Today I came across an article through slashdot: Pupil expelled from Montreal college after finding ‘sloppy coding’ that compromised security of 250,000 students personal data
Essentially, a computer science student was developing an app to help students look at their records for the college when he discovered a security flaw that gavie him access to more information than he should have been able to see. He reported the flaw the college that opened a can of worms resulting in his expulsion. The story reports that the offense was his use of a security tool against the college servers that they regarded as an attack.
Is this justified? He did come forward with his findings and didn't seem to be trying to hide what he was doing from the college. I have personally been guilty of letting my curiosity go a little too far and doing an inadvertent test of my company's security. I was thanked for demonstrating that the security worked and told never to do it again. (It was the first time that I'd ever run a port scanner, nmap.)
Cyber security is a big deal. A quick glance at the IBM Security Solutions list shows a vast array of solutions for various situations. As more and more of our world goes digital and virtual we are much more likely to be victims of cyber crime than physical ones... and those crimes are potentially more impactful. Good security can't rely on obfuscation. You have to be able to know something is there and still not be able to get it. I imagine that those who safeguard the most sensitive information have a number of sleepless nights as the tools available to the average hacker become more sophisticated. Of course, the vast majority of hackers are as Ahmed (the man in our story) claims to be. They are technology enthusiasts who want to see things work well and eliminate mediocrity when they find it. Of course, some of that crowd feels that the lesson needs to be humiliating to be effective, which tends to attract more anger than solutions.
Are any of my readers amateur security sleuths? If you found a vulnerability would you feel comfortable in bringing it forward? Does our current ant-terrorism client create a harsher environment for the good guys?