Busting People for Pointing Out Security Flaws

gsch writes "'In 2004, Bret McDanel was convicted of violating section 1030 when he e-mailed truthful information about a security problem to the customers of his former employer. The prosecution argued that McDanel had accessed the company e-mail server by sending the messages, and that the access was unauthorized within the meaning of the law because the company didn't want this information distributed. They even claimed the integrity of the system was impaired because a lot more people (customers) now knew that the system was insecure. Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal, and argued that reporting on security flaws doesn't impair the integrity of computer systems. In an extremely unusual turn of events, the prosecution did not defend its actions, but voluntarily moved to vacate the conviction.'"

Something is Rotten

[eldavojohn]

If I were a customer of a company that had the mentality "anyone that helped developed the code is a threat to its security" then I would find another vendor--and fast!

There are practices and standards for developing secure code. If your programmers follow these, then even their knowledge of the source shouldn't matter if they go rogue or want to have fun in their free time. Look at Linux. An operating system used by millions and every hacker in the world can get their hands on the source code. Why don't we see many viruses for Linux? Because it was implemented well. Perhaps companies should start to realize that if they produce code for Win32 applications, they're going to have to resort to the same tactics that Microsoft uses: Don't let the source code out or its true flaws will be revealed and exploited!

For the consumers of these companies, be wary that your product is only as secure as the company's relationship with its developers--kind of scary considering they're keeping them quiet via threat of lawsuit.

Re:Something is Rotten

[Akoma+The+Immortal]

Right. So all those web servers with apache, running linux account for how much % of the web (60,65,70 I dont know, check netcraft).

Image the botnet you can have if you can manage to compromise all of them, silently sending data, doing damages.

Numbers, numbers you said.

Try again.

Re:Something is Rotten

[PPGMD]

Numbers is one factor, the administrator is another factor.

The average home PC is administrated by someone that has no clue about security, while the average Apache admins, knows how to lock down a system, and doesn't use the system for everyday stuff, like viewing e-mails, and running programs randomly downloaded off the internet.

If we gave Linux machines to the same idiots that run Windows XP machines, you would have botnets, there might not be as many, but they would still be there because many virii are run via social engineering, not via operating system tricks. The dumb user is not something Linux can fix.

Re:Something is Rotten

[Irish_Samurai]

Man, this is something I sit up at night and try to figure out. How do you create a means of educating an ignorant end user to a satifactory point of sophistication all the while making the barrier to entry non existent.

The problem is also compounded by the fact that the tech behind the scenes is getting more complex by the minute as the concepts build on each other.

I think a cool idea whould be to create some sort of setting or application that runs on your windows box and proactively explains things when they come up. Somewhat like ESPN had going on about 3 years ago with Hockey games. Once a week a game was chosen to be the "learning" game. Whenever a penalty was called, the announcers would breifly explain and illustrate what the penalty was, how it occured, why it was a penalty, and the price to be paid.

I know they have a help file now, but no one is going to go out of their way to learn something like this. Maybe a little more comprehensive tool tip text type of thing would do the trick.

Just as long as it isn't animated and dosn't make noise.

Re:Something is Rotten

[Akoma+The+Immortal]

Yes. You are right.

But, (you saw that BUT coming did you :-P), when the social engineered mail bomb or trojan, uses a flaw in the OS to propagate itself, is it the fault of the user, or because of the bad OS design?

Like when Sasser, or Slammer, so many names I am mixing them up, was runnig wild on the internet, I had a dozen of email containing the trojan paylod and i opened them! thats right I opened them and nothing happen. Why? Because I was smart? No, I wished to make a point to my friend. I used Mozilla on Linux, nothing happen.I used Mozilla on Windows, same result, nada. Did I dared use Outlook? not in a million years. In fact, My wife, who is a computer newbie, use Windows XP has her OS, with full admin rights, because you know some programs just runs better, and has no problem surfing where ever she wants, reading emails from friends, even infected one. She dont use Outlook or IE, that is all I ask of her.

Anyway all this to say that no matter how competent you are, when your tools are broken, you will be broken. Period.

Number is factor. Competent user is another factor, and platforms are one more factor to consider.

P.S: Sorry for my english mistakes. I am a Canadian born french african.

Re:Something is Rotten

[Fareq]

That sounds very good, however you might want to think about these two facts, and how they interact:

1: All software has some number of bugs.

2: A VM is a piece of software

--

Also realize that in order to be effective, each such piece of software would have to execute inside its own VM in complete isolation from other applications... no IPC, no shared memory, no networking -- after all, a bug in one application could be exploited by a "properly" invalid network request... While highly secure, this is not the most useful of configurations...

C'mon....

[Otter]

Jail time for McDanel is almost certainly excessive, but that doesn't mean that accessing (or hax0ring -- it's not clear what he did) your ex-employer's email server to write to all their customers isn't a stupid idea, let alone that it's a protected First Amendment matter.

And as long as we're slinging around prissy "Will they ever learn?"s, the other poor victim of persecution, McCarty (what's up with all these Celts?) is a real case of failure to learn. Has it not sunk in yet that you simply can't intrude on systems or files without permission, however helpful your intentions? How freaking difficult is that for people to grasp?

An important detail seems to be missing

[MikeRT]

Did the guy do this after he quit his job? If he emailed the customers using a company server after he left, I can see the company having a legitimate case. Another thing, did he bring these problems up to management and get the ball rolling on a fix or did he just drop the bomb on his employer after he left? There have been enough guys who seem innocent on the surface on slashdot, that I'm now hesitant to not believe there may be some malfeasance on the guy's part.

If he quit his job and then emailed the customers on his own time/equipment with a polite notice saying that he used to work for them and wanted to alert them to problems that management refused to fix, that could cause substantial harm to the clients, I seriously don't think a judge would have given his former employer the time of day.

We're living in the Age

[Black+Parrot]

of Shoot the Messenger.

That seems to be the only solution businesses and politicians can come up with for their self-caused problems anymore.