In Brief

Interview with Eric McCarty

Eric McCarty's guilty plea in a hacking case illustrates the chilling effect prosecutors are having on people who point out flaws in online systems

By Scott Berinato


You've also called out the media on this case.
One of the biggest inaccuracies that keeps getting repeated is that I was angry for being denied access to the school. However, I never applied to the school. It puts this black cloud over me as a person.

The fact is, you hacked the system. Isn't that all that matters?
That's the other thing that no one has tapped into. The whole intent of the thing. There was never any gain for me. Not financially. Not anything. It was a very simple vulnerability, easily exploitable for anyone with a security background. My motivation was to let them know and make sure they were aware of it. But when I told them, they said it's absolutely not true, and they asked me to show them. And when I did, that's what I was convicted for, the seven records I took because they wanted proof it could be done.

Prosecutors called you a "glory hacker" and made special note of your bragging. The e-mail address you used to disclose the vulnerability was "ihackedusc," and you posted on your blog: "USC Got Hacked, I was involved, I'm sorry, my bad, so all the hot USC girls, I got your phone number ladies, if your name is Amanda, Allison, Amy or Anita, expect a call any day now." How do you explain this? It certainly sounds like you were hacking for reasons besides helping USC understand its vulnerabilities.

The e-mail address simply was chosen to get the attention of the recipients. Most people get tons of e-mail every day, and I wanted to make sure the e-mail wasn't lost in the fray. "ihackedusc@gmail" is much more attention grabbing than "my_name@gmail." As for the blog posting, I have openly admitted this was simply an immature act on my part, nothing more. Before the media became involved I think my blog got five hits a month, hardly a great avenue for bragging.

Why plead guilty if you say you're not?
One of the things people don't recognize is the cost to defend against these charges. You're around $50,000 just to get to trial. That was a make-or-break issue. I didn't have that cash floating around. It was a rock and a hard place. Either you have the money to afford a lawyer or if you don't have that money you lose everything you have. I would have lost my condo and everything else I own. The prosecution had expert witnesses lined up a long time before I could. They have endless resources. It was very daunting. David and Goliath for sure. That's how the plea agreement became more appetizing. It ended up being the lesser of two evils. My options were somewhat limited, and this was better than the alternative.
