"White hat hacker" is a phrase used to refer to an ethical hacker. The main application of ethical hacking is the security evaluation of sites. Responsible disclosure of a vulnerability entails reporting its details to the relevant authorities rather than disclosing it publicly, as public disclosure puts the company in danger because someone might exploit the vulnerability. However, not all site owners are happy to learn about a vulnerability in their site. The following is an example of how even responsible disclosure is not always welcome.
A security researcher, Eric McCarthy, discovered a flaw in the online application system of the University of Southern California (USC) website. The flaw gave a hacker the ability to access and manipulate a database of 275,000 USC student applicant records, which is dangerous because a hacker could copy a student's personal information, such as the social security numbers contained in the registry records, as was the case at the University of Texas at Austin.
In my opinion, his actions were not malicious because he sent an email to SecurityFocus giving details of the website's vulnerability, as opposed to making a public disclosure of his findings, which could have resulted in more harm to the university. The lack of evidence that he used the information he retrieved from the website is also an indication that, save for exposing the vulnerability, he had no reason to hack into the system.
The university, however, had to close down the site for 10 days, which resulted in $140,000 in damages. Although his intentions might have been pure, Eric did break the law by accessing USC's online application system without the permission of the university. He also copied some files containing the applicants' personal information onto his computer (this is not legal regardless of the reason it was done, namely to obtain evidence that the system was flawed).
In conclusion, his conviction will further discourage researchers from looking for vulnerabilities. This will reduce the security of websites, since a vulnerability not being pointed out does not mean it is not there. Assuming that vulnerabilities do not exist simply because you cannot see them is acting like the proverbial ostrich that buries its head in the sand so as not to see the approaching storm. If Eric could access and copy the information, then so can somebody else, which means that without the likes of Eric finding vulnerabilities and pointing them out, the web will be more insecure. Companies will now have to spend their own money to find vulnerabilities.