Slashdot Mirror


Talk About A Security Hole, Go To Jail?

Nu11.org writes "According to a SecurityFocus article, 'Federal prosecutors in California went too far when they put a man in prison for disclosing a website security hole to the people at risk from it.'" According to the article, "...by explaining how the vulnerability worked, and why customer data was at risk, prosecutors asserted, the security specialist 'impaired the integrity' of the affected network", citing the case of Bret McDanel and his former employer, Tornado Development, Inc. We've discussed the disclosure of software exploits recently.

54 of 472 comments

  1. Gee, that's swell by gizmoiscariot · · Score: 5, Insightful

    Makes you not want to even bother saying anything. Wait till the rest of the world decides that and you have security holes everywhere.

    Of course, can you have holes within holes?

    --
    Gizmo
    1. Re:Gee, that's swell by Geek+of+Tech · · Score: 3, Insightful
      They neglected to fix the problem. Instead of posting to CERT or Bugtraq, where it would most likely be seen only by people who had no association with his old company, he told people who were affected by the problem. The true idiots are the people who neglected the problem.

      And this is different from telling how people could gain access as root through slashcode. This would be more comparable to Slashdot advertising secure posting and moderation and then neglecting to fix a bug that would let people easily log on as someone else and post to their journal.

      --
      Stop the Slashdot effect! Don't read the articles!
  2. Hmmmm by mao+che+minh · · Score: 5, Insightful
    That's a pretty tough one. The guy made it public knowledge that there was a flaw in the Tornado system (sending emails to all of the employees and even making a webpage that detailed the flaw), and even demonstrated how to exploit the flaw (on said web page). Normally demonstrating flaws and exploits shouldn't be an issue - but this guy showed an actively vulnerable target to the world and told them how they could crack it. That wasn't a very bright thing to do.

    He reported it to management, like he should have. He should have left it alone there.

    1. Re:Hmmmm by u19925 · · Score: 2, Insightful

      So how come nobody is prosecuting the person who discovered the Hotmail security flaw? That was the easiest to exploit, and he showed everyone how to exploit it (see this story). Just go to the Hotmail website using the link information provided and you will be able to reset anyone's password that you wanted to and get a new password delivered to whatever email you wanted. What is more, the inventor falls in the classic "terrorist" profile of the FBI/CIA: a Muslim male in the 16-45 year range from Pakistan.

    2. Re:Hmmmm by Anonymous Coward · · Score: 2, Insightful

      You are mistaken. Tornado knew about this problem and had a fix written AND tested for 8 months. They never implemented the fix. He had 3 choices of what to do: nothing, and hope that no one else looked for this type of vulnerability (but someone HAD already written a paper on this problem); tell the world (but then the problem doesn't get fixed, but bad guys know where to go); or tell the people that were affected and try to get the company to fix the problem.

      He did not tell the world as you said. And even if he had, should telling of the existence of an insecure item (this company sold their software to other companies, so it wasn't just them that were vulnerable) be a felony?

  3. Scared corporations and governments kill the good. by zoloto · · Score: 5, Insightful

    To put McDanel in jail, the government adopted a rather unique interpretation of the federal computer crime statute.

    The applicable language in the Computer Fraud and Abuse Act makes it a crime to "knowingly cause the transmission of information and as a result of such conduct, intentionally cause any impairment to the integrity or availability of data, a program, a system, or information without authorization." Ordinarily, this is used to go after people who distribute worms or viruses, mailbombs and Trojan horses: things that actually shut down or affect the computer system itself.

    Isn't this going a little too far? I thought a suggestion box was always welcome, or even a public message board where people could leave suggestions was A Good Thing(TM).

    I may have been wrong. But this isn't right. No sir, it is not.
  4. He shouldn't have e-mailed the customers. by BrynM · · Score: 5, Insightful
    His big mistake was e-mailing the customers. On top of that, he shouldn't have directed users to his own site. True: the company screwed with the customers further by deleting their e-mail, but he should have found a better third party to apply pressure with. Messing with a company's customers is like talking smack about someone's Mom. It will get you into a fight.

    Does anyone have any ideas as to what alternative third parties would be good for this kind of whistle blowing?

