Busting People for Pointing Out Security Flaws

gsch writes "'In 2004, Bret McDanel was convicted of violating section 1030 when he e-mailed truthful information about a security problem to the customers of his former employer. The prosecution argued that McDanel had accessed the company e-mail server by sending the messages, and that the access was unauthorized within the meaning of the law because the company didn't want this information distributed. They even claimed the integrity of the system was impaired because a lot more people (customers) now knew that the system was insecure. Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal, and argued that reporting on security flaws doesn't impair the integrity of computer systems. In an extremely unusual turn of events, the prosecution did not defend its actions, but voluntarily moved to vacate the conviction.'"

Something is Rotten

[eldavojohn]

If I were a customer of a company that had the mentality "anyone that helped developed the code is a threat to its security" then I would find another vendor--and fast!

There are practices and standards for developing secure code. If your programmers follow these, then even their knowledge of the source shouldn't matter if they go rogue or want to have fun in their free time. Look at Linux. An operating system used by millions and every hacker in the world can get their hands on the source code. Why don't we see many viruses for Linux? Because it was implemented well. Perhaps companies should start to realize that if they produce code for Win32 applications, they're going to have to resort to the same tactics that Microsoft uses: Don't let the source code out or its true flaws will be revealed and exploited!

For the consumers of these companies, be wary that your product is only as secure as the company's relationship with its developers--kind of scary considering they're keeping them quiet via threat of lawsuit.

Re:Something is Rotten

[Akoma+The+Immortal]

Right. So all those web servers with apache, running linux account for how much % of the web (60,65,70 I dont know, check netcraft).

Image the botnet you can have if you can manage to compromise all of them, silently sending data, doing damages.

Numbers, numbers you said.

Try again.

Re:Something is Rotten

[PPGMD]

Numbers is one factor, the administrator is another factor.

The average home PC is administrated by someone that has no clue about security, while the average Apache admins, knows how to lock down a system, and doesn't use the system for everyday stuff, like viewing e-mails, and running programs randomly downloaded off the internet.

If we gave Linux machines to the same idiots that run Windows XP machines, you would have botnets, there might not be as many, but they would still be there because many virii are run via social engineering, not via operating system tricks. The dumb user is not something Linux can fix.

Re:Something is Rotten

[hullabalucination]

I'm pretty sure that that gigantic market share of Windows is the main reason that it's got so many viruses.

Right. The fact that Gates, Ballmer & Company decided to ignore practically every reputable security expert on the planet and release ActiveX, a completely unsandboxed tool for crackers, had nothing to do with it. Right-o, Matey.

First ActiveX exploit released: 1993. Latest ActiveX exploit: in the wild currently and unpatched. That's 13 years that Microsoft has ignored your security and refused to correct a huge, gaping security hole.

We won't even talk about the RPC processes (accessible through ports left open by default) that have traditionally been running in Windows (up until just a few months ago), with full Admin privileges, every time you log in, no matter how you log in.

The real reason Windows has more security problems: the head-in-the-sand, we'll-bend-over-and-take-more-of-this-same-old-cra p attitude of Microsoft customers.

But here, I'll let the Microsoft folks themselves tell you:
"Our products just aren't engineered for security," said Brian Valentine, Microsoft senior vice president for Windows development. Another Microsoft executive recently explained they never paid attention to security "Because customers wouldn't pay for it until recently."

Article (2003) quote from http://archive.corporatewatch.org/profiles/microso ft/microsoft1.htm#Crapsoftware

Re:Something is Rotten

[Irish_Samurai]

Man, this is something I sit up at night and try to figure out. How do you create a means of educating an ignorant end user to a satifactory point of sophistication all the while making the barrier to entry non existent.

The problem is also compounded by the fact that the tech behind the scenes is getting more complex by the minute as the concepts build on each other.

I think a cool idea whould be to create some sort of setting or application that runs on your windows box and proactively explains things when they come up. Somewhat like ESPN had going on about 3 years ago with Hockey games. Once a week a game was chosen to be the "learning" game. Whenever a penalty was called, the announcers would breifly explain and illustrate what the penalty was, how it occured, why it was a penalty, and the price to be paid.

