Earlier this week I covered a story claiming that voluntary disclosure is pointless if the company that reports a breach is fined anyway.
Fair point, and the debate between Stewart Room and the Information Commissioner's Office is one worth considering. In a different environment but in the same vein, I came across a blog today that described a scenario worth weighing up.
The post, written by ‘Complex360’, a pupil who describes himself as an ‘Xbox security F***er upper’ and ‘someone who needs a real hobby’, describes his discovery of a vulnerability in RM Connect that allows file intrusion. He said that he used shortcuts to establish a link to a hidden drive/server/folder and so view its contents, which would be ‘a very dangerous thing in an establishment like a school’, as pictures, phone numbers, addresses, academic targets and current levels could be found.
He said: “I, just as much as anyone, didn't want someone like above-mentioned to access this.”
From this, Complex360 said he had three options: release the exploit on some full-disclosure website, leaving the personal details of potentially 100,000+ students at risk; keep quiet and run the risk that someone else could discover what he had discovered and use it for bad purposes; or copy everything and post it to the internet, leaving nearly 1,500 past and present students vulnerable.
However, he claimed that what he did was ‘the right thing, report it’. He said: “I told Mr Sanderson (a maths teacher who saw me creating an html file for easy access) because I felt like if anyone could tell it how it really was it would be him. This way, they could patch the hole and everything would be alright. This is obviously the most practical thing to do as I didn't want anyone's, especially myself and my friends, information stolen and used against us.”
He also talked of giving a demonstration to the IT technicians and a representative from Research Machines, with four solutions to patch the hole without using third party tools. He said: “I would like to make it apparent now that I didn't damage, edit, or corrupt anything, I merely found it was possible and reported for everyone's good.”
However, this good conduct has led to Complex360 being taught separately from the other students at his school, to his father being called in to talk to senior staff, and then to him talking to the police about it, on the grounds that he committed a crime by ‘viewing confidential files’.
He said: “This recent drama has made me truly realise why people go black hat, it seems there would have been fewer repercussions in releasing it on some full-disclosure site. You would have thought that with recent paedophile abduction attempts that the securing of data would be something they would be thinking heavily about, but apparently not.”
I know very little about who Complex360 is, but it is easy to sympathise with him (I assume he is male), considering that he chose to report the flaw rather than publicise it. After all, he reported it to the company in question; can you imagine Microsoft reporting a vulnerability to the informant's parents?
He claimed on his Twitter page that the day in question is today, and asked some ethical hackers for help. Considering the criticism levelled at Tavis Ormandy after he gave Microsoft five days to fix a problem before going public with details of a flaw, I guess it is easy to take his side. The bigger concern is his claim that the ‘recent drama has made me truly realise why people go black hat’: is this sort of treatment breeding the next generation of hackers?