Rob Lemos from SecurityFocus writes about the recent developments in the case of Eric McCarty and the University of Southern California (USC).
I've been following Eric's story since he first made news by disclosing a SQL Injection vulnerability in USC's online student application. Eric's plea agreement stipulates that he'll serve three years of probation, possibly some home detention, and pay $36,800 in damages to USC. Could have been worse for Eric, but still seems like a lot to pay for helping to protect the sensitive information of thousands. Don't get me wrong, what Eric did was against the rules, but he's not one of the "bad guys" we need to worry about either.
Only a few days ago I wrote that vulnerability "discovery" is more important than disclosure to the information security industry. Talk about validation! "The case should send a message to vulnerability researchers that they must obey the law when looking for flaws in Web sites", said Michael C. Zweiback, Assistant U.S. Attorney for the Central District of California. We get the message and also trying to figure out what the lasting repercussions will be to software (in)-security.
Who's on the side of the consumer?
What hopefully Mr. Zweiback and others realize is the REAL "bad guys", the profit-driven-extortionist -identity- thieving- scamming- fraudulent- criminal- scum-of-the-earth, are not going to stop. And they're certainly not going to disclose their findings and risk prosecution either. Everything gets a pen-test, with permission or otherwise. What this prosecution means is the "good guys" will think twice about discovering or disclosing anything they might uncover or stumble upon. If one of the few precious checks-and-balances the industry has is out of the picture, then who's on the side of the consumer? PCI? Please. There are 96,854,877 sites out there. I'm guessing way less than 1% are professionally assessed for security.
As for Eric McCarty, I wish him the best of luck, and hopefully he'll be able to continue pursuing his career.