I know they have a help file now, but no one is going to go out of their way to learn something like this. Maybe a little more comprehensive tool tip text type of thing would do the trick.

Just as long as it isn't animated and dosn't make noise.

Re:Something is Rotten

[Akoma+The+Immortal]

Yes. You are right.

But, (you saw that BUT coming did you :-P), when the social engineered mail bomb or trojan, uses a flaw in the OS to propagate itself, is it the fault of the user, or because of the bad OS design?

Like when Sasser, or Slammer, so many names I am mixing them up, was runnig wild on the internet, I had a dozen of email containing the trojan paylod and i opened them! thats right I opened them and nothing happen. Why? Because I was smart? No, I wished to make a point to my friend. I used Mozilla on Linux, nothing happen.I used Mozilla on Windows, same result, nada. Did I dared use Outlook? not in a million years. In fact, My wife, who is a computer newbie, use Windows XP has her OS, with full admin rights, because you know some programs just runs better, and has no problem surfing where ever she wants, reading emails from friends, even infected one. She dont use Outlook or IE, that is all I ask of her.

Anyway all this to say that no matter how competent you are, when your tools are broken, you will be broken. Period.

Number is factor. Competent user is another factor, and platforms are one more factor to consider.

P.S: Sorry for my english mistakes. I am a Canadian born french african.

Re:Something is Rotten

[blincoln]

It is a fact that programs get released with known bugs, it's actually an economic certainty for commercial programs.

Bugs are going to happen. Incompetent design doesn't have to.

There is an expensive (~$3000 license per machine) "enterprise" product that we use throughout the company. It needs to store usernames and passwords with reversible encryption. In the first version we deployed, the encryption was a substitution cipher - literally the level of "security" you'd get from a cereal box spy ring. We complained to the vendor. The next version used a one-time pad that was the same for every password on every machine where the software was installed in the world. I wrote a script that generated a decoding table in a few hours, and I'm not even a cryptography geek. We complained again, and they changed it to something that at least *appears* reasonably secure, I haven't had time to look into it.

Even assuming it is decent this time, why did it take so long for them to do? Encryption isn't a new field. There were plenty of algorithms they could have used from the beginning instead of re-inventing ciphers from centuries ago.

Re:Something is Rotten

[Fareq]

That sounds very good, however you might want to think about these two facts, and how they interact:

1: All software has some number of bugs.

2: A VM is a piece of software

--

Also realize that in order to be effective, each such piece of software would have to execute inside its own VM in complete isolation from other applications... no IPC, no shared memory, no networking -- after all, a bug in one application could be exploited by a "properly" invalid network request... While highly secure, this is not the most useful of configurations...

and?

[schnits0r]

THis happens a lot. My friend used to work for an airline, and he had made comments about weak airline security to his coworkers and boss, and that he was concerned how easy it would be for someone on the inside to disrupt air traffic. They called the transport authority and they have basically black listed him from being at an airport and told him he was lucky they didn't press charges.

Re:and?

[Fulcrum+of+Evil]

Yep, and the submitter's remark, "Notwithstanding the First Amendment's free speech guarantees," is silly because the First Amendment doesn't guarantee 100% free speech in all situations.

How do you get from there to criminal prosecution for pointing out security flaws?

Understandable

[BenEnglishAtHome]

The first impression is that this is really weird. Prosecutors, at least in my neck of the woods, don't give two shits about justice or truth. They just want convictions. Do we actually have a prosecutor somewhere with integrity? How many times has hell frozen over this month?

Take a minute to think about it, though, and things change. Prosecutors still just want convictions that stand on appeal. In this case, the conviction was eventually going to get tossed, so the prosecution gets to look like a hero by bailing out early.

As usual, what at first blush appears to be a noble action by a public servant turns out to be self-serving. There is still no chance of a prosecutor having integrity. All is, again, right with the world.

