Forgot your password?
typodupeerror

Busting People for Pointing Out Security Flaws 350

Posted by Hemos
gsch writes "'In 2004, Bret McDanel was convicted of violating section 1030 when he e-mailed truthful information about a security problem to the customers of his former employer. The prosecution argued that McDanel had accessed the company e-mail server by sending the messages, and that the access was unauthorized within the meaning of the law because the company didn't want this information distributed. They even claimed the integrity of the system was impaired because a lot more people (customers) now knew that the system was insecure. Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal, and argued that reporting on security flaws doesn't impair the integrity of computer systems. In an extremely unusual turn of events, the prosecution did not defend its actions, but voluntarily moved to vacate the conviction.'"
This discussion has been archived. No new comments can be posted.

Busting People for Pointing Out Security Flaws

Comments Filter:
  • by eldavojohn (898314) * <eldavojohn@gmFREEBSDail.com minus bsd> on Wednesday May 10, 2006 @09:09AM (#15300268) Journal
    If I were a customer of a company that had the mentality "anyone that helped developed the code is a threat to its security" then I would find another vendor--and fast!

    There are practices and standards for developing secure code. If your programmers follow these, then even their knowledge of the source shouldn't matter if they go rogue or want to have fun in their free time. Look at Linux. An operating system used by millions and every hacker in the world can get their hands on the source code. Why don't we see many viruses for Linux? Because it was implemented well. Perhaps companies should start to realize that if they produce code for Win32 applications, they're going to have to resort to the same tactics that Microsoft uses: Don't let the source code out or its true flaws will be revealed and exploited!

    For the consumers of these companies, be wary that your product is only as secure as the company's relationship with its developers--kind of scary considering they're keeping them quiet via threat of lawsuit.
    • by fabs64 (657132)
      It is a fact that programs get released with known bugs, it's actually an economic certainty for commercial programs.
      It is a SAD fact, that some of these known bugs are security vulnerabilities, one would hope that security bugs top the priority list but they do not, useability most often comes first.
      • by Splab (574204)
        Since the customer is always right, the customer has to know what security problems means - and why he/she should care.

        In my experience, moveing a piece of graphics one pixel has way more priority for a customer than to fix an SQL injection problem, and since the company developing the software gets money for moving the graphics around, but not for fixing the bug - guess what I'm being told to do...
      • by blincoln (592401) on Wednesday May 10, 2006 @11:55AM (#15301489) Homepage Journal
        It is a fact that programs get released with known bugs, it's actually an economic certainty for commercial programs.

        Bugs are going to happen. Incompetent design doesn't have to.

        There is an expensive (~$3000 license per machine) "enterprise" product that we use throughout the company. It needs to store usernames and passwords with reversible encryption. In the first version we deployed, the encryption was a substitution cipher - literally the level of "security" you'd get from a cereal box spy ring. We complained to the vendor. The next version used a one-time pad that was the same for every password on every machine where the software was installed in the world. I wrote a script that generated a decoding table in a few hours, and I'm not even a cryptography geek. We complained again, and they changed it to something that at least *appears* reasonably secure, I haven't had time to look into it.

        Even assuming it is decent this time, why did it take so long for them to do? Encryption isn't a new field. There were plenty of algorithms they could have used from the beginning instead of re-inventing ciphers from centuries ago.
    • by QuantumG (50515)
      Meh. If I you don't demand source you should expect security flaws.
      • Meh. If I you don't demand source you should expect security flaws.

        I've got some bad news for you: Linux, FreeBSD, GNOME, KDE, OpenOffice, Firefox, pretty much every large app & library all have security flaws.
        • by HTH NE1 (675604) on Wednesday May 10, 2006 @11:28AM (#15301244)
          He said, "If... you don't".

          But I'll say, if you do demand source you should be able to find and fix any security flaws yourself and report them for the benefit of those who can't and/or don't.

          Fixing flaws will always be faster for open source users because users can be doing it for themselves, and they'll be found faster too since you'll have more users proactively looking for and fixing flaws than a closed source company will (waste of manpower better tasked to adding new features and enhancements (i.e. future profits)).
    • Why don't we see many viruses for Linux?

      While I think that implementation may have a little to do with it, I think the driving factor is that Linux has no where close to the user base that Windows does.

      The purpose of many of these viruses is to create a large botnet. That's alot easier to do when you targt an OS aimed at the everyman computer user who lacks sophisticated understanding of his box and how to maintain it. Linux on the other hand has no where close to the user base spread across so many differe
      • It is partially a numbers game. However, if linux systems (or any unix system) had easily exploited security flaws then there would be huge numbers of worms and viruses targetting those systems that are out there. If nothing else they would be excellent platforms to launch attacks on the huge numbers of windows systems.

        The real reason you don't see that many viruses or worms directed at linux systems is that the concept of least privilege was implemented at the start. Unlike most windows systems whic
        • by Y2 (733949)

          The real reason you don't see that many viruses or worms directed at linux systems is that the concept of least privilege was implemented at the start.

          No it wasn't. And it still hasn't been.

          Certainly it has a concept of "less than full privilege," and that was there from the start, having been copied from earlier systems. Windows has this concept also, but it's perhaps more honored in the breach than the observance. However, my email client, my video player, and my web browser still run with the full

          • by A.Gideon (136581)
            However, my email client, my video player, and my web browser still run with the full privilege of my user account, when something less would be sufficient.

