Slashdot Mirror
Busting People for Pointing Out Security Flaws
gsch writes "'In 2004, Bret McDanel was convicted of violating section 1030 when he e-mailed truthful information about a security problem to the customers of his former employer. The prosecution argued that McDanel had accessed the company e-mail server by sending the messages, and that the access was unauthorized within the meaning of the law because the company didn't want this information distributed. They even claimed the integrity of the system was impaired because a lot more people (customers) now knew that the system was insecure.
Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal, and argued that reporting on security flaws doesn't impair the integrity of computer systems. In an extremely unusual turn of events, the prosecution did not defend its actions, but voluntarily moved to vacate the conviction.'"
If I were a customer of a company that had the mentality "anyone that helped developed the code is a threat to its security" then I would find another vendor--and fast!
There are practices and standards for developing secure code. If your programmers follow these, then even their knowledge of the source shouldn't matter if they go rogue or want to have fun in their free time. Look at Linux. An operating system used by millions and every hacker in the world can get their hands on the source code. Why don't we see many viruses for Linux? Because it was implemented well. Perhaps companies should start to realize that if they produce code for Win32 applications, they're going to have to resort to the same tactics that Microsoft uses: Don't let the source code out or its true flaws will be revealed and exploited!
For the consumers of these companies, be wary that your product is only as secure as the company's relationship with its developers--kind of scary considering they're keeping them quiet via threat of lawsuit.
My work here is dung.
THis happens a lot. My friend used to work for an airline, and he had made comments about weak airline security to his coworkers and boss, and that he was concerned how easy it would be for someone on the inside to disrupt air traffic. They called the transport authority and they have basically black listed him from being at an airport and told him he was lucky they didn't press charges.
-------
Support Indy Music. Buy
The first impression is that this is really weird. Prosecutors, at least in my neck of the woods, don't give two shits about justice or truth. They just want convictions. Do we actually have a prosecutor somewhere with integrity? How many times has hell frozen over this month?
Take a minute to think about it, though, and things change. Prosecutors still just want convictions that stand on appeal. In this case, the conviction was eventually going to get tossed, so the prosecution gets to look like a hero by bailing out early.
As usual, what at first blush appears to be a noble action by a public servant turns out to be self-serving. There is still no chance of a prosecutor having integrity. All is, again, right with the world.
Vacating the conviction doesn't challenge the law, just the individual action. Looks like the company wanted the publicity from the conviction to reinforce their non-disclosure agreement but didn't want to take the risk that the law would be rolled back later on appeal.
(IANAL, but my uncle is.)
TLR
A man no more knows his destiny than a tea leaf knows the history of the East India Company
And as long as we're slinging around prissy "Will they ever learn?"s, the other poor victim of persecution, McCarty (what's up with all these Celts?) is a real case of failure to learn. Has it not sunk in yet that you simply can't intrude on systems or files without permission, however helpful your intentions? How freaking difficult is that for people to grasp?
What I'm listening to now on Pandora...
This kind of trend is only gonna end when something catatrophic happens and it's traced back to someone that could have said something but didn't out of fear of losing their job or prosecution. It wouldn't suprise me if the whole FEMA/Katrina fiasco was this kind of situation.
Can a federal law be passed to correct this? DOes congress even care?
---- You have been programmed by the Illuminati to not see the word ""!
New technologies often require changes in the law and in the legal system itself, and computer technology is far from being an exception to that. As a society, we really need to have more specific legal definitions of what is and what is not black-hat hacking, defined by people who truly understand the technology... namely, white-hat hackers. Until this happens, we will continue to see people unjustly prosecuted for pointing out their local emperor's nudity, and we will continue to see nonsensical bills bouncing around Washington, D.C., written by and debated by people who don't understand them and who have no clue what stand to take on them. Senatards and Congresscritters simply are not qualified to make these decisions for us, but they will continue to do so until the ubergeeks get organized into a Congressional subcommittee or something, and take the reins.
I saw this, and was all ready to ask questions to the submitter, as I saw the line "I represented him on appeal". Read that whole synopsis once again. Doesn't it look like the submitter is the one doing the talking?
