Slashdot Mirror


Busting People for Pointing Out Security Flaws

gsch writes "'In 2004, Bret McDanel was convicted of violating section 1030 when he e-mailed truthful information about a security problem to the customers of his former employer. The prosecution argued that McDanel had accessed the company e-mail server by sending the messages, and that the access was unauthorized within the meaning of the law because the company didn't want this information distributed. They even claimed the integrity of the system was impaired because a lot more people (customers) now knew that the system was insecure. Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal, and argued that reporting on security flaws doesn't impair the integrity of computer systems. In an extremely unusual turn of events, the prosecution did not defend its actions, but voluntarily moved to vacate the conviction.'"

2 of 350 comments

  1. You'll never work in this town again! by BadAnalogyGuy · · Score: -1, Redundant

    There are some things a professional should do and some things a professional shouldn't do. Unless the security flaw put lives in danger, it is best to just shut up about it and see what can be done to fix the issue.

    It sounds more like McDanel was a disgruntled employee who took his anger out on the company. Future employers don't need that kind of hassle.

    I wonder what line of work this ex-con will find himself in now that he is out on the streets again.

  2. Obvious by mtenhagen · · Score: 0, Redundant

    I know plenty of security 'faults' in my employer's system. And I am obviously not allowed to make these public. I should fix them.

    Every ICT project has some flaws which are known to employees but not by the customers. This is just some employee trying to get revenge on his boss.