            This is important, as many forms of malware (including that needed to build a 'bot) can be implemented w/o the requirement of root/superuser access. While the OS protecting itself is a Good Thing, this doesn't do anything to protect the computer itself against abuse (or to protect the Internet against abuse of this computer).

            This is a fact too often mis
      • by Akoma The Immortal (36474) <pascal@ a b e s solo.com> on Wednesday May 10, 2006 @10:05AM (#15300645) Homepage
        Right. So all those web servers with apache, running linux account for how much % of the web (60,65,70 I dont know, check netcraft).

        Image the botnet you can have if you can manage to compromise all of them, silently sending data, doing damages.

        Numbers, numbers you said.

        Try again.
        • Well, I hardly think that the people maintaining web servers are technical idiots. SO targeting a set of systems that are constantly monitored and maintained by people who are generally neurotic about it isn't exactly the most vulnerable group for creating botnets is it? The home users are.

          Thanks for playing.
          • by lordkuri (514498)
            Well, I hardly think that the people maintaining web servers are technical idiots.

            I've been in the webhosting industry for about 6 years... you have it quite backwards. Browse through the discussion threads on WebHostingTalk, and you'll see exactly what I mean.

            Granted, a lot of us are very on top of things, but there's also a swarm of 15 year olds that go get a dedicated server, and start up a hosting company with absolutely no clue what an SSH shell even is, let alone how to do anything but click links in
            • While I agree that there are planty of people in the hosting business who are ignorant on how to do it properly, I would also argue that these people at least have a technical proficiency above and beyond the average user.

              I'm not disagreeing with you, and many others here have made very valid points about other factors to viruses and the systems they run on - but I am only really qualified to make statements regarding end user proficiency.

              Taking your statement as true, I still believe that the number of clu
        • by PPGMD (679725) on Wednesday May 10, 2006 @10:53AM (#15300989) Journal
          Numbers is one factor, the administrator is another factor.

          The average home PC is administrated by someone that has no clue about security, while the average Apache admins, knows how to lock down a system, and doesn't use the system for everyday stuff, like viewing e-mails, and running programs randomly downloaded off the internet.

          If we gave Linux machines to the same idiots that run Windows XP machines, you would have botnets, there might not be as many, but they would still be there because many virii are run via social engineering, not via operating system tricks. The dumb user is not something Linux can fix.

          • by Akoma The Immortal (36474) <pascal@ a b e s solo.com> on Wednesday May 10, 2006 @11:33AM (#15301279) Homepage
            Yes. You are right.

            But, (you saw that BUT coming did you :-P), when the social engineered mail bomb or trojan, uses a flaw in the OS to propagate itself, is it the fault of the user, or because of the bad OS design?

            Like when Sasser, or Slammer, so many names I am mixing them up, was runnig wild on the internet, I had a dozen of email containing the trojan paylod and i opened them! thats right I opened them and nothing happen. Why? Because I was smart? No, I wished to make a point to my friend. I used Mozilla on Linux, nothing happen.I used Mozilla on Windows, same result, nada. Did I dared use Outlook? not in a million years. In fact, My wife, who is a computer newbie, use Windows XP has her OS, with full admin rights, because you know some programs just runs better, and has no problem surfing where ever she wants, reading emails from friends, even infected one. She dont use Outlook or IE, that is all I ask of her.

            Anyway all this to say that no matter how competent you are, when your tools are broken, you will be broken. Period.

            Number is factor. Competent user is another factor, and platforms are one more factor to consider.

            P.S: Sorry for my english mistakes. I am a Canadian born french african.

    • kind of scary considering they're keeping them quiet via threat of lawsuit

      But isn't this how a bank keeps its employees quiet about private data, or how a manufacturer keeps its trade secrets (spaghetti sauce recipe, engine tuning secrets, freight routing AI, etc)?

      And why do they have have to? Because relying on personal integrity routinely fails. Don't even start with "if they'd only treat employees fairly, by paying every 21-year-old new hire mid six-figures, a corner office, two months off their fi
  • and? (Score:5, Interesting)

    by schnits0r (633893) * <nathannd@sas[ ]l.net ['kte' in gap]> on Wednesday May 10, 2006 @09:12AM (#15300290) Homepage Journal
    THis happens a lot. My friend used to work for an airline, and he had made comments about weak airline security to his coworkers and boss, and that he was concerned how easy it would be for someone on the inside to disrupt air traffic. They called the transport authority and they have basically black listed him from being at an airport and told him he was lucky they didn't press charges.
    • Re:and? (Score:3, Insightful)

      by Anonymous Coward
      "My friend used to work for an airline, and he had made comments about .. how easy it would be for someone on the inside to disrupt air traffic .."

      I don't suppose you will corroberate this fictional anecdote with the name of the airport and the name and manufacturer of the security system.

      Surely in your country this is cause for a massive class action against the airport.
    • I have a strong suspicion that your "friend's story", with it's heartbreaking tale of the "good employee blacklisted for making safety-minded comments" should be a poster child for internet "you're only hearing one side of the story" arguments, with extra bonus for exaggeration.

