funsec mailing list archives

Re: The Legality of Publishing Hacked E-Mails


From: Paul Ferguson <fergdawgster () gmail com>
Date: Wed, 16 Dec 2009 22:20:10 -0800


On Wed, Dec 16, 2009 at 9:59 PM, Gadi Evron <ge () linuxbox org> wrote:

http://www.cjr.org/the_observatory/the_legality_of_publishing_hac.php


On a related note, here's something that is just wrong:

"Minnesota Public Radio Reporter Faces Hacking Charges For Reporting On
Data Leak"

Via techdirt.com.

[snip]

We were just noting how the Computer Fraud and Abuse Act is regularly
abused to bring "hacking" charges where none are really warranted. And here
we have yet another example. Alex Howard points out that a Minnesota Public
Radio reporter, Sasha Aslanian, is potentially facing "hacking" charges
from a Texas company called Lookout Services. Lookout creates
employment/compliance software for large organizations, and Aslanian was
reporting on a supposed data vulnerability in the software used to verify
employment eligibility that could potentially reveal private info.
Aslanian's report noted that she was able to see info from the state of
Minnesota, and the state was now directing agencies to stop using Lookout.
The details are not entirely clear, but from what's written at the MinnPost
link above, it sounds like there were some vulnerabilities, poor security,
and a bungled demonstration which revealed a vulnerability -- all of which
Lookout admits -- and from those vulnerabilities (which Lookout claims it
closed), someone was able to adjust the URL to find private data.

So, basically, the company admits to a series of vulnerabilities, which
exposed info that allowed the reporter to eventually see some private
data... but still claims that the reporter was "hacking" and is now looking
to sue under the same Computer Fraud and Abuse Act, which could lead to 5
years in prison. Because our federal government still hasn't passed a
journalism shield law, the reporter is potentially liable, though, as the
MinnPost reporter notes, Lookout seems particularly shortsighted in
bringing this lawsuit in the first place. All it does is call more
attention to its own vulnerabilities and failings. And the CEO of Lookout
basically responds that she doesn't care [...]

[snip]

More:
http://www.techdirt.com/articles/20091215/2340237379.shtml

Key quote:

"I would argue that the company's reaction to this gives many more reasons
never to do business with Lookout -- more than any discovered
vulnerabilities."

-- ferg






-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.