Eric McCarty personifies case law in the field of computer systems vulnerability disclosure. He is now preparing for six months of home detention after pleading guilty last year to accessing without permission computer systems at the University of Southern California. The story goes like this: McCarty, 25, hacked into the online admission system, copied seven records from the database and mailed the information under a pseudonym to a security news website. He blogged about the exploit. The university's admission site shut down for 10 days, and soon McCarty faced charges for sharing data without authority to do so.
While McCarty might not be the perfect poster child for a debate about vulnerability disclosure (he was a lone actor, not part of an academic or research team), his guilty plea rankles champions of legitimate vulnerability research, which, after all, can involve a kind of digital trespassing.
For his part, McCarty says he was researching colleges in California when, on the USC site, he discovered a reasonably simple SQL injection flaw. He informed the university, which he says didn't do much about it. So he sent the information anonymously to a security website. McCarty says the exploit that got him into trouble was one he developed to help prove to the university that the database was vulnerable. McCarty maintains he had no malicious intent and never used any of the records he compromised for personal gain. (The university, which at first claimed only a few records were vulnerable, later said the entire database, more than 250,000 records, was at risk, and it sought McCarty's prosecution.)
McCarty believes he did nothing wrong. He says he had to accept a plea bargain in the case, and believes it's a permanent stain on his record. Press coverage of his case makes it "hard to get [job] interviews these days," he says. "Once you disclose you have a felony on your record for an IT-related crime, it's hard."
As he prepares for home detention (his sentence also calls for three years' probation and $36,000 in restitution for USC's system downtime), McCarty spoke to CSO Senior Editor Scott Berinato about his case.
CSO: From beginning to end, what has this experience been like for you?
McCarty: It's by far the worst experience I've ever gone through. From the FBI guy kicking down my door and taking computers, to not being told until a year later they'd be prosecuting me. Having to go from my home in San Diego to Los Angeles for court appearances and other stuff 15 or 20 times. The judge (I don't know if it's prudent for me to make these statements), but I don't think he was fair, and I don't think he understood what the case was all about.
You've also called out the media on this case.
One of the biggest inaccuracies that keeps getting repeated is that I was angry for being denied access to the school. However, I never applied to the school. It puts this black cloud over me as a person.
The fact is, you hacked the system. Isn't that all that matters?
That's the other thing that no one has tapped into. The whole intent of the thing. There was never any gain for me. Not financially. Not anything. It was a very simple vulnerability, easily exploitable for anyone with a security background. My motivation was to let them know and make sure they were aware of it. But when I told them, they said it's absolutely not true, and they asked me to show them. And when I did, that's what I was convicted for, the seven records I took because they wanted proof it could be done.
Prosecutors called you a "glory hacker" and made special note of your bragging. The e-mail address you used to disclose the vulnerability was "ihackedusc," and you posted on your blog: "USC Got Hacked, I was involved, I'm sorry, my bad, so all the hot USC girls, I got your phone number ladies, if your name is Amanda, Allison, Amy or Anita, expect a call any day now." How do you explain this? It certainly sounds like you were hacking for reasons besides helping USC understand its vulnerabilities.
The e-mail address simply was chosen to get the attention of the recipients. Most people get tons of e-mail every day, and I wanted to make sure the e-mail wasn't lost in the fray. "ihackedusc@gmail" is much more attention grabbing than "my_name@gmail." As for the blog posting, I have openly admitted this was simply an immature act on my part, nothing more. Before the media became involved I think my blog got five hits a month, hardly a great avenue for bragging.
Why plead guilty if you say you're not?
One of the things people don't recognize is the cost to defend against these charges. You're around $50,000 just to get to trial. That was a make-or-break issue. I didn't have that cash floating around. It was a rock and a hard place. Either you have the money to afford a lawyer or if you don't have that money you lose everything you have. I would have lost my condo and everything else I own. The prosecution had expert witnesses lined up a long time before I could. They have endless resources. It was very daunting. David and Goliath for sure. That's how the plea agreement became more appetizing. It ended up being the lesser of two evils. My options were somewhat limited, and this was better than the alternative.
So if you had unlimited resources, or more resources, you're saying you would have fought this?
Absolutely. I would have fought this.
Were you surprised by USC's aggressive response to your disclosure?
Their lack of technical awareness of what was going on surprised me the most. I don't know if they had a security team or someone who even understood SQL injection. They said they couldn't figure out what I was saying and that their vendors told them there was nothing to worry about. But I think they had gotten so much bad press as a result of this that they needed to present this idea of "We're prosecuting someone, we're compensating for it." The reality is anyone who understands the case doesn't see it as the right way to go about it.
How do you mean?
It was irresponsible to prosecute me for something I did with good intentions. I understand the legal aspect, but what about their moral and ethical obligations? You put up a website that puts [250,000] people at risk. Where's the responsibility there? If I had used those records for my gain, that's one thing, but that's what's frustrating. I don't think they realize there's absolutely no gain for me in any sense.
What do you think your case means for vulnerability research on the Web?
The Internet is full of sites that have the same problems as USC's had. But I have a feeling people aren't going to come forward as a result of cases like this. Finding and reporting vulnerabilities is not new. What's new is proving malicious intent is no longer necessary for prosecution.
So researchers will be scared from disclosing flaws on websites?
When you look at the disclosure [it's clear that] people now just analyze third-party open-source software. And people look at software packages, operating systems. Which is great. I believe in auditing. What you're not seeing is Web application flaws being found and published, even though the Internet is arguably more of a low-hanging fruit than client software. People who should be looking at websites aren't going to because they face prosecution. So who does that leave? We need to take a long, hard look at people who are going to be finding Web vulnerabilities if it's not going to be security researchers. The climate isn't going to get better. No justice came out of this case. No good will come out of it.