[LINK] Super fund security breach lands good Samaritan in hot water
Roger Clarke
Roger.Clarke at xamax.com.au
Wed Oct 19 10:48:31 AEDT 2011
At 16:27 -0700 18/10/11, Scott Howard wrote:
>It's always hard to know exactly which parts of articles like this to
>believe, but if the following is true then IMHO he does have something to
>answer to - even if it's just bad judgement :
>*"To demonstrate the flaw to First State's IT staff, he wrote a script that
>cycled through each ID number and pulled down the relevant report to his
>computer. He confirmed that the vulnerability affected the firm's full
>customer database."*
>
>Downloading a small number of random reports is all that would have been
>required to prove a problem existed. There is absolutely no excuse for
>downloading all ~770,000 (or even just a small percentage of them) - if that
>really is what he did.
>
>From First State's perspective they would have to presume that he still has
>copies of all of the reports he downloaded - which clearly requires action.
The vigilante wants to demonstrate more than that a couple of
people's data are accessible. Otherwise the company (and after that
the media) may just ignore it as a picayune little weakness. So an
automated tool seems like a good idea.
The vigilante needs evidence that will hold up in a complaints
process, a court of law, and/or the court of public opinion. So a
copy of the successfully downloaded data seems like a good idea.
Agreed: There would have been value in providing assurances e.g.:
- I've eyeballed several in order to be sure that the data is what
I'm claiming it to be
- I've printed none of it and disclosed none of it to any other party
- I've secured the data (e.g. on a hidden thumb-drive or by encryption)
But ... this isn't a corporation we're talking about, nor
necessarily a consultant wise in the ways of the law. It's a person.
Put another way: if we set the 'safe harbour' criteria too high, the
'many eyes' theorem doesn't work.
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University