Fri 11 Jul 2008
Ethics of Information Security
Posted by admin under Ethics
In the first story, a man is charged with hacking USC. He claims to have been trying to warn USC of a security vulnerability. http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=187201428
In the second story, an attacker potentially compromises data on 800,000 user accounts at UCLA. Presumably, UCLA received no warning. http://www.informationweek.com/news/security/showArticle.jhtml?articleID=196603485
Would USC have suffered the same fate if they were not warned? Would they have been better off if they were given the time and opportunity to fix the problem on their own?
In the next post, I am going to give out links to some of my favorite InfoSec sites and tools. Like any tool, none of them is intrinsically Good or Bad. It is not the tool that has the intent but the wielder thereof.
Granted, the following links are likely to be well-known. Many of the people who use them will not be swayed by my words. But for those who are new to the field, I offer the following guidance:
The electronic world is just as real and as important as the physical one. In some ways, it is even more complicated than Real Life because there are few hard and fast rules that will apply to every situation.
1) Respect others. Any site or system or network you interact with was built by the effort and resources of a real person. Others you interact with online are real people.
2) Minimize your impact. Computing resources are finite and each user should take what they need and no more. For a specific example: do not crush a Tor relay with your BitTorrent traffic of stolen movies.
3) Be aware of applicable laws and regulations. Something that may be legal in your home country may not be while you are travelling.
4) Act in good faith. A server misconfiguration that allows you access to private files is not an invitation to read them. You may even want to inform the server admin.
When you encounter those ever-so-frequent grey areas, put yourself in the other person’s position. Think about what you would want and not just from a technical perspective.
Think about the first story. USC is not just another host with a vulnerability. It is an educational institution with a full-time mission. It is, in some aspects, a very large business. It is run by a group of people who wish to sleep soundly at night. It may have some very trigger-happy executives or an overly protective legal team. These parties, regardless of whether you think they are doing the right thing or not, all have a say in what happens on their systems.
Think broadly and carefully the next time you find yourself in that no-man’s land of legal and technical ambiguity.