Next, click the link... you'll find that it is cut and pasted right out of the article. That generally wouldn't be so bad.... but is gsch "Jennifer Granick"? If not, the quote should be phrased in a way that this is evident, in cases where there is first-person content in the quote.
Call it grammar nazism, but for very obvious reasons, the synopsis as it currently reads, is misleading... if one wanted to be a dick about it, they could say that it even seems like this person is masquerading as the defendant's attorney. I won't go that far, but the point is made.
Just a quick word of congratulations to Mr McDanel and yourself, finally some common sense rears its head in this case.
The image a prosecuter wants to project is one of infallibility: if the prosecuter isn't sure himself that the suspect is guilty, then he wouldn't go to trial. The image a prosecutor wants to have is that of a guy that is fair, and doesn't waste time or money prosecuting innocents.
That said, I think I ought to reiterate that I'm talking about image, not whether the prosecutor is actually fair. Far too many prosecutors are willing to tar innocents rather than admit they nabbed the wrong guy.
That said, it may be that this prosecutor actually may have learned something, and decided to cut his losses rather than look like a bully working for the company (instead of the public interest). This was a criminal case after all, not a civil lawsuit.
FTA:
A third [solution] might be to define unlawful access as the circumvention of some kind of security measure.
I'm not so sure about this one. After, we're talking specifically about criminal liability for researchers who demonstrate that the security of a system is broken. Criminalizing the circumvention of security is exactly the problem many people have with laws such as the DMCA.
The McCarty prosecution, brought by the same office that so egregiously mishandled the McDanel incident, is in the same vein. As with Puffer and McDanel, the government will have to prove not only that McCarty accessed the school system without authorization, but also that he had some kind of criminal intent.
Likely, they will point to the fact that McCarty copied some applicant records. "It wasn't that he could access the database and showed that it could be bypassed," Michael Zweiback, an assistant attorney for the Department of Justice's cybercrime and intellectual property crimes section, told the SecurityFocus reporter. "He went beyond that and gained additional information regarding the personal records of the applicant."
But if he wanted to reveal USC's security gaffe, it's not clear what else he could have done. He had to get a sampling of the exposed records to prove that his claims were true. SecurityFocus reported that USC administrators initially claimed that only two database records were exposed, and only acknowledged that the entire database was threatened after additional records were shown to them.
Ok, so there are two ways to look at this:
I doubt a jury will convict him, though, this being a technical argument mainly and a computer crime, any jury they seat is bound to wind up confused and the best the prosecution can hope is that someone on the jury will have enough savvy to explain it to the others. Or they may convict him for being a wily, young whippersnapper. Who knows?
GetOuttaMySpace - The Anti-Social Network
The thing that may have raised eyebrows is he found a fault and sent the information to a 3rd party who then contacted the owner. The owner then checked logs to find out who breached the system.
If he found the problem and contacted them directly they may have been more willing to patch and say thanks.
The truth shall set you free!
After reading tfa it seems that the McDanel case is different from the other two in one very important way: intent.
- McCarty notified security professionals about the issue.
- Puffer notified the system owner/operator of the security issues.
- McDanel notified the customers of his former employer.
TFA does not go into detail as to why McDanel was no longer employed by the company, but its not a huge leap to assume that he did not leave willingly. Was he really concerned about the information security of the customers he contacted or was he more interested in causing damage to his former employer? Did he notify his company of the security issues before he left?
That said, I wouldn't want to hire a lawyer who thinks that the 1st Amendment is likely to be interpreted by any court as protecting speech that reveals "secret" information, especially if it's done by breaking into a computer system in the process.
The fact that the charges were later vacated by the prosecution might indicate that they didn't really have a case, but I don't think the 1st Amendment is likely to be the reason why.
Don't blame me; I'm never given mod points.
