'Hacking' Journalists Case Dredges Up Security Research Legal Debates

A legal storm is brewing between researchers who uncovered a cache of sensitive information about 170,000 consumers through a Google search and the company which left the information freely available online. It sounds like the typical disclosure scuffle that the security research community has come to expect as part of the territory, with the exposed firm threatening to ring up researchers for violating the Computer Fraud and Abuse Act. But this one comes with a twist: the researchers in this incident weren't code slingers, they were word slingers.

The exposed information was discovered by two journalists with Scripps-Howard news service who stumbled into the openly searchable information from data stores held by telecom vendor TerraCom Inc. through Google. Their search came while investigating a story on why so many consumer participants in government-subsidized cell phone program Lifeline -- a program in which TerraCom and its affiliate company YourTel participated -- were having their identities stolen.

"The Scripps News team discovered the unsecured records while looking into companies participating in Lifeline. A simple online search into TerraCom yielded a Lifeline application that had been filled out and was posted on a site operated by Call Centers India Inc., under contract for TerraCom and YourTel,"

Many in the security community say the incident and its legal fallout could stand to draw attention to a more mainstream audience some of the biggest legal and ethical problems facing white and grey hat hackers today.

[Why does SQL injection linger? See

10 Reasons SQL Injection Still Works .]

"I love this, this is a perfect example because what you effectively have here is a very innocent set of research. They stumbled on this data through simple searches," says Trey Ford, Black Hat general manager. "The custodian of this data was not properly managing authorized access. And just because the custodian didn't feel like they wanted this other company or the rest of the Internet to have 'authorized' access to this data, they cited a law that allowed them to hide and sue someone doing something that was ultimately trying to help them out."

But the slippery topic of motivation is what has some other researchers torn on whether the journalists acted appropriately.

"They definitely came up on some very poorly secured information and I completely agree that poorly secured information needs to be pointed out," says Wade Williamson, senior security analyst for Palo Alto Networks. "But I think that when you download all those records and start reaching out to contact people [from those records] for a quote in a story, you're very much using that for your own personal gain."

The split in opinion even among security experts shows how nuanced the perception problem can be in these disclosure cases. For his part, Ford believes the Scripps reporters acted appropriately to get the story out for the benefit of affected consumers.

"I actually appreciate the fact that they took the time to do some user awareness training, saying, 'Hey, you have got information out there, you trusted your information with these people and they didn't manage that, how do you feel about that?'" he says. "I mean, that's effectively what news is at the end of the day."

Regardless of the security community weigh-in, though, the true litmus test could be how the courts decide. If things were based strictly on precedence, things wouldn't look good for the Scripps scribes.

"To me I really don't see much difference between that and the teenagers that get sent down for a long time," Williamson says, "other than saying 'We're doing this for the public good.' A lot of people say they're doing it for the public good."

That's the exact argument that Andrew 'weev' Auernheimer made when defending himself in a case against him spurring from his disclosure of personal details of 120,000 iPad users to media site Gawker after finding a business logic flaw in the AT&T website. He's currently serving three years for his actions.

But if the courts are consistent in their judgments it could mean an extremely negative potential outcome for the industry that only serves to work against the ultimate best interest of companies like TerraCom that pursue legal action, says Marc Maiffret, chief technology officer at BeyondTrust.

"If there are going to be cases where people get in big trouble with potential jail time, it's going to make everybody stop pointing vulnerabilities out and all that means is that the bad guys are the only ones doing it because they don't care about the law," he says. "It's a balance. You want to have a way for good people in the world to not feel like they're going to jail for pointing out something wrong that a company is doing, whether they know it or not."

But the unusual nature of the case and the legal resources of the journalists' news organization could potentially help set a new precedence of its own. According to Ford, the experience of of the Scripps journalists is very dissimilar to the typical researcher because of the professional backstop journalists have in this instance.

"This is a good example of what researchers deal with all the time, the only difference is they don't have the backing of a strong media arm to protect them," Ford says. "There's also a certain amount of protection afforded to members of the press compared to some random Joe Schmuck hacker dude that's trying to say 'I found something, I'm worried for you and I want you to know about this.' When they say, 'what are you talking about, I'm going to sue you,' the journalist says 'I'm going to quote you. Thank you.' There's some level of accountability when you say something like that to a member of the press."

Robert "Rsnake" Hansen agrees that there's a contrast between a journalist's experience disclosing and a traditional security researcher's struggle. He thinks it underscores the difficulties many independent researchers face in order to be heard.

"Precisely because he's a member of the press, it makes it naturally not like every other researcher," says Hansen, Black Hat Review Board member and a long-time fixture in the security research community. "Someone who writes for a magazine or whatever can really shape the conversation in a way that some researcher who may not even speak English very well is trying to explain some very complex thing, and explain a history with a company that may be extremely complicated."

However, if this case does go anywhere, it could potentially benefit the research community if it brings enough attention to the lowlights of the legal framework around computer manipulation and ethical hacking. A big part of the problem is even legally defining what hacking really is.

"My personal definition of hacking is if you can find it through a Google search and it's out there open to the public, that's not really hacking because you're not specifically manipulating the system based on a security weakness to get the information out of it. But that's not necessarily what the law says," Maiffret says. "The law has definitely not evolved with the rate of innovation and the changing of how society is communicating and data is flowing."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.