    --
    US Democracy:The best person for the job (among These pre-selected choices...)
    1. Re:He shouldn't have e-mailed the customers. by LostCluster · · Score: 4, Insightful

      Because he had no right to be in possession of the customer e-mail list. In e-mailing anything to the customers, he proved that he had illegally taken private company information and held onto it after he left the company. Game over.

  5. How about... by Anonymous Coward · · Score: 1, Insightful


    putting executives in jail for creating software that is buggy and insecure, allowing 14-year-olds to cost businesses millions of dollars.

    Responsibility and accountability seem to be forgotten words these days; if you do bad and you're an executive you just walk away and collect your golden parachute.

  6. Stupid! by Anti+Frozt · · Score: 4, Insightful

    This is so stupid. If we were to leave the finding and patching of security holes, etc. to the companies in question, attacks, virii, etc. would be even more prevalent than they are today. By increasing the number of sources for reporting these flaws to basically the population of the world, we significantly increase the chances that these problems will be discovered before they can be exploited.

    The DMCA (which IIRC makes pointing out security flaws illegal) needs to be severely looked over or things like the MS Blaster virus are only going to be the beginning of a much larger, nastier problem. Thankfully, it's only applicable in the U.S.

    --
    In C++, friends can touch each others private parts.
    1. Re:Stupid! by Anonymous Coward · · Score: 1, Insightful

      RTFA, he stole the list of Tornado customers and emailed them a link to his website where he had an exploit script available and links to vulnerable services.

  7. 1984 by spoonist · · Score: 4, Insightful

    Obligatory 1984 paraphrase:

    This is doubleplusungood.

    Also, to quote Winston Smith:

    Thoughtcrime does not entail death: thoughtcrime IS death.
  8. so who do i tell? by Anonymous Coward · · Score: 1, Insightful

    Who do I tell when I find out my credit card company's website is not secure? ...or do I just wait for the charges to start appearing on the card?

  9. This is the perfect interpretation ... by burgburgburg · · Score: 3, Insightful
    for this administration. This so meshes with the Ashcroft security paradigm.

    No more of these disruptive "warnings" of vulnerabilities. If you warn people about the real dangers they face instead of giving them vague color-coded faux-warnings, then the terrorists win.

  10. Re:Compulsory jail joke by gnovos · · Score: 5, Insightful

    Federal prosecutors in California went too far when they put a man in prison for disclosing a website security hole

    Guess whose hole will need tight security now ?


    Ha ha, prison rape is funny! I'm so glad this country is civilized enough that we can not only condone it, but we can laugh at his humiliation!

    Ha ha!

    Man, I can't wait until society evolves to the point where we can laugh at normal rapes too, especially violent gang rape and child molestation. Ha ha, you got raped at gunpoint while walking to your car, maybe you have AIDS now! Ha ha, your uncle made you stick his little friend in your mouth when you were five, hopefully you are scarred for life!

    --
    "Your superior intellect is no match for our puny weapons!"
  11. Re:In other words... by Anonymous Coward · · Score: 1, Insightful

    "Sir, if you don't lock your car, someone could steal your stereo... HEY EVERYONE!! This car is unlocked.. I'll open the door and hold it open for everyone to take a look in!"

  12. ...the message was incorrect.... by jmors · · Score: 5, Insightful
    I particularly like this section of the article...

    The government argued that the message was incorrect, useful to would-be attackers, and was intentionally designed to give Tornado trouble.

    Either the message was incorrect (which would render it useless to would-be attackers), OR the message was CORRECT if indeed the message could be useful to would-be attackers. I see a real contradiction in the government's argument here (yes I know, big surprise eh?).

    Does this mean that when Microsoft issues a report warning of a vulnerability in their software and exactly where it is and what the vulnerability can cause along with a security advisory that they are breaking the law?

    This, IMHO, sets a very dangerous precedent. It reminds me of another Reuters article I read today concerning corporate whistle blowers having trouble continuing their careers in other companies after exposing illegal activity.

    --
    The Matrix is real... but I'm only visiting!
  13. Re:Compulsory jail joke by Anonymous Coward · · Score: 1, Insightful

    That is not a troll. It is true. Why is it OK to make jokes about something like prison rape? It pisses me off, this double standard, if a woman is raped in a parking garage it is this horrible thing but if a man is raped in prison then it is a joke for us all to laugh about. Fucking hypocrites.

