Busting People for Pointing Out Security Flaws
gsch writes "'In 2004, Bret McDanel was convicted of violating section 1030 when he e-mailed truthful information about a security problem to the customers of his former employer. The prosecution argued that McDanel had accessed the company e-mail server by sending the messages, and that the access was unauthorized within the meaning of the law because the company didn't want this information distributed. They even claimed the integrity of the system was impaired because a lot more people (customers) now knew that the system was insecure.
Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal, and argued that reporting on security flaws doesn't impair the integrity of computer systems. In an extremely unusual turn of events, the prosecution did not defend its actions, but voluntarily moved to vacate the conviction.'"
If I were a customer of a company that had the mentality "anyone that helped develop the code is a threat to its security" then I would find another vendor--and fast!
There are practices and standards for developing secure code. If your programmers follow these, then even their knowledge of the source shouldn't matter if they go rogue or want to have fun in their free time. Look at Linux. An operating system used by millions and every hacker in the world can get their hands on the source code. Why don't we see many viruses for Linux? Because it was implemented well. Perhaps companies should start to realize that if they produce code for Win32 applications, they're going to have to resort to the same tactics that Microsoft uses: Don't let the source code out or its true flaws will be revealed and exploited!
For the consumers of these companies, be wary that your product is only as secure as the company's relationship with its developers--kind of scary considering they're keeping them quiet via threat of lawsuit.
My work here is dung.
BBL
This happens a lot. My friend used to work for an airline, and he had made comments about weak airline security to his coworkers and boss, and that he was concerned how easy it would be for someone on the inside to disrupt air traffic. They called the transport authority and they have basically blacklisted him from being at an airport and told him he was lucky they didn't press charges.
-------
Support Indy Music. Buy
The first impression is that this is really weird. Prosecutors, at least in my neck of the woods, don't give two shits about justice or truth. They just want convictions. Do we actually have a prosecutor somewhere with integrity? How many times has hell frozen over this month?
Take a minute to think about it, though, and things change. Prosecutors still just want convictions that stand on appeal. In this case, the conviction was eventually going to get tossed, so the prosecution gets to look like a hero by bailing out early.
As usual, what at first blush appears to be a noble action by a public servant turns out to be self-serving. There is still no chance of a prosecutor having integrity. All is, again, right with the world.
Vacating the conviction doesn't challenge the law, just the individual action. Looks like the company wanted the publicity from the conviction to reinforce their non-disclosure agreement but didn't want to take the risk that the law would be rolled back later on appeal.
(IANAL, but my uncle is.)
TLR
A man no more knows his destiny than a tea leaf knows the history of the East India Company
And as long as we're slinging around prissy "Will they ever learn?"s, the other poor victim of persecution, McCarty (what's up with all these Celts?) is a real case of failure to learn. Has it not sunk in yet that you simply can't intrude on systems or files without permission, however helpful your intentions? How freaking difficult is that for people to grasp?
What I'm listening to now on Pandora...
The problem with prosecutors regarding cases pertaining to technology is that, firstly, the prosecution does not understand technology; secondly, many are trying to make names for themselves so they're often hell bent on pressing charges. "Technology is hip"... So is it hip to be the prosecutor who stopped that evil little sixteen year old with a 100,000 botnet. I just slapped together a document on how to Break Lojack for Laptops and expect a call any minute now... http://cryptome.org/lojack-hack.pdf
This kind of trend is only gonna end when something catastrophic happens and it's traced back to someone that could have said something but didn't out of fear of losing their job or prosecution. It wouldn't surprise me if the whole FEMA/Katrina fiasco was this kind of situation.
Can a federal law be passed to correct this? Does congress even care?
---- You have been programmed by the Illuminati to not see the word ""!
New technologies often require changes in the law and in the legal system itself, and computer technology is far from being an exception to that. As a society, we really need to have more specific legal definitions of what is and what is not black-hat hacking, defined by people who truly understand the technology... namely, white-hat hackers. Until this happens, we will continue to see people unjustly prosecuted for pointing out their local emperor's nudity, and we will continue to see nonsensical bills bouncing around Washington, D.C., written by and debated by people who don't understand them and who have no clue what stand to take on them. Senatards and Congresscritters simply are not qualified to make these decisions for us, but they will continue to do so until the ubergeeks get organized into a Congressional subcommittee or something, and take the reins.
I know plenty of security 'faults' in my employer's system. And I am obviously not allowed to make these public. I should fix them.
Every ICT project has some flaws which are known to employees but not by the customers. This is just some employee trying to get revenge on his boss.
200GB/2TB $7.95 Coupon: SAVE90DOLLAR
I saw this, and was all ready to ask questions to the submitter, as I saw the line "I represented him on appeal". Read that whole synopsis once again. Doesn't it look like the submitter is the one doing the talking?
Next, click the link... you'll find that it is cut and pasted right out of the article. That generally wouldn't be so bad.... but is gsch "Jennifer Granick"? If not, the quote should be phrased in a way that this is evident, in cases where there is first-person content in the quote.
Call it grammar nazism, but for very obvious reasons, the synopsis as it currently reads, is misleading... if one wanted to be a dick about it, they could say that it even seems like this person is masquerading as the defendant's attorney. I won't go that far, but the point is made.
What does the first Amendment have to do with the private sector?
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
look guys!! A microsoft employee!.. *stare* 8)
Just a quick word of congratulations to Mr McDanel and yourself, finally some common sense rears its head in this case.
The image a prosecutor wants to project is one of infallibility: if the prosecutor isn't sure himself that the suspect is guilty, then he wouldn't go to trial. The image a prosecutor wants to have is that of a guy that is fair, and doesn't waste time or money prosecuting innocents.
That said, I think I ought to reiterate that I'm talking about image, not whether the prosecutor is actually fair. Far too many prosecutors are willing to tar innocents rather than admit they nabbed the wrong guy.
That said, it may be that this prosecutor actually may have learned something, and decided to cut his losses rather than look like a bully working for the company (instead of the public interest). This was a criminal case after all, not a civil lawsuit.
FTA:
A third [solution] might be to define unlawful access as the circumvention of some kind of security measure.
I'm not so sure about this one. After all, we're talking specifically about criminal liability for researchers who demonstrate that the security of a system is broken. Criminalizing the circumvention of security is exactly the problem many people have with laws such as the DMCA.
Seems he should call the TSA and get his boss's boss blacklisted for covering up these security problems and not taking appropriate measures to fix them.
The McCarty prosecution, brought by the same office that so egregiously mishandled the McDanel incident, is in the same vein. As with Puffer and McDanel, the government will have to prove not only that McCarty accessed the school system without authorization, but also that he had some kind of criminal intent.
Likely, they will point to the fact that McCarty copied some applicant records. "It wasn't that he could access the database and showed that it could be bypassed," Michael Zweiback, an assistant attorney for the Department of Justice's cybercrime and intellectual property crimes section, told the SecurityFocus reporter. "He went beyond that and gained additional information regarding the personal records of the applicant."
But if he wanted to reveal USC's security gaffe, it's not clear what else he could have done. He had to get a sampling of the exposed records to prove that his claims were true. SecurityFocus reported that USC administrators initially claimed that only two database records were exposed, and only acknowledged that the entire database was threatened after additional records were shown to them.
Ok, so there are two ways to look at this:
I doubt a jury will convict him, though, this being a technical argument mainly and a computer crime, any jury they seat is bound to wind up confused and the best the prosecution can hope is that someone on the jury will have enough savvy to explain it to the others. Or they may convict him for being a wily, young whippersnapper. Who knows?
GetOuttaMySpace - The Anti-Social Network
The thing that may have raised eyebrows is he found a fault and sent the information to a 3rd party who then contacted the owner. The owner then checked logs to find out who breached the system.
If he found the problem and contacted them directly they may have been more willing to patch and say thanks.
The truth shall set you free!
After reading tfa it seems that the McDanel case is different from the other two in one very important way: intent.
- McCarty notified security professionals about the issue.
- Puffer notified the system owner/operator of the security issues.
- McDanel notified the customers of his former employer.
TFA does not go into detail as to why McDanel was no longer employed by the company, but it's not a huge leap to assume that he did not leave willingly. Was he really concerned about the information security of the customers he contacted or was he more interested in causing damage to his former employer? Did he notify his company of the security issues before he left?
This isn't about pointing out security flaws. McCarty was sued for accessing data in his former employer's email system.
Did the guy do this after he quit his job? If he emailed the customers using a company server after he left, I can see the company having a legitimate case. Another thing, did he bring these problems up to management and get the ball rolling on a fix or did he just drop the bomb on his employer after he left? There have been enough guys who seem innocent on the surface on slashdot, that I'm now hesitant to not believe there may be some malfeasance on the guy's part.
If he quit his job and then emailed the customers on his own time/equipment with a polite notice saying that he used to work for them and wanted to alert them to problems that management refused to fix, that could cause substantial harm to the clients, I seriously don't think a judge would have given his former employer the time of day.
What effect does vacating a conviction like this have on precedent? That is, if the appeal proceeded and the original conviction was overturned, the precedent would clearly side with McDanel, under some legal theory to be articulated in the judgment handed down by the appellate court. But, given that the conviction was vacated, does that mean the case sets no precedent whatsoever? How does this work?
(It should be clear IANAL.)
--JoeProgram Intellivision!
Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal
Thank god, the prosecution did not defend the action on appeal.
Because the defendant seems to have been represented by someone who doesn't seem to know that the 1st amendment isn't relevant here.
GREEN: "Mr. White, you shouldn't trust Mr. Brown with your data. The locks on his filing cabinets can be bypassed with a bent paper clip."
WHITE: "That's a stiff accusation. Before I believe you, I'm going to need proof. What evidence do you have?"
GREEN: "Here. I was able to take these files with no problems."
WHITE: "By golly, you're right!" (Runs to take Mr. Brown to task)
BROWN: "Green! How dare you intrude! I'll have you arrested for breaking and entering!"
The first amendment only applies to government actors. Private corporations deal with an extraconstitutional "wrongful discharge" statute which is far weaker.
of Shoot the Messenger.
That seems to be the only solution businesses and politicians can come up with for their self-caused problems anymore.
Sheesh, evil *and* a jerk. -- Jade
As it is, he just came out looking like a disgruntled ex-employee who used commercial in confidence information to harm the company as much as possible by poisoning its relationship with its customers.
Basically, he used the company's smtp server to send the messages just like he uses it to send ANY email from work
You may have some re-reading to do yourself. It said he used his *former* employer's email server. That most likely is criminal. If he had sent the email from a personal account then he might only face a civil lawsuit for some sort of breach of confidentiality.
Don't get involved in any police, fire, medical or rescue situation unless you want to introduce grief in your life. If your computer security sucks it isn't my problem.
When asked about the unexpected vacation, Bret McDanel said "It was all I ever wanted," then excused himself, saying he had to "get away". When asked what he meant by this, he indicated his desire to have some time spent alone.
These are simply undocumented features!!!
Those who can, do.
Those who can't, sue.
Is it me or does this become more and more common? As soon as someone's not doing what a company would like him to do, he's slapped some trial on his back, hoping that he'll either back down or that a company (with quite some funds) can easily get a better lawyer than Joe Average.
Another often repeated phrase I use: There is no technical solution for a social problem. In this case, there is no legal solution for a technical one. Shutting people up does not create more security, it just means nobody dares to talk about it anymore.
So, now mod me redundant.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
was somebody's pride. This "form over function" thing is starting to get out of hand both in the gov't and in the private sectors. True story: I once took a military medical course that was teaching information many years out of date. Using the appropriate forms, I submitted detailed critiques complete with sources and references. Rather than fix the problem, I was called on the carpet and ordered to stop submitting critiques because they "questioned the integrity of the course." This strikes me as very similar to "They even claimed the integrity of the system was impaired..." Yes Virginia, that's exactly what we're doing! You can't fix it if you don't admit it's broken.
He who would be a man, must be a nonconformist. -- Emerson
...but not completely. There's a saying where I live that the County Prosecutor can get a grand jury to indict a ham sandwich. Any grand jury that doesn't do exactly what the prosecutor wants will find itself the subject of a carefully orchestrated smear campaign, complete with local news stories (planted by guess who) investigating the problem of "runaway grand juries."
My point is that prosecutors have a lot of power and any public servant with lots of power should always be willing to step outside the game and do what's right before they start punishing people. And yes, prosecutors punish people long before trials happen before supposedly impartial judges. Just being indicted for a serious crime, something the prosecution does essentially without oversight, is usually a life-wrecking event no matter how innocent the accused. Normally, prosecutors who exercise their power with an eye toward justice, declining to prosecute marginal cases or cases where a bad law could be enforced, wind up simultaneously serving two goals: they serve their public mandate and they don't wind up looking like idiots in the end.
In this case, the prosecution actually did something that was right and sacrificed a little of the "We're perfect" vibe they normally work so hard to maintain. I simply chose to think less of them for being so slow to reach the conclusion such was the right thing to do. By being so slow to act, they have punished someone who ought not to have been punished.
Full disclosure: if I find a bug in, say, Windows, should I
If I find a bug in USC's website, should I
If I find a bug in my employer's systems, should I
Enquiring minds wish to know ...
So the appeal continued the bad publicity, the company wised up and dropped the case to put a stop to it before losing anymore customers.
Brought to you by Carl's Junior.
Is gsch Jennifer Granick? Why no.
Hard job, copying and pasting, isn't it?
There seems to be a pattern. Of the cases like this that I am aware of (there have been quite a few), those whose case is decided by a jury seem to always be acquitted. Those tried by a judge don't always fare so well.
The issue here, I think, is that the security researcher is working for the benefit of the common person at the expense of the company. The members of the jury see themselves as that common person, and don't relate so well to the company. The judge, on the other hand, tries to be more "impartial" and is more likely to rule in favor of the company at the people's expense.
"With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
RFC 1925
Notwithstanding the First Amendment's free speech guarantees
When you have NDAs, TOAs that specify what is allowed on a system that does not belong to you, you are forfeiting your 1st Amendment right to access the system. This guy did not need to access that system to live. He broke into a private system.
I mod down so you can mod up. You're welcome.
When working for a company I shall not name, we used an ASP for our recruiting software, which company I will also decline to name. This software had a document upload functionality that would allow clients to upload offer letters and such. In troubleshooting an issue with our company's uploads we found it was quite easy to browse to other clients' uploads by changing a client ID in a URL. Granted, you had to login to the system to be able to access this URL, but once logged in, there were apparently no security restrictions across clients. We had free access to the offer letters, job applications, any document having to do with the recruiting and hiring process, of other companies - some of them very big names.
Did we do anything about it? Nope. We ignored it. I didn't even bring it up to our managers. Why? Because in documenting the issue we would have most certainly violated the licensing agreement, and a good argument could be made (especially in light of judgements like the one in the article) that we were conducting criminal computer trespass by changing the URL to knowingly access another client's repository. As stupid as that sounds, I was not willing to risk my job, or prison time, when I knew there were probably 15 other such security issues in the product, and my blowing the whistle on this one wasn't going to fix what was essentially a very crappy product.
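The flaw the poster above describes (a logged-in user reaching another tenant's uploads by editing a client ID in the URL) is a missing object-level authorization check. The following is an added example, not code from the thread or from any product mentioned in it; the handler names, the URL layout and the two tenants' documents are constructed for illustration. It models the vulnerable handler beside a hardened one that binds the tenant to the server-side session rather than trusting the URL.

```python
# Added example: a cross-tenant document fetch, vulnerable and hardened.
# Everything here (URL shape, tenants, documents) is constructed for illustration.
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Session:
    user: str
    client_id: int  # tenant the login belongs to; set at login, never from the URL


# Constructed sample store: two tenants, each with one uploaded offer letter.
DOCUMENTS = {
    (1001, "offer-letter-42.pdf"): b"ACME Corp: offer letter for J. Doe",
    (1002, "offer-letter-7.pdf"): b"BigCo Inc: offer letter for R. Roe",
}

AUDIT_LOG = []  # records cross-tenant attempts; useful as a detection signal


def parse_upload_url(url):
    """Pull client= and doc= out of a URL like /uploads?client=1002&doc=x.pdf."""
    q = parse_qs(urlparse(url).query)
    try:
        return int(q["client"][0]), q["doc"][0]
    except (KeyError, ValueError, IndexError):
        raise ValueError("malformed upload URL")


def get_upload_vulnerable(session, url):
    """Checks that *someone* is logged in, then trusts client= from the URL.
    Any authenticated user can read any tenant's file by changing that number."""
    if session is None:
        raise AccessDenied("login required")
    client_id, doc = parse_upload_url(url)
    return DOCUMENTS[(client_id, doc)]


def get_upload_hardened(session, url):
    """Authorize the object, not just the request: the tenant in the URL must
    match the tenant bound to the session. Mismatches are denied and logged."""
    if session is None:
        raise AccessDenied("login required")
    client_id, doc = parse_upload_url(url)
    if client_id != session.client_id:
        AUDIT_LOG.append(
            f"cross-tenant read denied: user={session.user} "
            f"session_client={session.client_id} requested_client={client_id} doc={doc}"
        )
        raise AccessDenied("document belongs to another client")
    # Key the lookup by the session's tenant, so even a future bug in the
    # comparison above cannot hand out another tenant's data.
    return DOCUMENTS[(session.client_id, doc)]


if __name__ == "__main__":
    alice = Session(user="alice", client_id=1001)
    foreign = "/uploads?client=1002&doc=offer-letter-7.pdf"
    print("vulnerable:", get_upload_vulnerable(alice, foreign))
    try:
        get_upload_hardened(alice, foreign)
    except AccessDenied as e:
        print("hardened:", e)
    print(AUDIT_LOG[-1])
```

The stronger fix is to drop the client parameter from the URL altogether and derive the tenant from the session alone; the comparison form above is shown because it maps directly onto the URL the poster edited, and because the denied attempts it logs are exactly the events a reviewer would want to see in the vendor's access logs.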
AH, where are the mod points when I need them. I was just thinking of replying to GP with this. Such typical FUD that fanboys want to use as an excuse that Windows is only infected all the time because it's so popular. Please
You have kids trying to "make a name" by breaking things. You have companies paying these kids to find vulnerabilities, I've heard that there is a 6-figure type bounty on certain specific vulnerabilities. At the same time you have big corporations that are taking a beating in the media because vulnerabilities are disclosed before they have time to react; you also have big corporations being told about problems (whether or not it is through proper channels remains to be seen, I don't expect that the new Windows bug is going to get fixed when you tell MS Sales about it.) You have security companies like eEye publishing every vulnerability they can find to give their company some "street cred." You have companies like Foundstone (now Symantec) pirating software to search for holes in it. There is this whole rationalization in the "hacker community" that they are somehow doing the software vendors favors by finding the stuff; so just randomly portscanning hosts is really "research," huh? Despite your lack of any publishing, education and any agreements with anybody that you're "researching" on? You have frauds like Steve Gibson saying that big corporations are putting backdoors into code on purpose. You have opensource tools changing their license and close sourcing because of companies that are simply packaging their work and charging a lot of money for it; who can blame them? There are companies that now sell exploits and "0days." You have a whole OS "designed" around security, yet they cannot publish any of the changes they've actually made and explain why they have made them (come on guys, this would be a best seller of a book, just lists of code, this is the bug, this is why it's a bug, this is how we fixed it...) At the same time, I don't want Apple and MS pushing out patches minutes after they hear about things, I want the code QAed.
Now the lawyers are getting involved. We need to check ourselves as an industry. We are a stone's throw away from developers being held responsible for damages caused by software, there are already people in favor of that. Just stop and think about that. There is no union, there is no protection for the worker here, we're held in contempt at a lot of places, because of the highly paid prima donnas jerking around writing shitty code. It will only get worse right now.
It's a sort of hot area right now, the feds are spending money. You can't be involved with software or networking and not have some kind of concern for security. This may sound old fashioned but to get a cert, whatever certs the security world wants to embrace, there should be an oath that encourages security always, encourages openness, discourages black market tactics for trading viruses and exploits, discourages this whole notion of "black magic," and discourages profiting from secrecy regarding security. I'd even go one better and add to the oath that there should be a certain and accepted public disclosure process for when a vulnerability is found in a network or application, the owner is told and then after 90 days the whole world is told, all of the time. I know of companies that have found problems in networks and then extorted money for information regarding them. That's just wrong and that should be criminal.
There are no security best practices, not in any formal sense. You can pull 100 consultants or CISSPs off the street and you'll get 100 different sets of things you should and shouldn't do. We need to formalize the discipline. We need to encourage practices during the writing of software and construction of networks for security.
A /. contributor who actually is a lawyer?
Science fiction for grown-ups...
For example, I use my laptop all over the city, if I can get on an open WiFi link I'll use it, which could either 'A' be a vulnerability because they "forgot" to set a password or 'B' they intentionally left it open. And if they have shared files on the network, I might just browse through them. So if I leave them a nice little note explaining the possible vulnerability of their node and they come back saying I broke into their network, which I did not, where does that leave me? Obviously an oversimplified example but the idea is there.
I think something definitely has to be done about this and on another note, there is IMO, a difference between simply accessing a system and destroying/stealing data. I'm not up to date on all the "Tech" laws that have been imposed on us but nothing pisses me off more than the lawmakers setting rules for things that they know nothing about or don't research enough to know the implications of the laws they place. I could go on and on...'nough said.
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. ~Albert Einstein
The summary was written by the lawyer representing this guy (as others in this thread have pointed out), so there's obvious spin going on. The real kicker of all this is his lame "Free Speech Rights" claim.
The government didn't do a freaking thing to limit his "free speech". The guy did something vindictive against his former employer, got caught at it, and they went after him.
It's stupid statements like that which don't put this guy (or the lawyer) in a very good light. It sounds like he's grasping at straws, looking for some way to vindicate his client for doing something really stupid.
Look at Linux. An operating system used by millions and every hacker in the world can get their hands on the source code. Why don't we see many viruses for Linux? Because it was implemented well.
I think you mean a GNU/Linux virus. Very little malicious Linux code relies only on kernel exploits to do their bad stuff. Credit where credit is due, and all that. ;^)
Weaselmancer
ridiculous.
The school district where I work used to have its entire network wide open. Anyone could access everything, e-mail, grades, permanent record. You name it, they had it. They just had to browse to it through the Network Neighborhood icon. One student saw this and told the assistant principal several times and he was ignored. He finally printed off a bunch of student grades and gave them to the assistant principal showing him it was a real risk and that something should be done. He was a legitimate good kid trying to help. Instead, he was expelled from the district and was given probation (he was a minor). After that, the district REALLY tightened up its security. I feel that kid shouldn't have had anything done other than a huge thank you.
Click Click Bloody Click PANCAKES!
I would say that prosecution of this guy is warranted only if the parties responsible for security administration at the company are also subject to prosecution for letting security flaws go.
For a private sector company, who would you first inform of system vulnerabilities? The company, itself, I would imagine. After that (assuming no action is taken)? Not really my call to make, but there must be some amount of culpability laid at the feet of those responsible for security, particularly if they are made aware of vulnerabilities.
Until there are laws regarding the fixing of flawed security, there should be relaxations of rules for those who, in good faith and effort, inform the possible victims of software vulnerabilities, particularly when the system is engaged in online commerce (makes for a big target).
Not being a lawyer, I still believe in what I'll call "fairness". Given two examples:
#1 Sysadmin/former sysadmin informs customers of possible vulnerabilities or exploitation of personal/financial/medical information = possible jail term
#2 Sysadmin/company is aware of vulnerabilities, but either can not or will not inform customers/fix problems/make anyone outside the company aware of problem = unhappy customer base
I see a disparity here. One example risks the welfare of the company, the other, its user base.
I worked for an Army contractor in the 80's. I found flaws weekly. I caught flack for each one I pointed out. In the end they made me data security manager so I would just fix them and stop pointing them out to the customer. I was told I would go to jail more than once. You have to do what is right for the customer. In this case the customer was the US Army. Any company should see this is the only way to fix holes. See them, report them, fix them. -Steve
"Freedom of speech is the right to cry theatre in a crowded fire."
What I wonder is, if the employee had a list of customers, and emailed them from a personal server, would he have been convicted in the first place?
Sprint runs a 9-1-1 service for hundreds of jurisdictions around the United States. The heart of their system includes a Windows server that is left virtually wide open on the internet. This server is the repository of all the 9-1-1 data from telephone companies around the country. It would be trivial to add, delete, or alter the 9-1-1 data on that server and wreak havoc. The system does not even require a password.
This has been reported to Sprint and various local 9-1-1 officials several times. Sprint denies it is vulnerable; local authorities are disinterested in investigating. Nobody will put any attention on this until that one day that a malicious party will cripple 9-1-1 systems throughout the U.S. Then there will be screams for congressional investigations and finger pointing galore.
But the well-meaning party that performs a proof-of-concept exploit to make a point would be butchered as the terrorist they are trying to prevent.
For now, there are people who know that the 9-1-1 system is extremely vulnerable, and they fear the day it gets exploited. But they are more afraid of ruining their lives and their families' lives by speaking out.
Since anyone pointing out the bugs in the administration's activities is declared a traitor/terrorist/communist.
Sorry for the political spew, but it seems every bad thing in the world somehow mirrors American politics lately.
There are similar incidents in India. For example http://www.skdubeyfoundation.org/index.php They murdered him because he found out about the corruption. Now India is enacting a stringent law to protect whistle blowers like Satyendra.
Chris,
Php Programmers.
Wow, that's one big gaping security hole!
Didn't his employment contract have something about not disclosing sensitive corporate information?
I'd sue the piss out of this punk if he told my customers that the system he used to work on sucked.
We don't need more and more and more specific language.
It will be ignored by any judge with an axe grind.
We need more intelligent judges. We need strict constructionist judges, like the ones the Dems want to filibuster.
We need to cut jury voir dire, so we can have smart people on a jury.
We need to understand that "cyberspace" is NOT A MAGICAL REALM.
The rules of behaviour apply there, the same as meatspace.
You can't go into a business and steal the envelopes and postage; you can't use the mail server either.
It would have been simpler to interview with a competitor and explain the problems to them. NDAs are out when you get canned. Just don't take the severance package.
I'm inclined to agree with the defense here, but I can see how the opposite view could be taken if one were using a different set of considerations when determining "security."
That is, I would argue that if, in any system, there exist conditions that would allow someone to achieve undesirable effects, then that system is inherently insecure. Whether or not there is anyone who knows how to do it, or even knows that the hole exists, the system is insecure -- because the existence of such an informed user is accidental to the system itself.
On the other hand, a more simple view might place the question of security entirely in human will: If there is such a system, and everyone knows how it could be exploited, but no one would dare do so, then the system could be said to be secure inasmuch as the chances of actual exploitation are very small. This line of reckoning is both reckless and foolish, but not necessarily unreasoned.
If a system has a weakness, but no one has heard about it, is the system secure?
If a tree falls in a forest, but no one is there to hear it, does it make a sound?
In order to ensure security through obscurity all developers working on a project should be killed when it's completed. Much like the architects of the pyramids. That way no one knows the ins and outs of the system.
;)
This may hinder releasing a 2.0, but it's for the good of the company.
If a vendor gets notification of a security breach and doesn't fix it within x-number of days, you should be allowed to sue them if you are a customer and must use that insecure software. Not they get to sue you or the other guy who found out about it, or the state prosecutes. That's what this article case was about. Bogus. The guy who did it could have been a little smoother in how he went about it, but really...
Yes, that should apply to operating systems and applications as well.
That would slow down code bloat and new features in favor of writing secure code and having secure access.
I work on cars sometimes. If I notice a defect that looks like it could be a serious design flaw, and notify acme motors, and they still keep shipping cars with that defect, and people get hurt... well, they get nailed in court then, and the law falls pretty well on the side of the customers and the people who found out about it. That's with the car I have access to. If I have to break into their factory to do this, to find out, that's another story.
I think the difference is normal access as opposed to extra-ordinary access. If it is normal access, I see no probs, the other, gets to be a tricky call when it comes to code. We need a legal definition of what is access. If it is a web facing page, and no hacks are involved in accessing it, then I say there should be no threat to the accessor, looking for security breaches or anything else. If a glitch is found that seems to offer the potential to elevate access permissions, I think a proper response is some way to have a verified notification to the vendor (we need a legally verifiable way to do this, a public bulletin board recognized by industry, something like the notices in your local classified paper for example) (doesn't exist in the software world that I am aware of), then x-days later publish it publicly, no matter fixed or not. X-days does not have to be a long time either, a few days to a week should be sufficient, and no way charge the poor guy with anything for doing that.
We have very little accountability for software now, none basically, or to the people who use it and sell it to "make money" with. They offer a product, it should have a warranty, it is that simple, all other products out there come with warranties "suitable for purpose and free from defects that would allow significant harm". All other products out there still have some defects, our laws identify BAD ones that cause harm.
Until we get software warranties, to balance all the patent and other legal protections they have for their "products" in order to transfer cash from your wallet to theirs, security will remain dismal and abusers and profiteers from bad code will remain reluctant to develop or deploy greatly enhanced/audited for security code.
This is 2006, I think it is safe to point out this is the case with the vast majority of code out there now, and has been for a long long time until it has become the industry mantra and mindset that "it can't be done". I say rubbish. Before we had legally enforced warranties for tangible products, "the industry" claimed the same thing, that "it couldn't be done". We have proven it is possible to reduce the defect rate to a point where all other industries manage to survive, yes?
Software companies *don't give a crap* because they aren't LIABLE for any bad code, no matter what happens to YOU if you use it. That's because they have no legally enforced warranties. End. Stop.
There is no stick to go with the carrot in this situation, unlike the vast majority of other products and services to products. Software has gotten a completely free ride for too long a time now.
In fact, no one on the entire planet has been able to "write a pretty good Linux worm" as of yet.
Are you so naive as to think that a few thousand folks haven't already tried?
That ought to point to a considerable truth right there.
The submission is entirely within quotes. "gsch" simply put in a portion of the article into quotes, and sent it to /. It gets posted with another set of quotes. If you look closely, you will see that there are three little marks around the submitted text, not two (meaning a quote within a quote). Could have been formatted better, though.
Look at the tomato! Isn't it sad? He can't dance! Poor tomato!
Not revealing security holes should be the crime, and not the reverse. Only a well-informed consumer has a realistic chance of protecting themselves.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I thought everyone learned at a very early age if you dare tell the Emperor he's stark raving naked, then you'll get your head chopped off.
It is not justice that our legal system is set up for... it is to maintain order in our society. Justice does occasionally run afoul of societal order and for that reason justice is NOT the primary duty of our legal system. Also, the USA is NOT a democracy... it is a republic... democracy just sounds better even if it is inaccurate.
[NDA = Non-disclosure agreement]
I've read through every NDA I've signed, and I strongly doubt that statement is correct. Though I admit, IANAL.
The Internet is full. Go away.
But then I started using Mail.app on a Mac, and I can't see quite so easily how to do it.
ian
Since it seems this article is primarily about me, I felt it was necessary to post here. My name is Eric McCarty and you can read up on the case from my perspective on my website :
http://www.freemccarty.com/
I am not a malicious hacker, I am not even a hacker, I am a security researcher who wanted to go to USC to get my degree, nothing more, nothing less. If you think about it, I am one person, if I go to prison for the offense I am accused of committing then I can still look in the mirror and know that because of my action over 200,000 people won't be victims of identity theft.
That's the whole point of security research in my opinion, making the internet safer, not for notoriety, not for fame, or for money. Please take a look at my website and feel free to contact me directly with any comments, suggestions or if you are willing to assist my case.
Thanks,
Eric C. McCarty
admin@freemccarty.com
http://www.freemccarty.com/
Why did he even bother? Correct me if I'm wrong, but wasn't this his EX-employer? Why did he bother then? If he didn't work for them anymore, why did he care? Was he going to make any more money off of this action? Sorry, but as far as I'm concerned, once my employer is an ex-employer, I could care less if their entire business crashed, or if their programs caused trains to run into each other. They're not paying me anymore, so I could care less about them or their product.
I've read through every NDA I've signed, and I strongly doubt that statement is correct. Though I admit, IANAL.
It is when you think about it. An NDA is simply a contract. There may not even be a separate provision in your contract that says the NDA continues even if employment doesn't.
Finally, you have to remember this. In contract law, the law must be mutually beneficial to both sides. After your employment ends, what benefit do you get from keeping up your NDA?
Listen, we business people are, on the whole, very conservative folks. And Microsoft did something you should never, ever, ever do: ignore your customers' safety to pursue an ego trip. This is an unpardonable sin and good business people will pick up their briefcases and go do business elsewhere.
At least, smart business people will do so. As many have, already.
http://www.infoworld.com/articles/hn/xml/02/11/27/021127hnerniball.html?s=IDGNS
That means the law frequently rests on the definition of "authorization." Many cases suggest that if the owner doesn't want you to use the system, for whatever reason, your use is unauthorized. In one case I took on appeal, the trial court had held that searching for airline fares on a publicly available, unprotected website was unauthorized access because the airline had asked the searcher to stop.
If a shop owner tells you to get out of his store, then you must comply or the police will be called. Why? Because if you do not comply with the wishes of the owner, it's called trespass. But on the other side, the shop owner must notify the customer that they need to leave before calling the cops, otherwise it's harassment.
Just because you know something about computer systems doesn't give you the right to invade them and show the owner what you found. How would you like a home security firm to break into your house and then publish in the local paper that you keep a key under the doormat? Yes, my house is 'publicly available' given that it's not behind any gates or walls, but that is not an invitation for everyone to come in.
What needs to happen is for security professionals as an industry to have more savvy contracts with the companies they consult for. With clauses stating that the consultant will be free from prosecution if a) they notify the company and give time to respond and b) if the company doesn't take action and the risk is great to the public or the company's clients then c) the consultant has the right to go public with the information.
Of course there are more clauses you might want to add, but it seems like a lot of this could be solved in the contracting steps of taking the job. If you can't get a good contract, don't take the job.
Vigilante justice is illegal. Robin Hood was a good guy, as were the American Revolutionaries, but from a criminal law perspective they were all guilty of many crimes. They chose to break the law because of their personal convictions but they also more or less accepted the risks of doing so.
What happened to whistle blower protection laws? Wouldn't those apply in these situations?
He got lucky. He should have been arrested and convicted.
The problem is not that he found a bug.
The problem is not that he tried to report it.
The problem (found in the second paragraph) is that HE EXPLOITED IT.
Even if he did it as "proof", it is still exploitation and theft.
Making matters worse: He didn't do the proof for the owners of the info! No! He did the proof for a reporter. He couldn't even claim having permission to exploit the system.
If a reporter asked him to shoplift, and he did it as proof, it is no less illegal.
I am curious to hear from the attorneys out there: how does this fit (or not fit) into whistleblower statutes?
Could someone publicly release bug info and claim they are a whistleblower?
Whistleblowers enjoy a special legal status so I am curious if that could be applied to disclosing software bugs.
What do readers of slashdot have to report on the statistics of such events occurring? What do you surmise is the number of times such "ethical hacking" takes place and the "victim" responds in a fair manner? How many times does the "victim" claim judicial intervention? Is this a one off case that is highlighted? I know that the McKinnon case is still hot and is more or less a problem of the same degree.
-----------------
Q: What would it be called to hire a security expert to hack your system?
A: Entrapment!
This is sort of like the prosecutor who arrested two guys for the same murder and then tried each one of them at the same time.
In each case, he told the jury "my theory is... xxxxx" basically saying that this guy did the murder alone, himself, for his own reasons.
When both of them were convicted of the same murder, by the same prosecutor, who claimed he "knew" how it went down (but in two different ways for each guy), both convictions were thrown out and the DA got re-elected the next term.
He KNEW damn well one of them was innocent. They couldn't possibly have both done the crime separately, alone, as they knew it was carried out... but he argued that both were guilty with enough fire that they were both convicted.
Scary.
If he really really believes a guy is guilty, fine, I guess he can argue that, but this guy stood in front of two different juries and said "I know this guy is guilty" and he basically lied because he couldn't possibly believe that they both were.
Scary.
When questioned, he actually claimed that he did the right thing and that both men should remain in jail because a jury found them both guilty.
Scary.
There are 10 kinds of people in the world. Those who understand binary and those who don't.
First Amendment doesn't guarantee 100% free speech in all situations. It protects you from the government censoring your opinion,
Actually, what it does is protect you from the government blocking your speech BEFORE you emit it.
Once you've said something it does just about zero to protect you from legal repercussions for any harm your speech may have caused.
(There are a few subjects where it does give SOME coverage. For instance: Truth is an absolute defense against claims of libel - though not against claims of extortion. Political speech is especially well protected, slippery slope arguments bias in favor of speech in some cases, and so on. IANAL so don't take this as legal advice or absolute truth.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
From A. C. Hobbs (Charles Tomlinson, ed.), Locks and Safes: The Construction of Locks. Published by Virtue & Co., London, 1853 (revised 1868).
quote:
------
A commercial, and in some respects a social doubt has been started within the last year or two, whether or not it is right to discuss so openly the security or insecurity of locks. Many well-meaning persons suppose that the discussion respecting the means for baffling the supposed safety of locks offers a premium for dishonesty, by showing others how to be dishonest. This is a fallacy. Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery.
Rogues knew a good deal about lock-picking long before locksmiths discussed it among themselves, as they have lately done. If a lock, let it have been made in whatever country, or by whatever maker, is not so inviolable as it has hitherto been deemed to be, surely it is to the interest of honest persons to know this fact, because the dishonest are tolerably certain to apply the knowledge practically; and the spread of the knowledge is necessary to give fair play to those who might suffer by ignorance.
It cannot be too earnestly urged that an acquaintance with real facts will, in the end, be better for all parties. Some time ago, when the reading public was alarmed at being told how London milk is adulterated, timid persons deprecated the exposure, on the plea that it would give instructions in the art of adulterating milk; a vain fear, milkmen knew all about it before, whether they practiced it or not; and the exposure only taught purchasers the necessity of a little scrutiny and caution, leaving them to obey this necessity or not, as they pleased.
-------
unquote
We have *better* locks today because locksmiths learned to DISCUSS problems instead of hiding from them.
The exception, of course, is if you make the discovery by noticing someone else already actively exploiting the vulnerability against your systems; then it's a judgement call.
//Information does not want to be free; it wants to breed.
You should have one-time in quotes; if it's used more than once, it's just an XOR pad, not a one-time XOR pad. But as you say, you're not a cryptography geek. :-)
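To make the parent's point concrete, here is an added Python example (editorial addition, not code from anyone in this thread). It shows why the "one-time" in one-time pad is the whole security argument: with a fresh random pad per message the ciphertexts reveal nothing, but as soon as one pad is used twice the XOR of the two ciphertexts equals the XOR of the two plaintexts, and anyone who knows (or can guess) one message reads the other. The two messages and the helper names are constructed for the demonstration.

```python
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the whole of the OTP primitive)."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Correct use: pad is uniformly random, as long as the message, used once."""
    return xor_bytes(plaintext, pad)


# XOR is its own inverse, so decryption is the same operation.
otp_decrypt = otp_encrypt


def fresh_pad(length: int) -> bytes:
    """A new pad from the OS CSPRNG; never reuse the result."""
    return os.urandom(length)


def reused_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If c1 and c2 were made with the SAME pad k, then
    c1 XOR c2 = (p1 XOR k) XOR (p2 XOR k) = p1 XOR p2: the key cancels out."""
    return xor_bytes(c1, c2)


def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Known-plaintext on a two-time pad: (p1 XOR p2) XOR p1 = p2."""
    return xor_bytes(reused_pad_leak(c1, c2), known_p1)


def demo() -> dict:
    """Run both the correct and the misused case on constructed sample messages."""
    # Constructed sample messages, deliberately the same length.
    p1 = b"meeting at 9 in room 12"
    p2 = b"password reset code 331"

    # Correct: one pad per message. The ciphertext XOR is random noise
    # (p1 XOR p2 XOR k1 XOR k2), unrelated to the plaintexts.
    k1, k2 = fresh_pad(len(p1)), fresh_pad(len(p2))
    good_c1, good_c2 = otp_encrypt(p1, k1), otp_encrypt(p2, k2)
    fresh_pads_hide_relation = xor_bytes(good_c1, good_c2) != xor_bytes(p1, p2)

    # Misuse: the same pad for both messages ("just an XOR pad").
    k = fresh_pad(len(p1))
    bad_c1, bad_c2 = otp_encrypt(p1, k), otp_encrypt(p2, k)
    leak = reused_pad_leak(bad_c1, bad_c2)

    return {
        "roundtrip_ok": otp_decrypt(good_c1, k1) == p1,
        "fresh_pads_hide_relation": fresh_pads_hide_relation,
        "leak_equals_p1_xor_p2": leak == xor_bytes(p1, p2),
        "recovered_p2": recover_other_plaintext(bad_c1, bad_c2, p1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The defensive takeaway is operational rather than mathematical: a system that stores or derives pads must guarantee each one is consumed exactly once (and is as long as the message), or it is not a one-time pad at all, regardless of what the documentation calls it.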
Not questioning your word but could you help me make a few things add up?
If this server has an IP address (and you say it's wide open on the Internet) then it's getting scanned thousands of times a day. Unless it has been well locked down locally, wouldn't it be compromised already?
This kind of thing is exactly the reason I tell any client willing to listen that they should have a security reporting hotline that's safe for the employee.
>The First Amendment refers to the government's ability to pass laws to restrict speech. It has limited effect on states, cities, villages and other municipalities.
Not very limited. After the Civil War the federal government took on the job of forcing states to honor the civil rights of their citizens.
As parent comments, there's the law and there's justice. They are very different, although most people would probably rather have a just society than a lawful one.
Engineering is the art of compromise.
I worked with a salesman who was laid off. Before he left, he used his company cell phone to call customers just to say "I won't be your salesman anymore, you'll be getting a new company salesman". The company tried to sue him for that (the customers were angry with the company for laying him off) and revoke his severance package. He fought and won, but it cost him a chunk of his severance.
His excuse was that he wanted to leave his customers on good terms in case he ever had to sell to them again. It was a good move. He later got a job selling a similar product and called upon those same customers. They were very supportive of him.
So, if we apply your logic: What then, gives telemarketers the right to call you? Your number is publicly accessible, and no password is needed to call your number and have the phone at your end ring because the phone lines go right into your house. In short, there's NO SECURITY between you and the telemarketer.
However; that doesn't mean that they now have the right to invade your privacy and call you. And yet, they do. How is it that your logic will apply to a security firm breaking into your house, but ignores a telemarketer that does, essentially the same thing? They call on a regular basis and really, that's as much "breaking in" as any other computer analogy.
Now, we all hate the telemarketers, and laws have been enacted to prevent them from harassment; but really, technically it *IS* legal for someone to "break in" to your house via the telephone, so I cannot say that your logic is flawless.
TTYL
If telephones are outlawed, then only outlaws will have telephones.
Interestingly, the circuit court remanded the case back to district court with the order that the case be dismissed with prejudice for lack of evidence.
I would say that Ms. Granick is quite qualified to make the submissions which seem to be well thought out.
The argument is that finding McDanel guilty for putting up a website and sending email is a violation of his rights, not the "breaking into" a system.
The same sort of thing happened to me. I was wardriving one day, and came across a hot spot. After connecting to it and not being able to browse the internet, I did a little more investigation. Turns out that I discovered an unsecured POS terminal. Not just any POS terminal, but this was part of a nation-wide store chain. Any monkey with the slightest computer knowledge would have been able to sniff credit card numbers, account numbers, etc. with little to no problem. The odds of being caught were also slim to none. I made all the contacts I needed to, and received a phone call a half hour later. "Why did you breach my computer system? You DO know what you did is illegal, right?" "Look sir, it could have been me or a person sniffing credit card numbers. I am helping you." And yes, there are still honest people in the world...
The circuit's instructions to the district were to dismiss the charges for "insufficient evidence". See the decision of the court. Furthermore, the decision refers to the "government's confession of error."
Of course, he was savaged on /. (http://yro.slashdot.org/article.pl?sid=05/06/30/1854228) for doing what seemed to me to be an ethical - if naive - thing.
Is your point that "if it happens a lot then there's nothing wrong with it?" If not, what's your point? You didn't really make it clear...
I'm not really sure where you got that out of my argument. I was using the 'home=castle' approach, and the telephone falls under that. I think my arguments stand just fine against invasion by telemarketers, but perhaps you were responding to some other poster's ideas and not to mine?
The telemarketer is a wonderful analogy. Just because my number is publicly available doesn't mean you have the right to call it. Depending on your use, that would be harassment, which telemarketers can be convicted of. Similarly, the Statue of Liberty is a public artifice, but that does not mean that any member of the public is free to use or abuse it in any manner they wish.
I would argue that they do Not have the right to call me at home since that right has been revoked by the national do-not-call list. There is also a difference between distraction and destruction. A solicitor is free to knock on my door and be told to go away (unless she's a girl scout with cookies). They are not, however, allowed to enter my home without invitation. Picking up the phone is the same as answering the door. You're free to refuse to parley with the other person at the gateway to your domain.
What's different between the telemarketer and the invasive security firm? Destructiveness. It may be true that I keep my backdoor unlocked; that is my prerogative. But if someone publishes that I do so, they have substantially increased the risk of my choice. I am Less secure than before they arrived. Their actions, however well meaning, have increased my personal risk, and that is destructive. However, if they simply tell me that it is not wise to leave the door unlocked, then the risk of my choice is unchanged. It may be a stupid risk, but it's my risk to take.
Now, if I'm a guardian of a public treasure and I leave it vulnerable, then I am accountable for that vulnerability. But since there is no perfect shield, I cannot defend it from every possible attack. Let us assume that my protection is sub-par, sub-minimal in fact, but I project an image of total security. That image may be enough to deter all but the most determined, who, it might be reasoned, could circumvent even the strongest defense. If you expose the weakness of my protection without having a plan to replace me, then you have made the public treasure vulnerable. Even though you did not attack, you provided intelligence to the attacker, and thus were an accomplice, albeit unknowingly so.
"With great access (freedom) comes great responsibility."
So what's the solution? You don't trust my protection, and I won't listen to what you see are basic precautions. You make noise, you tell my bosses: he isn't guarding the treasure well, it will be stolen, you should have an independent party examine his security, we can do it, but if you don't trust us, you must allow someone to challenge him and see if he is guarding the treasure well.
Ultimately it's about permission. I will never trust anyone (security firm especially) who feels free to violate my permission. I would hope that large corporations would act the same way.