Talk About A Security Hole, Go To Jail? 472

Nu11.org writes "According to a SecurityFocus article, 'Federal prosecutors in California went too far when they put a man in prison for disclosing a website security hole to the people at risk from it.'" According to the article, "...by explaining how the vulnerability worked, and why customer data was at risk, prosecutors asserted, the security specialist 'impaired the integrity' of the affected network", citing the case of Bret McDanel and his former employer, Tornado Development, Inc. We've discussed the disclosure of software exploits recently.
  • Federal prosecutors in California went too far when they put a man in prison for disclosing a website security hole

    Guess whose hole will need tight security now ?
    • by e40 ( 448424 )
      Too late, he already served the time.... if you had actually read the article you'd know this!
    • Article's title:
      The Sad Tale of a Security Whistleblower

    • by gnovos ( 447128 ) <gnovos@nospAm.chipped.net> on Monday August 18, 2003 @05:24PM (#6727185) Homepage Journal
      Federal prosecutors in California went too far when they put a man in prison for disclosing a website security hole

      Guess whose hole will need tight security now ?


      Ha ha, prison rape is funny! I'm so glad this country is civilized enough that we can not only condone it, but we can laugh at his humiliation!

      Ha ha!

      Man, I can't wait until society evolves to the point where we can laugh at normal rapes too, especially violent gang rape and child molestation. Ha ha, you got raped at gunpoint while walking to your car, maybe you have AIDS now! Ha ha, your uncle made you stick his little friend in your mouth when you were five, hopefully you are scarred for life!
      • by CausticWindow ( 632215 ) on Monday August 18, 2003 @05:35PM (#6727286)

        Prison rape jokes on Slashdot, or in the pub, is perfectly acceptable, and maybe even funny...

        What's not funny, is that prison rape jokes are considered great material for prime time family entertainment in the US. That's not only disgusting, but fucking scary.

        • by Anonymous Coward
          Yah, but this is America we're talking about! 100% of all our prisoners are guilty, and 100% of those crimes were committed against the laws of God - like those people smoking and eating plants created by Satan. Torture in foreign jails such as those in China is bad because their government is evil and jails good people. Torture in our jails is funny because we know that all our prisoners are evil and deserving of torture.
        • by BlueEar ( 550461 ) on Monday August 18, 2003 @05:54PM (#6727456) Homepage
          Yes, I have to agree with CausticWindow. Somehow the culture evolved so that a man getting raped or having his teeth smashed out to give another prisoner a blow job, is funny. Naturally, nobody would even dare to suggest that if the same happened to a woman that would be funny. But then again, one of the main sources of jokes on TV are men getting punched or kicked in the groin. Again, if a woman was ... you get the picture. So before making another joke like that think how it would sound if you replaced "man" by "woman" and then by "human being" ...
      • I can't wait until society evolves to the point where it's not possible to communicate anything to anyone due to the remote possibility of offending someone somewhere somehow. Actually, I think I *can* wait.
  • Gee, thats swell (Score:5, Insightful)

    by gizmoiscariot ( 442386 ) on Monday August 18, 2003 @05:12PM (#6727042)
    Makes you not want to even bother saying anything. Wait till the rest of the world decides that and you have security holes everywhere.

    Of course, can you have holes within holes?
    • Of course, can you have holes within holes?

      Of course! You just can't have a bag of holding [hexgrid.com] in one.

    • by sustik ( 90111 ) on Monday August 18, 2003 @07:58PM (#6728445)
      The following tidbits were turned up by a little search on the web.

      The FBI says that: "COMPUTER SPAMMER SENTENCED TO FEDERAL PRISON". Yes, they advertise the conviction of Bret McDanel as a spammer sent to jail:
      http://www.fbi.gov/fieldnews/march/la032503.htm

      The San-Diego union tribune(?) writes that:
      "Prosecutors allege that McDanel hacked into his former employer's server and sent thousands of e-mail messages at practically the same time, forcing the company to shut down its computer system in August and September 2000." Link:
      http://www.signonsandiego.com/news/business/20020612-9999_1b12hacker.html

      In the FBI note there was no mention of the security bug at all they said:
      "Additionally, the emails he sent contained a link to a web site he had created where he revealed confidential information about Tornado technology that McDanel had learned while employed there."

      Now that is such a selective disclosure of information that I am inclined to equate it with telling an untruth. (Just like printing that some John Doe killed several people in 1967 and he is still not behind bars, omitting that he was acting in war...)

      What alarms me is that he was found guilty on spamming charges which damaged the mail server while that seems not to be the basis of his ex-employer's discontent. I guess the prosecutor was not interested in bringing out the truth but rather just having a conviction based on the "Computer Fraud and Abuse Act" on his resume.

      Note that the company (Tornado) went out of business.
      • by DNS-and-BIND ( 461968 ) on Tuesday August 19, 2003 @01:44AM (#6730388) Homepage
        I can confirm that Bret McDanel is no hero. He's actually quite an asshole. The kind of guy who spits out a nasty insult about reading the man page when you ask him how to set up a VPN so you can help a customer. He seemed to really enjoy carrying grudges against people. I had the distinct displeasure of working with him at Tornado, I was the on-duty sysadmin when the attack occurred, and I was one of the witnesses at the trial against him.

        Bret was not prosecuted for revealing a security vulnerability. He was prosecuted for DOS'ing our server. He sent 14,000 emails to our system, and it overloaded and stopped accepting mail. He did this several times, and knew it overloaded the system when he did it, and knew the FBI had been called after the first time, so nobody needs to feel sorry for him. Holding him up as a martyr or hero is just asinine, but it speaks volumes about how our media works these days.

        Of course, there's plenty of culpability to go around...the main server was a Sun Enterprise 4500 with 4x450 CPU and 4Gb RAM. A machine like that should swallow 14,000 emails without a trace. Of course, Tornado's brain-dead custom system implementation meant that every single incoming email spawned off an SQL script to take the message apart and inject it into the database, and a shell process to control the SQL script. The system load went over 100. I had to write a script to kill off all the processes. Since the load was so high, sendmail stopped accepting incoming mail and the rest of the spam piled up on the backup server, where it was rm'd. So, it was Bret's fault for spamming us, but it was Tornado's fault for such a painfully bad email processing method. This actually raises the most interesting question of all, is it a crime to knock down a system that was incompetently implemented?

        Of course, the email system was not the only part of the system that was breakable...we had system outages several times a week from different causes, and really, the Bret thing was not that bad, being in that it was easily identifiable and fixable.

        Another fun thing was that Tornado initially claimed $300,000 in losses from the incident. This is important because the FBI will not get involved with anything under $50,000. This figure was later reduced (much, much later) to $9,000. Oh yeah, what else...Tornado's great email implementation also meant that we had to run an open relay, which was frequently abused. We sent out hundreds of thousands of nigerian bank account emails. A manager who took a stand and turned off the relaying one weekend was demoted and ultimately fired. Basically Tornado was a bunch of Windows developers who couldn't use Windows to implement their custom email/fax/paging application because Windows wouldn't scale to the sizes they needed. So they had to use Unix, and they didn't know anything about Unix, and they made just about all of the predictable errors that the ignorant make.

        In conclusion, it's scary that every time this story comes up, there's a different (wrong) angle on it.
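The collapse DNS-and-BIND describes (one SQL script plus a shell process per incoming message, load over 100, sendmail refusing mail) is a capacity design problem, and the contrast is easiest to see in a model. The following is an added example, not Tornado's code and not from the SecurityFocus article: a small Python tick simulation comparing spawn-per-message intake with a bounded worker pool that defers overflow (the way an MTA returns a temporary failure rather than letting the host fall over), plus a per-sender burst check of the kind a mail operator would alert on. The sender names, message counts and tick values are constructed.

```python
"""Added example: spawn-per-message intake vs. a bounded pool, in a tick model.
Not Tornado's implementation; the traffic below is constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    sender: str
    arrival: int  # tick at which the MTA hands the message to the processor


@dataclass(frozen=True)
class Stats:
    peak_workers: int  # most concurrent processors alive at any tick
    accepted: int      # messages taken into the queue
    deferred: int      # messages refused with a temporary failure (retry later)


def simulate(messages, max_workers=None, max_queue=None, service_ticks=5):
    """Run the intake model. max_workers=None means 'spawn one processor per
    message immediately' (the design the post describes); a number caps the
    concurrent processors and overflow waits in a queue of at most max_queue.
    When the queue is full the message is deferred instead of being accepted."""
    arrivals = defaultdict(list)
    for m in messages:
        arrivals[m.arrival].append(m)
    last_arrival = max(arrivals) if arrivals else -1
    running = []      # completion tick of each live processor
    queue = deque()
    peak = accepted = deferred = 0
    tick = 0
    while tick <= last_arrival or running or queue:
        running = [done for done in running if done > tick]   # reap finished
        for m in arrivals.get(tick, []):
            if max_queue is not None and len(queue) >= max_queue:
                deferred += 1
            else:
                queue.append(m)
                accepted += 1
        while queue and (max_workers is None or len(running) < max_workers):
            queue.popleft()
            running.append(tick + service_ticks)
        peak = max(peak, len(running))
        tick += 1
    return Stats(peak, accepted, deferred)


def burst_senders(messages, window=10, threshold=50):
    """Detection side: senders that delivered at least `threshold` messages
    within any `window` ticks, found by sliding over each sender's sorted
    arrival times. This is the signal an operator would log and alert on."""
    by_sender = defaultdict(list)
    for m in messages:
        by_sender[m.sender].append(m.arrival)
    flagged = set()
    for sender, times in by_sender.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] >= window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(sender)
                break
    return flagged


def constructed_sample():
    """Constructed traffic (not real data): one ordinary message per tick for
    60 ticks from five users, plus 500 messages from one sender at tick 10."""
    background = [Message(f"user{t % 5}@example.org", t) for t in range(60)]
    burst = [Message("bulk@example.net", 10) for _ in range(500)]
    return background + burst


if __name__ == "__main__":
    sample = constructed_sample()
    print("spawn-per-message:", simulate(sample))
    print("bounded pool:     ", simulate(sample, max_workers=8, max_queue=100))
    print("burst senders:    ", burst_senders(sample))
```

With the constructed sample, the spawn-per-message model reaches 505 live processors at tick 10, which is the "load over 100" situation in the post scaled down; the bounded pool never exceeds 8 workers, takes 159 messages and defers 401 for later retry, and the burst check singles out the one sender responsible. The numbers are only meaningful relative to each other, since the tick model ignores memory and I/O.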

        • Well, people shouldn't have to go to jail because they're assholes.

          Okay, he sent a lot of mails. Would he have received the same sentence if he was a garden variety spammer?

          Clearly it has something to do with the content of the mail or with the intent of the "attack".

          If it disclosed some confidential information, it could be tried in a civil court I guess, if there was a confidentiality clause in his contract which was still in effect. But even then, he could be considered a whistleblower.

          The only thing
  • by phaetonic ( 621542 ) on Monday August 18, 2003 @05:12PM (#6727043)
    When doing wireless security assessments, I've noticed neighboring companies with unencrypted WEP access points, but I don't bother telling them because of this sort of thing.
    • by The Kiloman ( 640270 ) on Monday August 18, 2003 @05:32PM (#6727253) Homepage
      Would you like to explain how someone manages to have Unencrypted WEP? That's kind of like saying that they have some dry water.

      WEP is encryption. I think you meant to say they had unencrypted networks, or networks without WEP.

      Why do I get the feeling that your 'security audits' involve looking for an open connection with which to connect to Kazaa?
    • by jc42 ( 318812 ) on Monday August 18, 2003 @05:36PM (#6727293) Homepage Journal
      Yeah; it's not a good idea to tell people that they have weak security. For a really good example, ask google about "Randal Schwartz". His story is going onto a decade now, and still isn't over.

      Basically, he had done a lot of consulting work for Intel, and they gave him permanent free accounts on some machines to use as he wished when not on a contract. He saw a new company doc about how to deal with poor passwords. So he thought he'd help them out by nabbing a few password crackers off the Net and applying them to nearby machines. He found that some company VPs had easily-guessed passwords. While he was writing up a report, the sheriff showed up at his door with an arrest warrant. He is now a convicted felon.

      Reading between the lines, it seems pretty clear that the people in the legal system think this is ridiculous, and it's really Intel who should be convicted and punished. But there seems to be little that can be done about it. As the judges read the laws, following the company's published guidelines and testing security is a felony, no matter how stupid that sounds. Telling people in the company that their VPs are violating the company's own security rules is also a crime.

      So if you find problems, the best practice is to keep quiet about it.
      • Where in this did he contact Intel about his intentions? From what you write here it sounds like their internal security team noticed his trespass and reported it to the correct authorities.
        Running password crackers on a company network without written authorization is Criminally stupid.
      • by legLess ( 127550 ) on Monday August 18, 2003 @06:59PM (#6728061) Journal
        Not to pull a wet blanket over your martyr story (and not to slam Randal, 'cause I don't want to get punched at the next Perl Mongers meeting), but you're leaving out some important details:
        • Intel caught him and told him to stop. He continued.
        • He actually used some of the passwords to login, although he didn't change or grab any data.
        • None of this was directly related to performance of his duties as a contractor.
        I think Intel was merciful the first time, cause they could have nailed him then. The end result is awfully harsh and all out-of-proportion to the harm caused, however he was by his own admission doing something illegal that he'd been warned not to do.

        This case is similar. Yes, the prison sentence is crazy for the crime, however what this guy did was stupid. He was clearly going after the reputation of his former employer: if he'd been motivated only by the good of the customer, he would have sent the email while on the job. Also, he could have just warned folks without publishing exploit details.

        This is a problem many geeks have -- getting nailed for doing something technically correct but socially unacceptable. Most of the rules that run the world aren't written down and never will be. You can be technically correct and still wrong wrong wrong.
  • Hmmmm (Score:5, Insightful)

    by mao che minh ( 611166 ) * on Monday August 18, 2003 @05:12PM (#6727048) Journal
    That's a pretty tough one. The guy made it public knowledge that there was a flaw in the Tornado system (sending emails to all of the employees and even making a webpage that detailed the flaw), and even demonstrated how to exploit the flaw (on said web page). Normally demonstrating flaws and exploits shouldn't be an issue - but this guy showed an actively vulnerable target to the world and told them how they could crack it. That wasn't a very bright thing to do.

    He reported it to management, like he should have. He should have left it alone there.

    • Re:Hmmmm (Score:2, Interesting)

      by mrcparker ( 469158 )
      From the article:

      He could have explained to the customers that their information was at risk, without revealing quite so much detail. But according to the government's theory of liability, this would not have prevented his prosecution. Moreover, as is frequently the case with security vulnerabilities, this likely would have prompted a quick denial by Tornado that any such bug existed -- and they may or may not have fixed them.


      It looks like just saying that there was a flaw would have gotten the guy thr
    • by burgburgburg ( 574866 ) <splisken06.email@com> on Monday August 18, 2003 @05:26PM (#6727204)
      a) The company did nothing about the flaw for over six months after it was reported
      b) They continued to advertise their webmail services as secure despite knowing that they were vulnerable.

      He should get all of the users of the service together and class-action sue Tornado for knowingly lying to them about the security of their service.

      • by Anonymous Coward on Monday August 18, 2003 @05:47PM (#6727400)
        I think both of those things point to a better course of action. While, personally, my opinion on bug disclosure is tell the vendor, wait two weeks, then tell the world--another, safer, avenue WAS available.

        Simply call the State Attorney General and try to open a fraud case. They are advertising a secure service while knowingly ignoring large security holes. It's simple fraud. And are you going to go to jail for talking to the Attorney General? Who exactly is going to prosecute you? It's the safe choice.

        Nevertheless, I believe he had the absolute right to do what he did. He just could have chosen a safer, smarter path.
      • by sumbry ( 644145 ) on Monday August 18, 2003 @06:18PM (#6727671) Homepage
        It's not that you're forgetting a few things, it's that you're forgetting one major thing. He discovered this exploit while he worked at the company. It doesn't matter that he felt the need to alert the world to this exploit after he left, he gained this knowledge while employed there.

        In the same way that you can't work at a company, learn its trade secrets, and then jump ship to another company, and disclose all of their trade secrets (similar to an NDA except this pretty much applies anywhere you work) you also can't gain knowledge of security exploits while you're under their employment, leave, and then tell the entire world about it.

        The feds were completely right in going after this guy. Some of you are being blinded by the security aspects of this, and I would argue differently if he had never worked at the company in question and discovered this exploit as an outsider, but that is not the case.

        He got what he deserved. I've worked at tons of companies where to this day I could tell you any number of ways to get back into their networks. Am I going to do that? Hell no. My best course of action is to alert the company of the exploit, and walk away.

        That's exactly what he should have done. He didn't, and he paid the price.
        • by Darth_Burrito ( 227272 ) on Monday August 18, 2003 @08:01PM (#6728462)
          you also can't gain knowledge of security exploits while you're under their employment, leave, and then tell the entire world about it... The feds were completely right in going after this guy.

          This sounds very much like a civil matter. An NDA would definitely be a civil matter. Why would the feds be involved at all?
        • by Darth_Burrito ( 227272 ) on Monday August 18, 2003 @08:20PM (#6728583)
          Sorry to double reply but here's another point. If we were talking about a guy working for a tobacco company who found out the company was deliberately making their product more addictive while running a PR campaign saying the cigarette smoking was safe, would we even be having this debate?

          I agree that the guy's actions sounded malicious, but when it comes down to it, he was a whistle blower. He demonstrated that the company continued to advertise its services as secure even while they knew about a blatant security flaw which they did nothing to fix for six months.
    • Re:Hmmmm (Score:5, Interesting)

      by wytcld ( 179112 ) on Monday August 18, 2003 @05:47PM (#6727396) Homepage
      There's a question of whose data was at risk. In this case, it was the customers who had data at risk. His notifying them was proper to the cause of enabling those with possibly sensitive data to protect it. To repeat: It was not the data of the e-mail provider that was at risk, it was instead data belonging to the customers, and the provider which was putting that data at risk.

      Define the "system" for purposes of interpreting the law in virtual terms, as a data-space. Consider that primary rights in that space belong to whoever leases it. If you break into a business office, the breakin is against the occupant of that office, not the landlord. And if you discover that the landlord has left the master key to the building's offices where thieves can make copies, your moral responsibility is to the tenants, to warn them the locks are insecure, rather than to the landlord, to help cover up the collusion with thieves.
    • by kfg ( 145172 ) on Monday August 18, 2003 @06:03PM (#6727558)
      you're using the system password as part of your data security on your Win98 box.

      Did you know that the entire password system can be aborted by simply hitting escape?

      Have I just commited a federal crime, and if so, why?

      KFG
    • Re:Hmmmm (Score:3, Insightful)

      by u19925 ( 613350 )
      So how come, nobody is prosecuting a person who discovered hotmail security flaw? that was the easiest to exploit and he showed it to everyone about how to exploit it(see this story [securitytracker.com]). just go to hotmail website using the link information provided and you will be able to reset anyone's password that you wanted to and get a new password delivered to whatever email you wanted to. what is more, the inventor falls in classic "terrorist" profile of FBI/CIA: a muslim male in 16-45 years range from Pakistan.
  • it's wrong (Score:2, Interesting)

    by Tomji ( 142759 )
    but he did kinda take extreme measures. But they did even worse by deleting the mails
    • Re:it's wrong (Score:4, Informative)

      by Aadain2001 ( 684036 ) on Monday August 18, 2003 @05:50PM (#6727425) Journal
      I don't think he took extreme measures at all. IMHO he took the next logical step. He showed it to his boss. They did nothing. Since he was no longer in a position of influence at the company (like he ever was before) he talked to the next logical group of people: the people directly affected by this. If he had posted this to /. or had sent it out to the underground hacker rings he would have definitely gone too far. But he only informed those most at risk for the company's screwup: the customers. The company is lucky he didn't report it to any big bug tracking organizations. A lot of people read that, both white and black hat hackers.

      I say that if a company does not actively seek to fix a security hole within a reasonable amount of time, they deserve to be humiliated before their customers like this. The guy was only trying to put the customer first, and not the company's reputation. Hell, the customers could probably sue the company since they knew they weren't secure but kept advertising that they were. Damn marketing droids.
  • by TWX ( 665546 ) on Monday August 18, 2003 @05:13PM (#6727059)
    Well, if it's too dangerous to disclose security holes when they know who you are, do it anonymously on Slashdot. That'll sure get their attention...
    • Interesting indeed. (Score:5, Interesting)

      by FreeLinux ( 555387 ) on Monday August 18, 2003 @05:33PM (#6727260)
      That would be a very interesting exercise. It would be fascinating to see just how fast OSDN would roll over and cough up the "Anonymous" IP address to the feds.
  • by Mad-cat ( 134809 ) on Monday August 18, 2003 @05:13PM (#6727065) Homepage
    Nice network you got there. It'd be a shame if something happened to it. Like a security hole getting exploited, right Vinnie?
  • USA ... (Score:2, Funny)

    by Anonymous Coward
    ... the land of free speech.
  • by zoloto ( 586738 ) on Monday August 18, 2003 @05:15PM (#6727080)

    To put McDanel in jail, the government adopted a rather unique interpretation of the federal computer crime statute.

    The applicable language in the Computer Fraud and Abuse Act make it a crime to "knowingly cause the transmission of information and as a result of such conduct, intentionally cause any impairment to the integrity or availability of data, a program, a system, or information without authorization." Ordinarily, this is used to go after people who distribute worms or viruses, mailbombs and Trojan horses: things that actually shut down or affect the computer system itself


    Isn't this going a little too far? I thought a suggestion box was always welcome, or even a public message board where people could leave suggestions was A Good Thing(TM).

    I may have been wrong. But this isn't right. no sir, it is not.
  • by BrynM ( 217883 ) * on Monday August 18, 2003 @05:15PM (#6727086) Homepage Journal
    His big mistake was e-mailing the customers. On top of that, he shouldn't have directed users to his own site. True: the company screwed with the customers further by deleting their e-mail, but he should have found a better third party to apply pressure with. Messing with a company's customers is like talking smack about someone's Mom. It will get you into a fight.

    Does anyone have any ideas as to what alternative third parties would be good for this kind of whistle blowing?

    • by rossjudson ( 97786 ) on Monday August 18, 2003 @05:57PM (#6727477) Homepage
      Excuse me, but exactly WHY do you think he shouldn't have emailed the customers? We have the right in this country to say whatever the fuck we want, to whoever we want to say it to. And the point of the justice system is exactly that: Justice. It's not supposed to be about who has the most money -- it's supposed to be about who's right.

      This guy didn't do anything wrong. If you're not revealing classified information you can say whatever the hell you want. What we're dealing with is a vicious, stupid, unethical prosecution, if the facts in the security focus article are accurate.
  • by AgentOJ ( 320270 ) on Monday August 18, 2003 @05:16PM (#6727094)
    One thing not mentioned in the article was where he got the list of email addresses of the Tornado clients. If he had taken this information when he left Tornado, there could be legality issues involved there as far as client privacy goes. Perhaps that weighed on the jury's decision...
    • Stealing the customer list from an employer, leaving the company, and then using the list is cause enough to throw someone in jail. Normally such people are fined, but when coupled with an "I know how to hack into you." threat, it gives a justification. If you don't wanna be thrown in jail, don't be a criminal.
  • Obligatory (Score:5, Funny)

    by Faust7 ( 314817 ) on Monday August 18, 2003 @05:16PM (#6727095) Homepage
    Talk About A Security Hole, Go To Jail?

    Man, 90% of Microsoft's employees must be working out of prison...
  • Stupid! (Score:5, Insightful)

    by Anti Frozt ( 655515 ) <{chris.buffett} {at} {gmail.com}> on Monday August 18, 2003 @05:16PM (#6727098)

    This is so stupid. If we were to leave the finding and patching of security holes, etc. to the companies in question, attacks, virii, etc. would be even more prevalent than they are today. By increasing the number of sources for reporting these flaws to basically the population of the world, we significantly increase the chances that these problems will be discovered before they can be exploited.

    The DMCA (which IIRC correctly makes pointing out security flaws illegal) needs to be severely looked over or things like the MS Blaster virus are only going to be the beginning of a much larger, nastier problem. Thankfully, it's only applicable in the U.S.

    • Viruses... virii is the misspelled Latin plural for -Man- or Vir. In Latin the word virus had no plural, since we pluralise it in English, we use English rules for pluralising it making the plural of the word virus "viruses".
    • The DMCA (which IIRC correctly makes pointing out security flaws illegal) needs to be severely looked over ...but written out "which if I recall correctly correctly makes pointing out security flaws illegal" it sounds like the last correctly means that to make pointing out security flaws illegal was correct, but from the context you obviously meant the opposite. Or maybe it's just me reading slashdot past midnight, either way it's time to head to bed.

      Kjella
  • 1984 (Score:5, Insightful)

    by spoonist ( 32012 ) on Monday August 18, 2003 @05:17PM (#6727105) Journal

    Obligatory 1984 paraphrase:

    This is doubleplusungood.

    Also, to quote Winston Smith:

    Thoughtcrime does not entail death: thoughtcrime IS death.
    • Re:1984 (Score:2, Funny)

      by Anonymous Coward
      Right, because this is JUST LIKE having your face eaten by rats and drinking Victory Gin. Jay-sus, do you pull out your Orwell for EVERY YRO STORY?
  • In other words... (Score:5, Interesting)

    by Dog and Pony ( 521538 ) on Monday August 18, 2003 @05:18PM (#6727125)
    "Sir, if you don't lock your car, someone could steal your stereo."

    "Officer! Arrest this man! He has figured out a way to steal my stereo!"

    Sigh. Some people are just too stupid to live.

    • by gl4ss ( 559668 ) on Monday August 18, 2003 @05:45PM (#6727375) Homepage Journal
      a bit proper way:

      -"Mr. Locksmith, your locks suck, they can be opened with a straw"

      -"grumble grumble*snooze* yeah whatever"

      -> 6months.

      -"Mr. Locksmith, your locks still suck and you advertise them as secure! I can't stand it anymore, I must tell your clients that they can't trust your locks!"

      -"ah lad, you're going to prison then!"

      actually.. the company itself did something illegal as well (deleted mails, which can be in some places a much higher crime than telling how to get to those mails because it is in effect a breach of the communications secrecy the customers expected). speaking of the vulnerability to anyone else than the customers would have been more malicious as well (posting on a security webpage or similar). i'd be making investigation requests (on why they manipulated the mail) if i was a customer of that said company..
  • summary (Score:5, Funny)

    by kaan ( 88626 ) on Monday August 18, 2003 @05:21PM (#6727150)
    guy: "you're using Microsoft products, right?"
    customer: "yes, that's correct"
    guy: "well that's a huge security hole!"
    customer: "no way! we have to keep this secret! come on Jeff, let's put this guy in jail before he tells anyone else!"
  • by burgburgburg ( 574866 ) <splisken06.email@com> on Monday August 18, 2003 @05:22PM (#6727158)
    for this administration. This so meshes with the Ashcroft security paradigm.

    No more of these disruptive "warnings" of vulnerabilities. If you warn people about the real dangers they face instead of giving them vague color-coded faux-warnings, then the terrorists win.

  • RTFA. (Score:5, Informative)

    by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Monday August 18, 2003 @05:23PM (#6727163)
    He actually could have done it in a more subtle way. Doing jail time for what he did is harsh and so typically US-insane, I agree, but he actually did probably break the law nevertheless.
  • by Montgomery Burns III ( 642155 ) <montgomery-burns&zaqz,com> on Monday August 18, 2003 @05:23PM (#6727171) Homepage Journal
    In order to obtain a security certification, I had to write a paper on an aspect of security(insecurity).


    I chose to write in detail about the particular implementation of a Remote control software for Windows. In order to demonstrate that I was not a loser, I needed to include packet traces, hex dumps, etc. to show detail of the password storage mechanism of the software in question.
    To be honest, I was nervous submitting this paper.... It would be nice for people to be able to disclose such information without having to worry about joining the Witness Relocation Program.
  • As someone said either today or yesterday, quoting someone else :), "No good deed goes unpunished."

    Everybody wants something. Apparently the company wanted to be left alone, even in its broken state, and it wanted more money.
  • Picture this: I walk by my bank at midnight while walking my dog, and I tug on the door to find it unlocked. I then write a letter and deliver it to the bank manager the next day. The letter says: Your bank is unlocked at midnight. It may be possible for someone that is not authorized to walk in.

    This is a non-cyber version, but is it different?

    I suppose there are a couple of possible things that might happen:
    • The bank manager finds that there is $2,000 missing and decides to pin it on me because I know ho
    • Post a H4X0r site detailing how to get pasta security hole

      Pasta Security Hole? Sounds yummy.
    • Bah.

      If you notice the door open, you quietly tell the bank manager.

      What this guy did after telling the manager was, in effect, to put up a big sign explaining that the bank doors were always accidentally left open at night and oh, by the way, the cash is in the safe at the rear left of the bank, which may also be unlocked if you'd like to look. He then contacted all the bank's customers to tell them where to find the sign explaining all this. And, the sign was actually put up right along a rather large
      • Still, the point is that if I was a customer at said bank, I would very much like to see that sign and immediately close my account with the bank and move to some place that will secure my money at least a bit. And I would personally thank whoever posted this sign.
  • I feel for the guy, but if he was genuinely interested in the welfare of his former employer's customers, wouldn't it have made more sense to contact someone (even a friend) at the company and give them a heads up?
  • by jmors ( 682994 ) on Monday August 18, 2003 @05:33PM (#6727254)
    I particularly like this section of the article...

    The government argued that the message was incorrect, useful to would-be attackers, and was intentionally designed to give Tornado trouble.

    Either the message was incorrect (which would render it useless to would-be attackers), OR the message was CORRECT if indeed the message could be useful to would-be attackers. I see a real contradiction in the government's argument here (yes I know, big surprise eh?).

    Does this mean that when Microsoft issues a report warning of a vulnerability in their software and exactly where it is and what the vulnerability can cause along with a security advisory that they are breaking the law?

    This, IMHO, sets a very dangerous precedent. It reminds me of another Reuters article I read today concerning corporate whistleblowers having trouble continuing their careers in other companies after exposing illegal activity.

    The Matrix is real... but I'm only visiting!

  • So basically (Score:5, Interesting)

    by phorm ( 591458 ) on Monday August 18, 2003 @05:33PM (#6727262) Journal
    He went to jail for sending emails? Perhaps he should have just sent a death threat to somebody by email; it probably would have netted him less time.

    Seriously, more and more nowadays you read about people being incarcerated for defying authority, the government, or worse: corporations. Real crime is being pardoned, especially corporate white-collar criminals, while the jails are being filled with people just trying to exercise their rights.

    America strikes me as a very odd country. There, you have a right to bear arms, based on the revolution against the government some time ago. Yet somehow, say one wrong thing against the government, or against their sleazy funders (big business), and you're screwed. Give us another 10-15 years, and the crime for whistleblowing will be more than murder - and you'd be better off solving your problems with a gun than making an honest attempt at helping your fellow countrymen.
  • California? (Score:5, Informative)

    by sleepingsquirrel ( 587025 ) * <Greg@Buchholz.sleepingsquirrel@org> on Monday August 18, 2003 @05:36PM (#6727288) Homepage Journal
    I thought that by law they had to disclose security breaches [slashdot.org]? Here's another relevant article [crblaw.com].
    The law requires all businesses that own, license or maintain any "computerized data" that contains "personal information" to disclose any breach of the security of such database to any California resident whose personal information was, or is reasonably believed to have been, acquired by a hacker
  • by DarthBobo ( 152187 ) on Monday August 18, 2003 @05:37PM (#6727295)
    It's interesting that other professions actually have a duty to inform others of their vulnerability - while in IT you can be punished for it.

    As a physician, if I find that a patient presents a danger to another person (for example, a man has a psychotic break and intends to kill his wife), I have a legal and ethical obligation to inform that person (whom I have never met.) If I fail to do so, I can be thrown in jail.

    It's not hard to envision a future scenario in information security where one could have legal obligations both to inform and _not_ inform -- thus finding a security hole would guarantee punishment no matter the road taken.

  • This would be like somebody taping a sign to the front door of a video store that says, "The lock has fallen out of this door. You should fix this, or thieves could enter in the middle of the night and steal from you." I suppose to complete the analogy, you should assume that the shop owner does not have the correct tool to fix the lock.

    In both cases, making a general alert -- while maybe not the best thing to do (a private note to the owner would always be a better idea) -- still doesn't amount to anyth
  • by YoDave ( 184176 )
    Isn't this type of action protected by whistle blower protection laws?
  • only in the USA (Score:3, Insightful)

    by selderrr ( 523988 ) on Monday August 18, 2003 @05:42PM (#6727347) Journal
    I don't intend to troll, but in this case, the truth IS a troll. In the FUD-ruled USA, only officials & big corps are allowed to FUD. Any individual or small organisation that spreads FUD is considered a threat. Probably to prove that the govt is not allowing FUD.

    The only way to disclose security holes is by letting big corps do it, or by doing it as anon as possible. Currently, Europe is a tad better, but I expect this evil practice to fly our way in no time, as DRM is apparently doing. Sigh. It's so sad to see capitalism failing. I guess this must be a bit how the commies felt after they were proven wrong. Our only hope is that the future will come up with something better.
  • jail (Score:5, Funny)

    by loconet ( 415875 ) on Monday August 18, 2003 @05:43PM (#6727354) Homepage
    Go directly to jail. Do not pass go. Do not collect 200 dollars. Do not tell others what you found. Let the hole be there for years. Let someone else find it and exploit it and collect 200 dollars.
  • by rice_burners_suck ( 243660 ) on Monday August 18, 2003 @05:45PM (#6727380)
    This is my personal opinion on the matter of vulnerability disclosure:

    I know that non-technical managers simply don't care how their systems work. They think in strategic and tactical terms. Buffer overflows are just an excuse why things can't get done. Managers hate those things. But there has to be a balance somewhere. Geeky technical issues cannot be ignored by managers. Granted, they don't need to personally learn the technical details. That's why they have tech guys working for them. But they need to invest the time, effort and resources into an ongoing technical systems maintenance program. This includes everything from cleaning dust out of computer chassis to maintaining security from the strategic level to the bits and bytes level. It is the technical department's duty to ensure that management understands the risks, like it or not. It is the management's responsibility to make sure the technical department is doing its job.

    In nearly all businesses today, it is necessary to be on the Internet. Being on the Internet entails certain risks. In the course of its business, the company will need to address these risks on an ongoing basis. For these reasons, it is important that all but the smallest companies refrain from outsourcing their "IT" departments.

    To make a long story short, corporate management is unaware of the implications of their lack of attention to technical matters. This applies to computers as well as manufacturing processes. Since they fail to gain an understanding of the implications and since they fail to respect the technical field enough to invest the necessary time and effort into it, they should be subject to the consequences of their irresponsibility. Therefore, if you are aware of a security hole, you should do the following: Nothing. Let a black hat cracker break in, steal data and wreak havoc on their network. This is the only way they will learn.

    Want to insist on doing "the right thing?" Send an anonymous letter to the company's IT department and to their management. State that if the vulnerability is not fixed within 48 hours, it will be posted on all the public disclosure sites. Do not include any identifying information.

  • Capitalism thwarted (Score:5, Informative)

    by Piquan ( 49943 ) on Monday August 18, 2003 @05:50PM (#6727421)

    For capitalism to work, it requires consumers to be able to make informed choices about the goods and services they purchase. By criminalizing the distribution of security information, the federal courts are preventing consumers from making truly informed decisions regarding security, which is arguably an important element of a purchase decision. If it were not, then why would Tornado be so miffed? Two end results, if this decision runs its course. First, security will fall through the floor as companies realize that they do not need to invest in it to get customers. Second, consumers will only be able to choose based on who presents the best front; advertising wins. I'm fine with advertising, but it should not replace informed discourse in the marketplace.

  • by Master of Transhuman ( 597628 ) on Monday August 18, 2003 @05:55PM (#6727460) Homepage
    They complain that the editorial says this might cause a reduction in posts to Bugtraq, and this might not be true. So what? It could equally BE true. You don't know, so how is that a valid criticism of the editorial?

    The morons complain that the guy "spammed" the ISP's customers. He sent ONE email, staggered out over three days to different people, so he wouldn't overload the email servers. Sounds responsible to me. How much spam do these customers get from Tornado anyway? You don't know, do you? I get spam from Yahoo occasionally just because I have SBC DSL.

    They complain he was "irresponsible" because he didn't use "other channels". Like what? If he posts it ANYWHERE in public, he gets hit with the same charge. What PRIVATE channels are there that would work if talking directly to the ISP management did not work? Does he call Ahh-nold and get him to pressure the ISP?

    Face it, you right-wing, statist-worshipping geek pussies. The guy did the right thing. HE BLEW THE WHISTLE. The government did the wrong thing. THEY PUT HIM IN JAIL FOR WHISTLE-BLOWING.

    Now fuck off.

  • by retro128 ( 318602 ) on Monday August 18, 2003 @05:56PM (#6727474)
    Everyone knows that the best way to let a company know about a security hole is to write a worm that exploits it and release it into the wild.

  • by Erik_the_Awful ( 675368 ) * on Monday August 18, 2003 @06:00PM (#6727515) Journal
    The government's actions (in this case) provide electronic security professionals (and "crackers" if you prefer) with a "perverse incentive."

    "Why Information Security is Hard - An Economic Perspective."
    http://www.acsac.org/2001/abstracts/thu-1530-b-anderson.html

    "In a survey of fraud against autoteller machines [4], it was found that the patterns of fraud depended on who was liable for them. In the USA, if a customer disputed a transaction, the onus was on the bank to prove that the customer was mistaken or lying; this gave US banks a motive to protect their systems properly. But in Britain, Norway and the Netherlands, the burden of proof lay on the customer: the bank was right unless the customer could prove it wrong. Since this was almost impossible, the banks in these countries became careless. Eventually, epidemics of fraud demolished their complacency. US banks, meanwhile, suffered much less fraud; although they actually spent less money on security than their European counterparts, they spent it more effectively [4]."

    If the government's goal is a more secure Internet, the government should encourage actions via incentive that result in more secure systems. It is clear that if Bret McDanel had not informed Tornado Development's customers of the security problem, Tornado would have done nothing to repair it.

    If you subscribe to Ross Anderson's theories, the government's actions provide incentive for security technicians to take the following actions on the discovery of a security vulnerability:

    1. Don't talk or write about it without obscuring the publisher's identity.
    2. Exploit the vulnerability for personal gain.

    Heavy-handed prosecution of people like Bret McDanel will lead to a less secure internet.
  • by erroneus ( 253617 ) on Monday August 18, 2003 @06:26PM (#6727748) Homepage
    Consider the possible outcomes. Let's say some on-board digital electronic unit within a popular automobile contained some sort of flaw that could ultimately result in accident, injury or even death. Given that the manufacturer was informed and failed to issue a recall, if someone decided to tell everyone potentially affected by this flaw, do you think it would be moral for the whistleblower to be sent to prison?

    I hardly think so. In this case, it's something far less "deadly." It's only privacy (something 'they' don't want us to have anyway) and potentially identity fraud and theft. These are growing into huge issues.

    According to the article, the man has already served his time but he wants his conviction reversed. I believe justice should be served by reversing this conviction... and in the future possibly preventing any such "backlash" from companies for "felony embarrassment."
  • What the...? (Score:5, Insightful)

    by LordLucless ( 582312 ) on Monday August 18, 2003 @06:42PM (#6727892)
    From the article: The government argued that the message was incorrect, useful to would-be attackers...

    How can it be wrong and useful to attackers? Man, the prosecution lawyers must have had fun with that one:

    "Your Honour, the security flaw described here does not exist. You can see how dangerous it would be for hackers to know about this non-existent flaw."
  • by thepacketmaster ( 574632 ) on Monday August 18, 2003 @07:40PM (#6728334) Homepage Journal
    After reading the article, it seems pretty plain that the case against McDanel is flawed. They say that he "impaired the integrity" of the system. But the "impairment of integrity" was already there, it just wasn't public.

    While I don't agree with what he did, I certainly don't think he did anything illegal. Why isn't the government going after Tornado for exposing their customers to a risk that could breach the confidentiality of their emails?

    This is another example of "Security through obscurity". Someone makes a broken piece of code, doesn't want to bother to fix it, and then gets pissed off when someone forces their hand.

    If the U.S. eventually passes a law that makes software publishers liable for these flaws, there will probably be a huge backlash from sloppy programmers because it interferes with their Constitutional rights for the "Pursuit of Happiness", since they are stuck at work fixing their insecure code.

  • Isn't it nice (Score:3, Insightful)

    by alizard ( 107678 ) <alizard.ecis@com> on Monday August 18, 2003 @11:13PM (#6729794) Homepage
    to see law working exactly as it was intended to. At least by the lawyers working for the various corporate interests that drafted it, if not by the Congressmen who were told "THIS will fix our computer security problems."

    Correctly, but the problems the legislation was intended to address were the problems of keeping problems secret from the users so they wouldn't have to be fixed.

    That is the corporate security problem.

    Protecting user privacy is something for a marketing department to use in advertising.
