Interesting article today in the Washington Post about some freelance consultants who apparently rummaged through a bunch of Department of Defense computers without authorization. What they found was pretty appalling. But what they did seems pretty appalling too – although the article takes pains not to mention this. Here is the beginning of the article:
Security consultants entered scores of confidential military and government computers without approval this summer, exposing vulnerabilities that specialists say open the networks to electronic attacks and spying.
The consultants, inexperienced but armed with free, widely available software, identified unprotected PCs and then roamed at will through sensitive files containing military procedures, personnel records and financial data.
[…]
ForensicTec officials said they first stumbled upon the accessible military computers about two months ago, when they were checking network security for a private-sector client. They saw several of the computers’ online identifiers, known as Internet protocol addresses. Through a simple Internet search, they found the computers were linked to networks at Fort Hood.
Former employees of a private investigation firm – and relative newcomers to the security field – the ForensicTec consultants said they continued examining the system because they were curious, as well as appalled by the ease of access.
What is amazing to me is that the writer seems to be working hard to avoid pointing out that what these guys did looks to have been unethical and probably illegal. The rule is pretty simple – honest discussion of security vulnerabilities: good; actually breaking into other people’s computers: bad.
True, careful readers of the article might still connect the dots between the description of what the ForensicTec guys did, and the mention fifteen paragraphs later of laws against unauthorized intrusion. But isn’t it the writer’s job to point out such basic connections?
It’s hard to believe the writer and his editor would have missed this obvious point. Yet I can’t understand why they would have chosen to ignore it. Any suggestions?
UPDATE: Within hours of appearance of the above-mentioned Washington Post article, the FBI raided the offices of ForensicTec.