Talk About A Security Hole, Go To Jail?
Nu11.org writes "According to a SecurityFocus article, 'Federal prosecutors in California went too far when they put a man in prison for disclosing a website security hole to the people at risk from it.'" According to the article, "...by explaining how the vulnerability worked, and why customer data was at risk, prosecutors asserted, the security specialist 'impaired the integrity' of the affected network", citing the case of Bret McDanel and his former employer, Tornado Development, Inc. We've discussed the disclosure of software exploits recently.
Too late, he already served the time... If you had actually read the article, you'd know this!
He actually could have done it in a more subtle way. Doing jail time for what he did is harsh and so typical US-insane, I agree, but he probably did break the law nevertheless.
We suffer more in our imagination than in reality. - Seneca
Yeah; it's not a good idea to tell people that they have weak security. For a really good example, ask Google about "Randal Schwartz". His story is going on to a decade now, and still isn't over.
Basically, he had done a lot of consulting work for Intel, and they gave him permanent free accounts on some machines to use as he wished when not on a contract. He saw a new company doc about how to deal with poor passwords. So he thought he'd help them out by nabbing a few password crackers off the Net and applying them to nearby machines. He found that some company VPs had easily-guessed passwords. While he was writing up a report, the sheriff showed up at his door with an arrest warrant. He is now a convicted felon.
Reading between the lines, it seems pretty clear that the people in the legal system think this is ridiculous, and it's really Intel who should be convicted and punished. But there seems to be little that can be done about it. As the judges read the laws, following the company's published guidelines and testing security is a felony, no matter how stupid that sounds. Telling people in the company that their VPs are violating the company's own security rules is also a crime.
So if you find problems, the best practice is to keep quiet about it.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
For capitalism to work, it requires consumers to be able to make informed choices about the goods and services they purchase. By criminalizing the distribution of security information, the federal courts are preventing consumers from making truly informed decisions regarding security, which is arguably an important element of a purchase decision. If it were not, then why would Tornado be so miffed? Two end results, if this decision runs its course. First, security will fall through the floor as companies realize that they do not need to invest in it to get customers. Second, consumers will only be able to choose based on who presents the best front; advertising wins. I'm fine with advertising, but it should not replace informed discourse in the marketplace.
I don't think he took extreme measures at all. IMHO he took the next logical step. He showed it to his boss. They did nothing. Since he was no longer in a position of influence at the company (like he ever was before) he talked to the next logical group of people: the people directly affected by this. If he had posted this to /. or had sent it out to the underground hacker rings he would have definitely gone too far. But he only informed those most at risk from the company's screwup: the customers. The company is lucky he didn't report it to any big bug tracking organizations. A lot of people read those, both white and black hat hackers.
I say that if a company does not actively seek to fix a security hole within a reasonable amount of time, they deserve to be humiliated before their customers like this. The guy was only trying to put the customer first, and not the company's reputation. Hell, the customers could probably sue the company since they knew they weren't secure but kept advertising that they were. Damn marketing droids.
Space for rent, inquire within
- Intel caught him and told him to stop. He continued.
- He actually used some of the passwords to login, although he didn't change or grab any data.
- None of this was directly related to performance of his duties as a contractor.
I think Intel was merciful the first time, 'cause they could have nailed him then. The end result is awfully harsh and all out of proportion to the harm caused; however, he was by his own admission doing something illegal that he'd been warned not to do.
This case is similar. Yes, the prison sentence is crazy for the crime, however what this guy did was stupid. He was clearly going after the reputation of his former employer: if he'd been motivated only by the good of the customer, he would have sent the email while on the job. Also, he could have just warned folks without publishing exploit details.
This is a problem many geeks have -- getting nailed for doing something technically correct but socially unacceptable. Most of the rules that run the world aren't written down and never will be. You can be technically correct and still wrong wrong wrong.
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
The following tidbits were turned up by a little search on the web.
The FBI says that: "COMPUTER SPAMMER SENTENCED TO FEDERAL PRISON". Yes, they advertise the conviction of Bret McDanel as a spammer sent to jail:
http://www.fbi.gov/fieldnews/march/la03250
The San Diego Union-Tribune(?) writes that:
"Prosecutors allege that McDanel hacked into his former employer's server and sent thousands of e-mail messages at practically the same time, forcing the company to shut down its computer system in August and September 2000." Link:
http://www.signonsandiego.com/news/busines
In the FBI note there was no mention of the security bug at all; they said:
"Additionally, the emails he sent contained a link to a web site he had created where he revealed confidential information about Tornado technology that McDanel had learned while employed there."
Now that is such a selective disclosure of information that I am inclined to equate it with telling an untruth. (Just like printing that some John Doe killed several people in 1967 and he is still not behind bars, omitting that he was acting in war...)
What alarms me is that he was found guilty on spamming charges which damaged the mail server, while that seems not to be the basis of his ex-employer's discontent. I guess the prosecutor was not interested in bringing out the truth but rather just in having a conviction based on the "Computer Fraud and Abuse Act" on his resume.
Note that the company (Tornado) went out of business.
'ta
Further, they wouldn't let McDanel work for (now) 3 years (he wasn't allowed to work while on bail). They make sure that you have no money before the trial starts.
They gave McDanel's secrets to this company too. See, McDanel was competing with this company (and the company found out like a month before this release that he was working on his own software in his spare time). It's not just email, it's unified messaging: integration of email, voicemail, fax, paging, etc. So it isn't something that you can just get for free. This company, within weeks of McDanel's initial raid, had his secrets in their office, then hired consultants to use his secrets (which required totally rewriting EVERYTHING from the ground up). They then claimed that as damage as well.
So he lost 2 businesses (where he was working, which was his fiancee's business, and the new one that he was starting), the ability to work, and he had to refund money to all the current customers of the place he was working. Everything they could do to make sure that he couldn't afford a real defense.
Jan 12, 2000: Customer support at Tornado gets an email from an ex-employee saying there is an HTTP REFERER problem in their product (along with 15 other webmail providers, Hotmail included).
Jan 13, 2000: Development has written a fix and tested the fix (a CGI redirect and code to cause all URLs in the email to go through this redirect, nothing big).
Feb 1, 2000: McDanel quit (gave 2 weeks notice) because of problems with management dealing with another employee.
Aug 24, 2000: McDanel contacts customer support (he is friends with this person) and asks if the problem is ever going to get fixed (McDanel was allowed to keep his account free after quitting, which shows that he didn't leave on horrible terms, and maintained friendships with many people in the company; in fact some people in the company tossed work to his fiancee's company).
Aug 27, 2000: McDanel was told no, they were not going to fix the problem (unknown at that time was that the QA person had closed this bug report months ago without applying the fix).
Aug 30, 2000: Email from one of the managers at Tornado to McDanel regarding his web page.
Aug 31, 2000: McDanel sent emails to the customers at the rate of 6.67/sec (10 RCPTs per body, so the body is effectively 10% the size; a delay of 1.5 seconds between each body). The system logs showed NO impairment during this time.
Later the system was shut down (sendmail, web server, etc.) *then* the system load went up (presumably when they were deleting the emails, which in itself is a crime).
McDanel was on the phone with admins just prior to sending and continued talking to one admin for 20 minutes, then called others and helped this company fix their system when it broke (turns out it broke because they were deleting the emails, but nonetheless McDanel did whatever he could to try to help them, including spending several hours on the phone with them the night the emails were being sent).
In every instance that he sent emails (6.67/sec to an 8-CPU UE 4500 with a gig of RAM, which in no way is a DoS) there was no downtime, the xdelay in the mail headers was 1 second or less, it was not suffering at all. The queue stayed below 30 mails most of the time (once, for less than 1 minute, it went over 30 mails but it quickly processed that and the queue was below 30 again).
Sendmail (which they used) will automatically queue the emails if the load is too high. The mere fact that the queue was empty (or nearly so; they do not log if there are fewer than 30 in the queue) indicates that the system was not overloaded.
The fact that the CPU load reports (HP OpenView) indicated that the load did not go up until AFTER services were shut down (if you kill sendmail, sendmail cannot cause load - period!) also shows that it was not a DoS.
What is worse is that McDanel was charged under the 1998 version of 18 USC 1030. The new version (PATRIOT Act) makes it tons easier for them to convict you. If you attempt to impair the integrity and are unsuccessful, you can still be guilty (before, you actually had to do something; now you just have to attempt/intend to do it, and presumption of intent is easy for them to prove, they just have to say it).
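The Referer leak and the redirect fix mentioned in the timeline above (a redirect page that every link in a message is routed through), as an added illustration in Python that is not Tornado's or the poster's code. The endpoint path and the sample message body are assumptions; the example also shows why the hop has to be a client-side page rather than a plain HTTP 302, since browsers keep the original document as Referer across server-side redirects.

```python
import re
from html import escape
from urllib.parse import quote, unquote, urlsplit

# Hypothetical path of the redirect page on the webmail host (assumption).
REDIRECT_ENDPOINT = "/cgi-bin/redirect"

# Matches href="..." or href='...' in the HTML body of a message.
_HREF_RE = re.compile(r'''(href\s*=\s*)(["'])(.*?)\2''', re.IGNORECASE | re.DOTALL)


def rewrite_links(html_body: str) -> str:
    """Route every href in a rendered message through REDIRECT_ENDPOINT.

    Without this, clicking a link sends the webmail page URL (which in 2000-era
    webmail often carried the session identifier) to the third-party site as
    the Referer header. After rewriting, the link points at our own page.
    """
    def _sub(m):
        prefix, quote_char, target = m.group(1), m.group(2), m.group(3)
        return f"{prefix}{quote_char}{REDIRECT_ENDPOINT}?u={quote(target, safe='')}{quote_char}"
    return _HREF_RE.sub(_sub, html_body)


def dereferer_page(query_param_u: str):
    """Server side of the endpoint: return (status, html) for the hop.

    Only absolute http/https targets are accepted; javascript:, data: and
    relative paths back into the mail app get a 400, so the page cannot be
    turned into a script vector or a generic open redirect.
    """
    target = unquote(query_param_u)
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return 400, "Bad redirect target"
    # A plain 302 would not help: the browser would still send the mailbox
    # URL as Referer to the destination. A client-side refresh from this
    # neutral page makes the page itself (or nothing) the Referer instead.
    safe = escape(target, quote=True)
    html = (f'<html><head><meta http-equiv="refresh" content="0;url={safe}">'
            f'</head><body><a href="{safe}">Continue</a></body></html>')
    return 200, html


# Constructed sample message body (not real customer mail).
SAMPLE_BODY = ('<p>See <a href="http://example.org/offer?id=7">this</a> '
               "and <a href='javascript:alert(1)'>this</a>.</p>")

if __name__ == "__main__":
    print(rewrite_links(SAMPLE_BODY))
    print(dereferer_page("http%3A%2F%2Fexample.org%2Foffer%3Fid%3D7"))
```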