Information access?

The Business School hack has highlighted issues of definition around access to information. The (US-based) article in The Register by Mark Rasch reports the facts as follows…

  • Some US business schools farm out processing of Web-based applications to a third-party Web company
  • Someone identified a security hole in the system used to process the applications that allows access to personal details without passwords (modified URL - a scripting error)
  • This person (handle: ‘Brookbond’) posts details of the hack and a helpful script on a forum that applicants might be expected to read
  • 119 applicants use the hack to check the progress of their applications
  • The Web server logs contain details of who peeked
  • Different Business Schools adopt different standards when dealing with the applicants – ranging from disqualification to review on a case-by-case basis
  • The Web services company makes no comment about the exploit in public

Rasch runs through the US laws (less relevant to the UK) and then goes on to discuss the ethical aspects of the activities of the various actors. He contrasts physical trespass (nice hotel analogy) with cyberspace trespass.

“The ordinary rules of behavior tend not to apply in cyberspace. For some reason, because we are merely sitting at a computer screen in our own den just typing, we aren’t doing anything “wrong” or criminal. There is a huge tendency to blame the victim – if they didn’t WANT me to break in, why didn’t they have better security?”

I’ll be using a role play based on this example in the Forensic ICT unit…