      Yes, there are irrational and stupid people throughout the world, but I am guessing that your friend's crime was not simply "making comments about weak airline security to his coworkers and boss", but doing something, saying someth

    • Re:and? (Score:2, Interesting)

      by justthinkit (954982)
      I worked on the Canadian commercial and military Automated Air Traffic Systems (CAATS & MAATS). A co-worker who tested software tracked one particular bug daily to see if it had been fixed yet -- it never was in the year I was there. The major network design problem I inherited and verified was totally denied during my entire stint, but I heard later they switched things to the way that I had advocated. I also heard later that the biggest advocate of the flawed design was married to the top person on
  • Understandable (Score:5, Interesting)

    by BenEnglishAtHome (449670) * on Wednesday May 10, 2006 @09:14AM (#15300307)

    The first impression is that this is really weird. Prosecutors, at least in my neck of the woods, don't give two shits about justice or truth. They just want convictions. Do we actually have a prosecutor somewhere with integrity? How many times has hell frozen over this month?

    Take a minute to think about it, though, and things change. Prosecutors still just want convictions that stand on appeal. In this case, the conviction was eventually going to get tossed, so the prosecution gets to look like a hero by bailing out early.

    As usual, what at first blush appears to be a noble action by a public servant turns out to be self-serving. There is still no chance of a prosecutor having integrity. All is, again, right with the world.

    • Re:Understandable (Score:2, Insightful)

      by ArsenneLupin (766289)
      Prosecutors, at least in my neck of the woods, don't give two shits about justice or truth. They just want convictions.

      Well, that's their fucking job! They represent the accusation, after all.

      I'd be more concerned if the judge just wanted convictions. That's the guy who is supposed to be impartial, not the prosecution.

      • by Saint Fnordius (456567) on Wednesday May 10, 2006 @09:29AM (#15300391) Homepage Journal
        The image a prosecuter wants to project is one of infallibility: if the prosecuter isn't sure himself that the suspect is guilty, then he wouldn't go to trial. The image a prosecutor wants to have is that of a guy that is fair, and doesn't waste time or money prosecuting innocents.

        That said, I think I ought to reiterate that I'm talking about image, not whether the prosecutor is actually fair. Far too many prosecutors are willing to tar innocents rather than admit they nabbed the wrong guy.

        That said, it may be that this prosecutor actually may have learned something, and decided to cut his losses rather than look like a bully working for the company (instead of the public interest). This was a criminal case after all, not a civil lawsuit.
      • It's unethical for a prosecutor to accuse someone who they know is not guilty. I don't think it's their job to get the number of convictions up either - they are supposed to convict the right people. Why should we ask anything less from prosecutors?
      • Point taken... (Score:3, Interesting)

        ...but not completely. There's a saying where I live that the County Prosecutor can get a grand jury to indict a ham sandwich. Any grand jury that doesn't do exactly what the prosecutor wants will find itself the subject of a carefully orchestrated smear campaign, complete with local news stories (planted by guess who) investigating the problem of "runaway grand juries."

        My point is that prosecutors have a lot of power and any public servant with lots of power should always be willing to step outside the

      • Well, that's their fucking job! They represent the accusation, after all.

        I don't know about you, but I prefer that prosecutors are first and foremost concerned with justice. I want the right people convicted and sent to prison, not just the ones that the prosecutors can convict.

        LK
      • It is their job to find the truth of a crime. In practice, it seems that the office is often just a jumping off point for a political career. To meet that goal, the prosecutor needs a high conviction rate.
      • Re:Understandable (Score:5, Informative)

        by ninewands (105734) on Wednesday May 10, 2006 @11:38AM (#15301334)
        Quoth the grandparent:
        Prosecutors, at least in my neck of the woods, don't give two shits about justice or truth. They just want convictions.,/b>


        Quoth the parent:
        Well, that's their fucking job! They represent the accusation, after all.

        Errrmmmm ... actually no. The prosecutor represents the State, not the complainant, who is merely an accusing witness. The prosecutor has NO obligation whatsoever to the victim of a crime. His/her obligation is to represent the peace and dignity of the State and to seek justice.

        Quoted from the Texas Disciplinary Rules of Professional Conduct:
        (Tex. Disciplinary R. Prof. Conduct, (1989) reprinted in Tex. Govt Code Ann., tit. 2, subtit. G, app. (Vernon Supp. 1995)(State Bar Rules art X [[section]]9))

        3.09 Special Responsibilities of a Prosecutor

                The prosecutor in a criminal case shall:

                (a) refrain from prosecuting or threatening to prosecute a charge that the prosecutor knows is not supported by probable cause;

                (b) refrain from conducting or assisting in a custodial interrogation of an accused unless the prosecutor has made reasonable efforts to be assured that the accused has been advised of any right to, and the procedure for obtaining, counsel and has been given reasonable opportunity to obtain counsel;

                (c) not initiate or encourage efforts to obtain from an unrepresented accused a waiver of important pre-trial, trial or post-trial rights;

                (d) make timely disclosure to the defense of all evidence or information known to the prosecutor that tends to negate the guilt of the accused or mitigates the offense, and, in connection with sentencing, disclose to the defense and to the tribunal all unprivileged mitigating information known to the prosecutor, except when the prosecutor is relieved of this responsibility by a protective order of the tribunal; and

                (e) exercise reasonable care to prevent persons employed or controlled by the prosecutor in a criminal case from making an extrajudicial statement that the prosecutor would be prohibited from making under Rule 3.07.

