
RE: [WEB SECURITY] another good guy is charged



I remember in a law class, my instructor told the class everybody has a
right to be stupid.  However, individuals have to practice due
diligence.  When we provide critical information to others, they have a
responsibility to practice due diligence to protect the critical
information.  How far should an individual go to determine if their
information is protected?

Let's say that a student attends a University and has to provide the
University with critical information.  Should the student be allowed to
attempt to hack the University to determine that their information is
safe?  I think that would be illegal.  However, the University should
provide to the student proof that the student's information is
adequately protected.  However, I am not sure how a University would go
about doing this.  I have audited several Universities in the State of
Maryland and found that their computer security left a lot to be
desired.  The main cause of this is political.  While the IT departments
want to secure the Computer Operations, some of the academic departments
believe this to block academic freedom.  

-----Original Message-----
From: Martin O'Neal [mailto:martin.oneal@xxxxxxxxxxxx] 
Sent: Thursday, April 27, 2006 9:21 AM
To: Michael Simpson
Cc: Web Security
Subject: RE: [WEB SECURITY] another good guy is charged


Hiya,

> If I leave my car unlocked and it gets stolen then the 
> person stealing the car has been bad and I have been 
> stupid.
 
> If I leave my car unlocked and I have left your medical 
> case record sitting in full view on the passenger seat 
> and you then notice this when walking by, why shouldn't 
> you have the right to complain?

However the subtle variations on the second scenario are where the gray
areas occur:

If you have to enter the unlocked car to discover your records...
If you have to break into the car to discover your records...
If there was a design flaw in the car locks that you only knew about
because you worked for the manufacturer...
If you only knew about the records because you were the doctor's
colleague...
Etc...

If an institution breaks the law, then it should be liable.  If an
individual breaks the law, then they should be liable.  In this
scenario, the two things do not have to be dependent, and do not have to
be mutually exclusive.

Having said all that, I know nothing of Eric's case, and this isn't a
comment on his particular circumstances.

Martin...


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
