In Brief
Interview with Eric McCarty
Eric McCarty's guilty plea in a hacking case illustrates the chilling effect prosecutors are having on people who point out flaws in online systems
By Scott Berinato
So if you had unlimited resources, or more resources, you're saying you would have fought this?
Absolutely. I would have fought this.
Were you surprised by USC's aggressive response to your disclosure?
Their lack of technical awareness of what was going on surprised me the most. I don't know if they had a security team or someone who even understood SQL injection. They said they couldn't figure out what I was saying and that their vendors told them there was nothing to worry about. But I think they had gotten so much bad press as a result of this that they needed to present this idea of "We're prosecuting someone, we're compensating for it." The reality is anyone who understands the case doesn't see it as the right way to go about it.
How do you mean?
It was irresponsible to prosecute me for something I did with good intentions. I understand the legal aspect, but what about their moral and ethical obligations? You put up a website that puts [250,000] people at risk. Where's the responsibility there? If I had used those records for my gain, that's one thing, but that's what's frustrating. I don't think they realize there's absolutely no gain for me in any sense.
What do you think your case means for vulnerability research on the Web?
The Internet is full of sites that have the same problems as USC's had. But I have a feeling people aren't going to come forward as a result of cases like this. Finding and reporting vulnerabilities is not new. What's new is proving malicious intent is no longer necessary for prosecution.
So researchers will be scared away from disclosing flaws on websites?
When you look at the disclosure [it's clear that] people now just analyze third-party open-source software. And people look at software packages, operating systems. Which is great. I believe in auditing. What you're not seeing is Web application flaws being found and published, even though the Internet is arguably more of a low-hanging fruit than client software. People who should be looking at websites aren't going to because they face prosecution. So who does that leave? We need to take a long, hard look at people who are going to be finding Web vulnerabilities if it's not going to be security researchers. The climate isn't going to get better. No justice came out of this case. No good will come out of it.