                Comment:

                Source and Scope of Obligations

                1. A prosecutor has the responsibility to see that justice is done, and not simply to be an advocate. This responsibility carries with it a number of specific obligations(emphasis added). Among these is to see that no person is threatened with or subjected to the rigors of a criminal prosecution without good cause. See paragraph (a). In addition a prosecutor should not initiate or exploit any violation of a suspects right to counsel, nor should he initiate or encourage efforts to obtain waivers of important pre-trial, trial, or post-trial rights from unrepresented persons. See paragraphs (b) and (c). In addition, a prosecutor is obliged to see that the defendant is accorded procedural justice, that the defendants guilt is decided upon the basis of sufficient evidence, and that any sentence imposed is based on all unprivileged information known to the prosecutor. See paragraph (d). Finally, a prosecutor is obliged by this rule to take reasonable measures to see that persons employed or controlled by him refrain from making extrajudicial statements that are prejudicial to the accused. See paragraph (e) and Rule 3.07. See also Rule 3.03(a)(3), governing ex parte proceedings, among which grand jury proceedings are included. Applicable law may require other measures by the prosecutor and knowing disregard of those obligations or a systematic abuse of prosecutorial discretion could constitute a violation of Rule 8.04.
        <END of quoted material>

        Almost every state has the same, or similar rules, in place, as does the federal court system. Care to try again, ArsenneLupin?

        Oh, and while we are on the subject IAAL I just don't practice law.
    • Re:Understandable (Score:3, Informative)

      by SatanicPuppy (611928)
      A lot of the time it's not the same prosecutor, so the integrity of one is not necessarily the integrity of the other.

      Additionally, this sort of action is morally indefensible, and no doubt the company took a great deal of flack from it's customers over it. It is entirely possible that the company asked the prosecutor to quietly drop charges, so it wouldn't be brought back to the forefront of its customers minds.

      Or it could be that the court district is running out of money, and doesn't want to waste money
      • Additionally, this sort of action is morally indefensible, and no doubt the company took a great deal of flack from it's customers over it.

        A fair point, but do consider this: the impersonal possessive pronoun does not take an apostrophe.

  • Vacation vs. Repeal (Score:5, Interesting)

    by Gallenod (84385) on Wednesday May 10, 2006 @09:16AM (#15300318)
    Vacating the conviction doesn't challenge the law, just the individual action. Looks like the company wanted the publicity from the conviction to reinforce their non-disclosure agreement but didn't want to take the risk that the law would be rolled back later on appeal.

    (IANAL, but my uncle is.)
    • by cdrudge (68377)
      No publicity is bad publicity...or something like that. However, if I were a company executive, I'm not sure if I would like my company being in the news because I went after a former employee for pointing out a security flaw in my software. It draws attention to the fact that my software had a flaw in it, that our policies aren't keeping confidental information confidental, etc.
  • C'mon.... (Score:5, Insightful)

    by Otter (3800) on Wednesday May 10, 2006 @09:17AM (#15300326) Journal
    Jail time for McDanel is almost certainly excessive, but that doesn't mean that accessing (or hax0ring -- it's not clear what he did) your ex-employer's email server to write to all their customers isn't a stupid idea, let alone that it's a protected First Amendment matter.

    And as long as we're slinging around prissy "Will they ever learn?"s, the other poor victim of persecution, McCarty (what's up with all these Celts?) is a real case of failure to learn. Has it not sunk in yet that you simply can't intrude on systems or files without permission, however helpful your intentions? How freaking difficult is that for people to grasp?

    • Re:C'mon.... (Score:4, Interesting)

      by goldspider (445116) <ardrake79NO@SPAMgmail.com> on Wednesday May 10, 2006 @09:32AM (#15300412) Homepage
      "...however helpful your intentions?"

      I think you mis-spelled "vindictive".

      Afterall, we're talking about a former employee, and considering how far things were taken, it doesn't sound like it was an amicable separation.
    • Re:C'mon.... (Score:3, Interesting)

      by russellh (547685)
      Well as the article points out, it is the murky definition of "access" that is troublesome, such as the case where emailing a company was ruled as "unauthorized access" - not only to the company's email server, but to all the computers on the route. This is fear based on ignorance. The trouble is that there are no good analogies to the real world - it's all hidden, it's all geek magic. And of course the juries are composed of mostly regular joes with spyware-ridden computers and who hate the IT guy. And th
  • by Mobster (306973) on Wednesday May 10, 2006 @09:18AM (#15300337) Homepage
    This kind of trend is only gonna end when something catatrophic happens and it's traced back to someone that could have said something but didn't out of fear of losing their job or prosecution. It wouldn't suprise me if the whole FEMA/Katrina fiasco was this kind of situation.

    Can a federal law be passed to correct this? DOes congress even care?
    • This kind of trend is only gonna end when something catatrophic happens and it's traced back to someone that could have said something but didn't out of fear of losing their job

      The problem with that is that when the catastrophic thing does happen, the person who could have said something will remain quiet out of fear of losing their job.
  • ISAGN (Score:2, Interesting)

    by MOtisBeard (693145)
    New technologies often require changes in the law and in the legal system itself, and computer technology is far from being an exception to that. As a society, we really need to have more specific legal definitions of what is and what is not black-hat hacking, defined by people who truly understand the technology... namely, white-hat hackers. Until this happens, we will continue to see people unjustly prosecuted for pointing out their local emperor's nudity, and we will continue to see nonsensical bills b
  • by Anonymous Coward on Wednesday May 10, 2006 @09:22AM (#15300359)
    I saw this, and was all ready to ask questions to the submitter, as I saw the line "I represented him on appeal". Read that whole synopsis once again. Doesn't it look like the submitter is the one doing the talking?

