Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Government The Courts Your Rights Online News

Feds Admit Error In McDanel Security Case 211

prostoalex writes "US federal prosecutors have admitted that an error was made in prosecuting Bret McDanel under the Computer Fraud and Abuse Act. McDanel discovered a security vulnerability on his former employer's server, and seeing that little efforts were put into repairing it, sent out e-mails to the customers of Tornado Development Inc. After the prosecution revised the court materials, they admitted there was no proof that McDanel intended to impair the system's integrity."
This discussion has been archived. No new comments can be posted.

Feds Admit Error In McDanel Security Case

Comments Filter:
  • OK people (Score:1, Troll)

    by Evil Adrian ( 253301 )
    Are we going to be grown-ups about this, or are there going to be a million immature posts about how every hacker that has broken the law should be freed?
    • Every hacker that has broken the law should be freed!
    • Are we going to be grown-ups about this, or are there going to be a million immature posts...

      You're new here aren't you?
      • You're new here aren't you?

        I am new here, you insensitive clod. (Look at the extremely high user ID)

        Also, most hackers like this should be freed. He was trying to do the right thing, even if it meant exposing a weakness and inviting the black hats. Crackers on the other hand, who exploit weaknesses for their own gain should still be prosecuted and punished.

    • Comment removed based on user account deletion
    • Re:OK people (Score:1, Informative)

      As a lawyer, I can tell you that civil suits require damages of some kind. Mr. McDanel caused no damages of any kind to the servers. He did not take down any machines. He did not post exploits to the Internet. Simply put, he is a perfectly harmless individual.

      Frankly, I believe that the justice system fears individuals with computer knowledge. The judges presiding today are the same ignoramuses who have been on the bench since the 1970s. Now, I've been using computers since the 1980s (that's right,

      • As a lawyer, I can tell you that civil suits require damages of some kind.

        IAAS (I am a skeptic).

        The parent poster claims he is a lawyer.

        His website is listed as http://sethf.com/

        On that website, he apologigizes for his HTML with "Quick navigation (I'm a server programmer, not a web-designer ...)"

        On that same page, he describes himself as "Seth Finkelstein - Anti-censorship activist and programmer Seth Finkelstein "

        On that same page, he makes reference to, and links to, a whitepaper he co-wrote. The wh
    • +1 Funny
    • Free Kevin!

      oh...wait...
  • Cold comfort (Score:5, Insightful)

    by Jonathunder ( 105885 ) * on Wednesday October 15, 2003 @07:13PM (#7225182) Homepage
    Little consolation, after serving 16 months in prison, to be told that the prosecution was a mistake.

    But this is a country which has hundreds of people locked up, with currently no prospect of seeing their day in court, or even a lawyer.

    • Wouldn't it be real justice for clueless judges to have to serve similar sentences to the ones they F***ed up on?
      • Wouldn't it be real justice for clueless judges to have to serve similar sentences to the ones they F***ed up on?

        Do you think maybe it should be each of the members of the jury instead?

        • No.
          The judge can set aside a verdict which is an obvious misinterpretation of the law by the jury.

          In the simplest of terms, he was found guilty of damages to their business.

          The damage, however, was not so much to their systems, as the law he was conviced of states is punishable, but to their reputation, as their lawyers argued.
      • Re:Cold comfort (Score:2, Insightful)

        Yeah, 16 months of anal rape might just make the Judge think twice the next time this subject comes up. But I think the prosecutors should also have to go to jail for 16 months, since it was their mistake.
    • Re:Cold comfort (Score:4, Insightful)

      by GreyPoopon ( 411036 ) <gpoopon@@@gmail...com> on Wednesday October 15, 2003 @07:43PM (#7225361)
      Little consolation, after serving 16 months in prison, to be told that the prosecution was a mistake.

      Actually, it could be tremendous opportunity. Let's examine the possible outcomes. Disclaimer: IANAL.

