Talk About A Security Hole, Go To Jail?
Nu11.org writes "According to a SecurityFocus article, 'Federal prosecutors in California went too far when they put a man in prison for disclosing a website security hole to the people at risk from it.'" According to the article, "...by explaining how the vulnerability worked, and why customer data was at risk, prosecutors asserted, the security specialist 'impaired the integrity' of the affected network", citing the case of Bret McDanel and his former employer, Tornado Development, Inc. We've discussed the disclosure of software exploits recently.
When doing wireless security assessments, I've noticed neighbouring companies with unencrypted WEP access points, but I don't bother telling them because of this sort of thing.
But he did kinda take extreme measures. But they did even worse by deleting the mails.
Well, if it's too dangerous to disclose security holes when they know who you are, do it anonymously on Slashdot. That'll sure get their attention...
Do not look into laser with remaining eye.
One thing not mentioned in the article was where he got the list of email addresses of the Tornado clients. If he had taken this information when he left Tornado, there could be legality issues involved there as far as client privacy goes. Perhaps that weighed on the jury's decision...
I keep hearing stuff along the lines of this and it reminds me of things you used to only hear of in the former Soviet Union. What is this country coming to?
"Sir, if you don't lock your car, someone could steal your stereo."
"Officer! Arrest this man! He has figured out a way to steal my stereo!"
Sigh. Some people are just too stupid to live.
Hate to say it, and I suppose I should prepare for the 'flamebait' moderation, but the editorial is a bit biased on this one. Will this really stop people posting to bugtraq? Not really... this man was not (like the bugtraq contributors) responsibly informing people who needed to know about the details of the bug. He distributed this information to thousands of potential attackers (i.e. random strangers, not the company involved), and in the process spammed thousands of people who just didn't want to know (yes, spam; I'm sure every spammer thinks his mail is absolutely crucial to every recipient, but it's still spam).
From the article:
He could have explained to the customers that their information was at risk, without revealing quite so much detail. But according to the government's theory of liability, this would not have prevented his prosecution. Moreover, as is frequently the case with security vulnerabilities, this likely would have prompted a quick denial by Tornado that any such bug existed -- and they may or may not have fixed them.
It looks like just saying that there was a flaw would have gotten the guy thrown into jail.
'ta
It was the company who "impaired the security of the network" by not fixing the vulnerability once they were informed of it. The whistleblower did nothing to impair the security of the network; he merely informed the users of the impaired security status of the network.
b) They continued to advertise their webmail services as secure despite knowing that they were vulnerable.
He should get all of the users of the service together and class-action sue Tornado for knowingly lying to them about the security of their service.
It's pretty clear most of you haven't read the article. All the police state/hate the USA/Big Brother comments prove this. The guy was stupid. He went way beyond what is normally done to disclose a major security flaw.
That would be a very interesting exercise. It would be fascinating to see just how fast OSDN would roll over and cough up the "Anonymous" IP address to the feds.
He went to jail for sending emails? Perhaps he should have just sent a death threat to somebody by email; it probably would have netted him less time.
Seriously, more and more nowadays you read about people being incarcerated for defying authority, the government, or worse: corporations. Real crime is being pardoned, especially corporate white-collar criminals, while the jails are being filled with people just trying to exercise their rights.
America strikes me as a very odd country. There, you have a right to bear arms, based on the revolution against the government some time ago. Yet somehow, say one wrong thing against the government, or against their sleazy funders (big business), and you're screwed. Give us another 10-15 years, and the crime for whistleblowing will be more than murder - and you'd be better off solving your problems with a gun than making an honest attempt at helping your fellow countrymen.
Thirty spokes share the wheel's hub,
But it is the center hole that makes it useful.
Shape clay into a vessel, it is the space within that makes it useful.
Cut doors and windows for a house, it is the emptiness that makes them useful.
Therefore, profit comes from what is there,
usefulness from what is not there.
~Lao Tzu, Tao Te Ching
It's interesting that other professions actually have a duty to inform others of their vulnerability - while in IT you can be punished for it.
As a physician, if I find that a patient presents a danger to another person (for example, a man has a psychotic break and intends to kill his wife), I have a legal and ethical obligation to inform that person (whom I have never met.) If I fail to do so, I can be thrown in jail.
It's not hard to envision a future scenario in information security where one could have legal obligations both to inform and _not_ inform -- thus finding a security hole would guarantee punishment no matter the road taken.
+--------------------- You idiot! I told you we were facing the wrong way!
Isn't this type of action protected by whistle blower protection laws?
There's a question of whose data was at risk. In this case, it was the customers who had data at risk. His notifying them was proper to the cause of enabling those with possibly sensitive data to protect it. To repeat: It was not the data of the e-mail provider that was at risk, it was instead data belonging to the customers, and the provider which was putting that data at risk.
Define the "system" for purposes of interpreting the law in virtual terms, as a data-space. Consider that primary rights in that space belong to whoever leases it. If you break into a business office, the breakin is against the occupant of that office, not the landlord. And if you discover that the landlord has left the master key to the building's offices where thieves can make copies, your moral responsibility is to the tenants, to warn them the locks are insecure, rather than to the landlord, to help cover up the collusion with thieves.
"with their freedom lost all virtue lose" - Milton
Excuse me, but exactly WHY do you think he shouldn't have emailed the customers? We have the right in this country to say whatever the fuck we want, to whoever we want to say it to. And the point of the justice system is exactly that: Justice. It's not supposed to be about who has the most money -- it's supposed to be about who's right.
This guy didn't do anything wrong. If you're not revealing classified information you can say whatever the hell you want. What we're dealing with is a vicious, stupid, unethical prosecution, if the facts in the SecurityFocus article are accurate.
You're using the system password as part of your data security on your Win98 box.
Did you know that the entire password system can be aborted by simply hitting escape?
Have I just committed a federal crime, and if so, why?
KFG
I call BS on three points.
1) The company could DEFINITELY fix this problem.
2) The company was informed of this problem prior to the emails being sent out, and did nothing.
3) Our arrested subject in question did not inform the general public, he informed only patrons of said company, who could use this information to protect their privacy by switching ISPs.
But the analogy at the end is very good. Is the integrity of the bank's security impaired by them leaving the front door open, thus allowing armed robbers entry, or is it impaired by someone informing *potentially* armed robbers that they leave their doors open and you can walk in with a gun?
Because this is capitalism.
He was paid by the company to (amongst other things) find out whether or not the site was secure.
He was paid to leave it at that.
He didn't.
Corporations don't care about you, they don't care about people stealing your data. They DO care about employees telling people bad things about the company ("your data can be stolen when it's with us", I'm sure you understand why they'd want to contain this), and they will use the legal system to prevent it.
Big surprise. Now change the law or stop whining.
While I don't agree with what he did, I certainly don't think he did anything illegal. Why isn't the government going after Tornado for exposing their customers to a risk that could breach the confidentiality of their emails?
This is another example of "Security through obscurity". Someone makes a broken piece of code, doesn't want to bother to fix it, and then gets pissed off when someone forces their hand.
If the U.S. eventually passes a law that makes software publishers liable for these flaws, there will probably be a huge backlash from sloppy programmers because it interferes with their Constitutional rights for the "Pursuit of Happiness", since they are stuck at work fixing their insecure code.
--
Luck is just skill you didn't know you had.
Getting punched or kicked in the groin is funny because it works on so many levels. Heck, Homer thinks it is funny. I don't really know why pain has become funny to so many people. People watch those amerika's funniest home videos, eXtreme crashes, or NASCAR to be entertained by the hoped-for electrocution, impalement, or explosion. Sometimes the entertainment becomes a reflection of how fouled and stilted the society is today. Mods: yes, please mod this down to flamebait or troll.
a slut did tulsa
If you've got a younger brother or cousin or son who ever happens to spend time locked up, I'm sure you'll laugh your ass off when he gets brutalized.
Really, would you chuckle at the thought of, say, Susan Smith being gang raped?
Sorry for the disjointedness... longest post ever from my Zaurus...
hang brain.
Bret was not prosecuted for revealing a security vulnerability. He was prosecuted for DOS'ing our server. He sent 14,000 emails to our system, and it overloaded and stopped accepting mail. He did this several times, and knew it overloaded the system when he did it, and knew the FBI had been called after the first time, so nobody needs to feel sorry for him. Holding him up as a martyr or hero is just asinine, but it speaks volumes about how our media works these days.
Of course, there's plenty of culpability to go around...the main server was a Sun Enterprise 4500 with 4x450 CPU and 4Gb RAM. A machine like that should swallow 14,000 emails without a trace. Of course, Tornado's brain-dead custom system implementation meant that every single incoming email spawned off an SQL script to take the message apart and inject it into the database, and a shell process to control the SQL script. The system load went over 100. I had to write a script to kill off all the processes. Since the load was so high, sendmail stopped accepting incoming mail and the rest of the spam piled up on the backup server, where it was rm'd. So, it was Bret's fault for spamming us, but it was Tornado's fault for such a painfully bad email processing method. This actually raises the most interesting question of all, is it a crime to knock down a system that was incompetently implemented?
Of course, the email system was not the only part of the system that was breakable...we had system outages several times a week from different causes, and really, the Bret thing was not that bad, in that it was easily identifiable and fixable.
Another fun thing was that Tornado initially claimed $300,000 in losses from the incident. This is important because the FBI will not get involved with anything under $50,000. This figure was later reduced (much, much later) to $9,000. Oh yeah, what else...Tornado's great email implementation also meant that we had to run an open relay, which was frequently abused. We sent out hundreds of thousands of Nigerian bank account emails. A manager who took a stand and turned off the relaying one weekend was demoted and ultimately fired. Basically Tornado was a bunch of Windows developers who couldn't use Windows to implement their custom email/fax/paging application because Windows wouldn't scale to the sizes they needed. So they had to use Unix, and they didn't know anything about Unix, and they made just about all of the predictable errors that the ignorant make.
In conclusion, it's scary that every time this story comes up, there's a different (wrong) angle on it.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
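The post above describes the failure mode from the operator's side: every incoming message spawned its own SQL script plus a controlling shell process, so a burst of 14,000 messages drove the load over 100 and sendmail stopped accepting mail. The following is an added example, not code from the post, from Tornado, or from the article, contrasting that unbounded per-message design with an ingestion pipeline that bounds concurrency with a fixed worker pool and a backpressure queue, and defers excess messages from any single sender (the SMTP analogue is a 4xx temporary failure) before they enter the pipeline. Thread-per-message stands in for the per-message processes described in the post; the sender addresses, message counts, timestamps and limits are constructed for the demonstration.

```python
"""Bounded mail ingestion versus unbounded per-message spawning (added example)."""
import threading
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from queue import Queue


@dataclass(frozen=True)
class Message:
    sender: str
    arrived_at: float  # seconds; supplied by the caller so runs are deterministic
    body: str


def unbounded_peak_concurrency(messages, work_seconds=0.05):
    """Naive design: one job per message with no bound (stand-in for the
    per-message SQL + shell processes). Returns the peak number of jobs
    running at once, which grows with the burst size."""
    lock = threading.Lock()
    running = peak = 0

    def job():
        nonlocal running, peak
        with lock:
            running += 1
            peak = max(peak, running)
        time.sleep(work_seconds)  # stands in for parsing + database insert
        with lock:
            running -= 1

    threads = [threading.Thread(target=job) for _ in messages]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return peak


class SenderRateLimiter:
    """Sliding-window cap on messages accepted per sender."""

    def __init__(self, limit, window_seconds):
        self.limit, self.window = limit, window_seconds
        self._seen = defaultdict(deque)
        self._lock = threading.Lock()

    def allow(self, sender, now):
        with self._lock:
            q = self._seen[sender]
            while q and now - q[0] >= self.window:
                q.popleft()  # drop arrivals that fell out of the window
            if len(q) >= self.limit:
                return False
            q.append(now)
            return True


class BoundedIngest:
    """Fixed worker pool fed by a bounded queue; submit() blocks when the queue
    is full (backpressure) and defers senders that exceed their rate limit."""

    def __init__(self, workers=4, queue_depth=64, per_sender_limit=100,
                 window_seconds=60.0, work_seconds=0.001):
        self.work_seconds = work_seconds
        self.limiter = SenderRateLimiter(per_sender_limit, window_seconds)
        self._queue = Queue(maxsize=queue_depth)
        self._lock = threading.Lock()
        self._running = self.peak_concurrency = self.processed = self.deferred = 0
        self._threads = [threading.Thread(target=self._worker, daemon=True)
                         for _ in range(workers)]
        for t in self._threads:
            t.start()

    def _worker(self):
        while True:
            msg = self._queue.get()
            if msg is None:  # shutdown sentinel
                return
            with self._lock:
                self._running += 1
                self.peak_concurrency = max(self.peak_concurrency, self._running)
            time.sleep(self.work_seconds)  # stands in for parsing + database insert
            with self._lock:
                self._running -= 1
                self.processed += 1

    def submit(self, msg):
        if not self.limiter.allow(msg.sender, msg.arrived_at):
            with self._lock:
                self.deferred += 1
            return False
        self._queue.put(msg)  # blocks when full instead of spawning unboundedly
        return True

    def shutdown(self):
        for _ in self._threads:
            self._queue.put(None)
        for t in self._threads:
            t.join()


def constructed_burst(burst_size=500):
    """Constructed traffic: one sender bursting, two ordinary senders with 10 each."""
    msgs = [Message("burst@example.invalid", 0.01 * i, f"msg {i}") for i in range(burst_size)]
    for s in ("alice@example.invalid", "bob@example.invalid"):
        msgs += [Message(s, 0.5 * i, "hello") for i in range(10)]
    return msgs


def run_bounded(messages, workers=4, per_sender_limit=100):
    ingest = BoundedIngest(workers=workers, per_sender_limit=per_sender_limit)
    for m in messages:
        ingest.submit(m)
    ingest.shutdown()
    return {"processed": ingest.processed, "deferred": ingest.deferred,
            "peak_concurrency": ingest.peak_concurrency}


if __name__ == "__main__":
    msgs = constructed_burst()
    print("unbounded peak concurrency:", unbounded_peak_concurrency(msgs))
    print("bounded:", run_bounded(msgs))
```

With the constructed burst, the bounded pipeline accepts the first 100 messages from the bursting sender plus all 20 ordinary ones, defers the remaining 400 at the door, and never runs more than four jobs at once, whereas the unbounded version's peak concurrency scales with the burst. Deferring at accept time is what keeps a single abusive sender from starving other users' mail; a real deployment would also log the deferrals per sender, since that counter is the earliest signal that a burst is under way.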