Talk About A Security Hole, Go To Jail?

Nu11.org writes "According to a SecurityFocus article, 'Federal prosecutors in California went too far when they put a man in prison for disclosing a website security hole to the people at risk from it.'" According to the article, "...by explaining how the vulnerability worked, and why customer data was at risk, prosecutors asserted, the security specialist 'impaired the integrity' of the affected network", citing the case of Bret McDanel and his former employer, Tornado Development, Inc. We've discussed the disclosure of software exploits recently.

Gee, thats swell

[gizmoiscariot]

Makes you not want to even bother saying anything. Wait till the rest of the world decides that and you have security holes everywhere.

Of course, can you have holes within holes?

Hmmmm

[mao+che+minh]

That's a pretty tough one. The guy made it public knowledge that there was a flaw in the Tornado system (sending emails to all of the employees and even making a webpage that detailed the flaw), and even demonstrated how to exploit the flaw (on said web page). Normally demonstrating flaws and exploits shouldn't be an issue - but this guy showed an actively vulnerable target to the world and told them how they could crack it. That wasn't a very bright thing to do.

He reported it to management, like he should have. He should have left it alone there.

Scared corparations and governments kill the good.

[zoloto]

To put McDanel in jail, the government adopted a rather unique interpretation of the federal computer crime statute.

The applicable language in the Computer Fraud and Abuse Act make it a crime to "knowingly cause the transmission of information and as a result of such conduct, intentionally cause any impairment to the integrity or availability of data, a program, a system, or information without authorization." Ordinarily, this is used to go after people who distribute worms or viruses, mailbombs and Trojan horses: things that actually shut down or affect the computer system itself

Isn't this going a little too far. I thought a suggestion box was always welcome, or even a public message board where people could leave suggestions was A Good Thing(TM).

I may have been wrong. But this isn't right. no sir, it is not.

He whouldn't have e-mailed the customers.

[BrynM]

His big mistake was e-mailing the customers. On top of that, he shouldn't have directed users to his own site. True: the company screwed with the customers further by deleting their e-mail, but he should have found a better third party to apply pressure with. Messing with a company's customers is like talking smack about someone's Mom. It will get you into a fight.

Does anyone have any ideas as to what alternative third parties would be good for this kind of whistle blowing?

Re:Compulsory jail joke

[gnovos]

Federal prosecutors in California went too far when they put a man in prison for disclosing a website security hole

Guess whose hole will need tight security now ?

Ha ha, prison rape is funny! I'm so glad this country is civilized enough that we can not only condone it, but we can laugh at his humiliation!

Ha ha!

Man, I can't wait until society evolves to the point where we can laugh at normal rapes too, especially violent gang rape and child molestation. Ha ha, you got raped at gunpoint while walking to you car, maybe you have AIDS now! Ha ha, your uncle made you stick his little friend in your mouth when you were five, hopefully you are scared for life!

...the message was incorrect....

[jmors]

I particularly like this section of the article...

The government argued that the message was incorrect, useful to would-be attackers, and was intentionally designed to give Tornado trouble.

Either the message was incorrect (which would render it useless to would be attackers), OR the message was CORRECT if indeed the message could be useful to would be attackers. I see a real contradiction in the government's arguement here (yes I know, big surprise eh?).

Does this mean that when Microsoft issues a report warning of a vulnerability in their software and exactly where it is and what the vulnerability can cause along with a security advisory that they are breaking the law?

This, IMHO sets a very dangerous precedent. It reminds me of another reuters article I read today concerning corporate whistle blowers having trouble continuing their careers in other companies after exposing illegal activity.

The Matrix is real... but I'm only visiting!

Management will learn.

[rice_burners_suck]

This is my personal opinion on the matter of vulnerability disclosure:

I know that non-technical managers simply don't care how their systems work. They think in strategic and tactical terms. Buffer overflows are just an excuse why things can't get done. Managers hate those things. But there has to be a balance somewhere. Geeky technical issues cannot be ignored by managers. Granted, they don't need to personally learn the technical details. That's why they have tech guys working for them. But they need to invest the time, effort and resources into an ongoing technical systems maintenance program. This includes everything from cleaning dust out of computer chassis to maintaining security from the strategic level to the bits and bytes level. It is the technical department's duty to ensure that management understands the risks, like it or not. It is the management's responsibility to make sure the technical department is doing its job.

In nearly all businesses today, it is necessary to be on the Internet. Being on the Internet entails certain risks. In the course of its business, the company will need to address these risks on an ongoing basis. For these reasons, it is important that all but the smallest companies refrain from outsourcing their "IT" departments.

To make a long story short, corporate management unaware of the implications of their lack of attention to technical matters. This applies to computers as well as manufacturing processes. Since they fail to gain an understanding of the implications and since they fail to respect the technical field enough to invest the necessary time and effort into it, they should be subject to the consequences of their irresponsibility. Therefore, if you are aware of a security hole, you should do the following: Nothing. Let a black hat cracker break in, steal data and wreak havoc on their network. This is the only way they will learn.

