Archive for the ‘Computer Crime’ Category

Disclosing Website Vulnerabilities with the Threat of Criminal Prosecution

Monday, July 26th, 2010

Another website vulnerability with the threat of criminal prosecution has been in the news. It appears that Goatse Security disclosed that AT&T’s website made the email addresses of iPad owners public by displaying the email address associated with a user if anyone correctly guessed and entered a valid username.

The Wall Street Journal reported that AT&T issued a statement saying “…it would cooperate with any efforts to investigate or prosecute the breach [of its website].” Why would someone be prosecuted for disclosing a threat of identity theft so that a vulnerability could be fixed? A look at several of the incidents alleged to have “gone over the line” shows similar or shared characteristics.

With the AT&T iPad episode, the Wall Street Journal reported another expert as saying that Goatse Security “…created a program that exploited the hole, harvesting 114,000 emails of iPad owners.” If this is true, Goatse Security may have built the equivalent of a burglar’s tool, and its use could be prosecuted, with the sheer number of emails taken serving as evidence.

This might have been overlooked, and perhaps even met with a “thank you” from AT&T, if Goatse Security had obtained only half a dozen email addresses, taken a screen capture, reported it directly to AT&T, and not disclosed it publicly. According to Ryan Naraine at ZDNet, Google and Mozilla will even pay you for finding vulnerabilities. Microsoft will just thank you and give you credit, which is also valuable.

One of the problems with disclosing vulnerabilities is that the vulnerability is often not discovered accidentally through normal use of the website as intended by the website owner. Instead, vulnerabilities are often discovered by people searching for them using the same means as an illegal hacker.

Some characteristics that could be evaluated, either by a company wondering whether it has been victimized or has been given useful information by a well-meaning person, or by a prosecutor deciding whether to prosecute, are:

  • Was any software created to identify the vulnerability?
  • Were any private areas of the website penetrated in order to identify the vulnerability?
  • How much data was taken?
  • How much data was needed to identify and report the vulnerability?
  • Was the data disclosed to anyone other than the website owner?
  • Was the vulnerability reported to anyone other than the website owner?
  • If the vulnerability was publicly disclosed, was it disclosed only after the website owner had sufficient time to research the vulnerability, develop an appropriate fix, and incorporate or distribute the fix?
  • Was the vulnerability reported to the website owner without asking for anything in return?

Computer Problems? You and Your Computer Repair Technician Could Be Arrested!

Monday, June 30th, 2008

What happens when legislators write a law about a subject they know nothing about, such as repairing computers? A Texas law enacted in 2007 turns computer technicians and consumers into criminals, under certain conditions, when a consumer or anyone else seeks to have a computer repaired.

The Texas law requires a computer technician to have a private investigator’s license to analyze someone else’s data on a hard drive. The problem is that some repairs require the technician to look at the data.

The law makes it a Class A misdemeanor punishable by up to one year in jail, a $4,000 fine and civil penalties up to $10,000 if the computer technician accesses data in violation of the law. The law even provides the same penalties for the consumer or person who knowingly requested the repair from an unlicensed computer technician.

It must have seemed like a good idea at the time to legislators who did not consider the consequences of the law they wrote, but to comply, a computer technician would have to go back to school for three years to earn a degree in Criminal Justice or complete an apprenticeship with a licensed private investigator.

The Institute for Justice filed a lawsuit against the Texas Private Security Board seeking a decision finding the law unconstitutional. Until then, if you have to fix your computer in Texas, ask your computer shop if they have a technician with a private investigator’s license. If you forget to ask and the computer police knock at your door, you can look for a computer crime defense lawyer!