Re:Understandable

[ninewands]

Quoth the grandparent:

Prosecutors, at least in my neck of the woods, don't give two shits about justice or truth. They just want convictions.,/b>

Quoth the parent:

Well, that's their fucking job! They represent the accusation, after all.

Errrmmmm ... actually no. The prosecutor represents the State, not the complainant, who is merely an accusing witness. The prosecutor has NO obligation whatsoever to the victim of a crime. His/her obligation is to represent the peace and dignity of the State and to seek justice.

Quoted from the Texas Disciplinary Rules of Professional Conduct:
(Tex. Disciplinary R. Prof. Conduct, (1989) reprinted in Tex. Govt Code Ann., tit. 2, subtit. G, app. (Vernon Supp. 1995)(State Bar Rules art X [[section]]9))

3.09 Special Responsibilities of a Prosecutor

        The prosecutor in a criminal case shall:

        (a) refrain from prosecuting or threatening to prosecute a charge that the prosecutor knows is not supported by probable cause;

        (b) refrain from conducting or assisting in a custodial interrogation of an accused unless the prosecutor has made reasonable efforts to be assured that the accused has been advised of any right to, and the procedure for obtaining, counsel and has been given reasonable opportunity to obtain counsel;

        (c) not initiate or encourage efforts to obtain from an unrepresented accused a waiver of important pre-trial, trial or post-trial rights;

        (d) make timely disclosure to the defense of all evidence or information known to the prosecutor that tends to negate the guilt of the accused or mitigates the offense, and, in connection with sentencing, disclose to the defense and to the tribunal all unprivileged mitigating information known to the prosecutor, except when the prosecutor is relieved of this responsibility by a protective order of the tribunal; and

        (e) exercise reasonable care to prevent persons employed or controlled by the prosecutor in a criminal case from making an extrajudicial statement that the prosecutor would be prohibited from making under Rule 3.07.

        Comment:

        Source and Scope of Obligations

        1. A prosecutor has the responsibility to see that justice is done, and not simply to be an advocate. This responsibility carries with it a number of specific obligations(emphasis added). Among these is to see that no person is threatened with or subjected to the rigors of a criminal prosecution without good cause. See paragraph (a). In addition a prosecutor should not initiate or exploit any violation of a suspects right to counsel, nor should he initiate or encourage efforts to obtain waivers of important pre-trial, trial, or post-trial rights from unrepresented persons. See paragraphs (b) and (c). In addition, a prosecutor is obliged to see that the defendant is accorded procedural justice, that the defendants guilt is decided upon the basis of sufficient evidence, and that any sentence imposed is based on all unprivileged information known to the prosecutor. See paragraph (d). Finally, a prosecutor is obliged by this rule to take reasonable measures to see that persons employed or controlled by him refrain from making extrajudicial statements that are prejudicial to the accused. See paragraph (e) and Rule 3.07. See also Rule 3.03(a)(3), governing ex parte proceedings, among which grand jury proceedings are included. Applicable law may require other measures by the prosecutor and knowing disregard of those obligations or a systematic abuse of prosecutorial discretion could constitute a violation of Rule 8.04.
<END of quoted material>

Almost every state has the same, or similar rules, in place, as does the federal court system. Care to try again, ArsenneLupin?

Oh, and while we are on the subject IAAL I just don't practice law.

Vacation vs. Repeal

[Gallenod]

Vacating the conviction doesn't challenge the law, just the individual action. Looks like the company wanted the publicity from the conviction to reinforce their non-disclosure agreement but didn't want to take the risk that the law would be rolled back later on appeal.

(IANAL, but my uncle is.)

C'mon....

[Otter]

Jail time for McDanel is almost certainly excessive, but that doesn't mean that accessing (or hax0ring -- it's not clear what he did) your ex-employer's email server to write to all their customers isn't a stupid idea, let alone that it's a protected First Amendment matter.

And as long as we're slinging around prissy "Will they ever learn?"s, the other poor victim of persecution, McCarty (what's up with all these Celts?) is a real case of failure to learn. Has it not sunk in yet that you simply can't intrude on systems or files without permission, however helpful your intentions? How freaking difficult is that for people to grasp?

