Slashdot Mirror

← Back to Stories (view on slashdot.org)

Busting People for Pointing Out Security Flaws

Posted by ryuzaki0 on

gsch writes "'In 2004, Bret McDanel was convicted of violating section 1030 when he e-mailed truthful information about a security problem to the customers of his former employer. The prosecution argued that McDanel had accessed the company e-mail server by sending the messages, and that the access was unauthorized within the meaning of the law because the company didn't want this information distributed. They even claimed the integrity of the system was impaired because a lot more people (customers) now knew that the system was insecure. Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal, and argued that reporting on security flaws doesn't impair the integrity of computer systems. In an extremely unusual turn of events, the prosecution did not defend its actions, but voluntarily moved to vacate the conviction.'"

8 of 350 comments (clear)

  1. and? by schnits0r · · Score: 5, Interesting

    THis happens a lot. My friend used to work for an airline, and he had made comments about weak airline security to his coworkers and boss, and that he was concerned how easy it would be for someone on the inside to disrupt air traffic. They called the transport authority and they have basically black listed him from being at an airport and told him he was lucky they didn't press charges.

    --


    -------
    Support Indy Music. Buy
  2. It's like the full disclosure question by elronxenu · · Score: 5, Interesting
    Without taking any sides on the matter of full disclosure, there are interesting parallels with the quoted cases.

    Full disclosure: if I find a bug in, say, Windows, should I

    • Report it to Microsoft?
    • Announce it to the world?
    • Report it to CERT?
    • Send details to Oracle?

    If I find a bug in USC's website, should I

    • Report it to the USC administrators?
    • Announce it to the world?
    • Report it to SecurityFocus?
    • Send it to MIT?

    If I find a bug in my employer's systems, should I

    • Report it to my employer?
    • Announce it to the world?
    • Report it to CERT?
    • Send it to my employer's competitors?

    Enquiring minds wish to know ...

  3. My experience with an ASP by joshv · · Score: 5, Interesting

    When working for a company I shall not name, we used an ASP for our recruiting software, which company I will also decline to name. This software had a document upload functionality that would allow clients to upload offer letters and such. In trouble shooting an issue with our company's uploads we found it was quite easy to browse to other client's uploads by changing a client ID in a URL. Granted, you had to login to the system to be able to access this URL, but once logged in, there were apparently no security restrictions across clients. We had free access to the offer letters, job applications, any document having to do with the recruiting and hiring process, of other companies - some of them very big names.

    Did we do anything about it? Nope. We ignored it. I didn't even bring it up to our managers. Why? Because in documenting the issue we would have most certainly violated the licensing agreement, and a good argument could be made (especially in light of judgements like the one in the article) that we were conducting criminal computer trespass by changing the URL to knowingly access another client's repository. As stupid as that sounds, I was not willing to risk my job, or prison time, when I knew there were probably 15 other such security issues in the product, and my blowing the whistle on this one wasn't going to fix what was essentially a very crappy product.

  4. Same here by GmAz · · Score: 5, Interesting

    The school district where I work used to have its entire network wide open. Anyone could access everything, e-mail, grades, pernament record. You name it, they had it. They just has to browse to it through the Network Neighborhood icon. One student saw this and told the assistant principal several times and he was ignored. He finally printed off a bunch of student grades and gave them to the assistant principal showing him it was a real risk and that something should be done. He was a legitimate good kid trying to help. Instead, he was Expelled from the district and was given probation (he was a minor). After that, the district REALLY tightened up its security. I feel that kid shouldn't have had anything done other than a huge thank you.

    --
    Click Click Bloody Click PANCAKES!
  5. Real Fear by Anonymous Coward · · Score: 5, Interesting

    Sprint runs a 9-1-1 service for hundreds of jurisdictions around the United States. The heart of their system includes a Windows server that is left virtually wide open on the internet. This server is the repository of all the 9-1-1 data from telephone companies around the country. It would be trivial to add, delete, or alter the 9-1-1 data on that server and wreak havoc. The system does not even require a password.

    This has been reported to Sprint and various local 9-1-1 officials several times. Sprint denies it is vulnerable; local authorities are disinterested in investigating. Nobody will put any attention on this until that one day that a malicious party will cripple 9-1-1 systems throughout the U.S. Then there will be screams for congressional investigations and finger pointing galore.

    But the well-meaning party that performs a proof-of-concept exploit to make a point would be butchered as the terrorist they are trying to prevent.

    For now, there are people who know that the 9-1-1 system is extremely vulnerable, and they fear the day it gets exploited. But they are more afraid of ruining their lives and their families' lives by speaking out.

  6. Re:Something is Rotten by hullabalucination · · Score: 5, Interesting
    I'm pretty sure that that gigantic market share of Windows is the main reason that it's got so many viruses.

    Right. The fact that Gates, Ballmer & Company decided to ignore practically every reputable security expert on the planet and release ActiveX, a completely unsandboxed tool for crackers, had nothing to do with it. Right-o, Matey.

    First ActiveX exploit released: 1993. Latest ActiveX exploit: in the wild currently and unpatched. That's 13 years that Microsoft has ignored your security and refused to correct a huge, gaping security hole.

    We won't even talk about the RPC processes (accessible through ports left open by default) that have traditionally been running in Windows (up until just a few months ago), with full Admin privileges, every time you log in, no matter how you log in.

    The real reason Windows has more security problems: the head-in-the-sand, we'll-bend-over-and-take-more-of-this-same-old-cra p attitude of Microsoft customers.

    But here, I'll let the Microsoft folks themselves tell you:
    "Our products just aren't engineered for security," said Brian Valentine, Microsoft senior vice president for Windows development. Another Microsoft executive recently explained they never paid attention to security "Because customers wouldn't pay for it until recently."

    Article (2003) quote from http://archive.corporatewatch.org/profiles/microso ft/microsoft1.htm#Crapsoftware

  7. Re:Something is Rotten by blincoln · · Score: 5, Interesting

    It is a fact that programs get released with known bugs, it's actually an economic certainty for commercial programs.

    Bugs are going to happen. Incompetent design doesn't have to.

    There is an expensive (~$3000 license per machine) "enterprise" product that we use throughout the company. It needs to store usernames and passwords with reversible encryption. In the first version we deployed, the encryption was a substitution cipher - literally the level of "security" you'd get from a cereal box spy ring. We complained to the vendor. The next version used a one-time pad that was the same for every password on every machine where the software was installed in the world. I wrote a script that generated a decoding table in a few hours, and I'm not even a cryptography geek. We complained again, and they changed it to something that at least *appears* reasonably secure, I haven't had time to look into it.

    Even assuming it is decent this time, why did it take so long for them to do? Encryption isn't a new field. There were plenty of algorithms they could have used from the beginning instead of re-inventing ciphers from centuries ago.

    --
    "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
  8. FreeMcCarty.com by OneByteOff · · Score: 5, Interesting

    Since it seems this article is primarily about me, I felt it was necessary to post here. My name is Eric McCarty and you can read up on the case from my perspective on my website :

    http://www.freemccarty.com/

    I am not a malicious hacker, i am not even a hacker, I am a security researcher who wanted to goto USC to get my degree, nothing more, nothing less. If you think about it, I am one person, if I goto prison for the offense I am accused of commiting then I can still look in the mirror and know that because of my action over 200,000 people won't be victims of identity theft.

    Thats the whole point of security research in my opinion, making the internet safer, not for notariety, not for fame, or for money. Please take a look at my website and feel free to contact me directly with any comments, suggestions or if you are willing to assist my case.

    Thanks,

    Eric C. McCarty
    admin@freemccarty.com
    http://www.freemccarty.com/