Did the guy do this after he quit his job? If he emailed the customers using a company server after he left, I can see the company having a legitimate case. Another thing, did he bring these problems up to management and get the ball rolling on a fix or did he just drop the bomb on his employer after he left? There have been enough guys who seem innocent on the surface on slashdot, that I'm now hesitant to not believe there may be some malfeasance on the guy's part.
If he quit his job and then emailed the customers on his own time/equipment with a polite notice saying that he used to work for them and wanted to alert them to problems that management refused to fix, that could cause substantial harm to the clients, I seriously don't think a judge would have given his former employer the time of day.
Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal
Thank god, the prosecution did not defend the action on appeal.
Because the defendent seems to have been represented by someone who doesn't
seem to know that the 1st amendment isn't relevant here.
of Shoot the Messenger.
That seems to be the only solution businesses and politicians can come up with for their self-caused problems anymore.
Sheesh, evil *and* a jerk. -- Jade
Basically, he used the company's smtp server to send the messages just like he uses it to send ANY email from work
You may have some re-reading to do yourself. It said he used his *former* employer's email server. That most likely is criminal. If he had sent the email from a personal account then he might only face a civil lawsuit for some sort of breach of confidentiality.
was somebody's pride. This "form over function" thing is starting to get out of hand both in the gov't and in the private sectors. True story: I once took a military medical course that was teaching information many years out of date. Using the appropriate forms, I submitted detailed critiques complete with sources and references. Rather than fix the problem, I was called on the carpet and ordered to stop submitting critiques because they "questioned the integrity of the course." This strikes me as very similar to "They even claimed the integrity of the system was impaired..." Yes Virginia, that's exactly what we're doing! You can't fix it if you don't admit it's broken.
He who would be a man, must be a nonconformist. -- Emerson
...but not completely. There's a saying where I live that the County Prosecutor can get a grand jury to indict a ham sandwich. Any grand jury that doesn't do exactly what the prosecutor wants will find itself the subject of a carefully orchestrated smear campaign, complete with local news stories (planted by guess who) investigating the problem of "runaway grand juries."
My point is that prosecutors have a lot of power and any public servant with lots of power should always be willing to step outside the game and do what's right before they start punishing people. And yes, prosecutors punish people long before trials happen before supposedly impartial judges. Just being indicted for a serious crime, something the prosecution does essentially without oversight, is usually a life-wrecking event no matter how innocent the accused. Normally, prosecutors who exercise their power with an eye toward justice, declining to prosecute marginal cases or cases where a bad law could be enforced, wind up simultaneously serving two goals: they serve their public mandate and they don't wind up looking like idiots in the end.
In this case, the prosecution actually did something that was right and sacrificed a little of the "We're perfect" vibe they normally work so hard to maintain. I simply chose to think less of them for being so slow to reach the conclusion such was the right thing to do. By being so slow to act, they have punished someone who ought not to have been punished.
Full disclosure: if I find a bug in, say, Windows, should I
If I find a bug in USC's website, should I
If I find a bug in my employer's systems, should I
Enquiring minds wish to know ...
When working for a company I shall not name, we used an ASP for our recruiting software, which company I will also decline to name. This software had a document upload functionality that would allow clients to upload offer letters and such. In trouble shooting an issue with our company's uploads we found it was quite easy to browse to other client's uploads by changing a client ID in a URL. Granted, you had to login to the system to be able to access this URL, but once logged in, there were apparently no security restrictions across clients. We had free access to the offer letters, job applications, any document having to do with the recruiting and hiring process, of other companies - some of them very big names.
Did we do anything about it? Nope. We ignored it. I didn't even bring it up to our managers. Why? Because in documenting the issue we would have most certainly violated the licensing agreement, and a good argument could be made (especially in light of judgements like the one in the article) that we were conducting criminal computer trespass by changing the URL to knowingly access another client's repository. As stupid as that sounds, I was not willing to risk my job, or prison time, when I knew there were probably 15 other such security issues in the product, and my blowing the whistle on this one wasn't going to fix what was essentially a very crappy product.
The First Amendment refers to the government's ability to pass laws to restrict speech. It has limited effect on states, cities, villages and other municipalities.
