Slashdot Mirror


Talk About A Security Hole, Go To Jail?

Nu11.org writes "According to a SecurityFocus article, 'Federal prosecutors in California went too far when they put a man in prison for disclosing a website security hole to the people at risk from it.'" According to the article, "...by explaining how the vulnerability worked, and why customer data was at risk, prosecutors asserted, the security specialist 'impaired the integrity' of the affected network", citing the case of Bret McDanel and his former employer, Tornado Development, Inc. We've discussed the disclosure of software exploits recently.

9 of 472 comments

  1. Anonymous security listings then... by TWX · · Score: 5, Interesting

    Well, if it's too dangerous to disclose security holes when they know who you are, do it anonymously on Slashdot. That'll sure get their attention...

    --
    Do not look into laser with remaining eye.
  2. Email address database by AgentOJ · · Score: 5, Interesting

    One thing not mentioned in the article was where he got the list of email addresses of the Tornado clients. If he had taken this information when he left Tornado, there could be legality issues involved there as far as client privacy goes. Perhaps that weighed on the jury's decision...

  3. In other words... by Dog+and+Pony · · Score: 5, Interesting

    "Sir, if you don't lock your car, someone could steal your stereo."

    "Officer! Arrest this man! He has figured out a way to steal my stereo!"

    Sigh. Some people are just too stupid to live.

  4. You're forgetting a few things by burgburgburg · · Score: 5, Interesting
    a) The company did nothing about the flaw for over six months after it was reported
    b) They continued to advertise their webmail services as secure despite knowing that they were vulnerable.

    He should get all of the users of the service together and class-action sue Tornado for knowingly lying to them about the security of their service.

  5. Re:I've figured this sort of thing would happen by The+Kiloman · · Score: 5, Interesting

    Would you like to explain how someone manages to have Unencrypted WEP? That's kind of like saying that they have some dry water.

    WEP is encryption. I think you meant to say they had unencrypted networks, or networks without WEP.

    Why do I get the feeling that your 'security audits' involve looking for an open connection with which to connect to Kazaa?

    --
    You may disagree, but to be blunt, you're wrong. -tgd
  6. Interesting indeed. by FreeLinux · · Score: 5, Interesting

    That would be a very interesting exercise. It would be fascinating to see just how fast OSDN would roll over and cough up the "Anonymous" IP address to the feds.

  7. IT vs. other professions by DarthBobo · · Score: 5, Interesting

    It's interesting that other professions actually have a duty to inform others of their vulnerability, while in IT you can be punished for it.

    As a physician, if I find that a patient presents a danger to another person (for example, a man has a psychotic break and intends to kill his wife), I have a legal and ethical obligation to inform that person (whom I have never met.) If I fail to do so, I can be thrown in jail.

    It's not hard to envision a future scenario in information security where one could have legal obligations both to inform and _not_ inform, thus finding a security hole would guarantee punishment no matter the road taken.

    --
    +--------------------- You idiot! I told you we were facing the wrong way!
  8. Misinterpretation by the revengeful... by thepacketmaster · · Score: 5, Interesting
    After reading the article, it seems pretty plain that the case against McDanel is flawed. They say that he "impaired the integrity" of the system. But the "impairment of integrity" was already there, it just wasn't public.

    While I don't agree with what he did, I certainly don't think he did anything illegal. Why isn't the government going after Tornado for exposing their customers to a risk that could breach the confidentiality of their emails?

    This is another example of "Security through obscurity". Someone makes a broken piece of code, doesn't want to bother to fix it, and then gets pissed off when someone forces their hand.

    If the U.S. eventually passes a law that makes software publishers liable for these flaws, there will probably be a huge backlash from sloppy programmers because it interferes with their Constitutional rights for the "Pursuit of Happiness", since they are stuck at work fixing their insecure code.

    --
    Luck is just skill you didn't know you had.

  9. Re:Convicted for spamming not for the bug report by DNS-and-BIND · · Score: 5, Interesting
    I can confirm that Bret McDanel is no hero. He's actually quite an asshole. The kind of guy who spits out a nasty insult about reading the man page when you ask him how to set up a VPN so you can help a customer. He seemed to really enjoy carrying grudges against people. I had the distinct displeasure of working with him at Tornado, I was the on-duty sysadmin when the attack occurred, and I was one of the witnesses at the trial against him.

    Bret was not prosecuted for revealing a security vulnerability. He was prosecuted for DoS'ing our server. He sent 14,000 emails to our system, and it overloaded and stopped accepting mail. He did this several times, and knew it overloaded the system when he did it, and knew the FBI had been called after the first time, so nobody needs to feel sorry for him. Holding him up as a martyr or hero is just asinine, but it speaks volumes about how our media works these days.

    Of course, there's plenty of culpability to go around...the main server was a Sun Enterprise 4500 with 4x450 CPU and 4GB RAM. A machine like that should swallow 14,000 emails without a trace. Of course, Tornado's brain-dead custom system implementation meant that every single incoming email spawned off an SQL script to take the message apart and inject it into the database, and a shell process to control the SQL script. The system load went over 100. I had to write a script to kill off all the processes. Since the load was so high, sendmail stopped accepting incoming mail and the rest of the spam piled up on the backup server, where it was rm'd. So, it was Bret's fault for spamming us, but it was Tornado's fault for such a painfully bad email processing method. This actually raises the most interesting question of all: is it a crime to knock down a system that was incompetently implemented?

    Of course, the email system was not the only part of the system that was breakable...we had system outages several times a week from different causes, and really, the Bret thing was not that bad, in that it was easily identifiable and fixable.

    Another fun thing was that Tornado initially claimed $300,000 in losses from the incident. This is important because the FBI will not get involved with anything under $50,000. This figure was later reduced (much, much later) to $9,000. Oh yeah, what else...Tornado's great email implementation also meant that we had to run an open relay, which was frequently abused. We sent out hundreds of thousands of Nigerian bank account emails. A manager who took a stand and turned off the relaying one weekend was demoted and ultimately fired. Basically Tornado was a bunch of Windows developers who couldn't use Windows to implement their custom email/fax/paging application because Windows wouldn't scale to the sizes they needed. So they had to use Unix, and they didn't know anything about Unix, and they made just about all of the predictable errors that the ignorant make.

    In conclusion, it's scary that every time this story comes up, there's a different (wrong) angle on it.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
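The intake design DNS-and-BIND describes in comment 9 (one SQL script plus one controlling shell process forked per incoming message, no bound on concurrency) is the reason a 14,000-message burst drove the run queue over 100 and made sendmail stop accepting mail. The following is an added, constructed simulation, not Tornado's code and not anything from the thread: it models a burst of messages hitting (a) an unbounded per-message spawn design, (b) the same design behind an MTA that refuses connections once the run queue passes a threshold (sendmail's RefuseLA option behaves this way), and (c) a bounded worker pool draining a spool. The burst is scaled from 14,000 down to 700 messages, and the CPU count, per-message work, pool size and refuse threshold are all assumed values chosen for the illustration. Handlers share the CPUs equally, so the simulation shows what the comment describes: with unbounded fan-out nothing completes until everything completes, whereas a bounded pool keeps load flat and gets the first message through almost immediately.

```python
"""Constructed simulation of mail-intake designs under a message burst.

Not Tornado's code. Discrete-time model: each accepted message needs
`work` CPU-ticks; all running handlers share `cpus` processors equally
(processor-sharing), so per-tick progress is min(1, cpus / running).
"""
from collections import deque


def simulate(arrivals, work, cpus, max_workers=None, refuse_load=None):
    """Run the burst through one intake design and return summary stats.

    arrivals     sorted list of arrival ticks, one per message
    work         CPU-ticks each message needs to be parsed and stored
    cpus         processors shared by all running handlers
    max_workers  bound on concurrently running handlers (None = fork per message)
    refuse_load  if the run queue is at least this long, new messages are
                 refused instead of accepted (models an MTA load cutoff)
    """
    running = []        # CPU-ticks still owed by each running handler
    spool = deque()     # accepted messages waiting for a free worker (bounded mode)
    stats = {"peak_load": 0, "first_done": None, "all_done": None,
             "refused": 0, "done": 0}
    i, tick, total = 0, 0, len(arrivals)

    while stats["done"] + stats["refused"] < total:
        # Accept (or refuse) every message that has arrived by this tick.
        while i < total and arrivals[i] <= tick:
            if refuse_load is not None and len(running) >= refuse_load:
                stats["refused"] += 1
            elif max_workers is None:
                running.append(float(work))   # unbounded: fork immediately
            else:
                spool.append(float(work))     # bounded: queue for a worker
            i += 1

        # Bounded mode: start spooled messages while a worker slot is free.
        while spool and len(running) < max_workers:
            running.append(spool.popleft())

        stats["peak_load"] = max(stats["peak_load"], len(running))

        # One tick of processor-sharing: every runnable handler gets an equal slice.
        if running:
            share = min(1.0, cpus / len(running))
            running = [r - share for r in running]
            finished = sum(1 for r in running if r <= 1e-9)
            running = [r for r in running if r > 1e-9]
            if finished:
                stats["done"] += finished
                if stats["first_done"] is None:
                    stats["first_done"] = tick + 1
                stats["all_done"] = tick + 1
        tick += 1
    return stats


# Assumed parameters: a 700-message burst arriving at once, 5 CPU-ticks of
# work per message, 4 CPUs (scaled down from the 14,000-message incident).
BURST = [0] * 700
WORK, CPUS = 5, 4


def compare_designs():
    """Return the three designs' stats side by side."""
    return {
        "fork_per_message": simulate(BURST, WORK, CPUS),
        "fork_with_refuse_la": simulate(BURST, WORK, CPUS, refuse_load=100),
        "bounded_pool_8": simulate(BURST, WORK, CPUS, max_workers=8),
    }


if __name__ == "__main__":
    for name, s in compare_designs().items():
        print(f"{name:22s} peak_load={s['peak_load']:4d} first_done={s['first_done']:4d} "
              f"all_done={s['all_done']:4d} refused={s['refused']}")
```

Total throughput is the same in all three cases because the work is CPU-bound either way; what changes is the run-queue length the kernel reports as load, the time to the first completed message, and whether the MTA starts refusing mail. The refuse threshold protects the box at the cost of bouncing most of the burst, which is the trade-off the comment describes when it says sendmail stopped accepting and the rest piled up on the backup server; the bounded pool is the fix, since the spool absorbs the burst while load never exceeds the pool size.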