[LINK] Super fund security breach lands good Samaritan in hot water

Stephen Wilson swilson at lockstep.com.au
Wed Oct 19 15:12:55 AEDT 2011


All true.

It's definitely not black and white. If a case went to trial and lawyers 
constructed arguments around analogies with doors and locks and flimsy 
latches, then sure as eggs, expert witnesses would be lined up on both 
sides to attest to the goodness of the analogies.  I don't know if 
'securing' an account by secreting the account number inside a long URL 
is comparable to an unlocked door, and if the consultant could be said 
to have 'pushed on' such a door.  But I must say that to do what he did 
required a level of IT expertise that probably exceeds that of the 
typical banking user.

So anyway, if you circumvent a security solution no matter how "good" it 
is, you may be in trouble.

In another post in this thread, it was revealed that the consultant 
availed himself of data on 500 clients.  That seems like a lot more than 
what's required to make the point.

So here's another analogy.  If I found that Commodores had a faulty fuel 
system that made them liable to catch fire, and then to prove it, I 
arranged for one to actually catch fire, then I guess I might face arson 
charges, regardless of the merits of the safety point I was trying to make.

And if I set fire to 500 cars for dramatic effect ...



Stephen Wilson

Lockstep Consulting provides independent specialist advice and analysis
on digital identity and privacy. Lockstep Technologies develops unique
new smart ID solutions that enhance privacy and prevent identity theft.

On 19/10/2011 12:35 PM, Karl Auer wrote:
> On Wed, 2011-10-19 at 09:43 +1100, Stephen Wilson wrote:
>> Yet the technicality remains: if you circumvent a
>> security system, you may be in trouble.
> If I push open an unlocked door, have I "circumvented security" just
> because the door had a lock?
> What if I push the door to see if it is locked? And surely it also makes
> a difference depending on what I do once I am through the door?
> That's why this is not black and white. Circumvention must (almost by
> definition) have both an element of intent on the part of the
> circumventer, and an element of notice given by the circumventee. For
> example, if the door has a large sign on it saying "private property
> keep out" and I go through it, even if it is unlocked, the situation is
> different to me going through some random unmarked door.
> If security software is supposed to do X, Y and Z, but actually does
> only X and Y, then the situation could be seen as analogous to having
> three doors, only two of which are locked. Is it bad to stroll through
> the unlocked door?
> Or to take a similar but different analogy, if I have a big bunch of
> keys, and I try them all in a lock, and one of them unlocks the door, I
> have not "defeated" the lock, I opened it in the standard manner. What
> if the lock is old and worn, and one of my keys works, even though it's
> not actually the "right" key? What if I use a skeleton key? There are
> many shades of grey even with a physical door, and many more when it
> comes to computer security.
> So I really think that intent and awareness are important.
> Regards, K.
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link