Consultant who exposed flaw on Coleman site fires back

'I did it for all the right reasons,' says Adria Richards

A Minneapolis-based IT consultant is defending her decision to post details of a security weakness she found on former Minnesota Sen. Norm Coleman's campaign Web site in January, a flaw that later resulted in a donor database on the site being compromised.

The database contents were posted on the whistle-blower site Wikileaks on Tuesday, publicly exposing the names, phone numbers, street addresses and e-mail addresses of more than 51,000 Coleman supporters and donors. Included in the data were partial credit card numbers -- truncated to the last four digits -- of more than 4,700 people.

Wikileaks, no stranger to controversy, said it posted the database to substantiate rumors that sensitive information about thousands of Coleman's supporters had been floating around the Internet since Jan. 28.

The database is believed to have been accessed via a weakness on Coleman's site that was first publicized by Adria Richards, owner of Aden Networks, a Minneapolis consulting firm. Because of a basic configuration error, the Web server listed the contents of its directories to anyone who entered the site's IP address in a browser, exposing the names of the files stored there and allowing them to be retrieved. Among the files exposed was the database containing the donor data. Turning off directory listings alone would not have closed the hole: a database export stored under the Web root can be fetched by anyone who knows or guesses its file name, whether or not the server lists it.
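The check a site owner could have run against the misconfiguration described above, as an added example that is not code from the article or from anyone it describes: it parses one HTTP response body, decides whether the page is a server-generated directory index (Apache, nginx, IIS and Python's http.server all title such pages "Index of ..." or "Directory listing for ..."), and flags any linked files whose extension suggests a database export or backup. The sample page is constructed for illustration and is not the Coleman site's output; the extension list is an assumption.

```python
"""Detect an exposed directory listing and flag files that should never
sit in a Web root.

Added example for this article, not code from the page or from anyone it
describes. SAMPLE_LISTING is a constructed Apache-style page, not real
data; SENSITIVE_EXT is an assumed list.
"""
import os
import re
from html.parser import HTMLParser

# Assumed extensions that indicate data exports, backups or database files.
SENSITIVE_EXT = {".mdb", ".accdb", ".sql", ".db", ".sqlite", ".csv",
                 ".xls", ".xlsx", ".bak", ".zip", ".tar", ".gz", ".7z"}

# Titles emitted by common auto-index pages (Apache, nginx, IIS, http.server).
LISTING_TITLE = re.compile(r"^\s*(Index of|Directory listing for)\b", re.I)


class _ListingParser(HTMLParser):
    """Collect the <title> text and every <a href> in a page."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.hrefs = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def parse_page(body):
    p = _ListingParser()
    p.feed(body)
    p.close()
    return p


def is_directory_listing(body):
    """True if the page looks like a server-generated directory index."""
    return bool(LISTING_TITLE.search(parse_page(body).title))


def exposed_files(body):
    """File names linked from the page whose extension is in SENSITIVE_EXT."""
    found = []
    for href in parse_page(body).hrefs:
        # Skip Apache's column-sort links, in-page anchors and the parent link.
        if href.startswith(("?", "#", "../")):
            continue
        name = href.rstrip("/").rsplit("/", 1)[-1]
        if os.path.splitext(name)[1].lower() in SENSITIVE_EXT:
            found.append(name)
    return found


def audit(body):
    """Summarise one response body: is it a listing, and what does it expose?"""
    listing = is_directory_listing(body)
    return {"listing": listing, "exposed": exposed_files(body) if listing else []}


# Constructed sample of an Apache-style auto-index page (not real data).
SAMPLE_LISTING = """<html><head><title>Index of /data</title></head><body>
<h1>Index of /data</h1><pre>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="../">Parent Directory</a>
<a href="donors.mdb">donors.mdb</a>      2009-01-20 10:11   34M
<a href="logo.png">logo.png</a>         2008-11-02 09:00   12K
<a href="old/">old/</a>
</pre></body></html>"""

# Constructed ordinary page for the negative case.
SAMPLE_NORMAL = "<html><head><title>Welcome</title></head><body>Hi</body></html>"

if __name__ == "__main__":
    print(audit(SAMPLE_LISTING))   # flags donors.mdb
    print(audit(SAMPLE_NORMAL))    # not a listing
```

To run this against a live host, fetch the root of each IP address and virtual host with `urllib.request.urlopen` or `curl` and pass the body to `audit`. A hit means two fixes, not one: disable auto-indexing in the server configuration (`Options -Indexes` in Apache, `autoindex off` in nginx) and move the flagged files outside the document root, since a file under the Web root stays downloadable by name even after listings are turned off.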

Richards said she did not access the data herself, but instead posted screenshots and details of her discovery on her own blog, on Flickr and on two other blog sites. In an interview, she said that the decision to publicize her discovery was neither politically motivated nor malicious. Coleman, a Republican, and Democratic contender Al Franken are locked in a bitter dispute over the recent Senate election results for Minnesota. Franken currently leads the disputed race by a razor-thin margin, and the dispute has polarized supporters on both sides.

Richards said she might have done the same thing if the flaw had existed on a Democratic candidate's Web site, noting that she simply wanted to document how she found the information, explain what the problem was and tell others how to protect themselves from potential breaches. "Some people may think I was being unprofessional," Richards said, referring to comments on her own Web site from upset readers.

One person who posted on her site, for instance, wondered why Richards felt "morally licensed to abet criminal action," while another accused her of a "complete lack of conscience."

Richards defended her actions and claimed that no one in the Coleman camp would have responded if she had approached them with the information. In the past, Richards said, she has tried alerting others to similar problems but is usually ignored.

In this case, the details of her discovery involving the Coleman site were largely ignored until Wikileaks posted the database contents. "No one took notice of this until the numbers got released," Richards said. "But I think I did it for all the right reasons. I did think it was better [for] it to be me than someone else," who could have exploited the weakness to secretly steal information.

Coleman's campaign office, which on Wednesday was forced to start informing donors of the potential data compromise, called the incident a "federal crime." In a statement, it said the campaign intends to "fully pursue all legal options available" and is working with local, state and federal authorities to identify those responsible for the breach.

The statement pointed to a Web site crash in late January and noted that concerns had been expressed at that time about whether the site had been compromised. It added that a later investigation by law enforcement officials found nothing to suggest any information had been accessed.

Copyright © 2009 IDG Communications, Inc.
