
Busting People for Pointing Out Security Flaws

Hemos posted more than 7 years ago


gsch writes "'In 2004, Bret McDanel was convicted of violating section 1030 when he e-mailed truthful information about a security problem to the customers of his former employer. The prosecution argued that McDanel had accessed the company e-mail server by sending the messages, and that the access was unauthorized within the meaning of the law because the company didn't want this information distributed. They even claimed the integrity of the system was impaired because a lot more people (customers) now knew that the system was insecure. Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal, and argued that reporting on security flaws doesn't impair the integrity of computer systems. In an extremely unusual turn of events, the prosecution did not defend its actions, but voluntarily moved to vacate the conviction.'"


350 comments

Something is Rotten (5, Insightful)

eldavojohn (898314) | more than 7 years ago | (#15300268)

If I were a customer of a company that had the mentality "anyone that helped develop the code is a threat to its security" then I would find another vendor--and fast!

There are practices and standards for developing secure code. If your programmers follow these, then even their knowledge of the source shouldn't matter if they go rogue or want to have fun in their free time. Look at Linux. An operating system used by millions and every hacker in the world can get their hands on the source code. Why don't we see many viruses for Linux? Because it was implemented well. Perhaps companies should start to realize that if they produce code for Win32 applications, they're going to have to resort to the same tactics that Microsoft uses: Don't let the source code out or its true flaws will be revealed and exploited!

For the consumers of these companies, be wary that your product is only as secure as the company's relationship with its developers--kind of scary considering they're keeping them quiet via threat of lawsuit.

Re:Something is Rotten (2, Interesting)

fabs64 (657132) | more than 7 years ago | (#15300319)

It is a fact that programs get released with known bugs; it's actually an economic certainty for commercial programs.
It is a SAD fact that some of these known bugs are security vulnerabilities. One would hope that security bugs top the priority list, but they do not; usability most often comes first.

Re:Something is Rotten (2, Insightful)

Splab (574204) | more than 7 years ago | (#15300670)

Since the customer is always right, the customer has to know what security problems means - and why he/she should care.

In my experience, moving a piece of graphics one pixel has way more priority for a customer than fixing an SQL injection problem, and since the company developing the software gets money for moving the graphics around, but not for fixing the bug - guess what I'm being told to do...
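The SQL injection bug the comment above treats as a low-priority item is the kind of flaw that is cheap to fix and expensive to leave in. As an added illustration (this is example code, not anything from the thread or from the poster's employer), here is a login query in the vulnerable string-formatted form beside the parameterized form that closes the hole. The table, users and passwords are constructed for the example; `login_vulnerable` and `login_safe` are hypothetical names.

```python
import sqlite3


def build_db():
    """Constructed sample database: two users, plaintext passwords for brevity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Attacker-controlled text is pasted into the statement, so it is parsed as SQL."""
    sql = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Bound parameters: the values travel separately and are never parsed as SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = build_db()
    # Tautology in the password field: AND binds tighter than OR, so every row matches.
    print(login_vulnerable(db, "alice", "' OR '1'='1"))   # [1, 2]
    # Comment sequence in the username: the password check is cut off entirely.
    print(login_vulnerable(db, "alice'--", "wrong"))      # [1]
    # Same payloads against the parameterized query match nothing.
    print(login_safe(db, "alice", "' OR '1'='1"))         # []
    print(login_safe(db, "alice'--", "wrong"))            # []
    # The real credentials still work.
    print(login_safe(db, "alice", "s3cret"))              # [1]
```

The fix is a one-line change to the query, which is the point: the cost of the fix bears no relation to the cost of leaving it for a "move the pixel" ticket to outrank.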

Re:Something is Rotten (1, Insightful)

QuantumG (50515) | more than 7 years ago | (#15300340)

Meh. If you don't demand source you should expect security flaws.

Re:Something is Rotten (1)

Nutria (679911) | more than 7 years ago | (#15300767)

Meh. If you don't demand source you should expect security flaws.

I've got some bad news for you: Linux, FreeBSD, GNOME, KDE, OpenOffice, Firefox, pretty much every large app & library all have security flaws.

Re:Something is Rotten (0)

Anonymous Coward | more than 7 years ago | (#15300366)

If a former employee would contact me to tell me about security issues, I'd think that someone is on a vendetta. If you absolutely can't hold back, leak the information to a journalist, but don't try to make yourself look like the good guy by denouncing your former employer.

Re:Something is Rotten (2, Insightful)

Irish_Samurai (224931) | more than 7 years ago | (#15300486)

Why don't we see many viruses for Linux?

While I think that implementation may have a little to do with it, I think the driving factor is that Linux has nowhere close to the user base that Windows does.

The purpose of many of these viruses is to create a large botnet. That's a lot easier to do when you target an OS aimed at the everyman computer user who lacks sophisticated understanding of his box and how to maintain it. Linux, on the other hand, has nowhere close to the user base, spread across so many different releases and distros, so creating a virus for Linux is probably done just to prove a point. The numbers just don't warrant the attention yet.

Re:Something is Rotten (0)

garaged (579941) | more than 7 years ago | (#15300611)

The real reason is that it must be really smart to attack enough boxes, and even then most of them would stay infected for very few days at most. What's the point of infecting/cracking a box that will be patched really fast? You can even get detected and tracked back to your home; that's not good at all.

Re:Something is Rotten (2, Insightful)

slashname3 (739398) | more than 7 years ago | (#15300633)

It is partially a numbers game. However, if Linux systems (or any Unix system) had easily exploited security flaws then there would be huge numbers of worms and viruses targeting those systems that are out there. If nothing else they would be excellent platforms to launch attacks on the huge numbers of Windows systems.

The real reason you don't see that many viruses or worms directed at Linux systems is that the concept of least privilege was implemented at the start. Unlike most Windows systems, on which users run with administrator privileges that allow a virus to do whatever it wants once it executes, Linux users typically don't run everyday applications with admin or root privileges. As such it is much more difficult for code that is executed on a Linux system to gain complete control of the system.

There are exceptions to all this: some Windows users have locked down their systems and some Linux users run as root all the time. Both cases are relatively small groups.

And with the introduction of SELinux, security is getting even better on Linux systems. But no matter how good the security tools are that are made available, nothing can prevent a bad administrator from setting up an insecure system. The last few compromised Linux systems I heard of were all owned because users utilized very poor passwords on the systems. Maybe someday when we can get rid of the users we can have real security. :)

Re:Something is Rotten (5, Insightful)

Akoma The Immortal (36474) | more than 7 years ago | (#15300645)

Right. So all those web servers with Apache, running Linux, account for how much % of the web (60, 65, 70, I don't know, check Netcraft).

Imagine the botnet you can have if you can manage to compromise all of them, silently sending data, doing damage.

Numbers, numbers you said.

Try again.

Re:Something is Rotten (2, Insightful)

Irish_Samurai (224931) | more than 7 years ago | (#15300746)

Well, I hardly think that the people maintaining web servers are technical idiots. So targeting a set of systems that are constantly monitored and maintained by people who are generally neurotic about it isn't exactly the most vulnerable group for creating botnets, is it? The home users are.

Thanks for playing.

MOD PARENT UP! (0, Troll)

linuxkrn (635044) | more than 7 years ago | (#15300762)

Ah, where are the mod points when I need them. I was just thinking of replying to GP with this. Such typical FUD that fanboys want to use as an excuse that Windows is only infected all the time because it's so popular. Please.

Ok, but let me get my gun... (0)

Anonymous Coward | more than 7 years ago | (#15300284)

.. and go out and shoot some of those pigs that are flying around!

BBL

and? (5, Interesting)

schnits0r (633893) | more than 7 years ago | (#15300290)

This happens a lot. My friend used to work for an airline, and he had made comments about weak airline security to his coworkers and boss, and that he was concerned how easy it would be for someone on the inside to disrupt air traffic. They called the transport authority and they have basically blacklisted him from being at an airport and told him he was lucky they didn't press charges.

Does the TSA have a place for him to complain? (0)

Anonymous Coward | more than 7 years ago | (#15300394)

This is scary, that known airline security problems can be covered up with threats like that.

Seems he should call the TSA and get his boss's boss blacklisted for covering up these security problems and not taking appropriate measures to fix them.

Re:and? (3, Insightful)

Anonymous Coward | more than 7 years ago | (#15300458)

"My friend used to work for an airline, and he had made comments about .. how easy it would be for someone on the inside to disrupt air traffic .."

I don't suppose you will corroborate this fictional anecdote with the name of the airport and the name and manufacturer of the security system.

Surely in your country this is cause for a massive class action against the airport.

Re:and? (1)

mumblestheclown (569987) | more than 7 years ago | (#15300506)

I have a strong suspicion that your "friend's story", with its heartbreaking tale of the "good employee blacklisted for making safety-minded comments", should be a poster child for internet "you're only hearing one side of the story" arguments, with extra bonus for exaggeration.

Yes, there are irrational and stupid people throughout the world, but I am guessing that your friend's crime was not simply "making comments about weak airline security to his coworkers and boss", but doing something, saying something, and/or having personality traits that rang alarm bells with a bunch of people.

Re:and? (2, Interesting)

justthinkit (954982) | more than 7 years ago | (#15300582)

I worked on the Canadian commercial and military Automated Air Traffic Systems (CAATS & MAATS). A co-worker who tested software tracked one particular bug daily to see if it had been fixed yet -- it never was in the year I was there. The major network design problem I inherited and verified was totally denied during my entire stint, but I heard later they switched things to the way that I had advocated. I also heard later that the biggest advocate of the flawed design was married to the top person on the project.

It is quite an unforgettable experience to be the "Junior Barnes" in a room full of high level types working for a 100,000 person corporation who turn on you like a pack of dogs when you state that the design won't work. The most senior person in the room said just one thing, "Why wasn't I told of this earlier?" [I had been invited to this meeting almost on a whim, to help explain something if my boss floundered.]

Understandable (4, Interesting)

BenEnglishAtHome (449670) | more than 7 years ago | (#15300307)

The first impression is that this is really weird. Prosecutors, at least in my neck of the woods, don't give two shits about justice or truth. They just want convictions. Do we actually have a prosecutor somewhere with integrity? How many times has hell frozen over this month?

Take a minute to think about it, though, and things change. Prosecutors still just want convictions that stand on appeal. In this case, the conviction was eventually going to get tossed, so the prosecution gets to look like a hero by bailing out early.

As usual, what at first blush appears to be a noble action by a public servant turns out to be self-serving. There is still no chance of a prosecutor having integrity. All is, again, right with the world.

Re:Understandable (1, Insightful)

ArsenneLupin (766289) | more than 7 years ago | (#15300342)

Prosecutors, at least in my neck of the woods, don't give two shits about justice or truth. They just want convictions.

Well, that's their fucking job! They represent the accusation, after all.

I'd be more concerned if the judge just wanted convictions. That's the guy who is supposed to be impartial, not the prosecution.

It goes deeper than that (3, Insightful)

Saint Fnordius (456567) | more than 7 years ago | (#15300391)

The image a prosecutor wants to project is one of infallibility: if the prosecutor isn't sure himself that the suspect is guilty, then he wouldn't go to trial. The image a prosecutor wants to have is that of a guy that is fair, and doesn't waste time or money prosecuting innocents.

That said, I think I ought to reiterate that I'm talking about image, not whether the prosecutor is actually fair. Far too many prosecutors are willing to tar innocents rather than admit they nabbed the wrong guy.

That said, it may be that this prosecutor actually may have learned something, and decided to cut his losses rather than look like a bully working for the company (instead of the public interest). This was a criminal case after all, not a civil lawsuit.

Re:It goes deeper than that (0)

Anonymous Coward | more than 7 years ago | (#15300587)

"... if the prosecutor isn't sure himself that the suspect is guilty, then he wouldn't go to trial"

It's not the prosecutor's job to decide whether he/she thinks the accused is guilty. Their job is to present the evidence that suggests the accused is guilty. The judge/jury then makes the decision of guilt/non-guilt.

Prosecutors don't care whether the accused is actually guilty or not; all they care about is 'is there enough evidence to secure a conviction? If so, go ahead and prosecute; if not, give up'.

Re:Understandable (1)

Asic Eng (193332) | more than 7 years ago | (#15300591)

It's unethical for a prosecutor to accuse someone who they know is not guilty. I don't think it's their job to get the number of convictions up either - they are supposed to convict the right people. Why should we ask anything less from prosecutors?

Point taken... (2, Interesting)

BenEnglishAtHome (449670) | more than 7 years ago | (#15300652)

...but not completely. There's a saying where I live that the County Prosecutor can get a grand jury to indict a ham sandwich. Any grand jury that doesn't do exactly what the prosecutor wants will find itself the subject of a carefully orchestrated smear campaign, complete with local news stories (planted by guess who) investigating the problem of "runaway grand juries."

My point is that prosecutors have a lot of power and any public servant with lots of power should always be willing to step outside the game and do what's right before they start punishing people. And yes, prosecutors punish people long before trials happen before supposedly impartial judges. Just being indicted for a serious crime, something the prosecution does essentially without oversight, is usually a life-wrecking event no matter how innocent the accused. Normally, prosecutors who exercise their power with an eye toward justice, declining to prosecute marginal cases or cases where a bad law could be enforced, wind up simultaneously serving two goals: they serve their public mandate and they don't wind up looking like idiots in the end.

In this case, the prosecution actually did something that was right and sacrificed a little of the "We're perfect" vibe they normally work so hard to maintain. I simply chose to think less of them for being so slow to reach the conclusion such was the right thing to do. By being so slow to act, they have punished someone who ought not to have been punished.

Re:Understandable (1)

Lord Kano (13027) | more than 7 years ago | (#15300784)

Well, that's their fucking job! They represent the accusation, after all.

I don't know about you, but I prefer that prosecutors are first and foremost concerned with justice. I want the right people convicted and sent to prison, not just the ones that the prosecutors can convict.

LK

Re:Understandable (2, Informative)

SatanicPuppy (611928) | more than 7 years ago | (#15300488)

A lot of the time it's not the same prosecutor, so the integrity of one is not necessarily the integrity of the other.

Additionally, this sort of action is morally indefensible, and no doubt the company took a great deal of flack from it's customers over it. It is entirely possible that the company asked the prosecutor to quietly drop charges, so it wouldn't be brought back to the forefront of its customers minds.

Or it could be that the court district is running out of money, and doesn't want to waste money on another trial... There is a district in N.C. that is letting first- and second-degree murderers plead manslaughter because they can't afford murder trials.

Or it could just be that the public is getting more savvy, and the prosecutor felt uneasy about the jury selection.

Re:Understandable (1)

troon (724114) | more than 7 years ago | (#15300656)

Additionally, this sort of action is morally indefensible, and no doubt the company took a great deal of flack from it's customers over it.

A fair point, but do consider this: the impersonal possessive pronoun does not take an apostrophe.

Re:Understandable (0)

Anonymous Coward | more than 7 years ago | (#15300647)

Do we actually have a prosecutor somewhere with integrity?

A prosecutor is a lawyer who happens to work for the government.

You'll never work in this town again! (-1, Redundant)

BadAnalogyGuy (945258) | more than 7 years ago | (#15300315)

There are some things a professional should do and some things a professional shouldn't do. Unless the security flaw put lives in danger, it is best to just shut up about it and see what can be done to fix the issue.

It sounds more like McDanel was a disgruntled employee who took his anger out on the company. Future employers don't need that kind of hassle.

I wonder what line of work this ex-con will find himself in now that he is out on the streets again.

oh!... (0)

Anonymous Coward | more than 7 years ago | (#15300379)

look guys!! A microsoft employee!.. *stare* 8)

Vacation vs. Repeal (4, Interesting)

Gallenod (84385) | more than 7 years ago | (#15300318)

Vacating the conviction doesn't challenge the law, just the individual action. Looks like the company wanted the publicity from the conviction to reinforce their non-disclosure agreement but didn't want to take the risk that the law would be rolled back later on appeal.

(IANAL, but my uncle is.)

Re:Vacation vs. Repeal (2, Interesting)

cdrudge (68377) | more than 7 years ago | (#15300401)

No publicity is bad publicity... or something like that. However, if I were a company executive, I'm not sure I would like my company being in the news because I went after a former employee for pointing out a security flaw in my software. It draws attention to the fact that my software had a flaw in it, that our policies aren't keeping confidential information confidential, etc.

How to properly expose an MS SQL security hole... (-1, Troll)

Anonymous Coward | more than 7 years ago | (#15300323)

... post a picture of it [goatse.ca] on the affected website.

SCNR...

C'mon.... (4, Insightful)

Otter (3800) | more than 7 years ago | (#15300326)

Jail time for McDanel is almost certainly excessive, but that doesn't mean that accessing (or hax0ring -- it's not clear what he did) your ex-employer's email server to write to all their customers isn't a stupid idea, let alone that it's a protected First Amendment matter.

And as long as we're slinging around prissy "Will they ever learn?"s, the other poor victim of persecution, McCarty (what's up with all these Celts?) is a real case of failure to learn. Has it not sunk in yet that you simply can't intrude on systems or files without permission, however helpful your intentions? How freaking difficult is that for people to grasp?

Re:C'mon.... (3, Interesting)

goldspider (445116) | more than 7 years ago | (#15300412)

"...however helpful your intentions?"

I think you mis-spelled "vindictive".

After all, we're talking about a former employee, and considering how far things were taken, it doesn't sound like it was an amicable separation.

Re:C'mon.... (0)

Anonymous Coward | more than 7 years ago | (#15300453)

He didn't "hack" the mail server. Re-read the blurb: it says that he emailed all the customers, and that it was "unauthorized within the meaning of the law because the company didn't want this information distributed." Basically, he used the company's SMTP server to send the messages just like he uses it to send ANY email from work, and the company claimed that since it wasn't a message they wanted released, he was unlawfully using his work email account to send it.

*Former* employer's email (3, Informative)

AHumbleOpinion (546848) | more than 7 years ago | (#15300603)

Basically, he used the company's SMTP server to send the messages just like he uses it to send ANY email from work

You may have some re-reading to do yourself. It said he used his *former* employer's email server. That most likely is criminal. If he had sent the email from a personal account then he might only face a civil lawsuit for some sort of breach of confidentiality.

Re:*Former* employer's email (1)

ajs318 (655362) | more than 7 years ago | (#15300701)

But the phrase "former employer" is ambiguous because it is not clear whether he had already left their employment at the time when the mail sending occurred.

Re:*Former* employer's email (2, Informative)

Mr. Slippery (47854) | more than 7 years ago | (#15300755)

It said he used his *former* employer's email server. That most likely is criminal.

If I send you e-mail, I'm apparently "accessing" your server within the meaning of the law. If he sent e-mail from a personal account to "customers@formeremployer.com", then there's no hax0ring involved. (And formeremployer.com might want to put some access restrictions on their mailing list, but if the mail goes through when sent through normal channels, ipso facto he's authorized to send it).

Re:C'mon.... (2, Interesting)

russellh (547685) | more than 7 years ago | (#15300460)

Well as the article points out, it is the murky definition of "access" that is troublesome, such as the case where emailing a company was ruled as "unauthorized access" - not only to the company's email server, but to all the computers on the route. This is fear based on ignorance. The trouble is that there are no good analogies to the real world - it's all hidden, it's all geek magic. And of course the juries are composed of mostly regular joes with spyware-ridden computers and who hate the IT guy. And the lawyers, lobbyists, politicians, corporate executives were the ones who stuffed the geeks in the lockers back in school. There is not a lot of money to be made in just letting people do what they want. So there is a bright future for convictions.

Has it not sunk in yet that you simply can't intrude on systems or files without permission, however helpful your intentions? How freaking difficult is that for people to grasp?

I admire your idealism. But you had better keep your head up and pay attention to the motives of the people we are reading about. It has little to do with whether you are doing right or wrong, or "accessing" with or without "permission".

A weak analogy... (0)

Saint Fnordius (456567) | more than 7 years ago | (#15300481)

GREEN: "Mr. White, you shouldn't trust Mr. Brown with your data. The locks on his filing cabinets can be bypassed with a bent paper clip."

WHITE: "That's a stiff accusation. Before I believe you, I'm going to need proof. What evidence do you have?"

GREEN: "Here. I was able to take these files with no problems."

WHITE: "By golly, you're right!" (Runs to take Mr. Brown to task)

BROWN: "Green! How dare you intrude! I'll have you arrested for breaking and entering!"

Been there done that... (0)

Anonymous Coward | more than 7 years ago | (#15300332)

The problem with prosecutors regarding cases pertaining to technology is that, firstly, the prosecution does not understand technology, and secondly, many are trying to make names for themselves, so they're often hell-bent on pressing charges. "Technology is hip"... So it is hip to be the prosecutor who stopped that evil little sixteen-year-old with a 100,000-node botnet. I just slapped together a document on how to break LoJack for Laptops and expect a call any minute now... http://cryptome.org/lojack-hack.pdf [cryptome.org]

Security through Prosecution? (3, Interesting)

Mobster (306973) | more than 7 years ago | (#15300337)

This kind of trend is only gonna end when something catastrophic happens and it's traced back to someone that could have said something but didn't out of fear of losing their job or prosecution. It wouldn't surprise me if the whole FEMA/Katrina fiasco was this kind of situation.

Can a federal law be passed to correct this? Does Congress even care?

Re:Security through Prosecution? (1)

jimicus (737525) | more than 7 years ago | (#15300631)

This kind of trend is only gonna end when something catastrophic happens and it's traced back to someone that could have said something but didn't out of fear of losing their job

The problem with that is that when the catastrophic thing does happen, the person who could have said something will remain quiet out of fear of losing their job.

ISAGN (2, Interesting)

MOtisBeard (693145) | more than 7 years ago | (#15300341)

New technologies often require changes in the law and in the legal system itself, and computer technology is far from being an exception to that. As a society, we really need to have more specific legal definitions of what is and what is not black-hat hacking, defined by people who truly understand the technology... namely, white-hat hackers. Until this happens, we will continue to see people unjustly prosecuted for pointing out their local emperor's nudity, and we will continue to see nonsensical bills bouncing around Washington, D.C., written by and debated by people who don't understand them and who have no clue what stand to take on them. Senatards and Congresscritters simply are not qualified to make these decisions for us, but they will continue to do so until the ubergeeks get organized into a Congressional subcommittee or something, and take the reins.

Re:ISAGN (1)

91degrees (207121) | more than 7 years ago | (#15300465)

The problem seems to be the judicial system. Did Congress really mean that sending an email without permission should count as unauthorised access to a network? Does it include downloading something onto your employer's computer from the web? It seems unlikely, but courts seem to consider it to be.

Obvious (0, Redundant)

mtenhagen (450608) | more than 7 years ago | (#15300348)

I know plenty of security 'faults' in my employer's system. And I'm obviously not allowed to make these public. I should fix them.

Every ICT project has some flaws which are known to employees but not by the customers. This is just some employee trying to get revenge on his boss.

Re:Obvious (1)

kent_eh (543303) | more than 7 years ago | (#15300729)

I know plenty of security 'faults' in my employer's system. And I'm obviously not allowed to make these public. I should fix them.

Yes, you (the collective you, not necessarily you personally) should fix them.
How many times have these security "faults" been pointed out to management, and the answer has been "we don't have the budget to deal with that right now", or variations on that theme?

Most of us know the "proper" way to do things - the way to do things that makes whatever we are working on more reliable, secure, or fault-tolerant. Unfortunately, in business, there is a trade-off that often has to be made.

Quality - Cost - Speed
Pick 2.

Unfortunately, cost and speed are the two that are easiest to fit on a spreadsheet, and that's how most projects get run in today's business world.

Synopsis kind of misleading. (5, Informative)

Anonymous Coward | more than 7 years ago | (#15300359)

I saw this, and was all ready to ask questions to the submitter, as I saw the line "I represented him on appeal". Read that whole synopsis once again. Doesn't it look like the submitter is the one doing the talking?

Next, click the link... you'll find that it is cut and pasted right out of the article. That generally wouldn't be so bad... but is gsch "Jennifer Granick"? If not, the quote should be phrased in a way that makes this evident, in cases where there is first-person content in the quote.

Call it grammar nazism, but for very obvious reasons, the synopsis as it currently reads is misleading... if one wanted to be a dick about it, they could say that it even seems like this person is masquerading as the defendant's attorney. I won't go that far, but the point is made.

Re:Synopsis kind of misleading. (1)

numatrix (242325) | more than 7 years ago | (#15300779)

No grammar nazism involved at all -- I wondered that myself. Jennifer probably is on Slashdot, and I'm sure she doesn't mind her Wired articles being quoted, but I did wonder who exactly this "gsch" feller is who appears to be masquerading as her with some really crappy blog that has nothing to do with Jennifer's actual homepage [granick.com].

First Amendment? (1)

the_Bionic_lemming (446569) | more than 7 years ago | (#15300363)

What does the First Amendment have to do with the private sector?

Re:First Amendment? (1)

tomstdenis (446163) | more than 7 years ago | (#15300396)

Didn't you know? It allows you to break all sorts of civil law so long as the truthiness is intact.

There are "whistleblower" statutes which basically involve stuff of public good that won't otherwise come out [e.g. insecure banking, pills that are unsafe, etc].

I won't pretend to know the facts of the case. Just chiming in to say Free Kevin!

Tom

Re:First Amendment? (0)

Anonymous Coward | more than 7 years ago | (#15300445)

No, there are whistleblower laws and defenses to certain civil crimes that involve the fact something is the truth. It has nothing to do with the first amendment, which only protects you from government sanction for your speech.

Re:First Amendment? (1)

the_Bionic_lemming (446569) | more than 7 years ago | (#15300459)

I don't think "whistleblower" applies here; there was no illegal activity, but there is a tinge of "get-even-ism" reeking from his actions.

Nevertheless - if a NDA was signed then he'd be totally in the wrong.

Re:First Amendment? (1)

the_Bionic_lemming (446569) | more than 7 years ago | (#15300492)

Whistleblower
Yep, whistleblower does not apply - he never alerted the government/state, nor was he fired for his revelations, nor was what was going on meriting the need to reveal, since (sadly) some places rely on security through obscurity.

Re:First Amendment? (1)

Rob T Firefly (844560) | more than 7 years ago | (#15300424)

What does the First Amendment have to do with the private sector?

Quite a lot, assuming it's the American private sector. IANAL, but as I understand it a company may be able to fire or seek civil charges against an employee who leaks private info, and things get more complex if things like contracts or nondisclosure agreements are thrown into the mix, but they aren't normally able to ship him off to prison.

Re:First Amendment? (0)

Anonymous Coward | more than 7 years ago | (#15300429)

I had that same question. It's always been my understanding that the Constitution governs relations between the government and its citizens, and nothing else. If I want to keep white supremacists from distributing literature in my store, for example, then I can, and the First Amendment wouldn't apply.

Given that the attorney for the defense wrote TFA, either you and I are wrong or somebody needs to go back to law school and retake Constitutional Law.

Re:First Amendment? (1)

KarmaMB84 (743001) | more than 7 years ago | (#15300549)

You can make them leave or sue them for trespass if they don't leave, but the distribution of literature is 100% lawful. The first amendment says that Congress (and later applied to all federal and state government) may pass no law abridging freedom of speech and press. This means a law allowing other entities to sue you based on something you said will have to tread lightly and will often err on the side of free speech. More often than not, you'd have to have broken another law to obtain the material you leaked in order to be sued for the leak. The broken law here is supposedly unauthorized access.

Re:First Amendment? (2, Insightful)

geoffspear (692508) | more than 7 years ago | (#15300435)

The case was a criminal prosecution.

That said, I wouldn't want to hire a lawyer who thinks that the 1st Amendment is likely to be interpreted by any court as protecting speech that reveals "secret" information, especially if it's done by breaking into a computer system in the process.

The fact that the charges were later vacated by the prosecution might indicate that they didn't really have a case, but I don't think the 1st Amendment is likely to be the reason why.

Re:First Amendment? (1)

bigdavex (155746) | more than 7 years ago | (#15300449)


What does the first Amendment have to do with the private sector?

Contrary to what you might think, the government runs the jails.

Re:First Amendment? (1)

AHumbleOpinion (546848) | more than 7 years ago | (#15300668)

"What does the first Amendment have to do with the private sector?"

Contrary to what you might think, the government runs the jails.

Contrary to what you think, the first amendment is about free speech, not free access to someone else's private server and private email lists.

Contrary to what you think, the government employees who run the jail check your conviction status; they do not evaluate your arguments of constitutional rights. The latter would be done by an appeals court while your butt was in jail, unless you were fortunate enough to have your sentence delayed and receive bail pending the appeal.

Congrats! (2, Interesting)

DamienMcKenna (181101) | more than 7 years ago | (#15300382)

Just a quick word of congratulations to Mr McDanel and yourself, finally some common sense rears its head in this case.

Solution? (2, Insightful)

Uncle Rummy (943608) | more than 7 years ago | (#15300393)

FTA:

A third [solution] might be to define unlawful access as the circumvention of some kind of security measure.

I'm not so sure about this one. After all, we're talking specifically about criminal liability for researchers who demonstrate that the security of a system is broken. Criminalizing the circumvention of security is exactly the problem many people have with laws such as the DMCA.

Re:Solution? (1)

geoffspear (692508) | more than 7 years ago | (#15300502)

Criminalizing the circumvention of security is exactly the problem many people have with laws such as the DMCA.

I thought the problem people had with the DMCA was that it prevents consumers from exercising rights (fair use copying) over content that they would have if they purchased it in an older, non-DRMed format without breaking the law.

I'd think that very few people would be opposed to criminalizing circumvention of security per se, in cases where there wasn't assumed to be some underlying right to do whatever the security is preventing you from doing.

Would you be opposed to criminal penalties for someone who picks the lock on your front door, as long as he doesn't actually come in and steal anything?

Re:Solution? (1)

catman (1412) | more than 7 years ago | (#15300589)

Would you be opposed to criminal penalties for someone who picks the lock on your front door, as long as he doesn't actually come in and steal anything?

The DMCA criminalizes the equivalent of picking the lock on your own house, or having a locksmith do it for you.

Re:Solution? (1)

geoffspear (692508) | more than 7 years ago | (#15300715)

That was exactly my point. The problem isn't with laws that make it illegal to circumvent security, but with those that make it illegal to do something you have a right to do in the first place (like enter your own home or format shift some copyrighted content for your own use) because there happens to be some form of security-breaking involved in the process.

Laws against breaking someone else's security to do something you wouldn't be allowed to do even if there was no security apparatus in place aren't really susceptible to the some sort of objections.

Re:Solution? (0)

Anonymous Coward | more than 7 years ago | (#15300758)

The DMCA criminalizes the equivalent of picking the lock on your own house

The DMCA does not outlaw circumvention. It outlaws distributing tools for circumvention. Just like it's legal to pick the locks on your home, but not legal to buy lock picks (without a license in most states).

Of two minds (3, Interesting)

Billosaur (927319) | more than 7 years ago | (#15300403)

The McCarty prosecution, brought by the same office that so egregiously mishandled the McDanel incident, is in the same vein. As with Puffer and McDanel, the government will have to prove not only that McCarty accessed the school system without authorization, but also that he had some kind of criminal intent.

Likely, they will point to the fact that McCarty copied some applicant records. "It wasn't that he could access the database and showed that it could be bypassed," Michael Zweiback, an assistant attorney for the Department of Justice's cybercrime and intellectual property crimes section, told the SecurityFocus reporter. "He went beyond that and gained additional information regarding the personal records of the applicant."

But if he wanted to reveal USC's security gaffe, it's not clear what else he could have done. He had to get a sampling of the exposed records to prove that his claims were true. SecurityFocus reported that USC administrators initially claimed that only two database records were exposed, and only acknowledged that the entire database was threatened after additional records were shown to them.

Ok, so there are two ways to look at this:

  1. He did commit a crime. He broke their security, using a known flaw. Happens all the time to anyone running Windows when some virus or Trojan uses a known exploit to mess around with data on your PC. They're guilty, mainly for then using your PC for other nefarious purposes. This argument is weak because all he did was reveal the information to a reporter, and while that's a dubious move at best, it really ended up in little harm.
  2. He didn't commit a crime. He exposed a major college's security lapse and did something with that knowledge that allowed the problem to be solved. I don't agree with his methods -- it would have been far easier to simply go to USC, tell them of the flaw, and then leave them to their own devices. Knowing USC, they would have hemmed and hawed, until some enterprising hacker, out for a little fun, discovered the flaw and did more than steal the records of seven people. He probably felt that this needed to be publicized to force USC's hand, but I still think that smacks of lack of common sense.

I doubt a jury will convict him, though, this being a technical argument mainly and a computer crime, any jury they seat is bound to wind up confused and the best the prosecution can hope is that someone on the jury will have enough savvy to explain it to the others. Or they may convict him for being a wily, young whippersnapper. Who knows?

3rd party disclosure may be a factor. (2, Insightful)

Technician (215283) | more than 7 years ago | (#15300417)

The thing that may have raised eyebrows is he found a fault and sent the information to a 3rd party who then contacted the owner. The owner then checked logs to find out who breached the system.

If he found the problem and contacted them directly they may have been more willing to patch and say thanks.

Re:3rd party disclosure may be a factor. (1)

rockhome (97505) | more than 7 years ago | (#15300524)

That's a good point. In the "precedent" cited by the author, the defendant demonstrated a security flaw to the owner of the system, not to a third party. In this case, the defendant discovered the flaw, and rather than notify his employer and work towards fixing the problem, he went straight to a third party.

The guy was basically looking for an ego boost. He figured he could get his name in the paper and look like a hero. In the end, he essentially gave away personal information on applicants without ever notifying his employer.

Stop using security as a shield! (2, Insightful)

Anonymous Coward | more than 7 years ago | (#15300426)

After reading tfa it seems that the McDanel case is different from the other two in one very important way: intent.

- McCarty notified security professionals about the issue.

- Puffer notified the system owner/operator of the security issues.

- McDanel notified the customers of his former employer.

TFA does not go into detail as to why McDanel was no longer employed by the company, but it's not a huge leap to assume that he did not leave willingly. Was he really concerned about the information security of the customers he contacted or was he more interested in causing damage to his former employer? Did he notify his company of the security issues before he left?

Nice writeup, wrong headline (1)

harvey_peterson (658039) | more than 7 years ago | (#15300438)

This isn't about pointing out security flaws. McCarty was sued for accessing data in his former employer's email system.

An important detail seems to be missing (5, Insightful)

MikeRT (947531) | more than 7 years ago | (#15300454)

Did the guy do this after he quit his job? If he emailed the customers using a company server after he left, I can see the company having a legitimate case. Another thing, did he bring these problems up to management and get the ball rolling on a fix or did he just drop the bomb on his employer after he left? There have been enough guys on Slashdot who seem innocent on the surface that I'm now hesitant to not believe there may be some malfeasance on the guy's part.

If he quit his job and then emailed the customers on his own time/equipment with a polite notice saying that he used to work for them and wanted to alert them to problems that management refused to fix, that could cause substantial harm to the clients, I seriously don't think a judge would have given his former employer the time of day.

Consequences of vacating the conviction? (1)

Mr Z (6791) | more than 7 years ago | (#15300468)

What effect does vacating a conviction like this have on precedent? That is, if the appeal proceeded and the original conviction was overturned, the precedent would clearly side with McDanel, under some legal theory to be articulated in the judgment handed down by the appellate court. But, given that the conviction was vacated, does that mean the case sets no precedent whatsoever? How does this work?

(It should be clear IANAL.)

--Joe

Re:Consequences of vacating the conviction? (1)

geoffspear (692508) | more than 7 years ago | (#15300540)

Legal precedents are only made by actual court opinions. Some random prosecutor can't create precedent by his choice of whether to prosecute a case, or our entire legal system would be (even more than it is) hopelessly broken.

If someone convicted of murder appeals, and before the appeal is heard the prosecutor becomes aware of new evidence that exonerates the defendant and moves to vacate the conviction, do you think that all future murders in the relevant jurisdiction should suddenly become legal?

Re:Consequences of vacating the conviction? (1)

Mr Z (6791) | more than 7 years ago | (#15300638)

If someone convicted of murder appeals, and before the appeal is heard the prosecutor becomes aware of new evidence that exonerates the defendant and moves to vacate the conviction, do you think that all future murders in the relevant jurisdiction should suddenly become legal?

Oh, certainly not! But what happens to any precedent established by the initial conviction? Does that evaporate, or does it remain based on the merits of the case and available evidence at the time it was decided?

The reason I raise the question is that one possible motivation for vacating a conviction is that it doesn't set the precedent you want, or that it establishes the precedent weakly and you'd prefer a stronger case to underpin it. I suspect the latter was the motivation here.

--Joe

Re:Consequences of vacating the conviction? (1)

geoffspear (692508) | more than 7 years ago | (#15300688)

Convictions don't set precedents at all. Your worry about prosecutors getting convictions vacated based on what precedents they might set is completely groundless, and you can rest assured that the motivation behind vacating this sentence had nothing to do with it.

Re:Consequences of vacating the conviction? (1)

Mr Z (6791) | more than 7 years ago | (#15300745)

Convictions don't set precedents? I thought that was the basis of common law. [wikipedia.org] Are you saying precedents only apply in civil proceedings?

--Joe

First Amendment.? (3, Interesting)

Frankie70 (803801) | more than 7 years ago | (#15300470)

Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal

Thank god, the prosecution did not defend the action on appeal, because the defendant seems to have been represented by someone who doesn't seem to know that the 1st amendment isn't relevant here.

First Amendment (1)

Rydia (556444) | more than 7 years ago | (#15300521)

The first amendment only applies to government actors. Private corporations deal with an extraconstitutional "wrongful discharge" statute which is far weaker.

Re:First Amendment (1)

Rydia (556444) | more than 7 years ago | (#15300535)

Okay, since I know people are going to jump on the ambiguity, there's nothing in the constitution that protects you from speech that harms other people, depending on the circumstances. It's all insanely complicated, and I find all the first-amendment waving ridiculous. There have only been two absolutist justices in the history of the Supreme Court. It's not a magic bullet.

We're living in the Age (4, Insightful)

Black Parrot (19622) | more than 7 years ago | (#15300544)

of Shoot the Messenger.

That seems to be the only solution businesses and politicians can come up with for their self-caused problems anymore.

Contacting the customers was the wrong move (0)

Anonymous Coward | more than 7 years ago | (#15300558)

Contacting the customers directly was his wrong move. Rather, he should have reported the security bugs to an acknowledged security list which would have (a) Reported the bugs on his behalf if he needed to be anonymous, (b) Given the company a reasonable timeframe to fix the bugs before disclosure, (c) Disclosed the bugs widely if they weren't fixed or near fixed by the due date.

As it is, he just came out looking like a disgruntled ex-employee who used commercial in confidence information to harm the company as much as possible by poisoning its relationship with its customers.

Don't Get Involved in Anything (0)

Anonymous Coward | more than 7 years ago | (#15300612)

Years ago I reported my neighbor down the street's car tires being slashed to the police and became the prime suspect. Now if I see anything I don't report it to the police or neighbors. There was a case in Idaho where a Doctor stopped to help numerous victims in a car accident and then was criminally charged; it was later dismissed, costing him $50,000 in criminal defense attorney fees. He also was sued by the family members of the accident victims, and his insurance company settled out of court with them.

Don't get involved in any police, fire, medical or rescue situation unless you want to introduce grief in your life. If your computer security sucks it isn't my problem.

Bret McDanel's reaction (1)

Chris Pimlott (16212) | more than 7 years ago | (#15300616)

When asked about the unexpected vacation, Bret McDanel said "It was all I ever wanted," then excused himself, saying he had to "get away". When asked what he meant by this, he indicated his desire to have some time spent alone.

At the risk of repeating myself... (1)

Opportunist (166417) | more than 7 years ago | (#15300630)

Those who can, do.
Those who can't, sue.

Is it me or does this become more and more common? As soon as someone's not doing what a company would like him to do, he's slapped some trial on his back, hoping that he'll either back down or that a company (with quite some funds) can easily get a better lawyer than Joe Average.

Another often repeated phrase I use: There is no technical solution for a social problem. In this case, there is no legal solution for a technical one. Shutting people up does not create more security, it just means nobody dares to talk about it anymore.

So, now mod me redundant.

Re:At the risk of repeating myself... (1)

Pichu0102 (916292) | more than 7 years ago | (#15300738)

Actually, there's a term for this, and it's illegal in some places. It's called SLAPP [wikipedia.org], and it's generally abuse of the legal system to shut someone up.
You can't exactly have free speech when in fear of someone suing you for doing so, and companies know and exploit this to their advantage.

The only thing broken here.... (2, Interesting)

Asklepius M.D. (877835) | more than 7 years ago | (#15300640)

was somebody's pride. This "form over function" thing is starting to get out of hand both in the gov't and in the private sectors. True story: I once took a military medical course that was teaching information many years out of date. Using the appropriate forms, I submitted detailed critiques complete with sources and references. Rather than fix the problem, I was called on the carpet and ordered to stop submitting critiques because they "questioned the integrity of the course." This strikes me as very similar to "They even claimed the integrity of the system was impaired..." Yes Virginia, that's exactly what we're doing! You can't fix it if you don't admit it's broken.

It's like the full disclosure question (5, Interesting)

elronxenu (117773) | more than 7 years ago | (#15300660)

Without taking any sides on the matter of full disclosure, there are interesting parallels with the quoted cases.

Full disclosure: if I find a bug in, say, Windows, should I

  • Report it to Microsoft?
  • Announce it to the world?
  • Report it to CERT?
  • Send details to Oracle?

If I find a bug in USC's website, should I

  • Report it to the USC administrators?
  • Announce it to the world?
  • Report it to SecurityFocus?
  • Send it to MIT?

If I find a bug in my employer's systems, should I

  • Report it to my employer?
  • Announce it to the world?
  • Report it to CERT?
  • Send it to my employer's competitors?

Enquiring minds wish to know ...

It makes sense to me (1)

wjcofkc (964165) | more than 7 years ago | (#15300706)

I mean think about it. Prosecuting this case at all was a dumb move. The company only managed to draw attention to itself as a vendor of insecure software. The only company that can get away with that is MS.

So the appeal continued the bad publicity, the company wised up and dropped the case to put a stop to it before losing anymore customers.

"I represented him on appeal" (0)

Anonymous Coward | more than 7 years ago | (#15300707)

Is gsch Jenifer Granick? Why no.

Hard job, copying and pasting, isn't it?

Jury Trial (1)

tyler_larson (558763) | more than 7 years ago | (#15300717)

There seems to be a pattern. Of the cases like this that I am aware of (there have been quite a few), those whose case is decided by a jury seem to always be acquitted. Those tried by a judge don't always fare so well.

The issue here, I think, is that the security researcher is working for the benefit of the common person at the expense of the company. The members of the jury see themselves as that common person, and don't relate so well to the company. The judge, on the other hand, tries to be more "impartial" and is more likely to rule in favor of the company at the people's expense.

First amendment? (1)

AviLazar (741826) | more than 7 years ago | (#15300719)

Notwithstanding the First Amendment's free speech guarantees

When you have NDAs and TOAs that specify what is allowed on a system that does not belong to you, you are forfeiting your 1st Amendment right to access the system. This guy did not need to access that system to live. He broke into a private system.

Re:First amendment? (4, Interesting)

cdrguru (88047) | more than 7 years ago | (#15300790)

The First Amendment refers to the government's ability to pass laws to restrict speech. It has limited effect on states, cities, villages and other municipalities.

It has no effect on companies, contract law, or anything else.

There is no "first amendment right to access the system". Period. You do not have any rights at all - you have privileges that the operator of the system gives you. And these can be revoked at any time. Without cause or explanation.

Yes, that means AOL can cancel your account without telling you why.

Yes, that means when your employer says not to do something and you do it anyway you are exposing yourself to consequences. Sometimes legal consequences in addition to just getting fired.

My experience with an ASP (5, Interesting)

joshv (13017) | more than 7 years ago | (#15300757)

When working for a company I shall not name, we used an ASP for our recruiting software, which company I will also decline to name. This software had a document upload functionality that would allow clients to upload offer letters and such. In troubleshooting an issue with our company's uploads we found it was quite easy to browse to other clients' uploads by changing a client ID in a URL. Granted, you had to login to the system to be able to access this URL, but once logged in, there were apparently no security restrictions across clients. We had free access to the offer letters, job applications, any document having to do with the recruiting and hiring process, of other companies - some of them very big names.

Did we do anything about it? Nope. We ignored it. I didn't even bring it up to our managers. Why? Because in documenting the issue we would have most certainly violated the licensing agreement, and a good argument could be made (especially in light of judgements like the one in the article) that we were conducting criminal computer trespass by changing the URL to knowingly access another client's repository. As stupid as that sounds, I was not willing to risk my job, or prison time, when I knew there were probably 15 other such security issues in the product, and my blowing the whistle on this one wasn't going to fix what was essentially a very crappy product.
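The bug joshv describes above (any logged-in user of one client can read another client's repository by editing the client ID in the URL) is an insecure direct object reference: the server authenticates the login but never checks that the tenant named in the URL is the tenant the login belongs to. The following is an added example, not code from the post or from the unnamed ASP: a minimal model of that handler beside a hardened version where the tenant is bound to the server-side session. The URL layout `/clients/<id>/docs/<id>`, the tenant names and the documents are all constructed for illustration; the post only says that a client ID sat in the URL.

```python
"""Insecure direct object reference (IDOR) across tenants, and the fix.

Added example; not the ASP's code. Data and URL layout are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample data (not real records): two tenants' recruiting documents,
# keyed by client id, as the hosted repository might store them.
DOCUMENTS = {
    "acme":   {"offer-1": "Offer letter: A. Applicant, Acme Corp"},
    "globex": {"offer-7": "Offer letter: B. Applicant, Globex"},
}

# Hypothetical URL layout carrying the client id, as the post describes.
DOC_PATH = re.compile(r"^/clients/(?P<client>[^/]+)/docs/(?P<doc>[^/]+)$")


@dataclass(frozen=True)
class Session:
    """Server-side login state. client_id is the tenant the account belongs to."""
    user: str
    client_id: str


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def vulnerable_handler(session: Optional[Session], path: str) -> str:
    """Authentication only: any logged-in user may read any tenant's folder.
    The client id is taken straight from the URL, which is the bug."""
    if session is None:
        raise Forbidden("login required")
    m = DOC_PATH.match(path)
    if not m:
        raise NotFound(path)
    try:
        return DOCUMENTS[m["client"]][m["doc"]]   # trusts the URL's client segment
    except KeyError:
        raise NotFound(path) from None


def hardened_handler(session: Optional[Session], path: str) -> str:
    """Authorization added: the tenant comes from the session, never the URL."""
    if session is None:
        raise Forbidden("login required")
    m = DOC_PATH.match(path)
    if not m:
        raise NotFound(path)
    # A URL whose client segment disagrees with the logged-in tenant is answered
    # as 404 rather than 403, so the other tenant's ids are not confirmed.
    if m["client"] != session.client_id:
        raise NotFound(path)
    doc = DOCUMENTS.get(session.client_id, {}).get(m["doc"])
    if doc is None:
        raise NotFound(path)
    return doc


Handler = Callable[[Optional[Session], str], str]


def try_read(handler: Handler, session: Optional[Session], path: str) -> str:
    """Run a handler and fold the outcome into one string for easy comparison."""
    try:
        return handler(session, path)
    except Forbidden:
        return "<forbidden>"
    except NotFound:
        return "<not found>"


def leaks_across_tenants(handler: Handler) -> bool:
    """Regression check: can an Acme login read a Globex document by editing the URL?"""
    acme_user = Session("carol", "acme")
    result = try_read(handler, acme_user, "/clients/globex/docs/offer-7")
    return result not in ("<forbidden>", "<not found>")


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        print(f"{name}: cross-tenant leak = {leaks_across_tenants(handler)}")
```

The `leaks_across_tenants` probe is the kind of check that could have been filed as a test case rather than a bug report: it exercises exactly the URL edit from the post, and a tenant-scoped lookup makes it fail closed without the caller ever seeing whether the other tenant's document id exists.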

This is a problem with the "security" field (1, Interesting)

Anonymous Coward | more than 7 years ago | (#15300781)

There is no code of ethics.


You have kids trying to "make a name" by breaking things. You have companies [idefense.com] paying these kids to find vulnerabilities, I've heard that there is a 6-figure type bounty on certain specific vulnerabilities. At the same time you have big corporations that are taking a beating in the media because vulnerabilities are disclosed before they have time to react; you also have big corporations being told about problems (whether or not it is through proper channels remains to be seen, I don't expect that the new Windows bug is going to get fixed when you tell MS Sales about it.) You have security companies like eEye publishing every vulnerability they can find to give their company some "street cred." You have companies like Foundstone (now Symantec) pirating software [governmentsecurity.org] to search for holes in it. There is this whole rationalization in the "hacker community" that they are somehow doing the software vendors favors by finding the stuff; so just randomly port scanning hosts is really "research," huh? Despite your lack of any publishing, education and any agreements with anybody that you're "researching" on? You have frauds like Steve Gibson saying that big corporations are putting backdoors in to code on purpose [thisweekintech.com]. You have opensource tools changing their license [nessus.org] and close sourcing because of companies that are simply packaging their work and charging a lot of money for it; who can blame them? There are companies [immunitysec.com] that now sell exploits [gleg.net] and "0days." You have a whole OS [openbsd.org] "designed" around security, yet they cannot publish any of the changes they've actually made and explain why they have made them (come on guys, this would be a best seller of a book, just lists of code, this is the bug, this is why it's a bug, this is how we fixed it...) At the same time, I don't want Apple and MS pushing out patches minutes after they hear about things, I want the code QAed.


Now the lawyers are getting involved. We need to check ourselves as an industry. We are a stones throw away from developers being held responsible for damages caused by software, there are already people in favor of that. Just stop and think about that. There is no union, there is no protection for the worker here, we're held in contempt at a lot of places, because of the highly paid prima donnas jerking around writing shitty code. It will only get worse right now.


It's a sort of hot area right now, the feds are spending money. You can't be involved with software or networking and not have some kind of concern for security. This may sound old fashioned but to get a cert, whatever certs the security world wants to embrace, there should be an oath that encourages security always, encourages openness, discourages black market tactics for trading viruses and exploits, discourages this whole notion of "black magic," and discourages profiting from secrecy regarding security. I'd even go one better and add to the oath that there should be a certain and accepted public disclosure process for when a vulnerability is found in a network or application, the owner is told and then after 90 days the whole world is told, all of the time. I know of companies that have found problems in networks and then extorted money for information regarding them. That's just wrong and that should be criminal.


There are no security best practices, not in any formal sense. You can pull 100 consultants or CISSPs off the street and you'll get 100 different sets of things you should and shouldn't do. We need to formalize the discipline. We need to encourage practices during the writing of software and construction of networks for security. Basically, very few players in the game are legitimately working to advance the industry and the state-of-the-art, most are profiteers.
