The kid screwed up. If he wanted to do good, he should have tipped the paper's chief information officer, CEO and top technology reporter anonymously, especially after creating an account. His investigation went way too far to be able to ethically take credit for it.

As far as I'm concerned, somebody dropped the ball at the Times. Hell, they didn't even see the ball. He's embarassed the hell out of the Times. They're scared, humiliated and they want their pound of flesh.

I think he should be prosecuted, but I think his intent should be taken very much into account when it comes time for sentencing. In otherwords, he should not face the same kind of punishment those who cause damage would face (erasing files, selling information, etc, etc.).

Probably a suspended five year sentence with stringent probation requirements and a payment to the Times. I wouldn't want to see him barred from working with computers, but I could see a clause in his probation that would send him up river if he did certain things.

I would be interested to hear what Kevin P thinks would be appropriate. If you do nothing, you'll have hundreds of people thinking it is fine and dandy to go ahead and perform unsolicited security investigations anywhere, anytime. We can't have that, now can we?

-bob

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/6888/22038#22038