Talk About A Security Hole, Go To Jail?
Nu11.org writes "According to a SecurityFocus article, 'Federal prosecutors in California went too far when they put a man in prison for disclosing a website security hole to the people at risk from it.'" According to the article, "...by explaining how the vulnerability worked, and why customer data was at risk, prosecutors asserted, the security specialist 'impaired the integrity' of the affected network", citing the case of Bret McDanel and his former employer, Tornado Development, Inc. We've discussed the disclosure of software exploits recently.
Federal prosecutors in California went too far when they put a man in prison for disclosing a website security hole
Guess whose hole will need tight security now ?
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Makes you not want to even bother saying anything. Wait till the rest of the world decides that and you have security holes everywhere.
Of course, can you have holes within holes?
Gizmo
When doing wireless security assessments, I've noticed neighbouring companies with unencrypted WEP access points, but I don't bother telling them because of this sort of thing.
He reported it to management, like he should have. He should have left it alone there.
Just exploit it; maybe when business has lost millions (see msblast/slammer) they will seek action to force people to disclose exploits.
sometimes you have to hit corporations where it hurts (their bottom line) in order for them to play ball
but he did kinda take extreme measures. But they did even worse by deleting the mails
Well, if it's too dangerous to disclose security holes when they know who you are, do it anonymously on Slashdot. That'll sure get their attention...
Do not look into laser with remaining eye.
Nice network you got there. It'd be a shame if something happened to it. Like a security hole getting exploited, right Vinnie?
... the land of free speech.
Isn't this going a little too far. I thought a suggestion box was always welcome, or even a public message board where people could leave suggestions was A Good Thing(TM).
I may have been wrong. But this isn't right. No sir, it is not.
The Matrix is real... but I'm only visiting!
Does anyone have any ideas as to what alternative third parties would be good for this kind of whistle blowing?
US Democracy: The best person for the job (among these pre-selected choices...)
Putting executives in jail for creating software that is buggy and insecure, allowing 14-year-olds to cost business millions of dollars.
Responsibility and accountability seem to be forgotten words these days; if you do bad and you're an executive you just walk away and collect your golden parachute.
One thing not mentioned in the article was where he got the list of email addresses of the Tornado clients. If he had taken this information when he left Tornado, there could be legality issues involved there as far as client privacy goes. Perhaps that weighed on the jury's decision...
Man, 90% of Microsoft's employees must be working out of prison...
The coolest voice ever.
So these guys are allowed to develop Tornadoes that cause massive destruction to trailer parks everywhere, but you are not allowed to tell people about insecure e-mail?
This is so stupid. If we were to leave the finding and patching of security holes, etc. to the companies in question, attacks, viruses, etc. would be even more prevalent than they are today. By increasing the number of sources for reporting these flaws to basically the population of the world, we significantly increase the chances that these problems will be discovered before they can be exploited.
The DMCA (which IIRC correctly makes pointing out security flaws illegal) needs to be severely looked over or things like the MS Blaster virus are only going to be the beginning of a much larger, nastier problem. Thankfully, it's only applicable in the U.S.
In C++, friends can touch each others private parts.
Obligatory 1984 paraphrase:
This is doubleplusungood.
Also, to quote Winston Smith:
who do i tell when i find out my credit card company's website is not secure? ...or do i just wait for the charges to start appearing on the card?
I keep hearing stuff along the lines of this and it reminds me of things you used to only hear of in the former Soviet Union. What is this country coming to?
"Sir, if you don't lock your car, someone could steal your stereo."
"Officer! Arrest this man! He has figured out a way to steal my stereo!"
Sigh. Some people are just too stupid to live.
This is disgusting. I can't imagine the sort of idiots who would think that this is a sensible interpretation of the law. What a bunch of useless motherHEYWHATAREYOUDOIdfhg;dkghtjk;htrshy
As I was saying, what a fair and just decision this is. God bless our legal system and all those who work to support it, especially the ones with guns.
Big guns
That aren't in any way being used to coerce me into writing thi';4grhy43gj[w3r#';;4NO CARRIER
I suggest that he counter-sue, claiming that Tornado knowingly "impaired the integrity" of his Tornado email account.
guy: "you're using Microsoft products, right?"
customer: "yes, that's correct"
guy: "well that's a huge security hole!"
customer: "no way! we have to keep this secret! come on Jeff, let's put this guy in jail before he tells anyone else!"
Hate to say it, and I suppose I should prepare for the 'flamebait' moderation, but the editorial is a bit biased on this one. Will this really stop people posting to bugtraq? Not really... this man was not (like the bugtraq contributors) responsibly informing people who needed to know about the details of the bug. He distributed this information to thousands of potential attackers (i.e. random strangers, not the company involved), and in the process spamming thousands of people who just didn't want to know (yes, spam; I'm sure every spammer thinks his mail is absolutely crucial to every recipient, but it's still spam).
No more of these disruptive "warnings" of vulnerabilities. If you warn people about the real dangers they face instead of giving them vague color-coded faux-warnings, then the terrorists win.
The Sad Tale of a Security Whistleblower
"There is no teacher but the enemy."-Mazer Rackham
He actually could have done it in a more subtle way. Doing jail time for what he did is harsh and so typically US-insane, I agree, but he probably did break the law nevertheless.
We suffer more in our imagination than in reality. - Seneca
'ta
It was the company who "impaired the security of the network" by not fixing the vulnerability once they were informed of it. The whistleblower did nothing to impair the security of the network; he merely informed the users of the impaired security status of the network.
As someone said either today or yesterday, quoting someone else :), "No good deed goes unpunished."
Everybody wants something. Apparently the company wanted to be left alone, even in its broken state, and it wanted more money.
-
ping -f 255.255.255.255 # if only
This is a non-cyber version, but is it different?
I suppose there are a couple of possible things that might happen:
Anyway, what is the proper protocol for reporting a security hole? Post a H4X0r site detailing how to get past a security hole, or maybe post an article about it to Slashdot?
[/end ramble]
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
"First things first -- but not necessarily in that order"
-- The Doctor, "Doctor
b) They continued to advertise their webmail services as secure despite knowing that they were vulnerable.
He should get all of the users of the service together and class-action sue Tornado for knowingly lying to them about the security of their service.
It's pretty clear most of you haven't read the article. All the police state/hate the USA/Big Brother comments prove this. The guy was stupid. He went way beyond what is normally done to disclose a major security flaw.
...why not just jack some credit card numbers/SSN's/other confidential info from the email system? If it means jail whether you do the good thing or the bad thing, why not make some scratch out of the process?
All's true that is mistrusted
The DMCA (which IIRC correctly makes pointing out security flaws illegal) needs to be severely looked over ...but written out "which if I recall correctly correctly makes pointing out security flaws illegal" it sounds like the last correctly means that to make pointing out security flaws illegal was correct, but from the context you obviously meant the opposite. Or maybe it's just me reading slashdot past midnight, either way it's time to head to bed.
Kjella
Live today, because you never know what tomorrow brings
I feel for the guy, but if he was genuinely interested in the welfare of his former employer's customers, wouldn't it have made more sense to contact someone (even a friend) at the company and give them a heads up?
This is not a case about exposing a security hole and going to jail but the headline makes it seem that way. Read the article and you will see that this guy deliberately told people about the security hole with the intention of causing harm. His reason for exposing the security hole seems more to do with getting revenge on his previous employer than helping the company fix the problem. Prison time is what he gets for acting so childish.
...the solution to securing the hole was to use a Mac! And you thought it was bad when last week on Slashdot the buzz was you'd lose your job if you suggested using Macs! :)
"Right now, somewhere in this world, Scott Baio is plowing a woman he doesn't love," - Peter Griffin, *Family Guy*
The government argued that the message was incorrect, useful to would-be attackers, and was intentionally designed to give Tornado trouble.
Either the message was incorrect (which would render it useless to would-be attackers), OR the message was CORRECT if indeed the message could be useful to would-be attackers. I see a real contradiction in the government's argument here (yes I know, big surprise eh?).
Does this mean that when Microsoft issues a report warning of a vulnerability in their software and exactly where it is and what the vulnerability can cause along with a security advisory that they are breaking the law?
This, IMHO, sets a very dangerous precedent. It reminds me of another Reuters article I read today concerning corporate whistle blowers having trouble continuing their careers in other companies after exposing illegal activity.
The Matrix is real... but I'm only visiting!
That would be a very interesting exercise. It would be fascinating to see just how fast OSDN would roll over and cough up the "Anonymous" IP address to the feds.
He went to jail for sending emails? Perhaps he should have just sent a death threat to somebody by email; it probably would have netted him less time.
Seriously, more and more nowadays you read about people being incarcerated for defying authority, the government, or worse: corporations. Real crime is being pardoned, especially corporate white-collar criminals, while the jails are being filled with people just trying to exercise their rights.
America strikes me as a very odd country. There, you have a right to bear arms, based on the revolution against the government some time ago. Yet somehow, say one wrong thing against the government, or against their sleazy funders (big business), and you're screwed. Give us another 10-15 years, and the crime for whistleblowing will be more than murder - and you'd be better off solving your problems with a gun than making an honest attempt at helping your fellow countrymen.
The US is BY FAR the most litigious, uncaring, ethnocentric civilization on this planet earth (particularly since King George, fascist autocrat, and his cronies hit office).
Thus, stop trying to help companies or their customers. You are GUILTY FIRST in this society and have to prove innocence later. Be a TRUE AMERICAN; be racist, selfish, controlling, and militaristic. Be all that, and you will still end up in the slammer getting poked up the bunghole.
If fascists keep getting elected, it must mean most Americans are fascists..
Any cheap land up there in CANADA??
It's interesting that other professions actually have a duty to inform others of their vulnerability - while in IT you can be punished for it.
As a physician, if I find that a patient presents a danger to another person (for example, a man has a psychotic break and intends to kill his wife), I have a legal and ethical obligation to inform that person (whom I have never met.) If I fail to do so, I can be thrown in jail.
It's not hard to envision a future scenario in information security where one could have legal obligations both to inform and _not_ inform -- thus finding a security hole would guarantee punishment no matter the road taken.
+--------------------- You idiot! I told you we were facing the wrong way!
This would be like somebody taping a sign to the front door of a video store that says, "The lock has fallen out of this door. You should fix this, or thieves could enter in the middle of the night and steal from you." I suppose to complete the analogy, you should assume that the shop owner does not have the correct tool to fix the lock.
In both cases, making a general alert -- while maybe not the best thing to do (a private note to the owner would always be a better idea) -- still doesn't amount to anything more than commentary on a situation. And just because the shop owner could not fix the situation himself, does not make you responsible for the situation itself.
Now, turn that around, and say that the note was sent privately to a would-be-burglar, and if the person sending the note was aware that this was a would-be-burglar, then the person would be accessory to the theft.
Now here's the far-fetched analogy, just to point out parallels...
Say a bank robber was planning on robbing First City Bank in Pretendville. You are walking down the street when this bank robber passes you, flustered and nervous. "Where's First City Bank?" he asks. You tell him, "two blocks that way, then make a left, can't miss it." You've just revealed information which can potentially be used for a theft. Since the bank was, at the time, protected from the theft by having a location unknown by the robber, you just impaired the integrity of the bank's security. Bam. 16 months....
(ok, that was a stretch)
Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
Isn't this type of action protected by whistle blower protection laws?
Do you get to pass "GO" first?
I don't intend to troll, but in this case, the truth IS a troll. In the FUD-ruled USA, only officials & big corps are allowed to FUD. Any individual or small organisation that spreads FUD is considered a threat. Probably to prove that the govt is not allowing FUD.
The only way to disclose security holes is by letting big corps do it, or by doing it as anon as possible. Currently, Europe is a tad better, but I expect this evil practice to fly our way in no time, as DRM is apparently doing. Sigh. It's so sad to see capitalism failing. I guess this must be a bit how the commies felt after they were proven wrong. Our only hope is that the future will come up with something better.
When will I end this grieving ? When will my future begin ?
Isn't *this* protected...
Go directly to jail. Do not pass go. Do not collect 200 dollars. Do not tell others what you found. Let the hole be there for years. Let someone else find it and exploit it and collect 200 dollars.
[alk]
"do it anonymously on Slashdot. That'll sure get their attention"
The whole Scientology affair showed us how they were willing to stand up to lawyers. Better off posting it anon to some newsgroups, or another site that allows posting through open proxies.
can I have a rimjob?
CmdrTaco
I know that non-technical managers simply don't care how their systems work. They think in strategic and tactical terms. Buffer overflows are just an excuse why things can't get done. Managers hate those things. But there has to be a balance somewhere. Geeky technical issues cannot be ignored by managers. Granted, they don't need to personally learn the technical details. That's why they have tech guys working for them. But they need to invest the time, effort and resources into an ongoing technical systems maintenance program. This includes everything from cleaning dust out of computer chassis to maintaining security from the strategic level to the bits and bytes level. It is the technical department's duty to ensure that management understands the risks, like it or not. It is the management's responsibility to make sure the technical department is doing its job.
In nearly all businesses today, it is necessary to be on the Internet. Being on the Internet entails certain risks. In the course of its business, the company will need to address these risks on an ongoing basis. For these reasons, it is important that all but the smallest companies refrain from outsourcing their "IT" departments.
To make a long story short, corporate management is unaware of the implications of their lack of attention to technical matters. This applies to computers as well as manufacturing processes. Since they fail to gain an understanding of the implications and since they fail to respect the technical field enough to invest the necessary time and effort into it, they should be subject to the consequences of their irresponsibility. Therefore, if you are aware of a security hole, you should do the following: Nothing. Let a black hat cracker break in, steal data and wreak havoc on their network. This is the only way they will learn.
Want to insist on doing "the right thing?" Send an anonymous letter to the company's IT department and to their management. State that if the vulnerability is not fixed within 48 hours, it will be posted on all the public disclosure sites. Do not include any identifying information.
holes disclosed when a zero-day attack is much more fun, and has LESS chance of landing you in jail?
It looks like McDanel's ex-employers got what they deserved, in the end:
...
% mozilla http://www.tornadodevelopment.com/
The following error was encountered:
Unable to determine IP address from host name for www.tornadodevelopment.com
The dnsserver returned:
Name Error: The domain name does not exist.
Generated Mon, 18 Aug 2003 22:42:50 GMT by rosemary (squid/2.5.STABLE1)
morons WANdering about use of term interaction
for the most part, that appears to mean that you sheeples read the pitch, & hopefully pull out
yOUR wallets. that's your end of the 'interaction'.
other possible uses for the miracles of communication we've been given:
disempowering the unprecedented evile that is destroying the planet/population.
how does won login/become a member?
consult with/trust in yOUR creator. get more oxygen on yOUR brains. seek others of non-aggressive
intentions/behaviours.
couldn't be easier. what's blocking all this interaction/cooperation? why greed/fear based
misinformation canpains of course.
you NEVER hear of any corepirate deathmongers touting oxygen, even though it's the best thing for
you/us. perhaps there's no countabull profit in it. another possibility is the overwhelming fear
associated with knowing that a power that exceeds all known before, is in the wings/air.
we're in crisis mode. the lights are coming up. pay attention (to the weather for example). it's
affordable, & tends to help prevent being misled further.
For capitalism to work, it requires consumers to be able to make informed choices about the goods and services they purchase. By criminalizing the distribution of security information, the federal courts are preventing consumers from making truly informed decisions regarding security, which is arguably an important element of a purchase decision. If it were not, then why would Tornado be so miffed? Two end results, if this decision runs its course. First, security will fall through the floor as companies realize that they do not need to invest in it to get customers. Second, consumers will only be able to choose based on who presents the best front; advertising wins. I'm fine with advertising, but it should not replace informed discourse in the marketplace.
Joking about prison rape is the same as joking about some woman being raped on the street. Period. That is all.
Freedom: "I won't!"
They complain that the editorial says this might cause a reduction in posts to Bugtraq, and this might not be true. So what? It could equally BE true. You don't know, so how is that a valid criticism of the editorial?
The morons complain that the guy "spammed" the ISP's customers. He sent ONE email, staggered out over three days to different people, so he wouldn't overload the email servers. Sounds responsible to me. How much spam do these customers get from Tornado anyway? You don't know, do you? I get spam from Yahoo occasionally just because I have SBC DSL.
They complain he was "irresponsible" because he didn't use "other channels". Like what? If he posts it ANYWHERE in public, he gets hit with the same charge. What PRIVATE channels are there that would work if talking directly to the ISP management did not work? Does he call Ahh-nold and get him to pressure the ISP?
Face it, you right-wing, statist-worshipping geek pussies. The guy did the right thing. HE BLEW THE WHISTLE. The government did the wrong thing. THEY PUT HIM IN JAIL FOR WHISTLE-BLOWING.
Now fuck off.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Everyone knows that the best way to let a company know about a security hole is to write a worm that exploits it and release it into the wild.
-R
It was definitely not a very bright thing to do, but I don't think keeping quiet about it would be the right thing either. Maybe, like some other poster stated, it might have been better if he posted something about it on BugTraq (or similar).
I see this guy as a whistle-blower who, like most other whistle-blowers, got screwed (in his case the Government and inmates did the screwing).
Also, when will software companies start being held accountable for this kinda crap? It's about time the government stops making examples of people like Mr. McDanel and starts making examples of corporations.
From the Article:
"The applicable language in the Computer Fraud and Abuse Act make it a crime to "knowingly cause the transmission of information and as a result of such conduct, intentionally cause any impairment to the integrity or availability of data, a program, a system, or information without authorization."
If I am interpreting that correctly, would I be guilty of a federal crime if I sent out a mass email that said "OMG, Windows F%^&ing sucks. It just crashed and I lost all my work!!"? I am, after all, intentionally trying to damage the integrity of a program, right?
The government's actions (in this case) provide electronic security professionals (and "crackers" if you prefer) with a "perverse incentive."
"Why Information Security is Hard - An Economic Perspective."
http://www.acsac.org/2001/abstracts/thu-1530-b-anderson.html
"In a survey of fraud against autoteller machines [4], it was found that the patterns of fraud depended on who was liable for them. In the USA, if a customer disputed a transaction, the onus was on the bank to prove that the customer was mistaken or lying; this gave US banks a motive to protect their systems properly. But in Britain, Norway and the Netherlands, the burden of proof lay on the customer: the bank was right unless the customer could prove it wrong. Since this was almost impossible, the banks in these countries became careless. Eventually, epidemics of fraud demolished their complacency. US banks, meanwhile, suffered much less fraud; although they actually spent less money on security than their European counterparts, they spent it more effectively [4]."
If the government's goal is a more secure Internet, the government should encourage actions via incentive that result in more secure systems. It is clear that if Bret McDanel had not informed Tornado Development's customers of the security problem, Tornado would have done nothing to repair it.
If you subscribe to Ross Anderson's theories, the government's actions provide incentive for security technicians to take the following actions on the discovery of a security vulnerability:
1. Don't talk or write about it without obscuring the publisher's identity.
2. Exploit the vulnerability for personal gain.
Heavy-handed prosecution of people like Bret McDanel will lead to a less secure internet.
That's still legal however, assuming you can get the list of customers legally.
you're using the system password as part of your data security on your Win98 box.
Did you know that the entire password system can be aborted by simply hitting escape?
Have I just committed a federal crime, and if so, why?
KFG
I'll take this story as advice from Slashdot to exploit holes that I find instead of reporting them.
Thank You SlashDot!
("see you in court")
Comment: Yes I realise the username 'fuckfuck101' makes me sound intelligent, no you cannot buy it from me.
In Soviet Russia, you don't report security holes. The security holes report you!
The mystery is solved! Thank you! All further 1, 2, n, n+1 Profit jokes are now obsolete.
Overrated / Underrated : Moderation
"Under the theory articulated by the government, the transmission of any information that can be used by others to impair the integrity of a computer system (or cause loss of reputation) if done without authorization (and who would authorize it?) is a federal crime."
I have several college profs that taught me how a hash table works. I also have a couple of math teachers that taught me all about prime numbers. Then I read a book or two on how to build some basic encryption routines. Now, should these people go to jail because they have given me what I need (assuming I am smart enough to do something with it) to crack any security software? How about if I threaten to use this information to take advantage of some security hole? Where does it stop?
No man is an island... But I wouldn't mind having a bigger moat.
Sounds like it's high time for another revolution.
The Web is like Usenet, but
the elephants are untrained.
Heaven forbid anyone should be held accountable for irresponsibly reporting an exploit! He did those customers a favor, yeah!
Consider the possible outcomes. Let's say some on-board digital electronic unit within a popular automobile contained some sort of flaw that could ultimately result in accident, injury or even death. Given that the manufacturer was informed and failed to issue a recall, if someone decided to tell everyone potentially affected by this flaw, do you think it would be moral for the whistleblower to be sent to prison?
I hardly think so. In this case, it's something far less "deadly." It's only privacy (something 'they' don't want us to have anyway) and potentially identity fraud and theft. These are growing into huge issues.
According to the article, the man has already served his time but he wants his conviction reversed. I believe justice should be served by reversing this conviction... and in the future possibly preventing any such "backlash" from companies for "felony embarrassment."
If you're going to post something anonymously then you really ought to use an anonymous network.
http://freenet.sourceforge.net/
http://jtcfrost.sourceforge.net/index.html
Big Brother Bush is doubleplus ungood.
After reading the article, I can't help but wonder if this ruling essentially makes the publication of 2600 Illegal.
The US may have started out founded on freedom, but it appears that it has since turned its back on those principles.
I get the impression he had much more intimate access to Tornado's system than an outside user. It's one thing for an outside user to discover a bug -- then you know anyone could discover and exploit it. But what if the bug was very difficult to discover from the outside?
Shouldn't the company (not an ex-employee) gauge the risk of an outsider discovering the bug? And the company can take the consequences if it does blow up.
-Paul
Dissatisfied with the pace at which Tornado addressed the issue [...], McDanel severed his employment with them, and went to work for another company.
There is no way in hell I'd risk my future after I'd severed my employment with the company in question. As far as I would be concerned, it's too damn bad. They knew about the risk, they did little to nothing to address it, so they're obviously willing to accept the risk of an actual compromise from a third party happening. I'm not risking a jail term, or especially a possible felony charge! You get convicted of a felony, your job prospects have just been cut to about 10% of what they were previously.
Spread the RC luvin'
The government has gotten some judges to agree to bogus interpretations of when the law applies to "intercepting" email - mail sitting in a user's mailbox has gotten less protection than mail in transit, letting government snoops off the hook, so perhaps Tornado's actions aren't illegal, but they're still reprehensible.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
From the article: The government argued that the message was incorrect, useful to would-be attackers...
How can it be wrong and useful to attackers? Man, the prosecution lawyers must have had fun with that one:
"Your Honour, the security flaw described here does not exist. You can see how dangerous it would be for hackers to know about this non-existent flaw."
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
"They'll say, 'You can't joke about rape. Rape's not funny.' I can prove to you that rape is funny. Picture Porky Pig raping Elmer Fudd. See? Hey, why do you think they call him Porky?"
--George Carlin
"Sufferin' succotash."
Yeah, this is bad for end users. But, as Microsoft's popularity has shown, the general public cares more about being able to play multimedia than about system security. It won't be until ID theft becomes widespread that people will get serious.
I think people ultimately get the security they deserve. If they don't want to know about system holes, let them get hacked, I say. It would do us all a favor.
The society for a thought-free internet welcomes you.
Now, this *is* a US-insane kind of thing to do, and he could have been more subtle.
Bill Stewart
I remember the looks I got when I showed the logs of my warwalking around a building I worked in. Instead of "wow, thanks for letting us know we are broadcasting," I got looks of "great, what did you DO?" Totally suspicious. Now I don't say anything... it's too risky.
He was arrested primarily for spamming, not hacking.
http://www.cybercrime.gov/mcdanelSent.htm
Computer Spammer Sentenced To Federal Prison
A former Southern California man who maliciously bombarded the computer system of an El Segundo computer messaging company with thousands of email messages was sentenced today to 16 months in federal prison.
Bret McDanel, who used the moniker "Secret Squirrel" and is now a 30-year-old resident of Fiddletown, California, was sentenced for his conviction on a federal charge of maliciously sending thousands of email messages in September 2000 to a computer server operated by Tornado Development, Inc., formerly located in El Segundo. McDanel was sentenced by United States District Judge Lourdes G. Baird, who presided over McDanel's trial last year and found that he acted with the intent to cause damage to Tornado's email server.
In addition to the prison term, Judge Baird ordered McDanel to submit to unannounced searches of his computers, to advise future employers about this conviction and computer-related federal criminal charges now pending in New Jersey, and to receive psychological counseling.
The evidence presented during the bench trial showed that McDanel, who worked at Tornado from June 1999 until February 2000, committed the crime to retaliate against Tornado (Tornado folded in the fall of 2002). The prosecutors argued to Judge Baird that McDanel harbored resentment against his former employer and that he planned to start a competitor messaging company.
McDanel sent thousands of email messages and overloaded the Tornado computer server. Additionally, the emails he sent contained a link to a web site he had created where he revealed confidential information about Tornado technology that McDanel had learned while employed there.
During the trial, the government also presented evidence that McDanel had attacked the computer system of another former employer in New Jersey in 1997. McDanel was indicted in September 2002 in New Jersey in connection with the alleged 1997 conduct.
This was the first case to go to trial in Los Angeles brought under the "Computer Fraud and Abuse Act," the federal statute covering computer abuse and malicious spamming.
This case is the result of an investigation by the Federal Bureau of Investigation.
CONTACT: Assistant United States Attorney Pamela L. Johnston (213) 894-2686
Assistant United States Attorney Jeremy D. Matz (213) 894-0649
Release No. 03-51
That argument is akin to saying "It was the highway barricades that impaired the integrity of the highway, not the collapsed bridge!"
Admittedly the guy who found and posted the exploit was overzealous and even foolish about his proof of concept.
But COME ON! The flaw in the software is the integrity problem, not the guy trying to alert potential victims.
"Waitress I need two more boat-drinks..."
Someone else, whose comment has disappeared, mentioned that tornadodevelopment.com is down. Another person said that the company now uses torsys.com and tems.com. These both redirect to xmsg.com, if you're curious about what the company actually produces. The xmsg faq does not include questions about email security nor about the politics of the McDanel case.
The owner of Tornado Development also owns a completely unrelated site. Excerpt: "Vintage Trends, Inc. was created to be the leading web-based distributor of vintage, military, recycled and designer clothing and accessories....Advanced technology and security encryption standards create a highly organized, remarkably efficient and aesthetically pleasing format for fast, convenient and secure shopping."
You can read the McDanel appeal in HTML format here.
btw: the US is only one of 3 UN member countries that still executes minors. Don't believe me? Look up Amnesty International.
Am I US bashing? Not really. But when a country claims to be the greatest in the world, they should live up to it.
Hard to believe that such a technologically advanced country, with openly stated ideals about freedom, could have such a repressive and ignorant justice system.
Hey, aren't your judges elected? Anybody who does not like this decision should make sure that corporate account rep of a judge should not even be able to run for dog catcher next time around. btw, it mentioned that Tornado had deleted customer emails. Isn't tampering with mail a felony in the US? Dollars to doughnuts the company did not face any such charges. They are also guilty of mismanagement (only rich people use this charge, however), and malicious prosecution, which should also net some punitive action on the overzealous prosecutor, who misused.
Caveat: the article posted may not tell the whole story, like bad blood, etc. between the said felon and his former employer, i.e. journalists often (gasp) twist and omit things.
A note to the dude in prison, lyrics from a Tupac song: whatcha gonna do when you get outta jail? I'm gonna buy me a gu-un...
He was prosecuted under this law
http://www4.law.cornell.edu/uscode/18/1030.html
Passed in 1996. Signed into law by Bill Clinton
Well, that kind of exaggeration would be preferable to anybody. The bigger the case, the more stupid this law would look in public.
But a major case is really needed in that area; otherwise, lonely suckers will just get screwed.
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
As a former employee of Tornado Development, I can tell you that security in its application was not a priority.
The developers, system administrators and the dbas all told 'the mgmt' about the security issues, but they didn't bother to listen.
Tornado is now out of business if that tells you anything.
I'm trying to think about what I would do in this situation. On one hand you have informed the management of the situation, so your hands are clean. On the other hand, I would not feel right saying "screw it let'em get hacked", because it is the customer's data that is at risk, not the company's.
Doing what he did was obviously asking for trouble, but it would be nice to have someway to put more pressure on the company.
I wonder what effect it would have if you gave the primary stockholders this information (anonymously of course).
God damned hippy programmers. Some dip shit from the east spouts something cryptic and you, because you're high on dope, think it's wise.
All eastern philosphy is a bunch of shit that only fucking dope-smoking hippies and easterners can stomach.
integrity -
1. Steadfast adherence to a strict moral or ethical code.
2. The state of being unimpaired; soundness.
3. The quality or condition of being whole or undivided; completeness.
No, if the vulnerability existed, I don't see how there could have been any integrity in the first place.
Also, I'm no lawyer, but didn't they give up the ability to prosecute when they found out a problem existed but did not make any attempt to correct it? Didn't he do the same thing as reporting neglect?
Stop the Slashdot effect! Don't read the articles!
Didn't you hear? She is going to jail too. :)
Someone exploiting a security hole must be a terrorist.
Someone who talks to a terrorist must also be a terrorist.
Dunno what state you live in. Here in Texas, I decided I wanted a gun (I had reason to believe my life might be in danger - there was a string of burglaries of my neighbors, and my car). I walked over to the pawn shop, plopped down $90 in cash, got an automatic handgun, and walked home with it. Took about half an hour (counting walking). Not too hard is it?
funny munging
"So if you find problems, the best practice is to keep quiet about it."
No, the best practice is to ask permission of those in charge before doing security checks and then to tell those in charge about the flaws you find.
It's moronic to break in without permission and then tell everyone about it. Especially those who can't even do anything to correct the situation.
What do you think would happen if you broke into your neighbor's house and then informed everyone on the block how you got past his security?
The guy is rightfully going to jail because he's a moron.
If you want to check your neighbor's security, you ASK YOUR NEIGHBOR and then TELL YOUR NEIGHBOR what weaknesses you found.
The moron in this story didn't ask permission and then scared off customers. It's not his job to check security and then report to the world the results of his unauthorized tests.
Duh. It's amazing how many otherwise intelligent people can be so braindead.
Ben
Work Safe Porn
Dumb (Altruist), Dumber (Prosecutors, Judges/Juries), Dumbest (Parochial Enforcers and Politicians), Dummies (others that see any justice in these actions); Therefor, the laws work, people feel safer, and justice is absent.
.... So, what should we expect from a failing Capitalist Republic legal and governing system managed by Capitalist Feudal lords (including the you get what you paid for supporting politicians) of the economy maintaining the good profitable ways in opposition to the potential instabilities caused by the evolving new Collaborative Community Consensus dynamics. Oh well human history proves: "Shit Happens and Things Change", pretentious fools will always become the oppressive tyrants before achieving their anachronistic place in history, and best of all humanity as a community gets better and achieves more with less oppressive religion and government.
....
... they should expect arrest and significant prison time. Dang good proven concept to administer an active anti-virus medication, maybe Norton will take the credit; So, the real hero won't get in trouble. Yep, they deserve a Presidential Freedom Medal, but I ain't the G.W.Bush. Oh, Yea, THANKS MUCH Anti-Worm ... wherever you are, whoever you are, and however you got to be who you are (THE STARS!).
... and the many others of the REAL salient silent majority in the world working for humanity ... GBYA.
Altruistic activities will not go unpunished in a Capitalist Republic.
The type of behavior displayed by the Altruist (Dumb) is as un-American (Anti-Capitalist) as OSS, FSF, RMS,
Next step real & true separation of business, church, and state. Humanity governs much better without greed, lies, flimflam scam,
I suspect, that in today's climate of escalating totalitarianism in EU and US that if the hacker that wrote the Anti-Worm for the Slammer virus is ever identified
Who in the Global Community will be the next hero to follow RMS, PZ, LT, Anti-Worm,
OldHawk777
Reality is a self-induced hallucination.
Unaccountable leaders are masters, and unrepresented people are slaves. How do US and EU fare?
Basically, the Act defines speech as conduct ("knowingly cause the transmission of information" == speech) and thus spits on the U.S. Constitution (1st Amendment, Right to Free Speech). The judge(s) and the prosecutor(s) in this case should be thrown in prison.
The following tidbits were turned up by a little search on the web.
3 .htm
s /200206 12-9999_1b12hacker.html
The FBI says that: "COMPUTER SPAMMER SENTENCED TO FEDERAL PRISON". Yes, they advertise the conviction of Bret McDanel as a spammer sent to jail:
http://www.fbi.gov/fieldnews/march/la03250
The San-Diego union tribune(?) writes that:
"Prosecutors allege that McDanel hacked into his former employer's server and sent thousands of e-mail messages at practically the same time, forcing the company to shut down its computer system in August and September 2000." Link:
http://www.signonsandiego.com/news/busines
In the FBI note there was no mention of the security bug at all they said:
"Additionally, the emails he sent contained a link to a web site he had created where he revealed confidential information about Tornado technology that McDanel had learned while employed there."
Now that is such a selective disclosure of information that I am inclined to equate it with telling an untruth. (Just like printing that some John Doe killed several people in 1967 and he is still not behind bars, omitting that he was acting in war...)
What alarms me is that he was found guilty on spamming charges which damaged the mail server, while that seems not to be the basis of his ex-employer's discontent. I guess the prosecutor was not interested in bringing out the truth but rather just wanted a conviction based on the "Computer Fraud and Abuse Act" on his resume.
Note that the company (Tornado) went out of business.
And he did time...at least he didn't get "Gitmo'd"
What this man needs is money, and a solid lawyer...and even then, there is so much vague and easily abused language in our laws to make this essentially a losing effort for him. He already lost the time...no amount of money can get that back.
Kind of late, isn't it?
man rtfm
"not" was supposed to be "now".
I previewed! Really!!
I hope he does stay in jail. I don't condone the admins at tornado not actually doing their job, but having said that, it was not McDanel's place to give all of their customers exploit info.
What if some of them were on holiday and couldn't do anything about it?
He could have let everybody know without giving them too much info. And yes, I'm ignoring the fact that he probably shouldn't have had a list of all those email addresses anyway.
The reason girls and Windows users don't understand UNIX is because all the documentation is in Man files.
While I don't agree with what he did, I certainly don't think he did anything illegal. Why isn't the government going after Tornado for exposing their customers to a risk that could breach the confidentiality of their emails?
This is another example of "Security through obscurity". Someone makes a broken piece of code, doesn't want to bother to fix it, and then gets pissed off when someone forces their hand.
If the U.S. eventually passes a law that makes software publishers liable for these flaws, there will probably be a huge backlash from sloppy programmers because it interferes with their Constitutional right to the "Pursuit of Happiness", since they are stuck at work fixing their insecure code.
--
Luck is just skill you didn't know you had.
If you want to check your neighbor's security, you ASK YOUR NEIGHBOR and then TELL YOUR NEIGHBOR what weaknesses you found.
But it wasn't his "NEIGHBOR". It was a company with confidential information that affected a lot of people.
If you noticed your bank had a wide-open back door that led directly into their vault (where your money, along with other people's money, is stored), wouldn't you publicize the fact, if only to get them to close that door?
Same thing here. It has been shown time and time again that companies don't care about security breaches that are 'only' potential. But you make an exploit and release it, and somehow, magically, the company becomes interested in producing a fix. Why? The publicity. Period.
Around my workplace there is a set of rules, rule #1 is:
...
The world is a fucked up place, and people are the problem.
#2 is:
99.95% of people are not completely, utterly, astoundingly, stupid.
If you are not part of rules #1 and #2 you can do something about this. (There are other rules, but would be OT.)
Register to vote (vote or not), only registered voters are called for jury duty. When you are called up, go! Be honest, and do your part and you can torpedo this type of thing when it happens.
EVERY time there is some fiasco like this where one guy gets thrown in (FPMITAP) jail for 16 months and the next guy, HS ex-football star rapist, gets 3 months of probation, there is a jury there. THEY convict the person. Not the prosecutor.
Get in there and do your moral/societal duty by participating in our judicial system. Judging by the news and articles I see, the cops, the lawyers, the judges, the clerks and the accused need someone that knows a little more stuff about tech stuff. In general, you may not get that trial, but you may get the next Skylarov.
I had the experience of spending an entire week in a DUI trial last year, and I tell you it is scary how much power the jury has, you can make a difference. We did.
Do it.
{Sorry if I spelled Sklarov wrong.)
It's amazing how many braindead abusive posters don't read the article.
He did inform his former employer. At great length. Over a long period of time, both before and after his employment terminated. The flaw was not fixed.
The customers were mostly not scared off, because his mass-email was ERASED before the customers saw it. An amazing liberty taken with the customers' email, if you think about it. The customers never saw a message from a knowledgeable source informing them that their userids were hijackable, because it might hurt the provider's profits.
And it doesn't matter what his job was.
Business practice does not override the Constitution. Are we seeing the birth of a new class of crime: anti-commercial speech?
If he had mailed it via USPS, would they have been justified in tracking down all the pieces of mail and destroying them? How about phone conversations? Are they allowed, if technologically capable, to monitor voice communications to their customers, in case a person is telling their customers that their system is hackable? How about verbal notification? If he had turned up at a customer's door to inform them that they had an unpatched hole, would the cops then be allowed to arrest and imprison him for anti-commercial crimes?
How about then hauling the now-informed customers into a Federal interrogation cell to sweat out the possible information the customer might have heard about their system?
Summing up: he had a right to email the customers. He had a right to speak to the customers. Whether or not it INCONVENIENCED the company is utterly, completely, insanely irrelevant.
The customers of the company involved, and all future customers of similarly nasty companies, are not even now aware that a basic security flaw was concealed from them because their provider did not want them to see it -- deleting their email before they read it. Where is the law for this? Can AOL or ATT delete mail at will from users' accounts because it might cost them their image or profits? Who the hell do they think they are?
And as for a customer being able to switch providers if they don't like the censorship -- HOW THE HELL WOULD THEY KNOW THAT INFORMATION WAS BEING CENSORED FROM THEIR EMAIL? There is no informed choice without a first amendment!!
Hi-
I am not sure it is wrong for this guy to be punished. Yes, jail time is probably not the right way, but come on.... He didn't follow the "normal" way to publish a security hole. He sent thousands (if I read correctly) of emails to the customers telling them how to break the system. I am involved in the security field, and when I find a hole, I contact the company and try and work with them to fix it. Heck, I am on hold with a company right now. If they don't seem to want to work toward fixing the issue, I publish it to BugTraq or a similar system.
This case appears to be a guy who is angry and using a dangerous means to get back at his previous employer. Then when they cry foul and throw their weight around, everyone bashes them saying how awful, he was just trying to help.
I think we need to rethink the causes we get behind.
Kevin
----- When it is dark enough, men see stars.
If you want to check your neighbor's security, you ASK YOUR NEIGHBOR and then TELL YOUR NEIGHBOR what weaknesses you found.
Um, you're not very good at analogies.
It's more like an apartment building, and this guy was the Super. He knew that the locks on all the apartments could be opened with a butter knife, but the landlord said he'd fix it- then fired him.
6 months later, the super checks- still butterknifable. He distributes leaflets throughout the apartment complex by sliding them under the doors.
The Landlord starts busting into people's apartments and taking the leaflets away and has the Super arrested not for breaking and entering (which *maybe* he's guilty of), but for telling the tenants that their own (and by extension, their neighbors) apartments are unsafe due to the negligence of the landlord, so they should guard their stuff until the situation is resolved.
microsoftword.mp3 - it doesn't care that they're not words...
What happened to free speech? If the guy wrongfully accused the company of having a security hole, then that's another issue. But going to jail for pointing out a company's flaw, why not?
We have organizations such as the Better Business Bureau to make sure businesses are doing things right and fair for their customers. They would encourage people to point out flaws of a business. It's the same idea with security flaws.
The one that should be punished is the COMPANY that leaves the security flaw in, not the guy that points it out. It's about whose responsibility it is... simple as that.
In the United States, it is one man one vote. That man is a picture of a dead President printed on fancy green paper. The more of them you have, the more votes you have. That is how our government works. Unless you have "lots of votes" you are screwed.
That's not what he was arrested for. It was for making the network less secure, not having a list of customers.
And damnit, I'd be glad if I was a customer that he blew that whistle.
microsoftword.mp3 - it doesn't care that they're not words...
does NOT entitle others to that authority to take matters into their own hands. He had NO authority to break/test the security in the first place under any circumstances. And it was blabbing that just put him past any sympathy points. Telling people it's insecure is one thing. Telling people HOW to break in is quite another.
The guy is rightfully going to jail. It's as stupid as the people who try to break airport security.
There are better ways to go about such things.
Ben
Work Safe Porn
Err, you mean I could go to jail if I said, "You can break into your neighbor's house with a prybar. Jam the pointy end right above the door knob between the door jamb and the door, and pry really hard."
This guy just told everyone about the security hole. He didn't put the security hole in.
Why isn't the company that wrote the code being held to the same standards as the person who ratted them out?
I want to see the company prosecuted using the same law for having the security flaw in the first place. Didn't the company itself "knowingly cause the transmission of information and as a result of such conduct, intentionally cause any impairment to the integrity or availability of data, a program, a system, or information without authorization"?
Because they transmitted the web page with a link to the security flaw. This security flaw impaired the integrity and availability of data, a program, a system or information without the authorization of the customers of that system.
Let's put this guy in jail where he can tell all the real criminals?
Surely there is some sort of consumer affairs organisation that can prosecute Tornado for fraud and deception, ie lying about how secure their email system was.
He probably got the email addresses through the exploit.
So if you tell your bosses that there is a door into the building with no lock on it and they don't do anything about it, are you under any obligation to take it further? Perhaps report it to the police or corporate equivalent. I get the feeling that this guy would be damned if he did and damned if he didn't.
-- it must be true, it's on the internet.
Move to California. Geez, do you live in DC or something?
The system has failed you, don't fail yourself. --Billy Bragg
He was fired from Tornado Development. Knowing that information, you think maybe there was some malice involved?
It probably won't stop, at least not for a while.
The stupendous ignorance of most politicians, judges and lawyers about IT has to be rectified, first. That's not likely to happen.
The idiocy is reaching new heights...
realityshunt
Democracy is susceptible to being led astray by having scapegoats paraded in front of the electorate.
Jan 12, 2000: Customer support at Tornado gets an email from an ex-employee saying there is an HTTP REFERER problem in their product (along with 15 other webmail providers, Hotmail included).
Jan 13, 2000: Development has written a fix and tested the fix (a CGI redirect and code to cause all URLs in the email to go through this redirect, nothing big).
Feb 1, 2000: McDanel quit (gave 2 weeks notice) because of problems with management dealing with another employee.
Aug 24, 2000: McDanel contacts customer support (he is friends with this person) and asks if the problem is ever going to get fixed (McDanel was allowed to keep his account free after quitting, which shows that he didn't leave on horrible terms, and maintained friendships with many people in the company; in fact some people in the company tossed work to his fiancee's company).
Aug 27, 2000: McDanel was told no, they were not going to fix the problem (unknown at that time was that the QA person had closed this bug report months ago without applying the fix).
Aug 30, 2000: email from one of the managers at Tornado to McDanel regarding his web page.
Aug 31, 2000: McDanel sent emails to the customers at the rate of 6.67/sec (10 rcpts per body (so the body is effectively 10% the size), delay 1.5 seconds between each body). The system logs showed NO impairment during this time.
Later the system was shut down (sendmail, web server, etc.) *then* the system load went up (presumably when they were deleting the emails, which in itself is a crime).
McDanel was on the phone with admins just prior to sending and continued talking to one admin for 20 minutes, then called others and helped this company fix their system when it broke (turns out it broke because they were deleting the emails, but nonetheless McDanel did whatever he could to try to help them, including spending several hours on the phone with them the night the emails were being sent).
In every instance that he sent emails (6.67/sec to an 8 CPU UE 4500 with a gig of RAM, that in no way is a DoS) there was no downtime; the xdelay in the mail headers was 1 second or less; it was not suffering at all. The queue stayed below 30 mails most of the time (once, for less than 1 minute, it went over 30 mails but it quickly processed that and the queue was below 30 again).
Sendmail (which they used) will automatically queue the emails if the load is too high. The mere fact that the queue was empty (or nearly so; they do not log if there are fewer than 30 in the queue) indicates that the system was not overloaded.
The fact that the CPU load reports (HP OpenView) indicated that the load did not go up until AFTER services were shut down (if you kill sendmail, sendmail cannot cause load, period!) also shows that it was not a DoS.
What is worse is that McDanel was charged under the 1998 version of 18 USC 1030. The new version (patriot act) makes it tons easier for them to convict you. If you attempt to impair the integrity and are unsuccessful, you can still be guilty (before you actually had to do something, now you just have to attempt/intend to do it, and presumption of intent is easy for them to prove, they just have to say it).
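The HTTP REFERER problem in the timeline above, as an added example that is not code from Tornado or from the poster: when a webmail page's URL carries the session identifier (an assumption made here about where the token lived; the comment only says "REFERER problem"), any external link the reader clicks from that page hands the whole page URL, token included, to the external site in the Referer header. The fix the comment describes, a CGI redirect that every link in a message is rewritten to pass through, keeps the message-view URL out of the outbound link. The view URL, message body and redirect path below are constructed samples.

```python
"""Added example: session-in-URL leak via Referer, and link rewriting
through a redirect endpoint.  Constructed sample data; not Tornado's code."""
import html
import re
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlsplit

HREF_RE = re.compile(r"""href=(["'])(.*?)\1""", re.IGNORECASE)

# Constructed sample: the message-view URL carries the session token.  This is
# an assumption about the vulnerable design, not Tornado's real URL scheme.
VIEW_URL = "http://webmail.example.net/read?sid=8f3a9c2e1b&msg=42"

# Constructed sample message body: two external links, one internal link.
SAMPLE_BODY = (
    '<p>Sale: <a href="http://shop.example.org/sale?id=7">click here</a>'
    " or <a href='https://news.example.com/'>read news</a>."
    ' Next message: <a href="/read?msg=43">next</a></p>'
)

REDIRECT_PATH = "/redir?u="  # hypothetical redirect CGI on the webmail host


def referer_sent_on_direct_click(view_url: str) -> str:
    """Model of the Referer a browser sends on a direct click from the page:
    the URL of the page containing the link, query string included."""
    return view_url


def leaked_params(referer: str) -> dict:
    """Query parameters the external site can read out of that Referer."""
    return {k: v[0] for k, v in parse_qs(urlsplit(referer).query).items()}


def rewrite_links(body_html: str) -> str:
    """Route every absolute http(s) link through the redirect endpoint so the
    link target no longer points straight at the external site.  Relative
    links stay on the webmail host and are left alone."""
    def repl(m: "re.Match[str]") -> str:
        quote_char, target = m.group(1), html.unescape(m.group(2))
        if urlsplit(target).scheme.lower() not in ("http", "https"):
            return m.group(0)
        return f"href={quote_char}{REDIRECT_PATH}{quote(target, safe='')}{quote_char}"
    return HREF_RE.sub(repl, body_html)


def resolve_redirect(request_path: str) -> Optional[str]:
    """Server side of the redirect endpoint.  Only absolute http(s) targets are
    honoured, so the endpoint cannot bounce users to javascript: or other
    schemes.  Returns None for anything it will not redirect to."""
    if not request_path.startswith(REDIRECT_PATH):
        return None
    target = unquote(request_path[len(REDIRECT_PATH):])
    if urlsplit(target).scheme.lower() not in ("http", "https"):
        return None
    return target


if __name__ == "__main__":
    print("leaked on direct click:", leaked_params(referer_sent_on_direct_click(VIEW_URL)))
    rewritten = rewrite_links(SAMPLE_BODY)
    print(rewritten)
    for m in HREF_RE.finditer(rewritten):
        print("redirect resolves to:", resolve_redirect(html.unescape(m.group(2))))
```

Two caveats a practitioner would add. Whether the redirect hop actually keeps the message URL out of what the external site sees depends on how the browser in use handles Referer across the redirect, so the behaviour has to be verified against the real clients; the durable fix is to stop carrying the session token in the URL at all. And a redirect endpoint that forwards to arbitrary targets is an open redirector, which is why `resolve_redirect` restricts the scheme; a production version would also log or rate-limit it.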
n/t
Try telling a customer that you do business with Israel. Or disagreeing with the Shrubbery. Or getting on a plane with a button saying "Suspected Terrorist". Or getting on a plane if you have the wrong name.
Tiny cracks in liberty will more surely destroy it than will the big and public threats.
To quote from Emily Dickinson (yup, that poetry you had to read in school is sometimes to the point):
Crumbling is not an instant's Act
...
A fundamental pause
Dilapidation's processes
Are organized Decays.
Ruin is formal - Devil's work
Consecutive and slow -
Fail in an instant, no man did
Slipping - is Crash's law.
We don't look for the hole first. That's it right there, and it's something which has saved us. My examples are from my WiFi scanning, but the general practice applies elsewhere also.
There is a business in my area (which will remain nameless) which contacted us in the MIS department about trying to poke a hole in their security to see how good it is. Not us finding a hole and telling them. That looks like you're trying to get in. Think about it: you're not real friendly with the guy who keeps scanning your machine and trying to get in without you first knowing about it, so why should these companies think otherwise? I know that if I was middle aged, balding, and had a job which used tech that I understood half of, that if someone said "oh yeah, while driving by, we found this problem in your WiFi network" I'd question *why* they were looking at my business network. It's a stereotypical response, but you have to place yourself in their shoes.
What we have done at my college is that we first contact the houses and businesses in a given district, say what we are intending to do, how in some places there are services which charge for security analysis like this, and that as a service learning project we are doing it for free. Then we educate them on what it means to be secure, all in a quick 5 minute spiel, and then ask their permission to report any flaws that we find to them and help them patch them. If denied (which so far has only happened once, and it was a bank), we move along and don't report anything that we suspect from them. Remember, we are covering a district, so if someone says "yes, we would like to know so we can better protect ourselves" we generally scan that area, and with WiFi, we haven't had an issue with it. Then we do up a report of what's vulnerable as far as connections, and if there are any, we take it a step further. Everything is done with an optional NDA agreement which, if asked, we will sign beforehand, stating the limitations of what we will do, and we offer suggestions to ask outside consultants to check the machine logs after we leave to see if we held up our end.
This has worked very well for us, but the main point is that we are up front with these people and we don't go behind their proverbial back. We don't sneak around in the dead of night (if they don't want us to, although we do night scans of districts as it provides another view), so it doesn't look suspicious.
The more up front you are before you do anything, the less trouble you are likely to get into (most of the time) with something like this.
-
We don't need an "overrated" so much as we need a "you completely missed the parent's point, dumbass..."
I now wonder. Is this the first time Emily Dickinson has been quoted on Slashdot (except perhaps for a snippet in a signature)?
Who gets to decide what is "wrong, wrong, wrong"?
The guy signing the paycheck? F*ck him, otherwise we are all just sniveling toadies.
I agree that in this case the guy was stupid, but it should not be a punishable offense to tell a company's customers how their data is being intentionally left at risk, even if the motive is to screw the company, and it should be socially unacceptable for that company to continue to allow the customers' data to remain at risk.
Sure, if the guy had told the customers while he was working there, then I can see the company firing him, but as he had already been fired, the jerk was just delivering what he had already paid for with his job.
Read, L
The complaint says he sent email through Tornado's Email server - but this is just smoke. All Email goes through the destination Email server - that is how Email works!
Will they extend his sentence if he finds a hole in the jail wall?
Correctly, but the problems the legislation was intended to address were the problems of keeping problems secret from the users so they wouldn't have to be fixed.
That is the corporate security problem.
Protecting user privacy is something for a marketing department to use in advertising.
Tech Public Policy stuff
In reality male-male prison rape (aka getting butt-fucked, getting your shit pushed in, being someone's bitch) is not very funny. I think the point is to cause discomfort by introducing or describing a clearly uncomfortable, unpleasant situation. It is meant to induce a reaction very similar to seeing someone getting hit in the balls. Most men, when they see the video of a kid smacking a baseball into dad's testes, don't laugh in the same way they would laugh at a truly funny situation. The usual response is a groan or cringe, followed by a laugh of relief that it didn't happen to them. There are few men who could watch man-on-man action, rape or otherwise. The rest of us sure as hell wouldn't be laughing if we witnessed it.
It can be made "funny." It is called situation comedy. Bizarre and unpleasant situations appear on TV all the time. These sitcoms don't translate well to reality, so they don't evoke the same response that a real situation would.
Now, when someone says:
Guess whose hole will need tight security now ?
Do you think most people immediately imagine the unpleasant realities of jail-house love? I immediately thought of Leslie Nielsen wearing a chastity belt in the shower in Naked Gun 33 1/3. So yeah. I laughed.
If you have issues stemming from a personal experience that prompted your outburst, recognize that many of us will not respond in the same way that you did. (e.g., we might not recognize it as an act of humiliation, etc.) There is no shame in getting help.
If you thought the statement was inappropriate, a simple "This statement is inappropriate and insensitive" would have been fine. Empathy and sensitivity are good; it's nice to see them once in a while.
If, however, you just wanted to be condescending: Be advised that your slippery-slope argument is invalid. And while you might argue that it is your opinion and that it can't be invalid, if it is based on faulty logic, you risk exposing yourself as illogical. Don't feel too bad though: You got modded up to a +5 insightful, which means that there were other people who thought your slippery-slope statement was insightful or wisdom-packed. Or maybe you said what they wanted to hear.
(FYI, since the RIAA and MPAA seem to be popular topics here, keep in mind that they routinely adopt slippery-slope arguments: Oohh... if we don't have X protection, people will be able to burn our CDs. Then they'll stop buying CDs, and then we'll lose all sorts of money, and the music industry will collapse, and I'll lose my Porsche, and there won't be any more music ever in the world, and WWWWWAAAAAAAAAAAAAHHHHHH!!!! OK, so I embellished a little. But you routinely hear this argument. And while it is based on false logic (until they back it with actual data), it still paints a believable story to whoever it is aimed at. And that can be dangerous.)
Maybe some day they will teach (2-valued) logic and reasoning in grade school or high school....
Good quote -- the thing is, it is true that in practicality we don't have the freedoms I wish we had, and that we all truly deserve to have. There's a push and pull to this whole freedom thing, a balance to be found. We have to be a little extreme pushing things in the direction that we want, because the other guys are doing the same thing. They fall into the "just trust us" category of government, and that should scare the hell out of all of us. I'd like to think that they're just going through a moment of weakness because they're scared. Fine -- a lot of social policy comes about from fear. But we need to push against that; we need to provide the balance. That's our role in society. A grey look at what is, is not enough. You should strive for more. You know what's right. You never need to do anything else in your life other than advocate what you know is right. Yes, I am hopelessly idealistic.
That's what counts.
Ask yourself this (especially knowing what you know now)... is it worth it? I say no. The government as a whole has the collective IQ of 10. They neither care about our rights nor the US Constitution. I'm so tired of hearing about our rights and the Constitution. We live in a corporation, not a democracy, and the Constitution is a mission statement. It's what they try to live by, but it all comes down to what the "shareholder" wants.
And as far as letting a company know about their security flaw... screw them. They will do nothing about it in most cases (so it's not even worth the risk) or they will go after you legally to keep your mouth shut.
Best bet would have been to exploit it... shut them down... and then the customers would have left. Meanwhile set up something similar (more secure, of course) and let the searching little consumers flock your way.
That's just my opinion however, and really, who am I?
informing people that a company is running Windows?
To know that you know what you know, and that you do not know what you do not know, that is true wisdom. --Scooby Doo
Operator: Sir, may I help you?
Voice: Aaagh! Please help! There's a man going around twisting doorknobs and going in and burgling the people inside!
Operator: So ... how did you say he is getting in?
Voice: Turning the doorknobs - he's found that by turning a knob on the door, if it's not locked, he'll gain entry!
Operator: We'll send some troopers by...
Voice: Good. Good, then the neighborhood will be protected fr-
Operator: No sir - for YOU. You see, you've disclosed a little-known flaw in door design. You'll be hearing from us shortly.
Voice:
And there you have it. We need a two-fold revival to take place here:
1) The Internet ought to have a designated TLD (like .security) in which information about exploits can be FREELY exchanged among (verified) network, system, and security professionals. ...
2) We need to cast aside notions of having to code for the Stockholder, or code for the Board, and instead Code for Longevity & Robustness. Also we need to NOT throw up our hands at attacks (I saw a story on Slashdot about "Intrusion Allowance" or some such, in which a new paradigm of thinking that it's no longer worth defending against attacks was introduced), and instead get serious about connected systems. If they don't meet spec - toss 'em. If they're not B-grade systems (ACL's, file bit permissions ... I think 'B-grade' is the DoD terminology here...), we need to toss 'em. If our vendor cannot comply by providing security patches Within A Reasonable Time, toss 'em.
I understand that this will NEVER come about, as it's easier to throw up our collective hands (unless you're a security specialist! ;) ), but we ought to, at the very least, be able to exchange information. Here's the deal: the Bad Guys know this. If they don't, they can find out. The Good Guys know some of this. If they don't ... they'll find out when they're r00t3d by a 1337 h4XX0r!
*sigh*
Another example:
Mechanic: Geez
Customer: What's wrong with it?
Mechanic: I'm sorry, sir ... this car's about to fall apart. ... all I can say is that it's unsafe. Here are the keys. Have a good trip home *snicker*.
Disconcerting, but this is what system/security personnel face now.
Grrr!
My $1.02 or so.
:)
Perhaps they could put a bear holding a shark on their website now and scare away security experts.
CAn'T CompreHend SARcaSm?
Companies like Microsoft should be aware that security holes in its products will just go underground. Actions like this will force people just to anonymously disclose serious bugs to hacker groups. Far safer to post it anonymously and not worry about the lawyer bills.
If (and it's a large "if") the information is actually correct, then it is another example that your whole system is in such dire need of replacement that you need another revolution.
Nice troll, it should have been moderated to Score 5, Troll instead of Score 5, Interesting.
done
I forgot to add: I like the way you worded the statement in such a way that the murder of someone rEWDBOi knows is inevitable ("When" not "If").
http://library.lp.findlaw.com/articles/file/00418/002034/title/subject/topic/labor%20%20employment%20law_employment/filename/laboremploymentlaw_3_47
Enjoy. There is even a legal opinion, not mine
I know no one will read a post put up this late.
But I was struck by how wrong the article got this guy.
He DoS'd the company's email servers and sent emails to all of the company's clients giving instructions on how to do such an attack.
The line he crossed was DoS'ing those servers. That is where the difference between free speech and destruction of private property lies. If he was so unhappy about his former employer and so disgusted at the way security was handled, then a website without a DoS attack on the employer's email servers would have been fine. So would writing an article for the local newspaper.
Hell a billboard would have been alright too (assuming this guy has all his facts straight).
But the difference in my mind between that stuff and what he did was the DoS attack.
He deserved to be in the pokey, now it is time for him to move on with his life.
There seems to be a little confusion about some issues. Tornado filed a civil suit and lost. The hole was an HTTP REFERER problem. This was disclosed to the public by an ex-employee publicly while Bret McDanel was working at Tornado. Because this document was public, and HTTP REFERER is not specific to Tornado, Tornado lost their civil suit. The NDA was not violated. Nothing secret that was learned while he was there was revealed. After Tornado lost the civil suit *then* the case went criminal.
Bret McDanel is currently attempting to sue Tornado (who is now xmsg.com - right after the trial Tornado folded and xmsg.com, with the same people at the same physical office, doing the same service, started up), Kevin Torf, Craig Wasko, Ryan Kim, and Sam Balooch for perjury. Additionally he is filing suit against the FBI, who he has proof lied as well (Agent Peterson and Agent Watkins) to suppress evidence, lie about the evidence they have, etc. His lawyer was supposed to bring this up in trial, but the government is good about making sure that people don't have money for trial, so he got a public defender who refused to put up any defense (and that is part of his appeal). The brief even mentions some of the lies that were said.
A donation for expenses related to this case can be made via PayPal to bret@mcdanel.com (that email address is currently not working, but should be up soon; PayPal to that address will work). Anything that can be given is greatly appreciated. If you do not have a PayPal account, just creating one gives you $5 and the legal fund $5 if you use this link.
There is a website that is going to be put up soon with the transcripts, system logs, etc. that show that the system was never impaired until after they took it down and started deleting the emails (the criminal act of deleting emails was the only thing that caused any load issues on the system). The amount of logs and all are quite large, so it will take some time to get everything up.
Just the attachments that are part of the appeal are 3 inches thick; the whole amount of discovery (evidence) was many, many thousand pages (and not all of it was printed out).