Synopsis kind of misleading.

I saw this, and was all ready to ask questions to the submitter, as I saw the line "I represented him on appeal". Read that whole synopsis once again. Doesn't it look like the submitter is the one doing the talking?

Next, click the link... you'll find that it is cut and pasted right out of the article. That generally wouldn't be so bad.... but is gsch "Jennifer Granick"? If not, the quote should be phrased in a way that this is evident, in cases where there is first-person content in the quote.

Call it grammar nazism, but for very obvious reasons, the synopsis as it currently reads, is misleading... if one wanted to be a dick about it, they could say that it even seems like this person is masquerading as the defendant's attorney. I won't go that far, but the point is made.

An important detail seems to be missing

[MikeRT]

Did the guy do this after he quit his job? If he emailed the customers using a company server after he left, I can see the company having a legitimate case. Another thing, did he bring these problems up to management and get the ball rolling on a fix or did he just drop the bomb on his employer after he left? There have been enough guys who seem innocent on the surface on slashdot, that I'm now hesitant to not believe there may be some malfeasance on the guy's part.

If he quit his job and then emailed the customers on his own time/equipment with a polite notice saying that he used to work for them and wanted to alert them to problems that management refused to fix, that could cause substantial harm to the clients, I seriously don't think a judge would have given his former employer the time of day.

We're living in the Age

[Black+Parrot]

of Shoot the Messenger.

That seems to be the only solution businesses and politicians can come up with for their self-caused problems anymore.

It's like the full disclosure question

[elronxenu]

Without taking any sides on the matter of full disclosure, there are interesting parallels with the quoted cases.

Full disclosure: if I find a bug in, say, Windows, should I

• Report it to Microsoft?
• Announce it to the world?
• Report it to CERT?
• Send details to Oracle?

If I find a bug in USC's website, should I

• Report it to the USC administrators?
• Announce it to the world?
• Report it to SecurityFocus?
• Send it to MIT?

If I find a bug in my employer's systems, should I

• Report it to my employer?
• Announce it to the world?
• Report it to CERT?
• Send it to my employer's competitors?

Enquiring minds wish to know ...

My experience with an ASP

[joshv]

When working for a company I shall not name, we used an ASP for our recruiting software, which company I will also decline to name. This software had a document upload functionality that would allow clients to upload offer letters and such. In trouble shooting an issue with our company's uploads we found it was quite easy to browse to other client's uploads by changing a client ID in a URL. Granted, you had to login to the system to be able to access this URL, but once logged in, there were apparently no security restrictions across clients. We had free access to the offer letters, job applications, any document having to do with the recruiting and hiring process, of other companies - some of them very big names.

Did we do anything about it? Nope. We ignored it. I didn't even bring it up to our managers. Why? Because in documenting the issue we would have most certainly violated the licensing agreement, and a good argument could be made (especially in light of judgements like the one in the article) that we were conducting criminal computer trespass by changing the URL to knowingly access another client's repository. As stupid as that sounds, I was not willing to risk my job, or prison time, when I knew there were probably 15 other such security issues in the product, and my blowing the whistle on this one wasn't going to fix what was essentially a very crappy product.

Re:First amendment?

[cdrguru]

The First Amendment refers to the government's ability to pass laws to restrict speech. It has limited effect on states, cities, villages and other municipalities.

It has no effect on companies, contract law, or anything else.

There is no "first amendment right to access the system". Period. You do not have any rights at all - you have privileges that the operator of the system gives you. And these can be revoked at any time. Without cause or explanation.

Yes, that means AOL can cancel your account without telling you why.

Yes, that means when your employer says not to do something and you do it anyway you are exposing yourself to consequences. Sometimes legal consequences in addition to just getting fired.

Not to go all Stallman on you, but...

[Weaselmancer]

Look at Linux. An operating system used by millions and every hacker in the world can get their hands on the source code. Why don't we see many viruses for Linux? Because it was implemented well.