Want to insist on doing "the right thing?" Send an anonymous letter to the company's IT department and to their management. State that if the vulnerability is not fixed within 48 hours, it will be posted on all the public disclosure sites. Do not include any identifying information.

Perverse Incentive, AKA Reward the Black hats

[Erik_the_Awful]

The government's actions (in this case) provides electronic security professionals (and "crackers" if you prefer) with a "perverse incentive."

"Why Information Security is Hard - An Economic Perspective."
http://www.acsac.org/2001/abstracts /thu-1530-b-and erson.html

"In a survey of fraud against autoteller machines [4], it was found that the patterns of fraud depended on who was liable for them. In the USA, if a customer disputed a transaction, the onus was on the bank to prove that the customer was mistaken or lying; this gave US banks a motive to protect their systems properly. But in Britain, Norway and the Netherlands, the burden of proof lay on the customer: the bank was right unless the customer could prove it wrong. Since this was almost impossible, the banks in these countries became careless. Eventually, epidemics of fraud demolish their complacency. US banks, meanwhile, suffered much less fraud; although they actually spent less money on security then their European counterparts, they spent it more effectively [4]."

If the government's goal is a more secure Internet, the government should encourage actions via incentive that result in more secure systems. It is clear that if Bret McDanel had not informed Tornado Development's customers of the security problem, Tornado would have done nothing to repair it.

If you subscribe to Ross Anderson's theories, the government's actions provide incentive for security technicians to take the following actions on the discovery of a security vulnerability:

1. Don't talk or write about it without obscuring the publishers identity.
2. Exploit the vulnerability for personal gain.

Heavy handed prosecution of people like Bret McDanel will lead to a less secure internet.

Re:Compulsory jail joke

[Cyno]

I think we can agree that all forms of rape are humorous, along with all forms of punishment, abuse, torture, etc. In fact people are simply funny, the way they run around their whole lives, slowly dying, pretending its not funny. But it really is.

Re:You're forgetting a few things

[sumbry]

It's not that you're forgetting a few things, is that you're forgetting one major thing. He discovered this exploit while he worked at the company. It doesn't matter that he felt the need to alert the world to this exploit after he left, he gained this knowledge while employed there.

In the same way that you can't work at a company, learn it's trade secrets, and then jump ship to another company, and disclose all of their trade secrets (similiar to an NDA except this pretty much applies anywhere you work) you also can't gain knowledge of security exploits while you're under their employment, leave, and then tell the entire world about it.

THe feds were completely right in going after this guy. Some of you are being blinded by the security aspects of this, and I would argue differently if he had never worked at the company in question and discovered this exploit as an outsider, but that is not the case.

He got what he deserved. I've worked at tons of companys where to this day I could tell you any number of ways to get back into their networks. Am I going to do that? Hell no. My best course of action is to alert the company of the exploit, and walk away.

That's exactly what he should have done. He didn't, and he paid the price.

Convicted for spamming not for the bug report

[sustik]

The following tidbits were turned up by a little search on the web.

The FBI says that: "COMPUTER SPAMMER SENTENCED TO FEDERAL PRISON". Yes, they advertise the conviction of Bret McDanel as a spammer sent to jail:
http://www.fbi.gov/fieldnews/march/la032503 .htm

The San-Diego union tribune(?) writes that:
"Prosecutors allege that McDanel hacked into his former employer's server and sent thousands of e-mail messages at practically the same time, forcing the company to shut down its computer system in August and September 2000." Link:
http://www.signonsandiego.com/news/business /200206 12-9999_1b12hacker.html

In the FBI note there was no mention of the security bug at all they said:
"Additionally, the emails he sent contained a link to a web site he had created where he revealed confidential information about Tornado technology that McDanel had learned while employed there."

Now that is such a selective disclosure of information that I am inclined to equate it with telling an untruth. (Just like printing that some John Doe killed several people in 1967 in he is still not behind bars, omitting that he was acting in war...)

What alarms me that he was found guilty on spamming charges which damaged the mail server while that seems not to be the basis of his ex-employers discontent. I guess the prosecutor was not interested in bringing out the truth but rather just have a conviction based on the "Computer Fraud and Abuse Act" on his resume.

Note that the company (Tornado) went out of business.

Re:You're forgetting a few things

[Darth_Burrito]

Sorry to double reply but here's another point. If we were talking about a guy working for a tobacco company who found out the company was deliberately making their product more addictive while running a PR campaign saying the cigarette smoking was safe, would we even be having this debate?

I agree that the guy's actions sounded malicious, but when it comes down to it, he was a whistle blower. He demonstrated that the company continued to advertise its services as secure even while they knew about a blatant security flaw which they did nothing to fix for six months.