    Next, click the link... you'll find that it is cut and pasted right out of the article. That generally wouldn't be so bad.... but is gsch "Jennifer Granick"? If not, the quote should be phrased in a way that this is evident, in cases where there is first-person content in the quote.

    Call it grammar nazism, but for very obvious reasons, the synopsis as it currently reads, is misleading... if one wanted to be a dick about it, they could say that it even seems like this person is masquerading as the defendant's attorney. I won't go that far, but the point is made.
    • No grammar nazism involved at all -- I wondered that myself. Jennifer probably is on Slashdot, and I'm sure she doesn't mind her wired articles being quoted, but I did wonder who exactly this "gsch" feller was appears to be masquerading as her with some really crappy blog that has nothing to do with Jennifer's actual homepage [granick.com].
    • Look closely (Score:3, Informative)

      by debest (471937)
      The submission is entirely within quotes. "gsch" simply put in a portion of the article into quotes, and sent it to /. It gets posted with another set of quotes. If you look closely, you will see that there are three little marks around the submitted text, not two (meaning a quote within a quote). Could have been formatted better, though.
  • Congrats! (Score:3, Interesting)

    by DamienMcKenna (181101) <damien@@@mc-kenna...com> on Wednesday May 10, 2006 @09:27AM (#15300382)
    Just a quick word of congratulations to Mr McDanel and yourself, finally some common sense rears its head in this case.
  • Solution? (Score:2, Insightful)

    by Uncle Rummy (943608)
    FTA:

    A third [solution] might be to define unlawful access as the circumvention of some kind of security measure.

    I'm not so sure about this one. After, we're talking specifically about criminal liability for researchers who demonstrate that the security of a system is broken. Criminalizing the circumvention of security is exactly the problem many people have with laws such as the DMCA.
    • Criminalizing the circumvention of security is exactly the problem many people have with laws such as the DMCA.

      I thought the problem people had with the DMCA was that it prevents consumers from exercising rights (fair use copying) over content that they would have if they purchased it in an older, non-DRMed format without breaking the law.

      I'd think that very few people would be opposed to criminalizing circumvention of security per se, in cases where there wasn't assumed to be some underlying right to do

      • Would you be opposed to criminal penalties for someone who picks the lock on your front door, as long as he doesn't actually come in and steal anything?

        The DMCA criminalizes the equivalent of picking the lock on your own house, or having a locksmith do it for you.
        • That was exactly my point. The problem isn't with laws that make it illegal to circumvent security, but with those that make it illegal to do something you have a right to do in the first place (like enter your own home or format shift some copyrighted content for your own use) because there happens to be some form of security-breaking involved in the process.

          Laws against breaking someone else's security to do something you wouldn't be allowed to do even if there was no security apparatus in place aren't

  • Of two minds (Score:4, Interesting)

    by Billosaur (927319) * <wgrother@op t o nline.net> on Wednesday May 10, 2006 @09:31AM (#15300403) Journal

    The McCarty prosecution, brought by the same office that so egregiously mishandled the McDanel incident, is in the same vein. As with Puffer and McDanel, the government will have to prove not only that McCarty accessed the school system without authorization, but also that he had some kind of criminal intent.

    Likely, they will point to the fact that McCarty copied some applicant records. "It wasn't that he could access the database and showed that it could be bypassed," Michael Zweiback, an assistant attorney for the Department of Justice's cybercrime and intellectual property crimes section, told the SecurityFocus reporter. "He went beyond that and gained additional information regarding the personal records of the applicant."

    But if he wanted to reveal USC's security gaffe, it's not clear what else he could have done. He had to get a sampling of the exposed records to prove that his claims were true. SecurityFocus reported that USC administrators initially claimed that only two database records were exposed, and only acknowledged that the entire database was threatened after additional records were shown to them.

    Ok, so there are two ways to look at this:

    1. He did commit a crime. He broke their security, using a known flaw. Happens all the time to anyone running Windows when some virus or Trojan uses a known exploit to mess round with data on your PC. They're guilty, mainly for then using your PC for other nefarious purposes. This argument is weak because all he did was reveal the information to a reporter, and while that's a dubious move at best, it really ended up in little harm.
    2. He didn't commit a crime. He exposed a major college's security lapse and did something with that knowledge that allowed the problem to be solved. I don't agree with his methods -- it would have been far easier to simply go to USC, tell them of the flaw, and then leave them to their own devices. Knowing USC, they would have hemmed and hawed, until some enterprising hacker, out for a little fun, discovered the flaw and did more than steal the records of seven people. He probably felt that this needed to be publicized to force USC's hand, but I still think that smacks of lack of common sense.

    I doubt a jury will convict him, though, this being a technical argument mainly and a computer crime, any jury they seat is bound to wind up confused and the best the prosecution can hope is that someone on the jury will have enough savvy to explain it to the others. Or they may convict him for being a wily, young whippersnapper. Who knows?

  • by Technician (215283) on Wednesday May 10, 2006 @09:33AM (#15300417)
    The thing that may have raised eyebrows is he found a fault and sent the information to a 3rd party who then contacted the owner. The owner then checked logs to find out who breached the system.

