This is a fund to support the legal defense of a clever curious teen who found the Nova Scotia government site had all their FOI requests unsecured and looked at them by incrementing a web URL number without malicious intent. Now some politicians want to make him the scapegoat for their lameness in not securing that data with their inadequate security auditing practices and mistakenly making the data publicly available.
Web security professionals test websites like this every day, and any responsible web site operator would have tested and secured this function instead of trying to blame a child for their incompetence. Reference: http://www.cbc.ca/news/canada/nova-scotia/freedom-of-information-request-privacy-breach-teen-speaks-out-1.4621970
I, Dragos Ruiu, have organized one of Canada’s leading information security conferences, CanSecWest, for the last 19 years, and I perform security audits for Western Canadian companies, frequently looking at misconfigurations such as these, and I find this situation outrageous. On behalf of all information security professionals in Canada - we will get these funds to the defendant to support his legal defense while attempting to not compromise his identity and privacy to the best of our ability. Which is more than we can say for the due diligence the Nova Scotia government has shown with their citizens’ information and websites.
We will instruct his legal counsel to apply any excess funds, should there be any beyond legal bills, to paying for education tuition for continuing education at any school for this bright young man with a promising future - who does not deserve the callous treatment he has received to deflect attention from improperly securing the data and servers hosting it. This young man could have just as easily been my son or a colleague and we must all fight this manner of injustice and misunderstanding of internet functions.
What folks need to be wary about with this kind of denial and defensiveness through police from the Nova Scotia government is that this kind of throwback attitude is usually an indicator of an organization with very immature information security. Who knows what kind of other serious vulnerabilities and problems are being brushed under the carpet and being attempted to be hidden if this is how they deal with them? These days industry practice is to reward folks who identify problems and fix them, not to try to hide the issue and deflect blame by arresting them, like this other example of a high-school student who earned a $10,000 bounty from Google for discovering a very similar problem: http://goo.gl/xT8gxK
Please note that should the best of all possible outcomes occur and the prosecution and Nova Scotia government have a sudden inspiration of common sense and the ethical decency to drop the charges, my intent is still to forward any funds collected to this young man. He’s been through enough. He deserves our support, and I certainly hope that comes to pass.
To verify this campaign you may contact me at @dragosr on Twitter or via email at email@example.com
Thank you for your support.
The beneficiary for this campaign has been set to David T.S. Fraser from the firm McInnes Cooper as we were informed by CBC and the National Post reporters who interviewed the young man charged that he was selected as legal counsel for him. A great choice and we wish them the best luck in righting this injustice.