Slashdot Mirror

← Back to Stories (view on slashdot.org)

Busting People for Pointing Out Security Flaws

Posted by ryuzaki0 on

gsch writes "'In 2004, Bret McDanel was convicted of violating section 1030 when he e-mailed truthful information about a security problem to the customers of his former employer. The prosecution argued that McDanel had accessed the company e-mail server by sending the messages, and that the access was unauthorized within the meaning of the law because the company didn't want this information distributed. They even claimed the integrity of the system was impaired because a lot more people (customers) now knew that the system was insecure. Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal, and argued that reporting on security flaws doesn't impair the integrity of computer systems. In an extremely unusual turn of events, the prosecution did not defend its actions, but voluntarily moved to vacate the conviction.'"

5 of 350 comments (clear)

  1. Something is Rotten by eldavojohn · · Score: 5, Insightful

    If I were a customer of a company that had the mentality "anyone that helped developed the code is a threat to its security" then I would find another vendor--and fast!

    There are practices and standards for developing secure code. If your programmers follow these, then even their knowledge of the source shouldn't matter if they go rogue or want to have fun in their free time. Look at Linux. An operating system used by millions and every hacker in the world can get their hands on the source code. Why don't we see many viruses for Linux? Because it was implemented well. Perhaps companies should start to realize that if they produce code for Win32 applications, they're going to have to resort to the same tactics that Microsoft uses: Don't let the source code out or its true flaws will be revealed and exploited!

    For the consumers of these companies, be wary that your product is only as secure as the company's relationship with its developers--kind of scary considering they're keeping them quiet via threat of lawsuit.

    --
    My work here is dung.
    1. Re:Something is Rotten by Akoma+The+Immortal · · Score: 5, Insightful

      Right. So all those web servers with apache, running linux account for how much % of the web (60,65,70 I dont know, check netcraft).

      Image the botnet you can have if you can manage to compromise all of them, silently sending data, doing damages.

      Numbers, numbers you said.

      Try again.

      --
      assert(expired(knowldege)); core dump
    2. Re:Something is Rotten by Akoma+The+Immortal · · Score: 5, Insightful

      Yes. You are right.

      But, (you saw that BUT coming did you :-P), when the social engineered mail bomb or trojan, uses a flaw in the OS to propagate itself, is it the fault of the user, or because of the bad OS design?

      Like when Sasser, or Slammer, so many names I am mixing them up, was runnig wild on the internet, I had a dozen of email containing the trojan paylod and i opened them! thats right I opened them and nothing happen. Why? Because I was smart? No, I wished to make a point to my friend. I used Mozilla on Linux, nothing happen.I used Mozilla on Windows, same result, nada. Did I dared use Outlook? not in a million years. In fact, My wife, who is a computer newbie, use Windows XP has her OS, with full admin rights, because you know some programs just runs better, and has no problem surfing where ever she wants, reading emails from friends, even infected one. She dont use Outlook or IE, that is all I ask of her.

      Anyway all this to say that no matter how competent you are, when your tools are broken, you will be broken. Period.

      Number is factor. Competent user is another factor, and platforms are one more factor to consider.

      P.S: Sorry for my english mistakes. I am a Canadian born french african.

      --
      assert(expired(knowldege)); core dump
    3. Re:Something is Rotten by Fareq · · Score: 5, Insightful

      That sounds very good, however you might want to think about these two facts, and how they interact:

      1: All software has some number of bugs.

      2: A VM is a piece of software

      --

      Also realize that in order to be effective, each such piece of software would have to execute inside its own VM in complete isolation from other applications... no IPC, no shared memory, no networking -- after all, a bug in one application could be exploited by a "properly" invalid network request... While highly secure, this is not the most useful of configurations...

  2. An important detail seems to be missing by MikeRT · · Score: 5, Insightful

    Did the guy do this after he quit his job? If he emailed the customers using a company server after he left, I can see the company having a legitimate case. Another thing, did he bring these problems up to management and get the ball rolling on a fix or did he just drop the bomb on his employer after he left? There have been enough guys who seem innocent on the surface on slashdot, that I'm now hesitant to not believe there may be some malfeasance on the guy's part.

    If he quit his job and then emailed the customers on his own time/equipment with a polite notice saying that he used to work for them and wanted to alert them to problems that management refused to fix, that could cause substantial harm to the clients, I seriously don't think a judge would have given his former employer the time of day.