funsec mailing list archives
Re: The Legality of Publishing Hacked E-Mails
From: Paul Ferguson <fergdawgster () gmail com>
Date: Wed, 16 Dec 2009 22:20:10 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Dec 16, 2009 at 9:59 PM, Gadi Evron <ge () linuxbox org> wrote:
http://www.cjr.org/the_observatory/the_legality_of_publishing_hac.php
On a related note, here's something that is just wrong:

"Minnesota Public Radio Reporter Faces Hacking Charges For Reporting On Data Leak"

Via techdirt.com.

[snip]

We were just noting how the Computer Fraud and Abuse Act is regularly abused to bring "hacking" charges where none are really warranted. And here we have yet another example. Alex Howard points out that a Minnesota Public Radio reporter, Sasha Aslanian, is potentially facing "hacking" charges from a Texas company called Lookout Services. Lookout creates employment/compliance software for large organizations, and Aslanian was reporting on a supposed data vulnerability in the software used to verify employment eligibility that could potentially reveal private info. Aslanian's report noted that she was able to see info from the state of Minnesota, and the state was now directing agencies to stop using Lookout.

The details are not entirely clear, but from what's written at the MinnPost link above, it sounds like there were some vulnerabilities, poor security, and a bungled demonstration which revealed a vulnerability -- all of which Lookout admits -- and from those vulnerabilities (which Lookout claims it closed), someone was able to adjust the URL to find private data. So, basically, the company admits to a series of vulnerabilities, which exposed info that allowed the reporter to eventually see some private data... but still claims that the reporter was "hacking" and is now looking to sue under the same Computer Fraud and Abuse Act, which could lead to 5 years in prison.

Because our federal government still hasn't passed a journalism shield law, the reporter is potentially liable, though, as the MinnPost reporter notes, Lookout seems particularly shortsighted in bringing this lawsuit in the first place. All it does is call more attention to its own vulnerabilities and failings. And the CEO of Lookout basically responds that she doesn't care [...]

[snip]

More:
http://www.techdirt.com/articles/20091215/2340237379.shtml

Key quote: "I would argue that the company's reaction to this gives many more reasons never to do business with Lookout -- more than any discovered vulnerabilities."

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.3 (Build 5003)

wj8DBQFLKc2Uq1pz9mNUZTMRApKsAKDknSx3ODzO7FlXNzQBW8CHLWGWTwCfSHak
JgbxBXpdWzE9rjdPk35/u5w=
=RJTo
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.