As a security guy, I've always viewed law enforcement as "brothers and sisters in arms" - I've always felt a close camaraderie with the folks whose job it is to go out there and bring the bad people to justice. After all, isn't that pretty much what we're trying to do as security people? But recently it seems like law enforcement is making it tougher and tougher for us infosec folks to do our job.
Don't believe me? Check out the recent prosecution of Eric McCarty for pointing out a web application security flaw exposing personally identifiable information at the University of Southern California. Here's a guy who found a flaw in a public web app, brought it to the attention of the folks over there, and got arrested for his efforts. Apparently, PII was available through the web app, McCarty noted this, anonymously divulged the information through a third party (with the intention of having it get back to the University), and because he looked at that data he was arrested. Now, it seems to me that if the University of Southern California makes subscriber data available through its own incompetence, the folks who happen to come around and look at it shouldn't get arrested for doing so.
Posted by Ed at May 10, 2006 11:09 AM