I think you mean a GNU/Linux virus. Very little malicious Linux code relies only on kernel exploits to do their bad stuff. Credit where credit is due, and all that. ;^)

Same here

[GmAz]

The school district where I work used to have its entire network wide open. Anyone could access everything, e-mail, grades, pernament record. You name it, they had it. They just has to browse to it through the Network Neighborhood icon. One student saw this and told the assistant principal several times and he was ignored. He finally printed off a bunch of student grades and gave them to the assistant principal showing him it was a real risk and that something should be done. He was a legitimate good kid trying to help. Instead, he was Expelled from the district and was given probation (he was a minor). After that, the district REALLY tightened up its security. I feel that kid shouldn't have had anything done other than a huge thank you.

Real Fear

Sprint runs a 9-1-1 service for hundreds of jurisdictions around the United States. The heart of their system includes a Windows server that is left virtually wide open on the internet. This server is the repository of all the 9-1-1 data from telephone companies around the country. It would be trivial to add, delete, or alter the 9-1-1 data on that server and wreak havoc. The system does not even require a password.

This has been reported to Sprint and various local 9-1-1 officials several times. Sprint denies it is vulnerable; local authorities are disinterested in investigating. Nobody will put any attention on this until that one day that a malicious party will cripple 9-1-1 systems throughout the U.S. Then there will be screams for congressional investigations and finger pointing galore.

But the well-meaning party that performs a proof-of-concept exploit to make a point would be butchered as the terrorist they are trying to prevent.

For now, there are people who know that the 9-1-1 system is extremely vulnerable, and they fear the day it gets exploited. But they are more afraid of ruining their lives and their families' lives by speaking out.

FreeMcCarty.com

[OneByteOff]

Since it seems this article is primarily about me, I felt it was necessary to post here. My name is Eric McCarty and you can read up on the case from my perspective on my website :

http://www.freemccarty.com/

I am not a malicious hacker, i am not even a hacker, I am a security researcher who wanted to goto USC to get my degree, nothing more, nothing less. If you think about it, I am one person, if I goto prison for the offense I am accused of commiting then I can still look in the mirror and know that because of my action over 200,000 people won't be victims of identity theft.

Thats the whole point of security research in my opinion, making the internet safer, not for notariety, not for fame, or for money. Please take a look at my website and feel free to contact me directly with any comments, suggestions or if you are willing to assist my case.

Thanks,

Eric C. McCarty
admin@freemccarty.com
http://www.freemccarty.com/

The other side

[geekyMD]

FTFA:

That means the law frequently rests on the definition of "authorization." Many cases suggest that if the owner doesn't want you to use the system, for whatever reason, your use is unauthorized. In one case I took on appeal, the trial court had held that searching for airline fares on a publicly available, unprotected website was unauthorized access because the airline had asked the searcher to stop.

If a shop owner tells you to get out of his store, then you must comply or the police will be called. Why? Because if you do not comply with the wishes of the owner, its called trespass. But on the other side, the shop owner must notify the customer that they need to leave before calling the cops, otherwise its harrasment.

Just because you know something about computer systems doesn't give you the right to invade them and show the owner what you found. How would you like a home security firm to break into your house and then publish in the local paper that you keep a key under the doormat? Yes, my house is 'publicly available' given that its not behind any gates or walls, but that is not an invitation for everyone to come in.

What needs to happen is for security professionals as an industry to have more savvy contracts with the companys they consult for. With clauses stating that the consultant will be free from prosecution if a) they notify the company and give time to repsond and b) if the company doesn't take action and the risk is great to the public or the company's clients then c) the consultant has the right to go public with the information.

Of course there are more clauses you might want to add, but it seems like a lot of this could be solved in the contracting steps of taking the job. If you can't get a good contract, don't take the job.

Vigalante justice is illegal. Robin Hood was a good guy, as were the American Revolutionaries, but from a criminal law perspective they were all guilty of many crimes. They chose to break the law because of their personal convictions but they also more or less accepted the risks of doing so.

What happened to whistle blower protection laws, wouldn't those apply in these situations?