In Brief

Interview with Eric McCarty

Eric McCarty's guilty plea in a hacking case illustrates the chilling effect prosecutors are having on people who point out flaws in online systems

By Scott Berinato

March 01, 2007 | CSO

Eric McCarty personifies case law in the field of computer systems vulnerability disclosure. He is now preparing for six months of home detention after pleading guilty last year to accessing without permission computer systems at the University of Southern California. The story goes like this: McCarty, 25, hacked into the online admission system, copied seven records from the database and mailed the information under a pseudonym to a security news website. He blogged about the exploit. The university's admission site shut down for 10 days, and soon McCarty faced charges for sharing data without authority to do so.

While McCarty might not be the perfect poster child for a debate about vulnerability disclosure (he was a lone actor, not part of an academic or research team), his guilty plea rankles champions of legitimate vulnerability research, which, after all, can involve a kind of digital trespassing.

For his part, McCarty says he was researching colleges in California when, on the USC site, he discovered a reasonably simple SQL injection flaw. He informed the university, which he says didn't do much about it. So he sent the information anonymously to a security website. McCarty says the exploit that got him into trouble was one he developed to help prove to the university that the database was vulnerable. McCarty maintains he had no malicious intent and never used any of the records he compromised for personal gain. (The university, which at first claimed only a few records were vulnerable, later said the entire database, more than 250,000 records, was at risk, and it sought McCarty's prosecution.)

McCarty believes he did nothing wrong. He says he had to accept a plea bargain in the case, and believes it's a permanent stain on his record. Press coverage of his case makes it "hard to get [job] interviews these days," he says. "Once you disclose you have a felony on your record for an IT-related crime, it's hard."

As he prepares for home detention (his sentence also calls for three years' probation and $36,000 in restitution for USC's system downtime), McCarty spoke to CSO Senior Editor Scott Berinato about his case.

CSO: From beginning to end, what has this experience been like for you?
McCarty: It's by far the worst experience I've ever gone through. From the FBI guy kicking down my door and taking computers, to not being told until a year later they'd be prosecuting me. Having to go from my home in San Diego to Los Angeles for court appearances and other stuff 15 or 20 times. The judge... I don't know if it's prudent for me to make these statements, but I don't think he was fair, and I don't think he understood what the case was all about.
