigned in U.S. District Court in Los Angeles. McCarty is a professional computer security consultant who noticed that there was a problem with the way the University of Southern California had constructed its web page for online applications. A database programming error allowed outsiders to obtain applicants' personal information, including Social Security numbers.

For proof, the man copied seven applicants' personal records and anonymously sent them to a reporter for SecurityFocus. The journalist notified the school, the school fixed the problem, and the reporter wrote an article about it.

The incident might have ended there, but didn't.

The school went through its server logs and easily traced the activity back to McCarty, who had made no attempt to hide his tracks. The FBI interviewed McCarty, who explained everything to the agents. Then the U.S. Attorney's Office in Los Angeles charged the security expert with violating 18 U.S.C. 1030, the federal computer crime law.

Read the whole thing. It really shows how it's so easy to go after law-abiding citizens and it's so much harder to investigate, build a case, and prosecute identity thieves and criminal hackers. That would actually take work. It's as if the mentality is to nail some do-gooder when he isn't covering his tracks. At least the prosecutors can show they took another case to trial and put another notch on their desks. This is not about protecting the public; it's about collecting low-hanging fruit while ignoring the rest of the jungle.
