Slashdot Mirror
Feds Admit Error In McDanel Security Case
prostoalex writes "US federal prosecutors have admitted that an error was made in prosecuting Bret McDanel under the Computer Fraud and Abuse Act. McDanel discovered a security vulnerability on his former employer's server, and seeing that little efforts were put into repairing it, sent out e-mails to the customers of Tornado Development Inc. After the prosecution revised the court materials, they admitted there was no proof that McDanel intended to impair the system's integrity."
As a lawyer, I can tell you that civil suits require damages of some kind. Mr. McDanel caused no damages of any kind to the servers. He did not take down any machines. He did not post exploits to the Internet. Simply put, he is a perfectly harmless individual.
Frankly, I believe that the justice system fears individuals with computer knowledge. The judges presiding today are the same ignoramuses who have been on the bench since the 1970s. Now, I've been using computers since the 1980s (that's right, I said *80s*) and I can tell you a thing or two about judges.
Putting a man like Cheng in charge of justice is like putting Michael Sims in charge of a web site. You just don't do it.
I'm not Seth Finkelstein. I still speak the truth.
I can confirm that Bret McDanel is no hero. He's actually quite an asshole. The kind of guy who spits out a nasty insult about reading the man page when you ask him how to set up a VPN so you can help a customer. He seemed to really enjoy carrying grudges against people. I had the distinct displeasure of working with him at Tornado, I was the on-duty sysadmin when the attack occurred, and I was one of the witnesses at the trial against him.
Bret was not prosecuted for revealing a security vulnerability. He was prosecuted for DOS'ing our server. He sent 14,000 emails to our system, and it overloaded and stopped accepting mail. He did this several times, and knew it overloaded the system when he did it, and knew the FBI had been called after the first time, so nobody needs to feel sorry for him. Holding him up as a martyr or hero is just asinine, but it speaks volumes about how our media works these days.
Of course, there's plenty of culpability to go around...the main server was a Sun Enterprise 4500 with 4x450 CPU and 4Gb RAM. A machine like that should swallow 14,000 emails without a trace. Of course, Tornado's brain-dead custom system implementation meant that every single incoming email spawned off an SQL script to take the message apart and inject it into the database, and a shell process to control the SQL script. The system load went over 100. I had to write a script to kill off all the processes. Since the load was so high, sendmail stopped accepting incoming mail and the rest of the spam piled up on the backup server, where it was rm'd. So, it was Bret's fault for spamming us, but it was Tornado's fault for such a painfully bad email processing method. This actually raises the most interesting question of all, is it a crime to knock down a system that was incompetently implemented?
Of course, the email system was not the only part of the system that was breakable...we had system outages several times a week from different causes, and really, the Bret thing was not that bad, being in that it was easily identifiable and fixable.
Another fun thing was that Tornado initially claimed $300,000 in losses from the incident. This is important because the FBI will not get involved with anything under $50,000. This figure was later reduced (much, much later) to $9,000. Oh yeah, what else...Tornado's great email implementation also meant that we had to run an open relay, which was frequently abused. We sent out hundreds of thousands of nigerian bank account emails. A manager who took a stand and turned off the relaying one weekend was demoted and ultimately fired. Basically Tornado was a bunch of Windows developers you stupid faggot who couldn't use Windows to implement their custom email/fax/paging application because Windows wouldn't scale to the sizes they needed. So they had to use Unix, and they didn't know anything about Unix, and they made just about all of the predictable errors that the ignorant make.