Re: Web security breach changes the lives of 119 people

[Michael Silk <michaelslists () gmail com>]

Ed,

 Inline.


 On Mon, 28 Mar 2005 15:30:05 -0500, Ed Tracy @ Aspect Security
<ed.tracy () aspectsecurity com> wrote:
> I think it's fair to
> assume (or that it's known) that the applicants:
>
> 1. knew there was a date in the future upon which they would be receiving
> notification
> 2. identified themselves to the system
> 3. modified url parms to attempt to access something in the site that wasn't
> normally in their interface -OR-
> 4. submitted a published url that they knew would offer them information
> that wasn't supposed to be available until a future date

 I'll agree to that ... 


> > It's such a trivial thing (modifying the URL) that it is a little
> > unreasonable for the person performing the action to know
> > what they were doing was 'wrong'. 
>
> This is exactly what I was referring to when I used the
> term, "warped." This is not a trivial thing to people who are not familiar
> with the Web. As further illustrated by your analogy to finding $5 on the
> sidewalk, I think your expertise has you thinking that this is so easy that
> the person just stumbled across it. 

 No, not just stumbled across it, but 'so easy' that it doesn't really
'feel' wrong for the people carrying it out. Clearly, it's not _right_
for them to  do this, and it _is_ something that they should be
punished for, but (of course) the punishment should fit the crime; and
I don't think it does.
 
 
> I feel strongly that regardless of how
> easy it was to stumble across it, the person still knew that they were
> trying to access a part of the website that would provide them data that
> they weren't supposed to have access to.

 I agree to it.


> >  You suggest that if Harvard had done more, or less, it wouldn't 'diminsh
> > their culpability'. Well I couldn't disagree more. As
>
> Then let me ask you.
> If Harvard HAD done more...and the applicant tried the url manipulation
> without any success, would that diminish their culpability? No, I don't
> think so. They still tried to do something wrong.

 What I meant was if the 'instructions' were:

  1) Download <password-cracking-tool>
  2) Download this file: http://foo.harvard.edu/../etc/passwd
  3) Run program
  4) Review "admin" password
  5) Login
  6) View your results and relax!

 Then the punishment should be more than what they were already given. 
 
 There is no possible punishment (unless it's outside Harvard that it
is given) that could be placed on these people. That then suggests
that a person who got into the network via installing a physical
key-logger on some staffers computer, and received his marks would be
given the same punishment (from Harvard's POV). That doesn't seem
fair, does it?


> Kinda like our attempted
> murder charge in the criminal justice system.

 More comparable to, say, 'attempted reading of a newspaper you didn't
purchase' :)

-- Michael

PS:

It's also appropriate to note that these people probably weren't
exactly 'clear-headed'at the time they did this. Stressing out about
results can be difficult for anyone, and if there is a proposed way to
see your results ahead of time, it'd be hard to students under so much
pressure to resist... Even so, I still think they should be punished,
just not to the extent they were.