    If he found the problem and contacted them directly they may have been more willing to patch and say thanks.
    • That's a good point. In the "precedent" cited by the author, the defendant demonstrated a security flaw to the owner of the system, not to a third party. In this case, the defendant discovered the flaw, and rather than notify his employer and work towards fixing the problem, he went straight to a third party.

      The guy was basicaly looking for an ego boost. he figured he could get his name in the paper and look like a hero. In the end, he essentially gave away personal information on applicants without eve
  • by Anonymous Coward
    After reading tfa it seems that the McDanel case is different from the other two in one very important way: intent.

    - McCarty notified security professionals about the issue.

    - Puffer notified the system owner/operator of the security issues.

    - McDanel notified the customers of his former employer.

    TFA does not go into detail as to why McDanel was no longer employed by the company, but its not a huge leap to assume that he did not leave willingly. Was he really concerned about the information security of the cu
  • by MikeRT (947531) on Wednesday May 10, 2006 @09:39AM (#15300454) Homepage
    Did the guy do this after he quit his job? If he emailed the customers using a company server after he left, I can see the company having a legitimate case. Another thing, did he bring these problems up to management and get the ball rolling on a fix or did he just drop the bomb on his employer after he left? There have been enough guys who seem innocent on the surface on slashdot, that I'm now hesitant to not believe there may be some malfeasance on the guy's part.

    If he quit his job and then emailed the customers on his own time/equipment with a polite notice saying that he used to work for them and wanted to alert them to problems that management refused to fix, that could cause substantial harm to the clients, I seriously don't think a judge would have given his former employer the time of day.
  • First Amendment.? (Score:4, Interesting)

    by Frankie70 (803801) on Wednesday May 10, 2006 @09:41AM (#15300470)
    Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal

    Thank god, the prosecution did not defend the action on appeal.
    Because the defendent seems to have been represented by someone who doesn't
    seem to know that the 1st amendment isn't relevant here.
  • The first amendment only applies to government actors. Private corporations deal with an extraconsitutional "wrongful discharge" statute which is far weaker.
    • Okay, since I know people are going to jump on the ambiguity, there's nothing in the constitution that protects you from speech that harms other people, depending on the circumstances. It's all insanely complicated, and I find all the first-amendment waving ridiculous. There have only been two absolutist justices in the history of the Supreme Court. It's not a magic bullet.
  • by Black Parrot (19622) on Wednesday May 10, 2006 @09:52AM (#15300544)
    of Shoot the Messenger.

    That seems to be the only solution businesses and politicians can come up with for their self-caused problems anymore.
  • When asked the unexpected vacation, Bret McDanel said "It's was all I ever wanted," then excused himself, saying he had to "get away". When asked what he meant by this, he indicated he desire to have some time spent alone.
  • Those who can, do.
    Those who can't, sue.

    Is it me or does this become more and more common? As soon as someone's not doing what a company would like him to do, he's slapped some trial on his back, hoping that he'll either back down or that a company (with quite some funds) can easily get a better lawyer than Joe Average.

    Another often repeated phrase I use: There is no techical solution for a social problem. In this case, there is no legal solution for a technical one. Shutting people up does not create more s
    • Actually, there's a term for this, and it's illegal in some places. It's called SLAPP [wikipedia.org], and it's generally abuse of the legal system to shut someone up.
      You can't exactly have free speech when in fear of someone suing you for doing so, and companies know and exploit this to their advantage.
  • was somebody's pride. This "form over function" thing is starting to get out of hand both in the gov't and in the private sectors. True story: I once took a military medical course that was teaching information many years out of date. Using the appropriate forms, I submitted detailed critiques complete with sources and references. Rather than fix the problem, I was called on the carpet and ordered to stop submitting critiques because they "questioned the integrity of the course." This strikes me as ve
  • by elronxenu (117773) on Wednesday May 10, 2006 @10:07AM (#15300660) Homepage
    Without taking any sides on the matter of full disclosure, there are interesting parallels with the quoted cases.

    Full disclosure: if I find a bug in, say, Windows, should I

    • Report it to Microsoft?
    • Announce it to the world?
    • Report it to CERT?
    • Send details to Oracle?

    If I find a bug in USC's website, should I

    • Report it to the USC administrators?
    • Announce it to the world?
    • Report it to SecurityFocus?
    • Send it to MIT?

    If I find a bug in my employer's systems, should I

    • Report it to my employer?
    • Announce it to the world?
    • Report it to CERT?
    • Send it to my employer's competitors?

    Enquiring minds wish to know ...

    • by fuzzybunny (112938) on Wednesday May 10, 2006 @10:29AM (#15300811) Homepage Journal
      Full disclosure: if I find a bug in, say, Windows, should I

      "Standard practice" among my colleagues who do vulnerability research is to report to the manufacturer of the product first, give them 30 days notice to fix and deploy patches (or _maybe_ longer if the manufacturer can come up with plausible reasons why not to release the vulnerability), then announce publicly to bugtraq or another forum. If you announce before that, it's considered sort of rude.

      That said, remember that bug finding is at core a prestige game, so you want to make sure you get credit for finding this sort of stuff before, say, secunia or another group either stumbles on it, or the manufacturer decides to disclose on their own. I don't know how you'd go about this, to be honest.

