WebApp Sec mailing list archives
Re: Web security breach changes the lives of 119 people
From: Michael Silk <michaelslists () gmail com>
Date: Tue, 29 Mar 2005 10:17:41 +1000
Ed, Inline.

On Mon, 28 Mar 2005 15:30:05 -0500, Ed Tracy @ Aspect Security <ed.tracy () aspectsecurity com> wrote:

> I think it's fair to assume (or that it's known) that the applicants:
> 1. knew there was a date in the future upon which they would be receiving notification
> 2. identified themselves to the system
> 3. modified url parms to attempt to access something in the site that wasn't normally in their interface -OR-
> 4. submitted a published url that they knew would offer them information that wasn't supposed to be available until a future date

I'll agree to that ...

> > It's such a trivial thing (modifying the URL) that it is a little unreasonable for the person performing the action to know what they were doing was 'wrong'.
>
> This is exactly what I was referring to when I used the term, "warped." This is not a trivial thing to people who are not familiar with the Web. As further illustrated by your analogy to finding $5 on the sidewalk, I think your expertise has you thinking that this is so easy that the person just stumbled across it.

No, not just stumbled across it, but 'so easy' that it doesn't really 'feel' wrong for the people carrying it out. Clearly, it's not _right_ for them to do this, and it _is_ something that they should be punished for, but (of course) the punishment should fit the crime; and I don't think it does.

> I feel strongly that regardless of how easy it was to stumble across it, the person still knew that they were trying to access a part of the website that would provide them data that they weren't supposed to have access to.

I agree to it.

> > You suggest that if Harvard had done more, or less, it wouldn't 'diminish their culpability'. Well I couldn't disagree more. As
>
> Then let me ask you. If Harvard HAD done more... and the applicant tried the url manipulation without any success, would that diminish their culpability? No, I don't think so. They still tried to do something wrong.

What I meant was if the 'instructions' were:

1) Download <password-cracking-tool>
2) Download this file: http://foo.harvard.edu/../etc/passwd
3) Run program
4) Review "admin" password
5) Login
6) View your results and relax!

Then the punishment should be more than what they were already given. There is no possible punishment (unless it's outside Harvard that it is given) that could be placed on these people. That then suggests that a person who got into the network via installing a physical key-logger on some staffer's computer, and received his marks, would be given the same punishment (from Harvard's POV). That doesn't seem fair, does it?

> Kinda like our attempted murder charge in the criminal justice system.

More comparable to, say, 'attempted reading of a newspaper you didn't purchase' :)

-- Michael

PS: It's also appropriate to note that these people probably weren't exactly 'clear-headed' at the time they did this. Stressing out about results can be difficult for anyone, and if there is a proposed way to see your results ahead of time, it'd be hard for students under so much pressure to resist... Even so, I still think they should be punished, just not to the extent they were.