Slashdot Mirror


Busting People for Pointing Out Security Flaws

gsch writes "'In 2004, Bret McDanel was convicted of violating section 1030 when he e-mailed truthful information about a security problem to the customers of his former employer. The prosecution argued that McDanel had accessed the company e-mail server by sending the messages, and that the access was unauthorized within the meaning of the law because the company didn't want this information distributed. They even claimed the integrity of the system was impaired because a lot more people (customers) now knew that the system was insecure. Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal, and argued that reporting on security flaws doesn't impair the integrity of computer systems. In an extremely unusual turn of events, the prosecution did not defend its actions, but voluntarily moved to vacate the conviction.'"

15 of 350 comments

  1. Something is Rotten by eldavojohn · · Score: 5, Insightful

    If I were a customer of a company that had the mentality "anyone that helped develop the code is a threat to its security" then I would find another vendor--and fast!

    There are practices and standards for developing secure code. If your programmers follow these, then even their knowledge of the source shouldn't matter if they go rogue or want to have fun in their free time. Look at Linux. An operating system used by millions and every hacker in the world can get their hands on the source code. Why don't we see many viruses for Linux? Because it was implemented well. Perhaps companies should start to realize that if they produce code for Win32 applications, they're going to have to resort to the same tactics that Microsoft uses: Don't let the source code out or its true flaws will be revealed and exploited!

    For the consumers of these companies, be wary that your product is only as secure as the company's relationship with its developers--kind of scary considering they're keeping them quiet via threat of lawsuit.

    --
    My work here is dung.
    1. Re:Something is Rotten by Akoma+The+Immortal · · Score: 5, Insightful

      Right. So all those web servers with Apache, running Linux, account for how much % of the web (60, 65, 70, I don't know, check Netcraft).

      Imagine the botnet you can have if you can manage to compromise all of them, silently sending data, doing damage.

      Numbers, numbers you said.

      Try again.

      --
      assert(expired(knowldege)); core dump
    2. Re:Something is Rotten by PPGMD · · Score: 4, Insightful
      Numbers are one factor, the administrator is another factor.

      The average home PC is administered by someone who has no clue about security, while the average Apache admin knows how to lock down a system, and doesn't use the system for everyday stuff, like viewing e-mails and running programs randomly downloaded off the internet.

      If we gave Linux machines to the same idiots that run Windows XP machines, you would have botnets; there might not be as many, but they would still be there because many virii are run via social engineering, not via operating system tricks. The dumb user is not something Linux can fix.

    3. Re:Something is Rotten by HTH+NE1 · · Score: 3, Insightful

      He said, "If... you don't".

      But I'll say, if you do demand source you should be able to find and fix any security flaws yourself and report them for the benefit of those who can't and/or don't.

      Fixing flaws will always be faster for open source users because users can be doing it for themselves, and they'll be found faster too since you'll have more users proactively looking for and fixing flaws than a closed source company will (waste of manpower better tasked to adding new features and enhancements (i.e. future profits)).

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    4. Re:Something is Rotten by Irish_Samurai · · Score: 4, Insightful

      Man, this is something I sit up at night and try to figure out. How do you create a means of educating an ignorant end user to a satisfactory point of sophistication, all the while making the barrier to entry nonexistent?

      The problem is also compounded by the fact that the tech behind the scenes is getting more complex by the minute as the concepts build on each other.

      I think a cool idea would be to create some sort of setting or application that runs on your Windows box and proactively explains things when they come up. Somewhat like ESPN had going on about 3 years ago with hockey games. Once a week a game was chosen to be the "learning" game. Whenever a penalty was called, the announcers would briefly explain and illustrate what the penalty was, how it occurred, why it was a penalty, and the price to be paid.

      I know they have a help file now, but no one is going to go out of their way to learn something like this. Maybe a little more comprehensive tool tip text type of thing would do the trick.

      Just as long as it isn't animated and doesn't make noise.

    5. Re:Something is Rotten by Akoma+The+Immortal · · Score: 5, Insightful

      Yes. You are right.

      But, (you saw that BUT coming, did you :-P), when the socially engineered mail bomb or trojan uses a flaw in the OS to propagate itself, is it the fault of the user, or of bad OS design?

      Like when Sasser, or Slammer, so many names I am mixing them up, was running wild on the internet, I had a dozen emails containing the trojan payload and I opened them! That's right, I opened them and nothing happened. Why? Because I was smart? No, I wished to make a point to my friend. I used Mozilla on Linux, nothing happened. I used Mozilla on Windows, same result, nada. Did I dare use Outlook? Not in a million years. In fact, my wife, who is a computer newbie, uses Windows XP as her OS, with full admin rights, because you know some programs just run better, and has no problem surfing wherever she wants, reading emails from friends, even infected ones. She doesn't use Outlook or IE, that is all I ask of her.

      Anyway all this to say that no matter how competent you are, when your tools are broken, you will be broken. Period.

      Numbers are a factor. Competent users are another factor, and platforms are one more factor to consider.

      P.S: Sorry for my English mistakes. I am a Canadian-born French African.

      --
      assert(expired(knowldege)); core dump
    6. Re:Something is Rotten by A.Gideon · · Score: 3, Insightful

      However, my email client, my video player, and my web browser still run with the full privilege of my user account, when something less would be sufficient.

      This is important, as many forms of malware (including that needed to build a 'bot) can be implemented w/o the requirement of root/superuser access. While the OS protecting itself is a Good Thing, this doesn't do anything to protect the computer itself against abuse (or to protect the Internet against abuse of this computer).

      This is a fact too often missed during these discussions. And it's why we do need "least privilege", sandboxing, etc. for applications which execute untrusted content.

    7. Re:Something is Rotten by Fareq · · Score: 5, Insightful

      That sounds very good, however you might want to think about these two facts, and how they interact:

      1: All software has some number of bugs.

      2: A VM is a piece of software

      --

      Also realize that in order to be effective, each such piece of software would have to execute inside its own VM in complete isolation from other applications... no IPC, no shared memory, no networking -- after all, a bug in one application could be exploited by a "properly" invalid network request... While highly secure, this is not the most useful of configurations...

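A worked illustration of the two points made above, A.Gideon's that applications handling untrusted content should run with less than the user's full privilege, and Fareq's that isolation only means something if the worker has no files, no sockets and no way to reach other applications. This is an added example, not code from the Slashdot thread or from any project named in it. It forks the untrusted parser into a child that keeps only a result pipe and then lowers POSIX resource limits (RLIMIT_NOFILE to 0 so no file or socket can be opened, RLIMIT_FSIZE to 0 so no file can be written, RLIMIT_CPU so a runaway parser is killed). The "Header: value" message format, the function names and the sample input are all invented for the demonstration; it needs Linux or macOS.

```python
"""Privilege-separated parsing of untrusted input using fork() plus rlimits.

Added example; assumes a Unix host (Linux/macOS) and Python 3.8+.
The message format and all function names are invented for illustration.
"""
import errno
import json
import os
import resource
import select
import signal
import socket
import time


def parse_message(raw: bytes) -> dict:
    """Toy parser for an untrusted 'Header: value' message (invented format)."""
    headers = {}
    for line in raw.decode("utf-8", errors="replace").splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def escape_attempt(raw: bytes) -> dict:
    """What a compromised parser might try: open a file, then create a socket."""
    out = {"opened": False, "socket": False, "errno": None}
    try:
        fd = os.open(".", os.O_RDONLY)   # any open() needs a fresh descriptor
        os.close(fd)
        out["opened"] = True
    except OSError as exc:
        out["errno"] = errno.errorcode.get(exc.errno, str(exc.errno))
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # so does socket()
        s.close()
        out["socket"] = True
    except OSError:
        pass
    return out


def _cap(res: int, soft: int) -> None:
    """Lower the soft limit of one resource, never raising it above the hard limit."""
    _, hard = resource.getrlimit(res)
    if hard != resource.RLIM_INFINITY:
        soft = min(soft, hard)
    resource.setrlimit(res, (soft, hard))


def _drop_privileges(keep_fd: int) -> None:
    """Run in the child before any untrusted byte is touched."""
    # Close every inherited descriptor except the result pipe (stdio stays for tracebacks).
    top = os.sysconf("SC_OPEN_MAX")
    os.closerange(3, keep_fd)
    os.closerange(max(keep_fd + 1, 3), top)
    _cap(resource.RLIMIT_NOFILE, 0)   # no new fds: no files, no sockets, no exfiltration
    _cap(resource.RLIMIT_FSIZE, 0)    # no file writes even through an inherited fd
    _cap(resource.RLIMIT_CPU, 2)      # SIGXCPU kills a looping or decompression-bomb parser


def run_sandboxed(worker, raw: bytes, timeout: float = 5.0) -> dict:
    """Run worker(raw) in a restricted child; return {"ok": bool, "value"/"error": ...}."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                       # child: the only code path that sees the input
        os.close(r)
        try:
            _drop_privileges(w)
            result = {"ok": True, "value": worker(raw)}
        except BaseException as exc:   # report, never propagate into the parent
            result = {"ok": False, "error": repr(exc)}
        try:
            os.write(w, json.dumps(result).encode())
        finally:
            os._exit(0)
    os.close(w)
    chunks, deadline = [], time.monotonic() + timeout
    while True:                        # parent: wall-clock bound as well as CPU bound
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            os.kill(pid, signal.SIGKILL)
            break
        ready, _, _ = select.select([r], [], [], remaining)
        if not ready:
            continue
        chunk = os.read(r, 65536)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(r)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return {"ok": False, "error": "worker killed by signal %d" % os.WTERMSIG(status)}
    if not chunks:
        return {"ok": False, "error": "worker produced no result"}
    return json.loads(b"".join(chunks))


if __name__ == "__main__":
    sample = b"From: alice@example.test\r\nSubject: hello\r\n\r\nbody"   # constructed input
    print(run_sandboxed(parse_message, sample))
    print("sandboxed:", run_sandboxed(escape_attempt, b""))
    print("unsandboxed:", escape_attempt(b""))
```

Run outside the sandbox, escape_attempt can open the current directory and create a socket; run through run_sandboxed the same function gets EMFILE on both, because RLIMIT_NOFILE applies to the allocation of new descriptors regardless of who the user is, while the already-open result pipe keeps working. That is the shape of A.Gideon's point: the OS never needed to protect root here, only the rest of the user's files and the network from this one process. Fareq's caveat still applies: rlimits are a coarse tool, a kernel bug reachable from the remaining system calls is not stopped by them, and a real deployment would add seccomp filters, namespaces or a platform sandbox on top.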
  2. C'mon.... by Otter · · Score: 4, Insightful
    Jail time for McDanel is almost certainly excessive, but that doesn't mean that accessing (or hax0ring -- it's not clear what he did) your ex-employer's email server to write to all their customers isn't a stupid idea, let alone that it's a protected First Amendment matter.

    And as long as we're slinging around prissy "Will they ever learn?"s, the other poor victim of persecution, McCarty (what's up with all these Celts?) is a real case of failure to learn. Has it not sunk in yet that you simply can't intrude on systems or files without permission, however helpful your intentions? How freaking difficult is that for people to grasp?

  3. It goes deeper than that by Saint+Fnordius · · Score: 3, Insightful

    The image a prosecutor wants to project is one of infallibility: if the prosecutor isn't sure himself that the suspect is guilty, then he wouldn't go to trial. The image a prosecutor wants to have is that of a guy that is fair, and doesn't waste time or money prosecuting innocents.

    That said, I think I ought to reiterate that I'm talking about image, not whether the prosecutor is actually fair. Far too many prosecutors are willing to tar innocents rather than admit they nabbed the wrong guy.

    That said, it may be that this prosecutor actually may have learned something, and decided to cut his losses rather than look like a bully working for the company (instead of the public interest). This was a criminal case after all, not a civil lawsuit.

  4. An important detail seems to be missing by MikeRT · · Score: 5, Insightful

    Did the guy do this after he quit his job? If he emailed the customers using a company server after he left, I can see the company having a legitimate case. Another thing, did he bring these problems up to management and get the ball rolling on a fix, or did he just drop the bomb on his employer after he left? There have been enough guys on Slashdot who seemed innocent on the surface that I'm now hesitant not to believe there may be some malfeasance on the guy's part.

    If he quit his job and then emailed the customers on his own time/equipment with a polite notice saying that he used to work for them and wanted to alert them to problems that management refused to fix, that could cause substantial harm to the clients, I seriously don't think a judge would have given his former employer the time of day.

  5. Re:and? by Anonymous Coward · · Score: 3, Insightful

    "My friend used to work for an airline, and he had made comments about .. how easy it would be for someone on the inside to disrupt air traffic .."

    I don't suppose you will corroborate this fictional anecdote with the name of the airport and the name and manufacturer of the security system.

    Surely in your country this is cause for a massive class action against the airport.

  6. We're living in the Age by Black+Parrot · · Score: 4, Insightful

    of Shoot the Messenger.

    That seems to be the only solution businesses and politicians can come up with for their self-caused problems anymore.

    --
    Sheesh, evil *and* a jerk. -- Jade
  7. Re:and? by pant · · Score: 3, Insightful

    I don't think it is all that silly. The classic limiting of the First Amendment is that it does not allow you to yell "FIRE!!!" in a crowded movie theater. This seems a little like the opposite, where there really is a fire in the movie theater and their lawyers sued you because you didn't keep your mouth shut.

    True, this is an analogy that may not fit, but if it comes down to one group being able to continue to make money at the expense of many other groups due to sheer negligence,(Gee, hope nobody finds out!) then they should be called to task.

    To me, this sounds like someone reinterpreting the First Amendment to whatever the hell they don't want at all times.

  8. Re:The other, other side by tekrat · · Score: 3, Insightful

    So, if we apply your logic: What then gives telemarketers the right to call you? Your number is publicly accessible, and no password is needed to call your number and have the phone at your end ring because the phone lines go right into your house. In short, there's NO SECURITY between you and the telemarketer.

    However, that doesn't mean that they now have the right to invade your privacy and call you. And yet, they do. How is it that your logic will apply to a security firm breaking into your house, but ignores a telemarketer that does essentially the same thing? They call on a regular basis and really, that's as much "breaking in" as any other computer analogy.

    Now, we all hate the telemarketers, and laws have been enacted to prevent them from harassment; but really, technically it *IS* legal for someone to "break in" to your house via the telephone, so I cannot say that your logic is flawless.

    TTYL

    --
    If telephones are outlawed, then only outlaws will have telephones.