      If I find a bug in USC's website, should I

      Report to USC; if they don't take action, report it to someone else at USC. USC is a private company and it's their prerogative to take action or not; unless the bug affects you directly or is in the public interest, let it lie. An example would be if you're a student and your personal data are at risk, in which case you should forward a paper trail to, say, someone at the California Dept. of Education's legal group, and only go public with it if they don't act.

      Pretty much the same goes for your employer's systems.

      If you mean "systems" in the sense of "services/products they sell to others", and your employer won't take action on a known flaw, that sort of goes under the category of "products", which you're probably going to be under an NDA not to disclose. If your employer is lame enough to not do anything about it, find another employer if you're unable to escalate it.

      You can always pass it on anonymously to someone who will report it. Unless you're in it for the bragging rights, that is.
  • There seems to be a pattern. Of the cases like this that I am aware of (there have been quite a few), those whose case is decided by a jury seem to always be acquitted. Those tried by a judge don't always fare so well.

    The issue here, I think, is that the security researcher is working for the benefit of the common person at the expense of the company. The members of the jury see themselves as that common person, and don't relate so well to the company. The judge, on the other hand, tries to be more "impar

  • Notwithstanding the First Amendment's free speech guarantees

    When you have NDA's, TOA's that specify what is allowed on a system that does not belong to you, you are foreiting your 1st Amendment right to access the system. This guy did not need to access that system to live. He broke into a private system.
    • Re:First amendment? (Score:5, Interesting)

      by cdrguru (88047) on Wednesday May 10, 2006 @10:26AM (#15300790) Homepage
      The First Amendment refers to the government's ability to pass laws to restrict speech. It has limited effect on states, cities, villages and other municipalities.

      It has no effect on companies, contract law, or anything else.

      There is no "first amendment right to access the system". Period. You do not have any rights at all - you have privileges that the operator of the system gives you. And these can be revoked at any time. Without cause or explanation.

      Yes, that means AOL can cancel your account without telling you why.

      Yes, that means when your employer says not to do something and you do it anyway you are exposing yourself to consequences. Sometimes legal consequences in addition to just getting fired.
  • by joshv (13017) on Wednesday May 10, 2006 @10:21AM (#15300757)
    When working for a company I shall not name, we used an ASP for our recruiting software, which company I will also decline to name. This software had a document upload functionality that would allow clients to upload offer letters and such. In trouble shooting an issue with our company's uploads we found it was quite easy to browse to other client's uploads by changing a client ID in a URL. Granted, you had to login to the system to be able to access this URL, but once logged in, there were apparently no security restrictions across clients. We had free access to the offer letters, job applications, any document having to do with the recruiting and hiring process, of other companies - some of them very big names.

    Did we do anything about it? Nope. We ignored it. I didn't even bring it up to our managers. Why? Because in documenting the issue we would have most certainly violated the licensing agreement, and a good argument could be made (especially in light of judgements like the one in the article) that we were conducting criminal computer trespass by changing the URL to knowingly access another client's repository. As stupid as that sounds, I was not willing to risk my job, or prison time, when I knew there were probably 15 other such security issues in the product, and my blowing the whistle on this one wasn't going to fix what was essentially a very crappy product.
  • A /. contributor who actually is a lawyer?
  • by deanj (519759) on Wednesday May 10, 2006 @10:44AM (#15300931)
    The summary was written by the lawyer representing this guy (as others in this thread have pointed out), so there's obvious spin going on. The real kicker of all this is his lame "Free Speech Rights" claim.

    The government didn't do a freaking thing to limit his "free speech". The guy did something vindictive against his former employer, got caught at it, and they went after him.

    It's stupid statements like that which don't put this guy (or the lawyer) in a very good light. It sounds like he's grasping at straws, looking for some way to vindicate his client for doing something really stupid.
  • by Weaselmancer (533834) on Wednesday May 10, 2006 @10:49AM (#15300959)

    Look at Linux. An operating system used by millions and every hacker in the world can get their hands on the source code. Why don't we see many viruses for Linux? Because it was implemented well.

    I think you mean a GNU/Linux virus. Very little malicious Linux code relies only on kernel exploits to do their bad stuff. Credit where credit is due, and all that. ;^)

  • Same here (Score:5, Interesting)

    by GmAz (916505) on Wednesday May 10, 2006 @10:54AM (#15300995) Journal
    The school district where I work used to have its entire network wide open. Anyone could access everything, e-mail, grades, pernament record. You name it, they had it. They just has to browse to it through the Network Neighborhood icon. One student saw this and told the assistant principal several times and he was ignored. He finally printed off a bunch of student grades and gave them to the assistant principal showing him it was a real risk and that something should be done. He was a legitimate good kid trying to help. Instead, he was Expelled from the district and was given probation (he was a minor). After that, the district REALLY tightened up its security. I feel that kid shouldn't have had anything done other than a huge thank you.
    • Re:Same here (Score:3, Interesting)

      by koshatul (198070)
      Back when I was at school, I lost my Subject Captaincy, and almost got expelled over realising the system administrator had used a simple formula to turn all our student numbers into all our passwords.

      When I came forward with it, they called in my parents and were threatening me with explusion if I didn't tell them how I hacked the password list as "figuring out they're a formula from noticing a pattern in myown and my friends passwords" was considered impossible.