It has no effect on companies, contract law, or anything else.
There is no "first amendment right to access the system". Period. You do not have any rights at all - you have privileges that the operator of the system gives you. And these can be revoked at any time. Without cause or explanation.
Yes, that means AOL can cancel your account without telling you why.
Yes, that means when your employer says not to do something and you do it anyway you are exposing yourself to consequences. Sometimes legal consequences in addition to just getting fired.
The summary was written by the lawyer representing this guy (as others in this thread have pointed out), so there's obvious spin going on. The real kicker of all this is his lame "Free Speech Rights" claim.
The government didn't do a freaking thing to limit his "free speech". The guy did something vindictive against his former employer, got caught at it, and they went after him.
It's stupid statements like that which don't put this guy (or the lawyer) in a very good light. It sounds like he's grasping at straws, looking for some way to vindicate his client for doing something really stupid.
Look at Linux. An operating system used by millions and every hacker in the world can get their hands on the source code. Why don't we see many viruses for Linux? Because it was implemented well.
I think you mean a GNU/Linux virus. Very little malicious Linux code relies only on kernel exploits to do their bad stuff. Credit where credit is due, and all that. ;^)
Weaselmancer
rediculous.
The school district where I work used to have its entire network wide open. Anyone could access everything, e-mail, grades, pernament record. You name it, they had it. They just has to browse to it through the Network Neighborhood icon. One student saw this and told the assistant principal several times and he was ignored. He finally printed off a bunch of student grades and gave them to the assistant principal showing him it was a real risk and that something should be done. He was a legitimate good kid trying to help. Instead, he was Expelled from the district and was given probation (he was a minor). After that, the district REALLY tightened up its security. I feel that kid shouldn't have had anything done other than a huge thank you.
Click Click Bloody Click PANCAKES!
I would say that prosecution of this guy is warrented only if the parties responsible for security administration at the company are also subject to prosecution for letting security flaws go.
For a private sector company, who would you first inform of system vulnerabilities? The company, itself, I would imagine. After that (assuming no action is taken)? Not really my call to make, but there must be some amount of culpability laid at the feet of those responsible for security, particularly if they are made aware of vulnerabilities.
Until there are laws regarding the fixing of flawed security, there should be relaxations of rules for those who, in good faith and effort, inform the possible victims of software vulnerabilities, particularly when the system is engaged in online commerce (makes for a big target).
Not being a lawyer, I still believe in what I'll call "fairness". Given two examples:
#1 Sysadmin/former sysadmin informs customers of possible vulnerabilities or exploitation of personal/financial/medical information = possible jail term
#2 Sysadmin/company is aware of vulnerabilities, but either can not or will not inform customers/fix problems/make anyone outside the company aware of problem = unhappy customer base
I see a disparity here. One example risks the walfare of the company, the other, it's user base.
I worked for an Army contractor in the 80's. I found flaws weekly. I caught flack for each one I pointed out. In the end they made me data security manager so I would just fix them and stop pointing them out to the customer. I was told I would go to jail more than once. You have to do what is right for the customer. In this case the customer was the US Army. Any company should see this is the only way to to fix holes. See them, report them, fix them. -Steve
Sprint runs a 9-1-1 service for hundreds of jurisdictions around the United States. The heart of their system includes a Windows server that is left virtually wide open on the internet. This server is the repository of all the 9-1-1 data from telephone companies around the country. It would be trivial to add, delete, or alter the 9-1-1 data on that server and wreak havoc. The system does not even require a password.
This has been reported to Sprint and various local 9-1-1 officials several times. Sprint denies it is vulnerable; local authorities are disinterested in investigating. Nobody will put any attention on this until that one day that a malicious party will cripple 9-1-1 systems throughout the U.S. Then there will be screams for congressional investigations and finger pointing galore.
But the well-meaning party that performs a proof-of-concept exploit to make a point would be butchered as the terrorist they are trying to prevent.
For now, there are people who know that the 9-1-1 system is extremely vulnerable, and they fear the day it gets exploited. But they are more afraid of ruining their lives and their families' lives by speaking out.