  14. Re:Compulsory jail joke by CausticWindow · · Score: 3, Insightful

    Prison rape jokes on Slashdot, or in the pub, are perfectly acceptable, and maybe even funny...

    What's not funny, is that prison rape jokes are considered great material for prime time family entertainment in the US. That's not only disgusting, but fucking scary.

    --
    How small a thought it takes to fill a whole life
  15. Re:Interesting indeed. by Anonymous Coward · · Score: 1, Insightful

    That's why you do it from a public computer in your local library. (Of course, my IP address changes almost every time I go on the net, so I'm not too worried about that aspect personally.) Then there is the other issue: had I been on that jury, "not guilty" all the way.

  16. only in the USA by selderrr · · Score: 2, Insightful

    I don't intend to troll, but in this case, the truth IS a troll. In the FUD-ruled USA, only officials & big corps are allowed to FUD. Any individual or small organisation that spreads FUD is considered a threat. Probably to prove that the govt is not allowing FUD.

    The only way to disclose security holes is by letting big corps do it, or by doing it as anonymously as possible. Currently, Europe is a tad better, but I expect this evil practice to fly our way in no time, as DRM is apparently doing. Sigh. It's so sad to see capitalism failing. I guess this must be a bit how the commies felt after they were proven wrong. Our only hope is that the future will come up with something better.

  17. Re:I've figured this sort of thing would happen by The+Kiloman · · Score: 2, Insightful

    No shit.

    BTW, the moderation on this post is amazing. Interesting?!?! Insightful?!?! He can't fucking spell, and it's obvious he doesn't know what he's talking about. But all hail the script kiddie that's ready with a glib comment! Mod him up!

    *grumbles* where are my metamod points when I need them...

    --
    You may disagree, but to be blunt, you're wrong. -tgd
  18. Re:I don't understand the reasoning... by kiltedtaco · · Score: 2, Insightful

    Still, the point is that if I was a customer at said bank, I would very much like to see that sign and immediately close my account with the bank and move to some place that will secure my money at least a bit. And I would personally thank whoever posted this sign.

  19. Re:In other words... by gl4ss · · Score: 4, Insightful

    A more proper way:

    -"Mr. Locksmith, your locks suck, they can be opened with a straw"

    -"grumble grumble*snooze* yeah whatever"

    -> 6 months.

    -"Mr. Locksmith, your locks still suck and you advertise them as secure! I can't stand it anymore, I must tell your clients that they can't trust your locks!"

    -"ah lad, you're going to prison then!"

    Actually.. the company itself did something illegal as well (deleted mails, which can be in some places a much higher crime than telling how to get to those mails, because it is in effect a breach of the communications secrecy the customers expected). Speaking of the vulnerability to anyone other than the customers would have been more malicious as well (posting on a security webpage or similar). I'd be making investigation requests (on why they manipulated the mail) if I was a customer of that said company..

    --
    world was created 5 seconds before this post as it is.
  20. Re:Compulsory jail joke by Anonymous Coward · · Score: 2, Insightful

    Yah, but this is America we're talking about! 100% of all our prisoners are guilty, and 100% of those crimes were committed against the laws of God - like those people smoking and eating plants created by Satan. Torture in foreign jails such as those in China is bad because their government is evil and jails good people. Torture in our jails is funny because we know that all our prisoners are evil and deserving of torture.

  21. Re:California? by slithytove · · Score: 3, Insightful

    This wasn't a breach per se, just the potential for one.
    And while this is not a happy precedent, the guy didn't handle it in the coolest way possible.

  22. Management will learn. by rice_burners_suck · · Score: 5, Insightful
    This is my personal opinion on the matter of vulnerability disclosure:

    I know that non-technical managers simply don't care how their systems work. They think in strategic and tactical terms. Buffer overflows are just an excuse why things can't get done. Managers hate those things. But there has to be a balance somewhere. Geeky technical issues cannot be ignored by managers. Granted, they don't need to personally learn the technical details. That's why they have tech guys working for them. But they need to invest the time, effort and resources into an ongoing technical systems maintenance program. This includes everything from cleaning dust out of computer chassis to maintaining security from the strategic level to the bits and bytes level. It is the technical department's duty to ensure that management understands the risks, like it or not. It is the management's responsibility to make sure the technical department is doing its job.