      1. If the conviction is successfully appealed, he can then have his record expunged, so he no longer has to answer "yes" to the job application question "Have you ever been convicted of a felony?" That's a real multipler for success when seeking jobs in the future.
      2. Now that the federal government is "backing" his story of not intending to cause problems with the servers, he may be seen in a more amicable light by potential employers.
      3. I believe he now has amunition for lawsuits against both his former employer and the federal government.
      Having said all of that, I believe the feds should hang their heads in shame for being overzealous and making the mistake in the first place, but should be commended for admitting the mistake. That's a step up for our government.
      • Cool.
        You spent 16 months away from your family, friends, home, job (if you were lucky enough to have one after the tech bust), all the things that define you as you, and then tell me what a "tremendous opportunity" it was.
        No need to explain the 1 and a half year gap in your resume, all the PHBs will see you as one of "those" people.
      • I believe the feds should hang their heads in shame for being overzealous and making the mistake in the first place, but should be commended for admitting the mistake.

        Right... let's see if you still feel the same way when the feds admit they fucked up one day after having [a family member|close friend|you] executed for a murder you didn't commit. OK, yah, I'm being sensationalistic here, but the point is the same. Do you really think he feels better after 16 months in the federal pokey to hear the feds

        • > Right... let's see if you still feel the same
          > way when the feds admit they fucked up one day
          > after having [a family member|close friend|you]
          > executed for a murder you didn't commit.

          I think that I would most certainly not feel the same way if I was executed.

          --
          -JC
      • so he no longer has to answer "yes" to the job application question "Have you ever been
        convicted of a felony?" That's a real multipler for success when seeking jobs in the future.


        Unless you are trying to get a job with the Russian Mafia.
      • Actually, it could be tremendous opportunity... ...he now has amunition for lawsuits against both his former employer and the federal government... having said all of that, I believe the feds should hang their heads in shame for being overzealous and making the mistake in the first place

        What about the opportunity for payback for overzealous prosecutors?

        Sometimes after reading about cases like this, I wonder if there shouldn't be a law which says that if prosecutors over reach -- and especially if there's
    • But this is a country which has hundreds of people locked up, with currently no prospect of seeing their day in court, or even a lawyer.

      I can tell your' glass is always half empty. Locked up, no day in court, no charges, no rights or even fair representation. But do you mention, no bill for staying on a luxurious tropical island paradise?
    • before the damn trial even begins.

      When talking about a computer is punishable by more years in prison than manslaughter, the system is wrong by any damn standards.

      Can he sue for wrongful prosecution?
  • and get thrown in jail? At least they admitted their error on this one. If someone pointed a flaw out in a system I was ultimately responsible for, I'd have him fix it and give him a bonus or something.
    • My brother's friend realized an error in a *very* big company in Toronto. He worked as a purchaser and managed to save the company something around 6 million dollars because of some screwed up process that they used. What did the company do? They told him this: "You broke company policy, don't do it again." Not all companies want to be well run apparently, maybe his company is one of 'em.
  • by Midnight Thunder ( 17205 ) on Wednesday October 15, 2003 @07:15PM (#7225193) Homepage Journal
    According to the article it was only he served 16 months, in fedral prison, that the government decided it was in error. I hope the guy gets some sort of compensation. 16 months for someone who was not guilty of a crime is too long.
    • Well considering all people that get released after 10 or so years on death row without even the apolog... sorry... "admission of error" this guy got, I think he's already been compensated.
    • 16 months for someone who was not guilty of a crime is too long.

      Not according to Ashcroft.
      • 16 months for someone who was not guilty of a crime is too long.

        Not according to Ashcroft.


        Note to mods: despite appearences, the parent post should not be modded "+1 Funny"; it shoudl be modded "+1 Insightful".
    • Well, for one thing, they should eliminate his balance owed for staying in prison. They don't just hold you there, they charge you rent and for supplies.

      Next, they should pay him a lump sum for all of the money he would probably have earned if he hadn't been prosecuted and imprisoned.

      Next, they should refund him lawyer fees.