If a vendor gets notification of a security breach and doesn't fix it within x-number of days, you should be allowed to sue them if you are a customer and must use that insecure software. Not they get to sue you or the other guy who found out about it, or the state prosecutes. That's what this article case was about. Bogus. The guy who did it could have been a little smoother in how he went about it, but really...
Yes, that should apply to operating systems and applications as well.
That would slow down code bloat and new features in favor of writing secure code and having secure access.
I work on cars sometimes. If I notice a defect that looks like it could be a serious design flaw, and notify acme motors, and they still keep shipping cars with that defect,and people get hurt...well, they get nailed in court then, and the law falls pretty well on the side of the customers and the people who found out about it. That's with the car I have access to. If I have to break into their factory to do this,to find out, that's another story.
I think the difference is normal access as opposed to extra-ordinary access. If it is normal access, I see no probs, the other, gets to be a tricky call when it comes to code. We need a legal definition of what is access. If it is a web facing page, and no hacks are involved in accessing it, then I say there should be no threat to the accesser, looking for security breaches or anything else. If a glitch is found that seems to offer the potential to elevate access permissions, I think a proper response is some way to have a verified notification to the vendor, (we need a legally verifiable way to do this, a public bulletin board recognized by industry, something like the notices in your local classified paper for example) (doesn't exist in the software world that I am aware of),then x-days later publish it publically, no matter fixed or not. X-days does not have to be a long time either, a few days to a week should be sufficient, and no way charge the poor guy with anything for doing that.
We have very little accountability for software now,none basically, or to the people who use it and sell it to "make money" with. They offer a product, it shouldd have a warranty, it is that simple, all other products out there come with warranties "suitable for purpose and free from defects that would allow significant harm". All other products out there stilol have some defects, our laws identify BAD ones that cause harm.
Until we get software warranties,to balance all the patent and other legal protections they have for their "products" in order to transfer cash from your wallet to their's, security will remain dismal and abusers and profiteers from bad code will remain reluctant to develop or deploy greatly enhanced/audited for security code.
This is 2006, I think it is safe to point out this is the case with the vast majority of code out there now, and has been for a long long time unitl it has become the industry mantra and miondset that "it can't be done". I saw rubbish. Before we had legally enforced warranties for tangible products, "the industry" claimed the same thibng, that "it couldn't be done". We have proven it is possible to reduce the defect rate to a point where all other industries manage to survife, yes?
Software companies *don't give a crap* because they aren't LIABLE for any bad code, no matter what happnes to YOU if you use it. That's because they have no legally enforced warranties. End.Stop.
There is no stick to go with the carrot in this situation, unlike the vast majority of other products and services to products. Software has gotten a completely free ride for too long a time now.
It's a defence to any crime that you only carried it out in order to prevent a greater crime. Like the old "dog in distress" scenario: it's perfectly OK to force entry into a vehicle or building in order to rescue a trapped animal in serious distress. By committing criminal damage {a crime against property} you have stopped an act of cruelty to animals {a crime against living things, therefore by definition a much greater offence}.
If analogies from outside the computing world applied within the computing world, then it would be a valid defence for McDanel to say that his {fairly minor} offence of sending an e-mail to employees of a company was done in order to prevent a much greater crime involving exploiting a security flaw in that company's products. As things stand today, however, non-computer analogies don't translate well to computerised situations.
Je fume. Tu fumes. Nous fûmes!
The submission is entirely within quotes. "gsch" simply put in a portion of the article into quotes, and sent it to /. It gets posted with another set of quotes. If you look closely, you will see that there are three little marks around the submitted text, not two (meaning a quote within a quote). Could have been formatted better, though.
Look at the tomato! Isn't it sad? He can't dance! Poor tomato!
Not revealing security holes should be the crime, and not the reverse. Only a well-informed consumer has a realistic chance of protecting themselves.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
It is not justice that our legal system is set up for... it is to maintain order in our society. Justice does occasionally run afoul of societal order and for that reason justice is NOT the primary duty of our legal system.Also, the USA is NOT a democracy... it is a republic... democracy just sounds better even if it is inaccurate.