    In nearly all businesses today, it is necessary to be on the Internet. Being on the Internet entails certain risks. In the course of its business, the company will need to address these risks on an ongoing basis. For these reasons, it is important that all but the smallest companies refrain from outsourcing their "IT" departments.

    To make a long story short, corporate management is unaware of the implications of their lack of attention to technical matters. This applies to computers as well as manufacturing processes. Since they fail to gain an understanding of the implications and since they fail to respect the technical field enough to invest the necessary time and effort into it, they should be subject to the consequences of their irresponsibility. Therefore, if you are aware of a security hole, you should do the following: Nothing. Let a black hat cracker break in, steal data and wreak havoc on their network. This is the only way they will learn.

    Want to insist on doing "the right thing?" Send an anonymous letter to the company's IT department and to their management. State that if the vulnerability is not fixed within 48 hours, it will be posted on all the public disclosure sites. Do not include any identifying information.

  23. Re:You're forgetting a few things by Anonymous Coward · · Score: 4, Insightful

    I think both of those things point to a better course of action. While, personally, my opinion on bug disclosure is tell the vendor, wait two weeks, then tell the world--another, safer, avenue WAS available.

    Simply call the State Attorney General and try to open a fraud case. They are advertising a secure service while knowingly ignoring large security holes. It's simple fraud. And are you going to go to jail for talking to the Attorney General? Who exactly is going to prosecute you? It's the safe choice.

    Nevertheless, I believe he had the absolute right to do what he did. He just could have chosen a safer, smarter path.

  24. Re:Compulsory jail joke by Anonymous Coward · · Score: 2, Insightful

    Rape is an acceptable form of punishment? WTF is wrong with you?

  25. Re:Compulsory jail joke by BlueEar · · Score: 4, Insightful

    Yes, I have to agree with CausticWindow. Somehow the culture evolved so that a man getting raped or having his teeth smashed out to give another prisoner a blow job, is funny. Naturally, nobody would even dare to suggest that if the same happened to a woman that would be funny. But then again, one of the main sources of jokes on TV are men getting punched or kicked in the groin. Again, if a woman was ... you get the picture. So before making another joke like that think how it would sound if you replaced "man" by "woman" and then by "human being" ...

    --
    A religious war is an adult version of a fight over who has the best imaginary friend
  26. As Usual, The Morons Dominate The Posts by Master+of+Transhuman · · Score: 4, Insightful

    They complain that the editorial says this might cause a reduction in posts to Bugtraq, and this might not be true. So what? It could equally BE true. You don't know, so how is that a valid criticism of the editorial?

    The morons complain that the guy "spammed" the ISP's customers. He sent ONE email, staggered out over three days to different people, so he wouldn't overload the email servers. Sounds responsible to me. How much spam do these customers get from Tornado anyway? You don't know, do you? I get spam from Yahoo occasionally just because I have SBC DSL.

    They complain he was "irresponsible" because he didn't use "other channels". Like what? If he posts it ANYWHERE in public, he gets hit with the same charge. What PRIVATE channels are there that would work if talking directly to the ISP management did not work? Does he call Ahh-nold and get him to pressure the ISP?

    Face it, you right-wing, statist-worshipping geek pussies. The guy did the right thing. HE BLEW THE WHISTLE. The government did the wrong thing. THEY PUT HIM IN JAIL FOR WHISTLE-BLOWING.

    Now fuck off.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  27. Accountability ? by Reefa · · Score: 2, Insightful

    It was definitely not a very bright thing to do, but I don't think keeping quiet about it would be the right thing either. Maybe, like some other poster stated, it might have been better if he posted something about it on BugTraq (or similar).

    I see this guy as a whistle-blower, who like most other whistle-blowers, got screwed (in his case the Government and inmates did the screwing).

    Also, when will software companies start being held accountable for this kinda crap? It's about time the government stops making examples of people like Mr. McDanel and starts making examples of corporations.

  28. Re:Intereting indeed. by jbottero · · Score: 2, Insightful

    my IP address changes almost every time I go on the net

    So does mine, I don't live in an area that has high speed. But your ISP still logs who is using what IP addresses. Don't think that dynamic IP keeps you hidden, friend.