      Unfortunately, I've never heard of the federal government having to pay punitive damages. I'm not even sure they've ever had to compensate the wrongly imprisoned.
      • I'm not even sure they've ever had to compensate the wrongly imprisoned.
        Hell, if they kill you, they don't even have to give your body to your family. If they kill you and then find out you were innocent, I doubt your family would get so much as an offical "We're sorry."
    • And people wonder why I oppose the death penalty.
    • Hope he can still walk straight rather than being saddle sore :)

      Rus
    • Compensation, im smelling civil lawsuit blood in the water. The fact that the Da screwed up, but Tornado must have pushed it also to deflect blame from themselves. I wonder how many false statements the made to the FBI? There is potential for some nasty fall out here boys and girls.
    • There is no compensation for losing 16 months of your life. He could be awarded all the money in the world and it wouldn't even begin to make up for what they've stolen from him.

      I call this a massive failure of government, and one which is a direct result of an overly complex, ambiguous, highly exploitable system of law, i.e. big government.
  • Well I'm glad (Score:4, Interesting)

    by The Munger ( 695154 ) on Wednesday October 15, 2003 @07:17PM (#7225205) Homepage
    I'm sure most of us have heard of this story by now. It was also covered on The Register [theregister.co.uk] the other day. If I were a customer, I'd certainly want to know about this kind of hole. Does anyone think he caused any grief? He gave notice to the right people, and they still didn't listen. This is like Microsoft ignoring security holes - and we've all heard those stories.

    I think he did the right thing. The only people to lose out appear to be the incompetents who are now forced to fix their mistake.
    • Does anyone think he caused any grief?
      The "Customers" should be happy that they were warned of the security hole.
      "no proof that McDanel intended to impair the system's integrity" How would you impair a system by sending out emails? Wait a minute shouldn't spammers be guilty of the same? and they have to wait 16 months to find this while he was "pounded in the arse". Just great.
      • I agree with you. He didn't cause anyone any grief apart from a bunch of munchkins who needed a kick in the behind. I think it's disgraceful that he was put behind bars in the first place.
    • This is like Microsoft ignoring security holes - and we've all heard those stories.

      Yeah, except Microsoft wouldn't have you tried as a criminal and incarcerated .... Oh wait.

  • Even tho IANAL, I know precedent is much of what law is. What does this really mean for the future?
    In a motion filed Tuesday, Assistant U.S. Attorney Ronald L. Cheng said his office made "an error" in its prosecution against Bret McDanel.
    Does this mean the case doesn't have the same "weight of precedence" (to put it in my own possibly incorrect terms) as a completed court case would? The U.S. Attorney, does it effect laws nationwide now?

    Jonah Hex
    • I'd say that, if anything, this case should now have a weight of precedence in the opposite direction...
  • Been there done that (Score:5, Interesting)

    by segment ( 695309 ) <sil.politrix@org> on Wednesday October 15, 2003 @07:24PM (#7225255) Homepage Journal
    During his trial, prosecutors argued McDanel intentionally caused damage to Tornado's computer server by overloading it with too many messages and impaired the system's security by exposing its vulnerability to the public. A judge found him guilty of unauthorized access and sentenced him to 16 months in federal prison.

    The problem with prosecutors is, they're quick to jump on a case and will do all sorts of stuff to get a conviction. I know because I've dealt with them and have been incarcerated for computer intrusion and electronics eavesdropping. While at trial, federal agents purjured themselves on the stand and got warnings. A federal agent stated "Mr. XXX is wanted for breaking into NSA, FBI, CAI, and Military machines... But he is not being charged with that right now" ... Another so called FBI computer expert stated he didn't understand what an IP address was (no bullshitting as my case and the transcripts are public record). My ISP, my phone company testified I hadn't used the phone, nor was I online at the time it happened. Now if that is not cause for reasonable doubt I'll go on...

    Upon my arrest the agents stated they had been to my previous address of which I hadn't lived at for YEARS. So you mean to tell me, that if you think I attacked some machine, where did you get my information from. If it were via IP they would have come straight to my address via my ISP's logs. Now they had firewall logs with none of my information whatsoever, and they had a sniffer log which recorded the entire breakin. On the sniffer log, nothing shows up remotely all you see are mail connections, then an attack coming from the same host the sniffer log was on.

