[LINK] Super fund security breach lands good Samaritan in hot water
Roger.Clarke at xamax.com.au
Wed Oct 19 10:48:31 AEDT 2011
At 16:27 -0700 18/10/11, Scott Howard wrote:
>It's always hard to know exactly which parts of articles like this to
>believe, but if the following is true then IMHO he does have something to
>answer to - even if it's just bad judgement :
>*"To demonstrate the flaw to First State's IT staff, he wrote a script that
>cycled through each ID number and pulled down the relevant report to his
>computer. He confirmed that the vulnerability affected the firm's full
>Downloading a small number of random reports is all that would have been
>required to prove a problem existed. There is absolutely no excuse for
>downloading all ~770,000 (or even just a small percentage of them) - if that
>really is what he did.
>>From First State's perspective they would have to presume that he still has
>copies of all of the reports he downloaded - which clearly requires action.
The vigilante wants to demonstrate more than that a couple of
people's data are accessible. Otherwise the company (and after that
the media) may just ignore it as a picayune little weakness. So an
automated tool seems like a good idea.
The vigilante needs evidence that will hold up in a complaints
process, a court of law, and/or the court of public opinion. So a
copy of the successfully downloaded data seems like a good idea.
Agreed: There would have been value in providing assurances e.g.:
- I've eyeballed several in order to be sure that the data is what
he's claiming it to be
- I've printed none of it and disclosed none of it to any other party
- I've secured the data (e.g. on a hidden thumb-drive or by encryption)
But ... this isn't a corporation we're talking about, nor
necessarily a consultant wise in the ways of the law. It's a person.
Put another way: if we set the 'safe harbour' criteria too high, the
'many eyes' theorem doesn't work.
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University
More information about the Link