  29. Re:Email address database by LostCluster · · Score: 2, Insightful

    Stealing the customer list from an employer, leaving the company, and then using the list is cause enough to throw someone in jail. Normally such people are fined, but when coupled with an "I know how to hack into you." threat, it gives a justification. If you don't wanna be thrown in jail, don't be a criminal.

  30. Perverse Incentive, AKA Reward the Black hats by Erik_the_Awful · · Score: 5, Insightful

    The government's actions (in this case) provide electronic security professionals (and "crackers" if you prefer) with a "perverse incentive."

    "Why Information Security is Hard - An Economic Perspective."
    http://www.acsac.org/2001/abstracts/thu-1530-b-anderson.html

    "In a survey of fraud against autoteller machines [4], it was found that the patterns of fraud depended on who was liable for them. In the USA, if a customer disputed a transaction, the onus was on the bank to prove that the customer was mistaken or lying; this gave US banks a motive to protect their systems properly. But in Britain, Norway and the Netherlands, the burden of proof lay on the customer: the bank was right unless the customer could prove it wrong. Since this was almost impossible, the banks in these countries became careless. Eventually, epidemics of fraud demolish their complacency. US banks, meanwhile, suffered much less fraud; although they actually spent less money on security than their European counterparts, they spent it more effectively [4]."

    If the government's goal is a more secure Internet, the government should encourage actions via incentive that result in more secure systems. It is clear that if Bret McDanel had not informed Tornado Development's customers of the security problem, Tornado would have done nothing to repair it.

    If you subscribe to Ross Anderson's theories, the government's actions provide incentive for security technicians to take the following actions on the discovery of a security vulnerability:

    1. Don't talk or write about it without obscuring the publisher's identity.
    2. Exploit the vulnerability for personal gain.

    Heavy-handed prosecution of people like Bret McDanel will lead to a less secure Internet.

  31. Re:I've figured this sort of thing would happen by OpMindFck · · Score: 4, Insightful

    Where in this did he contact Intel about his intentions? From what you write here it sounds like their internal security team noticed his trespass and reported it to the correct authorities.
    Running password crackers on a company network without written authorization is criminally stupid.

    --
    Sipping on Jolt and Dew. Laid back. With my mind of my cubicle and my cubicle on my mind.
  32. Re:Compulsory jail joke by gnovos · · Score: 2, Insightful

    Maybe this little clue will help.
    Man in prison = criminal, deserving of punishment.


    And if the man gets his conviction turned over on appeal, then it's no longer funny if he's raped in prison? Or if the woman secretly got away with stealing from the office or whatever then her rape is now riotously funny?

    --
    "Your superior intellect is no match for our puny weapons!"
  33. Re:In other words... by blueskies · · Score: 2, Insightful
    "Sir, if you don't lock your car, someone could steal your stereo... HEY EVERYONE!! This car is unlocked.. I'll open the door and hold it open for everyone to take a look in!"
    He didn't hold the door open for anyone, dumbass.
  34. Re:Email address database by arkanes · · Score: 3, Insightful

    I seriously doubt that either of those things is the case - it's much more likely that there's a mirror address or online phone book of some kind. Why do I think this? Because he wasn't arrested and convicted for sending the message (RTFA). He was arrested for the CONTENT of his email. I certainly hope this is overturned on appeal - it's a massively dangerous precedent (there's nothing special about Bugtraq postings, given that the facts in the article are true and complete - you'd be just as liable for posting there as this guy was). It'd amount to the overturning of Federal Whistleblower laws and be an enormous blow to consumer rights.

  35. Re:Compulsory jail joke by Cyno · · Score: 5, Insightful

    I think we can agree that all forms of rape are humorous, along with all forms of punishment, abuse, torture, etc. In fact people are simply funny, the way they run around their whole lives, slowly dying, pretending its not funny. But it really is.

  36. Re:Scared corporations and governments kill the go by General+Fault · · Score: 2, Insightful

    "Under the theory articulated by the government, the transmission of any information that can be used by others to impair the integrity of a computer system (or cause loss of reputation) if done without authorization (and who would authorize it?) is a federal crime."

    I have several college profs that taught me how a hash table works. I also have a couple of math teachers that taught me all about prime numbers. Then I read a book or two on how to build some basic encryption routines. Now, should these people go to jail because they have given me what I need (assuming I am smart enough to do something with it) to crack any security software? How about if I threaten to use this information to take advantage of some security hole? Where does it stop?

