Network Security Web-App-Sec
Re: Web security breach changes the lives of 119 people

Subject: Re: Web security breach changes the lives of 119 people
Date: Tue, 29 Mar 2005 10:17:41 +1000
Ed,

 Inline.


 On Mon, 28 Mar 2005 15:30:05 -0500, Ed Tracy @ Aspect Security
<ed.tracy@aspectsecurity.com> wrote:
I think it's fair to
assume (or that it's known) that the applicants:

1. knew there was a date in the future upon which they would be receiving
notification
2. identified themselves to the system
3. modified url parms to attempt to access something in the site that wasn't
normally in their interface -OR-
4. submitted a published url that they knew would offer them information
that wasn't supposed to be available until a future date

 I'll agree to that ... 


It's such a trivial thing (modifying the URL) that it is a little
unreasonable for the person performing the action to know
what they were doing was 'wrong'. 

This is exactly what I was referring to when I used the
term, "warped." This is not a trivial thing to people who are not familiar
with the Web. As further illustrated by your analogy to finding $5 on the
sidewalk, I think your expertise has you thinking that this is so easy that
the person just stumbled across it. 

 No, not just stumbled across it, but 'so easy' that it doesn't really
'feel' wrong for the people carrying it out. Clearly, it's not _right_
for them to  do this, and it _is_ something that they should be
punished for, but (of course) the punishment should fit the crime; and
I don't think it does.
 
 
I feel strongly that regardless of how
easy it was to stumble across it, the person still knew that they were
trying to access a part of the website that would provide them data that
they weren't supposed to have access to.

 I agree to it.


 You suggest that if Harvard had done more, or less, it wouldn't 'diminish
their culpability'. Well I couldn't disagree more. As

Then let me ask you.
If Harvard HAD done more...and the applicant tried the url manipulation
without any success, would that diminish their culpability? No, I don't
think so. They still tried to do something wrong.

 What I meant was if the 'instructions' were:

  1) Download <password-cracking-tool>
  2) Download this file: http://foo.harvard.edu/../etc/passwd
  3) Run program
  4) Review "admin" password
  5) Login
  6) View your results and relax!

 Then the punishment should be more than what they were already given. 
 
 There is no possible punishment (unless it's outside Harvard that it
is given) that could be placed on these people. That then suggests
that a person who got into the network via installing a physical
key-logger on some staffers computer, and received his marks would be
given the same punishment (from Harvard's POV). That doesn't seem
fair, does it?


Kinda like our attempted
murder charge in the criminal justice system.

 More comparable to, say, 'attempted reading of a newspaper you didn't
purchase' :)

-- Michael

PS:

It's also appropriate to note that these people probably weren't
exactly 'clear-headed' at the time they did this. Stressing out about
results can be difficult for anyone, and if there is a proposed way to
see your results ahead of time, it'd be hard for students under so much
pressure to resist... Even so, I still think they should be punished,
just not to the extent they were.
