Re: Web security breach changes the lives of 119 people

["Ed Tracy @ Aspect Security" <ed.tracy () aspectsecurity com>]

Michael,

Thanks for your professionalism in your response. I'd like to articulate 
my point (comments inline).

Michael Silk wrote:


> > Ed,
> >
> > I guess you mean "hacking" as in performing an illegal action; not
> > "hacking" (as the original intent of the word -
> > http://www.catb.org/jargon/html/meaning-of-hack.html).
> >  
>  
No, neither. I used hacking in the layman's sense. "Doing something 
unethical on an IT system."


> > In this specific case I don't think there is enough info out about
> > exactly what instructions were given to the students who did the URL
> > modification. 
>  
That's true. And in cases like this people typically make some 
assumptions so that they can have a discussion on a concrete topic. I 
think it's fair to assume (or that it's known) that the applicants:

1. knew there was a date in the future upon which they would be 
receiving notification
2. identified themselves to the system
3. modified url parms to attempt to access something in the site that 
wasn't normally in their interface -OR-
4. submitted a published url that they knew would offer them information 
that wasn't supposed to be available until a future date

If you don't agree with this case description, let me know. But if you 
don't, then we may not have anything interesting to argue about.


> > It's such a trivial thing (modifying the URL) that it is
> > a little unreasonable for the person performing the action to know
> > what they were doing was 'wrong'. 
>  
This is exactly what I was referring to when I used the term, "warped." 
This is not a trivial thing to people who are not familiar with the Web. 
As further illustrated by your analogy to finding $5 on the sidewalk, I 
think your expertise has you thinking that this is so easy that the 
person just stumbled across it. I feel strongly that regardless of how 
easy it was to stumble across it, the person still knew that they were 
trying to access a part of the website that would provide them data that 
they weren't supposed to have access to. (If you disagree with this, 
please be specific, as it is this assumption that I base the rest of my 
argument on.)

Considering they knowingly made this action, they are culpable in my 
book, period. And yes, the vendor/school, whoever, should bear some 
responsibility, too. But this is independent of the applicants 
culpability. I've heard brought this up a lot and most people in the 
industry only want to talk about what Harvard should have done and 
should do. Outside our industry, people focus on the individual's 
culpability. What ever happened to independence of components?


> > You suggest that if Harvard had done more, or less, it wouldn't
> > 'diminsh their culpability'. Well I couldn't disagree more. As
> >  
>  
Then let me ask you. If Harvard HAD done more...and the applicant tried 
the url manipulation without any success, would that diminish their 
culpability? No, I don't think so. They still tried to do something 
wrong. Kinda like our attempted murder charge in the criminal justice 
system.


-- Ed

        
        
        
* Edward Tracy, CISSP *
ed.tracy () aspectsecurity com <mailto:ed.tracy () aspectsecurity com>
(443) 745-6270 (cell)
(301) 604-4882 (office)
(781) 240-7886 (fax)
*Aspect Security™*
Securing your applications at the source 
<http://aspectsecurity.com/about.html>
http://www.aspectsecurity.com
Do your developers know the top ten web application security mistakes 
<http://aspectsecurity.com/topten>?