Security Research and Computer Crime - Where do we Draw the Line?
May 10th, 2006 by Doug
This is interesting -
the case
of Eric McCarty, a security researcher and sysadmin charged
by Federal prosecutors last month with
"knowingly
having transmitted a code or command to intentionally cause
damage" to the University of Southern California’s
applicant website (I noticed the FBI press release uses the
word “sequel” instead of SQL. I hope that wording didn’t come
from the complaint itself…).
Apparently, McCarty exploited a SQL injection flaw to access student data (which included social security numbers and dates of birth) in the database backing USC’s website. He then notified SecurityFocus via email, who notified USC of the vulnerability. USC shut their site down for two weeks while it was being fixed (my guess is the “damage” comes from the fact that USC had to take their applicant website offline, since McCarty didn’t do anything malicious with the information). Here is the text of the statute he is alleged to have violated (see section (5)(A)(i)).
The case, and others like it, show the ethical conflict involved in some computer crime prosecutions. In particular, this case reminds me of Randal Schwartz’s case from way back in 1993. The same issues were raised back then - in that case, Schwartz was running the crack program to disclose weak passwords, but without authorization. In the end, he was convicted of three state felony charges.
Unfortunately, the law is pretty clear in these cases. It appears McCarty violated Federal law, a felony that could land him up to ten years in jail. This seems quite excessive, however, given McCarty’s intent. Perhaps some exceptions are needed in various Federal and state computer crime statutes to allow for legitimate security research, although the question of what is legitimate and what is not could be unclear. Sure, USC had to take down their site for two weeks (does anyone else but me think that’s a long time to fix a SQL injection bug?), but just think of how long it would have been down after a real compromise. At the same time such an exception could be said to encourage security research, you could see this used as a loophole that crackers with malicious intent could use to escape prosecution. “Really, detective, I was just testing their security”. Web application security testing can also be dangerous, unintentionally resulting in database or web server outages. For now, the risks of doing “stealth” research just are not worth it, whatever the intent.
Technorati Tags: Security, Ethics, Pen Testing
Apparently, McCarty exploited a SQL injection flaw to access student data (which included social security numbers and dates of birth) in the database backing USC’s website. He then notified SecurityFocus via email, who notified USC of the vulnerability. USC shut their site down for two weeks while it was being fixed (my guess is the “damage” comes from the fact that USC had to take their applicant website offline, since McCarty didn’t do anything malicious with the information). Here is the text of the statute he is alleged to have violated (see section (5)(A)(i)).
The case, and others like it, show the ethical conflict involved in some computer crime prosecutions. In particular, this case reminds me of Randal Schwartz’s case from way back in 1993. The same issues were raised back then - in that case, Schwartz was running the crack program to disclose weak passwords, but without authorization. In the end, he was convicted of three state felony charges.
Unfortunately, the law is pretty clear in these cases. It appears McCarty violated Federal law, a felony that could land him up to ten years in jail. This seems quite excessive, however, given McCarty’s intent. Perhaps some exceptions are needed in various Federal and state computer crime statutes to allow for legitimate security research, although the question of what is legitimate and what is not could be unclear. Sure, USC had to take down their site for two weeks (does anyone else but me think that’s a long time to fix a SQL injection bug?), but just think of how long it would have been down after a real compromise. At the same time such an exception could be said to encourage security research, you could see this used as a loophole that crackers with malicious intent could use to escape prosecution. “Really, detective, I was just testing their security”. Web application security testing can also be dangerous, unintentionally resulting in database or web server outages. For now, the risks of doing “stealth” research just are not worth it, whatever the intent.
Technorati Tags: Security, Ethics, Pen Testing
![[Post to Yahoo Buzz]](http://blog.unixlore.net/wp-content/plugins/tweet-this/icons/tt-buzz.png){kind=icon}
![[Post to Delicious]](http://blog.unixlore.net/wp-content/plugins/tweet-this/icons/tt-delicious.png){kind=icon}
![[Post to Digg]](http://blog.unixlore.net/wp-content/plugins/tweet-this/icons/tt-digg.png){kind=icon}
![[Post to Reddit]](http://blog.unixlore.net/wp-content/plugins/tweet-this/icons/tt-reddit.png){kind=icon}
![[Post to StumbleUpon]](http://blog.unixlore.net/wp-content/plugins/tweet-this/icons/tt-su.png){kind=icon}
![[FSF Associate Member]](http://www.unixlore.net/images/fsf_button.png "[FSF Associate Member]"){kind=small}