    --
    No man is an island... But I wouldn't mind having a bigger moat.
  37. Re:You're forgetting a few things by sumbry · · Score: 5, Insightful

    It's not that you're forgetting a few things, it's that you're forgetting one major thing. He discovered this exploit while he worked at the company. It doesn't matter that he felt the need to alert the world to this exploit after he left; he gained this knowledge while employed there.

    In the same way that you can't work at a company, learn its trade secrets, and then jump ship to another company and disclose all of their trade secrets (similar to an NDA except this pretty much applies anywhere you work), you also can't gain knowledge of security exploits while you're under their employment, leave, and then tell the entire world about it.

    The feds were completely right in going after this guy. Some of you are being blinded by the security aspects of this, and I would argue differently if he had never worked at the company in question and discovered this exploit as an outsider, but that is not the case.

    He got what he deserved. I've worked at tons of companies where to this day I could tell you any number of ways to get back into their networks. Am I going to do that? Hell no. My best course of action is to alert the company of the exploit, and walk away.

    That's exactly what he should have done. He didn't, and he paid the price.

  38. Re:Interesting indeed. by Cyno · · Score: 2, Insightful

    What if you change your MAC address? How is your ISP even going to know your MAC address if you route through a gateway device?

    They have to cache some identifiable data somewhere. If they cache a false MAC address then the only thing they can prove is it came from your connection to their network. Now if you have a wireless AP on your network or any other form of anonymous access, then you're innocent until proven guilty.

    You're still the number 1 suspect, tho, which is why I recommend posting anonymously from a cyber cafe with DHCP and a modified MAC, just in case.

  39. What if this extended to cars? by erroneus · · Score: 2, Insightful

    Consider the possible outcomes. Let's say some on-board digital electronic unit within a popular automobile contained some sort of flaw that could ultimately result in accident, injury or even death. Given that the manufacturer was informed and failed to issue a recall, if someone decided to tell everyone potentially affected by this flaw, do you think it would be moral for the whistleblower to be sent to prison?

    I hardly think so. In this case, it's something far less "deadly." It's only privacy (something 'they' don't want us to have anyway) and potentially identity fraud and theft. These are growing into huge issues.

    According to the article, the man has already served his time but he wants his conviction reversed. I believe justice should be served by reversing this conviction... and in the future possibly preventing any such "backlash" from companies for "felony embarrassment."

  40. What the...? by LordLucless · · Score: 4, Insightful

    From the article: The government argued that the message was incorrect, useful to would-be attackers...

    How can it be wrong and useful to attackers? Man, the prosecution lawyers must have had fun with that one:

    "Your Honour, the security flaw described here does not exist. You can see how dangerous it would be for hackers to know about this non-existent flaw."

    --
    Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  41. Publicity is needed in order to correct that by justsomebody · · Score: 2, Insightful

    Well, that kind of exaggerating would be preferable to anybody. The bigger the case, the more stupid this law would look in public.

    But major case is really needed in that part, otherwise, lonely suckers will just get screwed.

    --
    Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
  42. Re:Compulsory jail joke by Have+Blue · · Score: 2, Insightful

    I can't wait until society evolves to the point where it's not possible to communicate anything to anyone due to the remote possibility of offending someone somewhere somehow. Actually, I think I *can* wait.

  43. Convicted for spamming not for the bug report by sustik · · Score: 5, Insightful

    The following tidbits were turned up by a little search on the web.

    The FBI says that: "COMPUTER SPAMMER SENTENCED TO FEDERAL PRISON". Yes, they advertise the conviction of Bret McDanel as a spammer sent to jail:
    http://www.fbi.gov/fieldnews/march/la032503.htm

    The San Diego Union-Tribune(?) writes that:
    "Prosecutors allege that McDanel hacked into his former employer's server and sent thousands of e-mail messages at practically the same time, forcing the company to shut down its computer system in August and September 2000." Link:
    http://www.signonsandiego.com/news/business/20020612-9999_1b12hacker.html

    In the FBI note there was no mention of the security bug at all they said:
    "Additionally, the emails he sent contained a link to a web site he had created where he revealed confidential information about Tornado technology that McDanel had learned while employed there."