Since it seems this article is primarily about me, I felt it was necessary to post here. My name is Eric McCarty and you can read up on the case from my perspective on my website :
http://www.freemccarty.com/
I am not a malicious hacker, i am not even a hacker, I am a security researcher who wanted to goto USC to get my degree, nothing more, nothing less. If you think about it, I am one person, if I goto prison for the offense I am accused of commiting then I can still look in the mirror and know that because of my action over 200,000 people won't be victims of identity theft.
Thats the whole point of security research in my opinion, making the internet safer, not for notariety, not for fame, or for money. Please take a look at my website and feel free to contact me directly with any comments, suggestions or if you are willing to assist my case.
Thanks,
Eric C. McCarty
admin@freemccarty.com
http://www.freemccarty.com/
That means the law frequently rests on the definition of "authorization." Many cases suggest that if the owner doesn't want you to use the system, for whatever reason, your use is unauthorized. In one case I took on appeal, the trial court had held that searching for airline fares on a publicly available, unprotected website was unauthorized access because the airline had asked the searcher to stop.
If a shop owner tells you to get out of his store, then you must comply or the police will be called. Why? Because if you do not comply with the wishes of the owner, its called trespass. But on the other side, the shop owner must notify the customer that they need to leave before calling the cops, otherwise its harrasment.
Just because you know something about computer systems doesn't give you the right to invade them and show the owner what you found. How would you like a home security firm to break into your house and then publish in the local paper that you keep a key under the doormat? Yes, my house is 'publicly available' given that its not behind any gates or walls, but that is not an invitation for everyone to come in.
What needs to happen is for security professionals as an industry to have more savvy contracts with the companys they consult for. With clauses stating that the consultant will be free from prosecution if a) they notify the company and give time to repsond and b) if the company doesn't take action and the risk is great to the public or the company's clients then c) the consultant has the right to go public with the information.
Of course there are more clauses you might want to add, but it seems like a lot of this could be solved in the contracting steps of taking the job. If you can't get a good contract, don't take the job.
Vigalante justice is illegal. Robin Hood was a good guy, as were the American Revolutionaries, but from a criminal law perspective they were all guilty of many crimes. They chose to break the law because of their personal convictions but they also more or less accepted the risks of doing so.
What happened to whistle blower protection laws, wouldn't those apply in these situations?
So, if we apply your logic: What then, gives telemarketers the right to call you? Your number is publically accessable, and no password is needed to call your number and have the phone at your end ring because the phone lines go right into your house. In short, there's NO SECURITY between you and the telemarketer.
However; that doesn't mean that they now have the right to invade your privacy and call you. And yet, they do. How is it that your logic will apply to a security firm breaking into your house, but ignores a telemarketer that does, essentially the same thing? They call on a regular basis and really, that's as much "breaking in" as any other computer analogy.
Now, we all hate the telemarketers, and laws have been enacted to prevent them from harassment; but really, technically it *IS* legal for someone to "break in" to your house via the telephone, so I cannot say that your logic is flawless.
TTYL
If telephones are outlawed, then only outlaws will have telephones.
Interestingly, the circuit court remanded the case back to district court with the order that the case be dismissed with prejudice for lack of evidence.
I would say that Ms. Granick is quite qualified to make the submissions which seem to be well thought out.
The same sort of thing happened to me. I was wardriving one day, and came across a hot spot. After connecting to it and not being able to browse the internet, I did a little more investigation. Turns out that I discovered an unsecured POS terminal. Not just any POS terminal, but this was part of a nation-wide store chain. Any monkey with the slightest computer knowledge would have been able to sniff credit card numbers, account numbers, etc. with little to no problem. The odds of being caught were also slim to none. I made all the contacts I needed to, and recieved a phone call a half hour later. "Why did you breach my computer system? You DO know what you did is illegal, right?" "Look sir, it could have been me or a person sniffing credit card numbers. I am helping you." And yes, there are still honest people in the world...