Talk About A Security Hole, Go To Jail?
Nu11.org writes "According to a SecurityFocus article, 'Federal prosecutors in California went too far when they put a man in prison for disclosing a website security hole to the people at risk from it.'" According to the article, "...by explaining how the vulnerability worked, and why customer data was at risk, prosecutors asserted, the security specialist 'impaired the integrity' of the affected network", citing the case of Bret McDanel and his former employer, Tornado Development, Inc. We've discussed the disclosure of software exploits recently.
...the solution to securing the hole was to use a Mac! And you thought it was bad when last week on Slashdot the buzz was you'd lose your job if you suggested using Macs! :)
"Right now, somewhere in this world, Scott Baio is plowing a woman he doesn't love," - Peter Griffin, *Family Guy*
"So if you find problems, the best practice is to keep quiet about it."
No, the best practice is to ask permission of those in charge before doing security checks and then to tell those in charge about the flaws you find.
It's moronic to break in without permission and then tell everyone about it. Especially those who can't even do anything to correct the situation.
What do you think would happen if you broke into your neighbor's house and then informed everyone on the block how you got past his security?
The guy is rightfully going to jail because he's a moron.
If you want to check your neighbor's security, you ASK YOUR NEIGHBOR and then TELL YOUR NEIGHBOR what weaknesses you found.
The moron in this story didn't ask permission and then scared off customers. It's not his job to check security and then report to the world the results of his unauthorized tests.
Duh. It's amazing how many otherwise intelligent people can be so braindead.
Ben
Work Safe Porn