Friday, June 15, 2007

The Strange Case of USC vs. McCarty

University of Southern California has an enviable reputation as an education facility, and an endowment of $3.2 billion. It generates half a billion dollars a year in research funding.

The very same USC recently sued a would-be student for $140,000 after he reported some security vulnerabilities on their web site to a security firm.

Eric McCarty is a young guy in his twenties who went to USC's web site with the intention of becoming a student. He says, upon looking at the site, he wasn't sure if USC's online application process was secure enough to protect his personal information.

So he ran a couple of tests and found that the site had a serious vulnerability - a SQL injection could be performed against the home-grown authentication software, allowing an attacker to circumvent the login check and access *any* of the forms in the database - a database which at the time contained data on 275,000 individuals.
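The vulnerability class the post describes, shown as an added example that is not from the post and is not USC's code: a constructed SQLite user table, a login routine that concatenates user input straight into the SQL statement (the pattern that lets a crafted password string satisfy the WHERE clause for any user), and the parameterised version that closes the hole. Table, user names and values are all constructed for the example.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory user table (constructed sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, ssn TEXT)")
    # Plaintext passwords are kept only to keep the example short; real systems
    # store a salted password hash and compare against that instead.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse', '000-00-0001')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Home-grown authentication with the defect: input is glued into the query.

    Whatever the user types is parsed as SQL, so a value containing a quote can
    rewrite the WHERE clause and the check no longer depends on the password.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Same check with bound parameters: input is data, never SQL text."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Compare both routines on a normal login and on a crafted password."""
    conn = make_db()
    crafted = "' OR '1'='1"  # constructed input that alters the vulnerable query
    return {
        "vulnerable_normal": login_vulnerable(conn, "alice", "correct-horse"),
        "hardened_normal": login_hardened(conn, "alice", "correct-horse"),
        "vulnerable_crafted": login_vulnerable(conn, "alice", crafted),
        "hardened_crafted": login_hardened(conn, "alice", crafted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it and the vulnerable routine accepts the crafted password while the parameterised one rejects it; the fix is a one-line change to how the query is built, which is the point the post's "sloppy coding" remark is getting at. Code review or a static check that flags string concatenation into `execute()` catches this pattern before it reaches production.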

McCarty then contacted a reporter at SecurityFocus, which then contacted USC, and informed them of the vulnerability.

Now, California has some excellent laws that detail what organizations must do if personal data is compromised. USC had to follow them - which meant contacting anyone potentially facing data loss or otherwise affected by the vulnerability.

Contacting all these people about the vulnerability cost USC $140,000 - a cost they decided to recover by suing McCarty - the person who originally discovered the breach.

Which is where things get really weird.

According to the FBI, as quoted in SecurityFocus, an email found on McCarty's computer shows that he targeted the school because he was denied admission.

Yet McCarty, going by SecurityFocus' reporting, appears to have acted without malice, and his unauthorized testing of the web site did very little - if any - damage.

Upon finding the hole, he did the right thing - he reported it to a responsible third party, which reported it to USC ahead of publishing the problem.

The reaction he would have received had he reported it directly to USC cannot be known. But as the CEO of Authentium, a security software company, I have called in more than a few security alerts and I find companies can be surprisingly blasé about security vulnerabilities - unless threatened with publication. McCarty did the right thing.

And now for the (un)happy ending.

According to the Computer Science Institute, at the time of the suit, Eric McCarty simply did not have the resources to fight USC, so he negotiated a settlement with the university and the State Prosecutor and agreed to pay almost $36,800 in monthly installments of $500 for the next 72 months (6 years), and spend six months under house arrest.

And I thought universities were supposed to improve the human condition.

USC's motto is palmam qui meruit ferat - "Let whoever earns the palm bear it". USC, it's pretty apparent that you "earned this palm" with your sloppy coding. You should have borne the cost of telling people affected by this vulnerability yourself, not foisted it off onto McCarty.