      We'll never live in a society where the peop
  • This is nothing new. (Score:3, Interesting)

    by Optifark (973981) on Wednesday May 10, 2006 @11:03AM (#15301064)
    I worked for an Army contractor in the 80's. I found flaws weekly. I caught flack for each one I pointed out. In the end they made me data security manager so I would just fix them and stop pointing them out to the customer. I was told I would go to jail more than once. You have to do what is right for the customer. In this case the customer was the US Army. Any company should see this is the only way to to fix holes. See them, report them, fix them. -Steve
  • Real Fear (Score:5, Interesting)

    by Anonymous Coward on Wednesday May 10, 2006 @11:09AM (#15301100)
    Sprint runs a 9-1-1 service for hundreds of jurisdictions around the United States. The heart of their system includes a Windows server that is left virtually wide open on the internet. This server is the repository of all the 9-1-1 data from telephone companies around the country. It would be trivial to add, delete, or alter the 9-1-1 data on that server and wreak havoc. The system does not even require a password.

    This has been reported to Sprint and various local 9-1-1 officials several times. Sprint denies it is vulnerable; local authorities are disinterested in investigating. Nobody will put any attention on this until that one day that a malicious party will cripple 9-1-1 systems throughout the U.S. Then there will be screams for congressional investigations and finger pointing galore.

    But the well-meaning party that performs a proof-of-concept exploit to make a point would be butchered as the terrorist they are trying to prevent.

    For now, there are people who know that the 9-1-1 system is extremely vulnerable, and they fear the day it gets exploited. But they are more afraid of ruining their lives and their families' lives by speaking out.
  • by Nom du Keyboard (633989) on Wednesday May 10, 2006 @12:14PM (#15301631)
    Not revealing security holes should be the crime, and not the reverse. Only a well-informed consumer has a realistic chance of protecting themselves.
  • FreeMcCarty.com (Score:5, Interesting)

    by OneByteOff (817710) on Wednesday May 10, 2006 @01:03PM (#15302036)
    Since it seems this article is primarily about me, I felt it was necessary to post here. My name is Eric McCarty and you can read up on the case from my perspective on my website :

    http://www.freemccarty.com/ [freemccarty.com]

    I am not a malicious hacker, i am not even a hacker, I am a security researcher who wanted to goto USC to get my degree, nothing more, nothing less. If you think about it, I am one person, if I goto prison for the offense I am accused of commiting then I can still look in the mirror and know that because of my action over 200,000 people won't be victims of identity theft.

    Thats the whole point of security research in my opinion, making the internet safer, not for notariety, not for fame, or for money. Please take a look at my website and feel free to contact me directly with any comments, suggestions or if you are willing to assist my case.

    Thanks,

    Eric C. McCarty
    admin@freemccarty.com
    http://www.freemccarty.com/ [freemccarty.com]
  • The other side (Score:5, Interesting)

    by geekyMD (812672) on Wednesday May 10, 2006 @02:00PM (#15302563)
    FTFA:

    That means the law frequently rests on the definition of "authorization." Many cases suggest that if the owner doesn't want you to use the system, for whatever reason, your use is unauthorized. In one case I took on appeal, the trial court had held that searching for airline fares on a publicly available, unprotected website was unauthorized access because the airline had asked the searcher to stop.


    If a shop owner tells you to get out of his store, then you must comply or the police will be called. Why? Because if you do not comply with the wishes of the owner, its called trespass. But on the other side, the shop owner must notify the customer that they need to leave before calling the cops, otherwise its harrasment.

    Just because you know something about computer systems doesn't give you the right to invade them and show the owner what you found. How would you like a home security firm to break into your house and then publish in the local paper that you keep a key under the doormat? Yes, my house is 'publicly available' given that its not behind any gates or walls, but that is not an invitation for everyone to come in.

    What needs to happen is for security professionals as an industry to have more savvy contracts with the companys they consult for. With clauses stating that the consultant will be free from prosecution if a) they notify the company and give time to repsond and b) if the company doesn't take action and the risk is great to the public or the company's clients then c) the consultant has the right to go public with the information.

    Of course there are more clauses you might want to add, but it seems like a lot of this could be solved in the contracting steps of taking the job. If you can't get a good contract, don't take the job.

    Vigalante justice is illegal. Robin Hood was a good guy, as were the American Revolutionaries, but from a criminal law perspective they were all guilty of many crimes. They chose to break the law because of their personal convictions but they also more or less accepted the risks of doing so.

    What happened to whistle blower protection laws, wouldn't those apply in these situations?

    • by tekrat (242117) on Wednesday May 10, 2006 @10:12PM (#15305765) Homepage Journal
      So, if we apply your logic: What then, gives telemarketers the right to call you? Your number is publically accessable, and no password is needed to call your number and have the phone at your end ring because the phone lines go right into your house. In short, there's NO SECURITY between you and the telemarketer.

      However; that doesn't mean that they now have the right to invade your privacy and call you. And yet, they do. How is it that your logic will apply to a security firm breaking into your house, but ignores a telemarketer that does, essentially the same thing? They call on a regular basis and really, that's as much "breaking in" as any other computer analogy.

      Now, we all hate the telemarketers, and laws have been enacted to prevent them from harassment; but really, technically it *IS* legal for someone to "break in" to your house via the telephone, so I cannot say that your logic is flawless.

      TTYL

When someone says "I want a programming language in which I need only say what I wish done," give him a lollipop.

Working...