Tuesday, February 23, 2010

Monday, February 22, 2010

Remember Jr. High Band

Check out who just got busted for a DUI at 9:30 a.m.  KSL link

Wednesday, February 17, 2010

Calling all Takasakis

I am calling on Steve and Jen Takasaki to make a blog. 

It was okay to put it off until Paxson was born. 
Now, the world is calling....

If you support me in this endeavor, please make it known.

Thursday, February 11, 2010

The Strange Case of USC vs. McCarty

The University of Southern California has an enviable reputation as an educational institution, and an endowment of $3.2 billion. It generates half a billion dollars a year in research funding.

The very same USC recently sued a would-be student for $140,000 after he reported some security vulnerabilities on its web site to a security firm.

Eric McCarty is a young guy in his twenties who went to USC's web site with the intention of becoming a student. He says, upon looking at the site, he wasn't sure if USC's online application process was secure enough to protect his personal information.

So he ran a couple of tests and found that the site had a serious vulnerability - a SQL injection could be performed on the home-grown authentication software, allowing an attacker to circumvent the security and access *any* of the forms in the database - a database which at the time contained data on 275,000 individuals.
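As an added illustration, not code from the original post or from USC's software, this is the pattern the post describes: a login check that splices user input straight into SQL, beside the parameterised form that closes the hole. The table, accounts and values are constructed for the demo.

```python
import sqlite3

# Constructed demo data: an in-memory "applicants" table standing in for a
# home-grown authentication store (hypothetical schema, invented values).
# Passwords are stored in the clear only to keep the demo short; a real
# system stores a salted, slow hash (bcrypt, scrypt or Argon2) instead.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE applicants (username TEXT, password TEXT, form TEXT)")
    db.executemany(
        "INSERT INTO applicants VALUES (?, ?, ?)",
        [("alice", "s3cret", "application-0001"),
         ("bob", "hunter2", "application-0002")],
    )
    return db

def login_vulnerable(db, username, password):
    """String-built query: the submitted text becomes part of the SQL itself,
    so a quote or comment marker in the username rewrites the WHERE clause
    and the password comparison can be discarded. Returns the form the
    caller is then allowed to read, or None."""
    sql = ("SELECT form FROM applicants WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_hardened(db, username, password):
    """Parameterised query: the driver sends the values separately from the
    SQL text, so quotes and comment markers are only ever compared as data.
    The same crafted username simply fails to match any account."""
    row = db.execute(
        "SELECT form FROM applicants WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = build_db()
    print("valid login, vulnerable:", login_vulnerable(db, "alice", "s3cret"))
    print("valid login, hardened: ", login_hardened(db, "alice", "s3cret"))
    print("crafted username, vulnerable:", login_vulnerable(db, "alice' --", "x"))
    print("crafted username, hardened:  ", login_hardened(db, "alice' --", "x"))
```

Parameterisation is the fix for the query; limiting the database account the web tier uses to the rows and operations it actually needs is what keeps one such bug from exposing every record in the table.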

McCarty then contacted a reporter at SecurityFocus, which then contacted USC, and informed them of the vulnerability.

Now, California has some excellent laws that detail what organizations must do if personal data is compromised. USC had to follow them - which meant contacting anyone potentially facing data loss or otherwise affected by the vulnerability.

Contacting all these people about the vulnerability cost USC $140,000 - a cost they decided to recover by suing McCarty - the person who originally discovered the breach.

Which is where things get really weird.

According to the FBI, as quoted in SecurityFocus, an email found on McCarty's computer shows that he targeted the school because he was denied admission.

Yet McCarty, judging by SecurityFocus' reporting, appears to have acted without malice and to have done very little - if any - damage with his unauthorized testing of the web site.

Upon finding the hole, he did the right thing - he reported it to responsible, third-party authorities who reported it to USC, ahead of their publication of the problem.

The reaction he would have received had he reported it directly to USC cannot be known. But as the CEO of Authentium, a security software company, I have called in more than a few security alerts and I find companies can be surprisingly blasé about security vulnerabilities - unless threatened with publication. McCarty did the right thing.

And now for the (un)happy ending.

According to the Computer Science Institute, at the time of the suit, Eric McCarty simply did not have the resources to fight USC, so he negotiated a settlement with the university and the State Prosecutor and agreed to pay almost $36,800 in monthly installments of $500 for the next 72 months (6 years), and spend six months under house arrest.

And I thought universities were supposed to improve the human condition.

USC's motto is palmam qui meruit ferat - "Let whoever earns the palm bear it". USC, it's pretty apparent that you "earned this palm" with your sloppy coding. You should have borne the cost of telling people affected by this vulnerability yourself, not foisted it off onto McCarty.*

*Reposted from here.

Monday, February 8, 2010

Just me thinking...

It's 6:31 on Saturday night and I am alone. Katie left at 6:28 to go to her late shift at Macey's. As I packed her a little snack, walked her to the door, gave her a good-bye kiss and watched her leave I was overwhelmed with thanksgiving and love. How did I get so lucky? Have you ever felt so overwhelmed and grateful that you can't believe this is your reality? I have. In fact it happens on a regular basis. Last night I was lying in bed and I thought to myself, "You know, I am in a good position. Life is so good right now." Then sense kicked in my door and proclaimed, "You don't know what you're talking about. You've got no permanent residence, you've got no money, and you've got no job. How could you feel so sure?" I don't know. I just do. I guess that's what you call hope...and maybe faith. I just feel blessed. I know that for some reason, God's grace is shining down on me and I can feel his mercy every day of my life. Do I deserve it? No. Not by any means. Could I live without it? No. Not by any means. I am busier than ever right now and life seems to be in panic mode, but I couldn't be happier. I love my wife and she loves me. We're as happy as could be!

Thursday, February 4, 2010

{insert graduation song here}

Guess who just applied for graduation!!  

*Class of 2010*

Look out world!  Here I come!

(come on economy, i need job)
...dang...