    Local attack then right? Try explaining that to a jury of 40-50 year old comp-phobic people who's favorite tv show is Judge Judy.

    I was the first case in the Southern District to go to trial, and was told if I take it to trial I would face 10 years. I was offered 1year, then 6 months, then a 6 month split 3 in jail 3 under house arrest. I still fought it. Feds took this as something arrogant, I fought for my rights. Now given I was no angel growing up (sold drugs, stole cars you name early 90'ish) I swallowed it as karma. Appeal? Sure to go through the same thing? Wasn't worth it for me, the impact of the trial is enough to drain you, financial, mentally (if your weak).

    First thing the feds thing coming into my house... High five each other... "Yes we got sil from AntiOffline..." what a scam.

    Its nice to know however the DA was quickly promoted and a whole new cybersecurity *cough political bullshit* department was thrown up in NYC

    So after this post... Let's see how long it will be before my PO calls up and automagically violates me for some bullshit. Meaning I spoke in a manner the feds didn't like. Fuck a fed

    • I call BS. If your case is public record, link us to it.
      • In his post he hints about this:

        http://www.theregister.co.uk/content/55/20547.ht ml

      • Um, just because it's public record doesn't mean it's online.

        You have heard of paper, haven't you?
        • Um, just because it's public record doesn't mean it's online.
          You have heard of paper, haven't you?


          A link doesn't have to be online. It could be a reference number, a place/date/whatever, or something of this kind.
      • You could request for a copy of my case from any legal library or any lawyer could have a copy of the transcripts of the case. PUBLIC RECORD.

        My response to an article about the case [antioffline.com]. Again, I've spent so many sleepless days and nights over it, I don't even bother answering anyone's questions, being that the bottom line is I was convicted.

    • While at trial, federal agents purjured themselves on the stand and got warnings.

      This is a FELONY. If it is really a matter of the written record, as it would be if it were conducted in COURT, **PRESS CHARGES**.

      C//
      • Sure you have a couple million to spare? The feds have deep pockets, and you really don't want them on your ass. Nor will your friends like you much when the feds go to there house and so on and so forth. I lost the case s'all the matters for public record, me on the other hand I don't harbor bad feelings I look at is as politically motivated nothing more. As for fighting, its a losing battle. I had contacted staff at the ACLU, and they wanted to make a public thing about it, I on the other hand didn't want
    • It's a mistake to give a rats ass about anybody's security but your own. Unless you either own the computer or were directly ordered by your boss to secure the computer, it's not your business to care if it's secure or not.

      Don't go around jiggling door handles, and the cops won't bust you for breaking and entering.
    • You should have had a better lawyer.

      I believe you. I have certainly come across officers who routinely lie in court. Some law men feel themselves above the law but see someone who they feel that it is "their turn to go down". The victim concerned has probably committed a number of minor offences but this time are guilty of nothing more than being a PITA to law officers.

      So law officers perjure themselves, knowing that even if their falsehoods are discovered they are written off as nothing more than exce


    • I'm sorry, I have trouble feeling any sympathy for someone who was unjustly prosecuted and chose to roll over and die rather than fight for what's right. Injustice took place, and it could happen again, because YOU let it happen.

      Not that I would take your account of the events at face value, either. If the facts were as one-sided as you present them, it would have taken a conspiracy between the federal agents, prosecutors, judges, jurors, and your own defense attorney to result in prison time.
      • I'm sorry, I have trouble feeling any sympathy for someone who was unjustly prosecuted and chose to roll over and die rather than fight for what's right. Injustice took place, and it could happen again, because YOU let it happen.

        Shows how much you know. Some people don't have the funds to fight the system (which he mentioned). Some people have families to think about. "Mommy, where's Daddy, and why do we live in a shelter?" "Daddy's in jail, honey. He tried to fight the Man and we went broke doing it



    • I read what you have written, and I understand them all, because I had a similar experience.

      I was lucky, that the public prosecutor was a dork, and because I know people in really high places.

