A security researcher was arrested in Florida for publicly disclosing a SQL injection (SQLi) vulnerability in an election web server. Should we be up in arms that they’re demonizing someone helping organizations patch flaws, or upset that the “hacker” is poking his nose where he shouldn’t? Normally, I side immediately with researchers, but this case is a little gray. Watch today’s video to learn why.
(Episode Runtime: 3:51)
Direct YouTube Link: https://www.youtube.com/watch?v=ekX6BYNdGw4
EPISODE REFERENCES:
- Video disclosure of the Lee County server vulnerability – YouTube
- Article about the researcher’s arrest – ZDNet
— Corey Nachreiner, CISSP (@SecAdept)
Travler says
The ZDNet article has a link to this article, which also covers it well:
http://windowsitpro.com/troy-hunts-security-sense/security-sense-when-security-researcher-arrested-there-s-usually-good-reas
Personally, I think Levin goofed when he didn’t report the flaw immediately. As mentioned, once he proceeded from that point, he broke the law.
Corey Nachreiner says
Thanks for the follow-up reference. I like Troy’s take, and saw some of his Twitter comments. I agree. Levin did goof when he didn’t report it immediately. I think he too regrets it, and has learned from it, based on his own response to Hunt.