Talk About A Security Hole, Go To Jail?
Nu11.org writes "According to a SecurityFocus article, 'Federal prosecutors in California went too far when they put a man in prison for disclosing a website security hole to the people at risk from it.'" According to the article, "...by explaining how the vulnerability worked, and why customer data was at risk, prosecutors asserted, the security specialist 'impaired the integrity' of the affected network", citing the case of Bret McDanel and his former employer, Tornado Development, Inc. We've discussed the disclosure of software exploits recently.
Federal prosecutors in California went too far when they put a man in prison for disclosing a website security hole
Guess whose hole will need tight security now ?
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Makes you not want to even bother saying anything. Wait till the rest of the world decides that and you have security holes everywhere.
Of course, can you have holes within holes?
Gizmo
When doing wireless security assessments, I've noticed neighbouring companies with unencrypted WEP access points, but I don't bother telling them because of this sort of thing.
He reported it to management, like he should have. He should have left it alone there.
But he did kinda take extreme measures. They did even worse, though, by deleting the mails.
Well, if it's too dangerous to disclose security holes when they know who you are, do it anonymously on Slashdot. That'll sure get their attention...
Do not look into laser with remaining eye.
Nice network you got there. It'd be a shame if something happened to it. Like a security hole getting exploited, right Vinnie?
... the land of free speech.
Isn't this going a little too far? I thought a suggestion box was always welcome, or even a public message board where people could leave suggestions was A Good Thing(TM).
I may have been wrong. But this isn't right. No sir, it is not.
Does anyone have any ideas as to what alternative third parties would be good for this kind of whistle blowing?
US Democracy: The best person for the job (among these pre-selected choices...)
One thing not mentioned in the article was where he got the list of email addresses of the Tornado clients. If he had taken this information when he left Tornado, there could be legality issues involved there as far as client privacy goes. Perhaps that weighed on the jury's decision...
Man, 90% of Microsoft's employees must be working out of prison...
The coolest voice ever.
This is so stupid. If we were to leave the finding and patching of security holes, etc. to the companies in question, attacks, virii, etc. would be even more prevalent than they are today. By increasing the number of sources for reporting these flaws to basically the population of the world, we significantly increase the chances that these problems will be discovered before they can be exploited.
The DMCA (which IIRC correctly makes pointing out security flaws illegal) needs to be severely looked over or things like the MS Blaster virus are only going to be the beginning of a much larger, nastier problem. Thankfully, it's only applicable in the U.S.
In C++, friends can touch each others private parts.
Obligatory 1984 paraphrase:
This is doubleplusungood.
Also, to quote Winston Smith:
"Sir, if you don't lock your car, someone could steal your stereo."
"Officer! Arrest this man! He has figured out a way to steal my stereo!"
Sigh. Some people are just too stupid to live.
guy: "you're using Microsoft products, right?"
customer: "yes, that's correct"
guy: "well that's a huge security hole!"
customer: "no way! we have to keep this secret! come on Jeff, let's put this guy in jail before he tells anyone else!"
No more of these disruptive "warnings" of vulnerabilities. If you warn people about the real dangers they face instead of giving them vague color-coded faux-warnings, then the terrorists win.
He actually could have done it in a more subtle way. Doing jail time for what he did is harsh and so typically US-insane, I agree, but he probably did break the law nevertheless.
We suffer more in our imagination than in reality. - Seneca
'ta
b) They continued to advertise their webmail services as secure despite knowing that they were vulnerable.
He should get all of the users of the service together and class-action sue Tornado for knowingly lying to them about the security of their service.
The government argued that the message was incorrect, useful to would-be attackers, and was intentionally designed to give Tornado trouble.
Either the message was incorrect (which would render it useless to would-be attackers), OR the message was CORRECT if indeed the message could be useful to would-be attackers. I see a real contradiction in the government's argument here (yes I know, big surprise eh?).
Does this mean that when Microsoft issues a report warning of a vulnerability in their software and exactly where it is and what the vulnerability can cause along with a security advisory that they are breaking the law?
This, IMHO, sets a very dangerous precedent. It reminds me of another Reuters article I read today concerning corporate whistle blowers having trouble continuing their careers in other companies after exposing illegal activity.
The Matrix is real... but I'm only visiting!
That would be a very interesting exercise. It would be fascinating to see just how fast OSDN would roll over and cough up the "Anonymous" IP address to the feds.
He went to jail for sending emails? Perhaps he should have just sent a death threat to somebody by email; it probably would have netted him less time.
Seriously, more and more nowadays you read about people being incarcerated for defying authority, the government, or worse: corporations. Real crime is being pardoned, especially corporate white-collar criminals, while the jails are being filled with people just trying to exercise their rights.
America strikes me as a very odd country. There, you have a right to bear arms, based on the revolution against the government some time ago. Yet somehow, say one wrong thing against the government, or against their sleazy funders (big business), and you're screwed. Give us another 10-15 years, and the crime for whistleblowing will be more than murder - and you'd be better off solving your problems with a gun than making an honest attempt at helping your fellow countrymen.
It's interesting that other professions actually have a duty to inform others of their vulnerability - while in IT you can be punished for it.
As a physician, if I find that a patient presents a danger to another person (for example, a man has a psychotic break and intends to kill his wife), I have a legal and ethical obligation to inform that person (whom I have never met.) If I fail to do so, I can be thrown in jail.
It's not hard to envision a future scenario in information security where one could have legal obligations both to inform and _not_ inform -- thus finding a security hole would guarantee punishment no matter the road taken.
+--------------------- You idiot! I told you we were facing the wrong way!
Isn't this type of action protected by whistle blower protection laws?
I don't intend to troll, but in this case, the truth IS a troll. In the FUD-ruled USA, only officials & big corps are allowed to fud. Any individual or small organisation that spreads fud is considered a threat. Probably to prove that the govt is not allowing fud.
The only way to disclose security holes is by letting big corps do it, or by doing it as anon as possible. Currently, Europe is a tad better, but I expect this evil practice to fly our way in no time, as DRM is apparently doing. Sigh. It's so sad to see capitalism failing. I guess this must be a bit how the commies felt after they were proven wrong. Our only hope is that the future will come up with something better.
When will I end this grieving ? When will my future begin ?
Go directly to jail. Do not pass go. Do not collect 200 dollars. Do not tell others what you found. Let the hole be there for years. Let someone else find it and exploit it and collect 200 dollars.
[alk]
Still, the point is that if I was a customer at said bank, I would very much like to see that sign and immediately close my account with the bank and move to some place that will secure my money at least a bit. And I would personally thank whoever posted this sign.
I know that non-technical managers simply don't care how their systems work. They think in strategic and tactical terms. Buffer overflows are just an excuse why things can't get done. Managers hate those things. But there has to be a balance somewhere. Geeky technical issues cannot be ignored by managers. Granted, they don't need to personally learn the technical details. That's why they have tech guys working for them. But they need to invest the time, effort and resources into an ongoing technical systems maintenance program. This includes everything from cleaning dust out of computer chassis to maintaining security from the strategic level to the bits and bytes level. It is the technical department's duty to ensure that management understands the risks, like it or not. It is the management's responsibility to make sure the technical department is doing its job.
In nearly all businesses today, it is necessary to be on the Internet. Being on the Internet entails certain risks. In the course of its business, the company will need to address these risks on an ongoing basis. For these reasons, it is important that all but the smallest companies refrain from outsourcing their "IT" departments.
To make a long story short, corporate management is unaware of the implications of their lack of attention to technical matters. This applies to computers as well as manufacturing processes. Since they fail to gain an understanding of the implications and since they fail to respect the technical field enough to invest the necessary time and effort into it, they should be subject to the consequences of their irresponsibility. Therefore, if you are aware of a security hole, you should do the following: Nothing. Let a black hat cracker break in, steal data and wreak havoc on their network. This is the only way they will learn.
Want to insist on doing "the right thing?" Send an anonymous letter to the company's IT department and to their management. State that if the vulnerability is not fixed within 48 hours, it will be posted on all the public disclosure sites. Do not include any identifying information.
For capitalism to work, it requires consumers to be able to make informed choices about the goods and services they purchase. By criminalizing the distribution of security information, the federal courts are preventing consumers from making truly informed decisions regarding security, which is arguably an important element of a purchase decision. If it were not, then why would Tornado be so miffed? Two end results, if this decision runs its course. First, security will fall through the floor as companies realize that they do not need to invest in it to get customers. Second, consumers will only be able to choose based on who presents the best front; advertising wins. I'm fine with advertising, but it should not replace informed discourse in the marketplace.
They complain that the editorial says this might cause a reduction in posts to Bugtraq, and this might not be true. So what? It could equally BE true. You don't know, so how is that a valid criticism of the editorial?
The morons complain that the guy "spammed" the ISP's customers. He sent ONE email, staggered out over three days to different people, so he wouldn't overload the email servers. Sounds responsible to me. How much spam do these customers get from Tornado anyway? You don't know, do you? I get spam from Yahoo occasionally just because I have SBC DSL.
They complain he was "irresponsible" because he didn't use "other channels". Like what? If he posts it ANYWHERE in public, he gets hit with the same charge. What PRIVATE channels are there that would work if talking directly to the ISP management did not work? Does he call Ahh-nold and get him to pressure the ISP?
Face it, you right-wing, statist-worshipping geek pussies. The guy did the right thing. HE BLEW THE WHISTLE. The government did the wrong thing. THEY PUT HIM IN JAIL FOR WHISTLE-BLOWING.
Now fuck off.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Everyone knows that the best way to let a company know about a security hole is to write a worm that exploits it and release it into the wild.
-R
It was definitely not a very bright thing to do, but I don't think keeping quiet about it would be the right thing either. Maybe, like some other poster stated, it might have been better if he posted something about it on BugTraq (or similar).
I see this guy as a whistle-blower, who like most other whistle-blowers, got screwed (in his case the Government and inmates did the screwing).
Also, when will software companies start being held accountable for this kinda crap? It's about time the government stops making examples of people like Mr. McDanel and starts making examples of corporations.
The government's actions (in this case) provide electronic security professionals (and "crackers" if you prefer) with a "perverse incentive."
"Why Information Security is Hard - An Economic Perspective."
http://www.acsac.org/2001/abstracts/thu-1530-b-anderson.html
"In a survey of fraud against autoteller machines [4], it was found that the patterns of fraud depended on who was liable for them. In the USA, if a customer disputed a transaction, the onus was on the bank to prove that the customer was mistaken or lying; this gave US banks a motive to protect their systems properly. But in Britain, Norway and the Netherlands, the burden of proof lay on the customer: the bank was right unless the customer could prove it wrong. Since this was almost impossible, the banks in these countries became careless. Eventually, epidemics of fraud demolish their complacency. US banks, meanwhile, suffered much less fraud; although they actually spent less money on security than their European counterparts, they spent it more effectively [4]."
If the government's goal is a more secure Internet, the government should encourage actions via incentive that result in more secure systems. It is clear that if Bret McDanel had not informed Tornado Development's customers of the security problem, Tornado would have done nothing to repair it.
If you subscribe to Ross Anderson's theories, the government's actions provide incentive for security technicians to take the following actions on the discovery of a security vulnerability:
1. Don't talk or write about it without obscuring the publisher's identity.
2. Exploit the vulnerability for personal gain.
Heavy-handed prosecution of people like Bret McDanel will lead to a less secure internet.
I don't think it can be argued that he did the best thing in his case, but... What he did should be legal. He told people about a potential problem with a service they were using by using a public forum. If they had attacked him on spamming, I would at least be sympathetic, but all they have said (at least according to the article, which may well be biased) is that by telling their customers about a problem he breached the security of the network.
He didn't breach the security of the network. He tried to inform the people who could fix it, they did nothing. He then informed the people affected. He didn't do it in a nice way, but it needs to be legal.
'Sensible' is a curse word.
you're using the system password as part of your data security on your Win98 box.
Did you know that the entire password system can be aborted by simply hitting escape?
Have I just committed a federal crime, and if so, why?
KFG
I call BS on three points.
1) The company could DEFINITELY fix this problem.
2) The company was informed of this problem prior to the emails being sent out, and did nothing.
3) Our arrested subject in question did not inform the general public, he informed only patrons of said company, who could use this information to protect their privacy by switching ISPs.
But the analogy at the end is very good. Is the integrity of the bank's security impaired by them leaving the front door open, thus allowing armed robbers entry, or is it impaired by someone informing *potentially* armed robbers that they leave their doors open and you can walk in with a gun?
"Under the theory articulated by the government, the transmission of any information that can be used by others to impair the integrity of a computer system (or cause loss of reputation) if done without authorization (and who would authorize it?) is a federal crime."
I have several college profs that taught me how a hash table works. I also have a couple of math teachers that taught me all about prime numbers. Then I read a book or two on how to build some basic encryption routines. Now, should these people go to jail because they have given me what I need (assuming I am smart enough to do something with it) to crack any security software? How about if I threaten to use this information to take advantage of some security hole? Where does it stop?
No man is an island... But I wouldn't mind having a bigger moat.
Consider the possible outcomes. Let's say some on-board digital electronic unit within a popular automobile contained some sort of flaw that could ultimately result in accident, injury or even death. Given that the manufacturer was informed and failed to issue a recall, if someone decided to tell everyone potentially affected by this flaw, do you think it would be moral for the whistleblower to be sent to prison?
I hardly think so. In this case, it's something far less "deadly." It's only privacy (something 'they' don't want us to have anyway) and potentially identity fraud and theft. These are growing into huge issues.
According to the article, the man has already served his time but he wants his conviction reversed. I believe justice should be served by reversing this conviction... and in the future possibly preventing any such "backlash" from companies for "felony embarrassment."
From the article: The government argued that the message was incorrect, useful to would-be attackers...
How can it be wrong and useful to attackers? Man, the prosecution lawyers must have had fun with that one:
"Your Honour, the security flaw described here does not exist. You can see how dangerous it would be for hackers to know about this non-existent flaw."
Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
Well, that kind of exaggerating would be preferable to anybody. The bigger the case, the more stupid this law would look in public.
But a major case is really needed in that part, otherwise lonely suckers will just get screwed.
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
The following tidbits were turned up by a little search on the web.
The FBI says that: "COMPUTER SPAMMER SENTENCED TO FEDERAL PRISON". Yes, they advertise the conviction of Bret McDanel as a spammer sent to jail:
http://www.fbi.gov/fieldnews/march/la032503.htm
The San Diego Union-Tribune(?) writes that:
"Prosecutors allege that McDanel hacked into his former employer's server and sent thousands of e-mail messages at practically the same time, forcing the company to shut down its computer system in August and September 2000." Link:
http://www.signonsandiego.com/news/business/20020612-9999_1b12hacker.html
In the FBI note there was no mention of the security bug at all; they said:
"Additionally, the emails he sent contained a link to a web site he had created where he revealed confidential information about Tornado technology that McDanel had learned while employed there."
Now that is such a selective disclosure of information that I am inclined to equate it with telling an untruth. (Just like printing that some John Doe killed several people in 1967 and he is still not behind bars, omitting that he was acting in war...)
What alarms me is that he was found guilty on spamming charges which damaged the mail server, while that seems not to be the basis of his ex-employer's discontent. I guess the prosecutor was not interested in bringing out the truth but rather just having a conviction based on the "Computer Fraud and Abuse Act" on his resume.
Note that the company (Tornado) went out of business.
While I don't agree with what he did, I certainly don't think he did anything illegal. Why isn't the government going after Tornado for exposing their customers to a risk that could breach the confidentiality of their emails?
This is another example of "Security through obscurity". Someone makes a broken piece of code, doesn't want to bother to fix it, and then gets pissed off when someone forces their hand.
If the U.S. eventually passes a law that makes software publishers liable for these flaws, there will probably be a huge backlash from sloppy programmers because it interferes with their Constitutional rights for the "Pursuit of Happiness", since they are stuck at work fixing their insecure code.
--
Luck is just skill you didn't know you had.
All further 1, 2, n, n+1 Profit jokes are now obsolete.
Not quite...
4. Sell next version w/fix and new holes
5. Profit (Again)
6. Repeat as needed.
This post is an attempt at humor. If you are lacking in humor and have mod points please see parent post.
If you want to check your neighbor's security, you ASK YOUR NEIGHBOR and then TELL YOUR NEIGHBOR what weaknesses you found.
Um, you're not very good at analogies.
It's more like an apartment building, and this guy was the Super. He knew that the locks on all the apartments could be opened with a butter knife, but the landlord said he'd fix it- then fired him.
6 months later, the super checks- still butterknifable. He distributes leaflets throughout the apartment complex by sliding them under the doors.
The Landlord starts busting into people's apartments and taking the leaflets away and has the Super arrested not for breaking and entering (which *maybe* he's guilty of), but for telling the tenants that their own (and by extension, their neighbors) apartments are unsafe due to the negligence of the landlord, so they should guard their stuff until the situation is resolved.
microsoftword.mp3 - it doesn't care that they're not words...
Further, they wouldn't let McDanel work for (now) 3 years (he wasn't allowed to work while on bail). They make sure that you have no money before the trial starts.
They gave McDanel's secrets to this company too. See, McDanel was competing with this company (and the company found out like a month before this release that he was working on his own software in his spare time). It's not just email, it's unified messaging: integration of email, voicemail, fax, paging, etc. So it isn't something that you can just get for free. This company, within weeks of McDanel's initial raid, had his secrets in their office, then hired consultants to use his secrets (which required totally rewriting EVERYTHING from the ground up). They then claimed that as damage as well.
So he lost 2 businesses (where he was working, which was his fiancee's business, and the new one that he was starting), the ability to work, and he had to refund money to all the current customers of the place he was working. Everything they could do to make sure that he couldn't afford a real defense.
Jan 12, 2000: Customer support at Tornado gets an email from an ex-employee saying there is an HTTP REFERER problem in their product (along with 15 other webmail providers, Hotmail included).
Jan 13, 2000 Development has written a fix and tested the fix (cgi redirect and code to cause all urls in the email to go through this redirect, nothing big).
Feb 1, 2000: McDanel quit (gave 2 weeks notice) because of problems with management dealing with another employee.
Aug 24, 2000: McDanel contacts customer support (he is friends with this person) and asks if the problem is ever going to get fixed (McDanel was allowed to keep his account free after quitting, which shows that he didn't leave on horrible terms, and maintained friendships with many people in the company; in fact some people in the company tossed work to his fiancee's company).
Aug 27, 2000: McDanel was told no, they were not going to fix the problem (unknown at that time was that the QA person had closed this bug report months ago without applying the fix).
Aug 30, 2000: email from one of the managers at Tornado to McDanel regarding his web page.
Aug 31, 2000: McDanel sent emails to the customers at the rate of 6.67/sec (10 rcpts per body (so the body is effectively 10% the size), delay 1.5 seconds between each body). The system logs showed NO impairment during this time.
Later the system was shut down (sendmail, web server, etc) *then* the system load went up (presumably when they were deleting the emails, which in itself is a crime).
McDanel was on the phone with admins just prior to sending and continued talking to one admin for 20 minutes, then called others and helped this company fix their system when it broke (turns out it broke because they were deleting the emails, but nonetheless McDanel did whatever he could to try to help them, including spending several hours on the phone with them the night the emails were being sent).
In every instance that he sent emails (6.67/sec to an 8-CPU UE 4500 with a gig of RAM, that in no way is a DoS) there was no downtime, the xdelay in the mail headers was 1 second or less, it was not suffering at all. The queue stayed below 30 mails most of the time (once, for less than 1 minute, it went over 30 mails but it quickly processed that and the queue was below 30 again).
Sendmail (which they used) will automatically queue the emails if the load is too high. The mere fact that the queue was empty (or nearly so they do not log if there is less than 30 in the queue) indicates that the system was not overloaded.
The fact that the cpu load reports (HP Openview) indicated that the load did not go up until AFTER services were shut down (if you kill sendmail, sendmail cannot cause load - period!) also shows that it was not a DoS.
What is worse is that McDanel was charged under the 1998 version of 18 USC 1030. The new version (patriot act) makes it tons easier for them to convict you. If you attempt to impair the integrity and are unsuccessful, you can still be guilty (before you actually had to do something, now you just have to attempt/intend to do it, and presumption of intent is easy for them to prove, they just have to say it).
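The HTTP REFERER problem and the "cgi redirect" fix in the timeline above, as an added illustration (my own example, not Tornado's code or the poster's): a webmail page whose URL carries the session id hands that URL, via the Referer header, to any site linked from a message, and routing every link through a session-free redirect page is what keeps it out. The endpoint name `REDIRECT_ENDPOINT`, the session parameter names, and the sample message are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed names: the thread only says "cgi redirect"; the session parameter names are a guess.
REDIRECT_ENDPOINT = "https://webmail.example/redirect"
SESSION_PARAMS = ("sid", "session", "sessionid", "token")
SAFE_SCHEMES = ("http", "https")

# Constructed sample: a page URL carrying the session id, and a message with an external link.
SAMPLE_PAGE_URL = "https://webmail.example/read?sid=ABC123&msg=42"
SAMPLE_MESSAGE = (
    '<p>Your parcel is ready: <a href="https://shop.example/track?id=9">track it</a><br/>'
    '<a href="mailto:help@shop.example">contact</a></p>'
)

def session_params_in_url(page_url):
    """Query parameters of the page URL that a linked site would receive via Referer."""
    return sorted(k for k in parse_qs(urlsplit(page_url).query) if k.lower() in SESSION_PARAMS)

class _LinkRewriter(HTMLParser):
    """Re-serialises a message, routing every external <a href> through the redirect page."""

    def __init__(self, endpoint):
        super().__init__()
        self.endpoint = endpoint
        self.out = []
        self.external = []  # hrefs that pointed straight off-site before rewriting

    def handle_starttag(self, tag, attrs):
        pieces = []
        for name, value in attrs:
            if (tag == "a" and name == "href" and value and urlsplit(value).scheme in SAFE_SCHEMES
                    and not value.startswith(self.endpoint)):
                self.external.append(value)
                value = self.endpoint + "?" + urlencode({"url": value})
            pieces.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(pieces)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        self.out[-1] = self.out[-1][:-1] + " />"

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def rewrite_links(message_html, endpoint=REDIRECT_ENDPOINT):
    """Returns (rewritten_html, external_hrefs_found). A click now goes to the redirect
    page first, so the session-bearing message URL is never the third party's referrer."""
    parser = _LinkRewriter(endpoint)
    parser.feed(message_html)
    parser.close()
    return "".join(parser.out), parser.external

def direct_external_links(message_html, endpoint=REDIRECT_ENDPOINT):
    """Pre-delivery check: external hrefs not yet routed via the redirect (expect [])."""
    return rewrite_links(message_html, endpoint)[1]

def redirect_response(query_string):
    """The redirect page's HTTP response as (status, headers, body).

    A bare 302 would not help: browsers keep the originating document as the referrer
    across HTTP redirects. An interstitial document is a fresh navigation whose referrer
    is this session-free URL; Referrer-Policy and rel="noreferrer" (modern additions,
    not available in 2000) drop the header entirely. Accepting any URL makes this an
    open redirect, so a production version should also bind the target to the message.
    """
    url = parse_qs(query_string).get("url", [""])[0]
    if urlsplit(url).scheme not in SAFE_SCHEMES:
        return 400, {"Content-Type": "text/plain"}, "unsupported link target"
    safe = html.escape(url, quote=True)
    body = (
        "<!DOCTYPE html><html><head>"
        f'<meta http-equiv="refresh" content="0;url={safe}">'
        '<meta name="referrer" content="no-referrer"></head><body>'
        f'Leaving webmail: <a rel="noreferrer" href="{safe}">{safe}</a></body></html>'
    )
    headers = {"Content-Type": "text/html; charset=utf-8", "Referrer-Policy": "no-referrer"}
    return 200, headers, body
```

Running `direct_external_links` over an outgoing message before and after `rewrite_links` is the check that nothing still links straight off-site.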
Correctly, but the problems the legislation was intended to address were the problems of keeping problems secret from the users so they wouldn't have to be fixed.
That is the corporate security problem.
Protecting user privacy is something for a marketing department to use in advertising.