      All I did was nothing - in a discussion, I laid out a _hypothetical-case-of-a-possibility-electronic-br e aking_ and then someone snitched on me.

      All hell broke loose, and I had to face what you had gone thru, - sans the sentencing thingy, - but all in all, looking back, I spent more than 500K in attorney's fee alon
  • If I'm not mistaken, the intention of these laws was to lock up the so-called "script kiddies" and such who maliciously broke into and destroyed/exploited computer systems. This guy just published a vulnerability to the company's users, and while it may have damaged their reputation, they certainly didn't have much to begin with after not fixing that flaw.
    • For the prosecutors that willfully witheld evidence or exaggerate seriousness of the crimes to get convictions, lets jail them for the same length of time and to the same facilities as their victims. Should their victims not survive the incarceration, neither should the prosecutors.
    • This is a gigantic problem with lawmakers; they create laws with a particular spirit, but with a letter that is much more broad. These morons don't realize that local prosecutors don't give a shit about the spirit of the law, they simply want to use the letter of the law to put people in jail when they think these people deserve it.

      Congress needs to stop trusting prosecutors, and spell everything out if they really have the intentions they claim.

      Or, tin-foil hat mode, they actually mean to do business thi
  • Boy this sure is a scary precedent. The obvious effect regardless of the end result is that lawyers will tell their clients not to expose security holes. Good for the government for admitting the mistake, but I do believe the damage is done.

    What I want to know is if I expose a weakness in someone else's code, how is it that I'm the one 'impairing the functioning' of the code? I didn't put the security flaw in there. However, I can see a bit of an argument that you are communicating trade secrets, why i
  • by divide overflow ( 599608 ) on Wednesday October 15, 2003 @07:38PM (#7225345)
    This seems like another example of what I would call a Pyrrhic victory. As long as the system can throw someone in jail for 16 months for doing something both legal and defensible then I see little reason to celebrate our freedoms.
    • We have to celebrate the freedom to go into jail whenever we [don't] want!

  • The 16 months that he served constitutes the entire term of his sentence.

    "During his trial, prosecutors argued McDanel intentionally caused damage to Tornado's computer server by overloading it with too many messages and impaired the system's security by exposing its vulnerability to the public. A judge found him guilty of unauthorized access and sentenced him to 16 months in federal prison."

    It's sad that there is not better review of cases in this country. Federal prosecuters should be held to the hig
  • Lawrence Lessig posted some interesting comments about this case in his blog [lessig.org].

    DZM
  • This just goes to further prove the pattern:

    When it comes to computers, the people making laws and doling out punishment haven't the slightest clue what they're doing.

    This is seen over and over, such as DMCA, proabbly parts of the Patriot act, this case, SCO, and I'm sure that there's thousands others.

    Politicals (and lawyers) tend to be PHBs when it comes to computers. They know the buzzwords, as well as "Computer == Windows == Microsoft".
  • I actually submitted this when I first saw it (no I'm not bitter... yes i am..) but in my version I bring up two points.
    1) Should/Will this man be compensated for his time in the pokey. How do you repay a man 16 months in prison? Granted I would have loved to have seen something on the books (e.g. precedent) to stick some real spammers in jail. Good thing this guy had a great attorney.
    2) He had an excellent attorney. For those of you who don't know Jennifer Grannick [granick.com] she is one of the most knowledgable l
  • The feds are supposed to be a bit aggressive on the side of prosecuting, just like defenders are supposed to be aggressive in their defence.

    The real problem is with the judge.
  • I think hell just froze over. Or at least got a good frost.
  • "It is on this principle that the government confesses error in this case," Cheng [the prosecutor] said.

    That's all well and good, but how is this going to help this guy get his life back?

    Are they going to renumerate his legal fees?

    His lost wages?

    His lost reputation?

    Undoubtedly no.

    The guy is ruined from a financial standpoint, unless of course he was a rich man to begin with. He enters an incredibly tight job market in the IT industry with a raltively ruined resume thanks to overzealous prosecution,

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...