    Now that is such a selective disclosure of information that I am inclined to equate it with telling an untruth. (Just like printing that some John Doe killed several people in 1967 and he is still not behind bars, omitting that he was acting in war...)

    What alarms me is that he was found guilty on spamming charges which damaged the mail server, while that seems not to be the basis of his ex-employer's discontent. I guess the prosecutor was not interested in bringing out the truth but rather just in having a conviction based on the "Computer Fraud and Abuse Act" on his resume.

    Note that the company (Tornado) went out of business.

  44. Re:Compulsory jail joke by bigsteve@dstc · · Score: 3, Insightful
    As for "how much punishment is enough", well, that's for the courts and the burly prison men to decide.

    Understand your effing Constitution! Jail inmates have no legal role in deciding how much punishment their fellow prisoners get. Jail rape and other jail abuse (up to and including murder!) is plain evil. It is patently illegal, unjust and should be stamped out. Anyone who thinks otherwise has obviously not thought through the issues.

    If you really think jail rape is a just punishment, lobby your Congressman to pass a law which allows a Judge to impose it as a sentence. And you'll probably need to get your Constitution (which outlaws "cruel and unusual punishment") amended too ...

  45. Re:You're forgetting a few things by Darth_Burrito · · Score: 5, Insightful

    Sorry to double reply but here's another point. If we were talking about a guy working for a tobacco company who found out the company was deliberately making their product more addictive while running a PR campaign saying the cigarette smoking was safe, would we even be having this debate?

    I agree that the guy's actions sounded malicious, but when it comes down to it, he was a whistle blower. He demonstrated that the company continued to advertise its services as secure even while they knew about a blatant security flaw which they did nothing to fix for six months.

  46. Re:Keep Quiet? How about tell the right people? by abe+ferlman · · Score: 3, Insightful
    If you want to check your neighbor's security, you ASK YOUR NEIGHBOR and then TELL YOUR NEIGHBOR what weaknesses you found.

    Um, you're not very good at analogies.

    It's more like an apartment building, and this guy was the Super. He knew that the locks on all the apartments could be opened with a butter knife, but the landlord said he'd fix it- then fired him.

    6 months later, the super checks- still butterknifable. He distributes leaflets throughout the apartment complex by sliding them under the doors.

    The Landlord starts busting into people's apartments and taking the leaflets away and has the Super arrested not for breaking and entering (which *maybe* he's guilty of), but for telling the tenants that their own (and by extension, their neighbors') apartments are unsafe due to the negligence of the landlord, so they should guard their stuff until the situation is resolved.

    --
    microsoftword.mp3 - it doesn't care that they're not words...
  47. Re:Compulsory jail joke by enomar · · Score: 3, Insightful

    So it's wrong to draw the line at making fun of rape victims?

    I agree that almost everything has become politically incorrect, but that doesn't lessen the vulgarity of rape jokes.

    --

    :wq
  48. Isn't it nice by alizard · · Score: 2, Insightful
    to see law working exactly as it was intended to. At least by the lawyers working for the various corporate interests that drafted it, if not by the Congressmen who were told "THIS will fix our computer security problems."

    Correctly, but the problems the legislation was intended to address were the problems of keeping problems secret from the users so they wouldn't have to be fixed.

    That is the corporate security problem.

    Protecting user privacy is something for a marketing department to use in advertising.

  49. Re:Convicted for spamming not for the bug report by obi · · Score: 2, Insightful

    Well, people shouldn't have to go to jail because they're assholes.

    Okay, he sent a lot of mails. Would he have received the same sentence if he was a garden variety spammer?

    Clearly it has something to do with the content of the mail or with the intent of the "attack".

    If it disclosed some confidential information, it could be tried in a civil court I guess, if there was a confidentiality clause in his contract which was still in effect. But even then, he could be considered a whistleblower.

    The only thing that they could try him on would be his intention to use some sort of DOS attack against the mailservers, but considering he didn't use anything special (just email) it begs the question: what's the difference with a bulk-emailer. Also, if he was really trying to disclose this info to the customers, I don't think his intention was to bring down his channel of communication to them (the mailservers).

    Either way, I don't see anything that warrants jail time. I just see an incompetent ISP, and someone that's probably a bit too annoying for his own good.