Busting People for Pointing Out Security Flaws
gsch writes "'In 2004, Bret McDanel was convicted of violating section 1030 when he e-mailed truthful information about a security problem to the customers of his former employer. The prosecution argued that McDanel had accessed the company e-mail server by sending the messages, and that the access was unauthorized within the meaning of the law because the company didn't want this information distributed. They even claimed the integrity of the system was impaired because a lot more people (customers) now knew that the system was insecure.
Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal, and argued that reporting on security flaws doesn't impair the integrity of computer systems. In an extremely unusual turn of events, the prosecution did not defend its actions, but voluntarily moved to vacate the conviction.'"
Synopsis kind of misleading. (Score:5, Informative)
Next, click the link... you'll find that it is cut and pasted right out of the article. That generally wouldn't be so bad.... but is gsch "Jennifer Granick"? If not, the quote should be phrased in a way that this is evident, in cases where there is first-person content in the quote.
Call it grammar nazism, but for very obvious reasons, the synopsis, as it currently reads, is misleading... if one wanted to be a dick about it, they could say that it even seems like this person is masquerading as the defendant's attorney. I won't go that far, but the point is made.
Re:Understandable (Score:3, Informative)
Additionally, this sort of action is morally indefensible, and no doubt the company took a great deal of flak from its customers over it. It is entirely possible that the company asked the prosecutor to quietly drop charges, so it wouldn't be brought back to the forefront of its customers' minds.
Or it could be that the court district is running out of money, and doesn't want to waste money on another trial... There is a district in N.C. that is letting first and second degree murderers plead manslaughter because they can't afford murder trials.
Or it could just be that the public is getting more savvy, and the prosecutor felt uneasy about the jury selection.
*Former* employer's email (Score:4, Informative)
You may have some re-reading to do yourself. It said he used his *former* employer's email server. That most likely is criminal. If he had sent the email from a personal account then he might only face a civil lawsuit for some sort of breach of confidentiality.
Re:*Former* employer's email (Score:2, Informative)
If I send you e-mail, I'm apparently "accessing" your server within the meaning of the law. If he sent e-mail from a personal account to "customers@formeremployer.com", then there's no hax0ring involved. (And formeremployer.com might want to put some access restrictions on their mailing list, but if the mail goes through when sent through normal channels, ipso facto he's authorized to send it).
Re:It's like the full disclosure question (Score:4, Informative)
"Standard practice" among my colleagues who do vulnerability research is to report to the manufacturer of the product first, give them 30 days notice to fix and deploy patches (or _maybe_ longer if the manufacturer can come up with plausible reasons why not to release the vulnerability), then announce publicly to bugtraq or another forum. If you announce before that, it's considered sort of rude.
That said, remember that bug finding is at core a prestige game, so you want to make sure you get credit for finding this sort of stuff before, say, Secunia or another group either stumbles on it, or the manufacturer decides to disclose on their own. I don't know how you'd go about this, to be honest.
If I find a bug in USC's website, should I
Report to USC; if they don't take action, report it to someone else at USC. USC is a private company and it's their prerogative to take action or not; unless the bug affects you directly or is in the public interest, let it lie. An example would be if you're a student and your personal data are at risk, in which case you should forward a paper trail to, say, someone at the California Dept. of Education's legal group, and only go public with it if they don't act.
Pretty much the same goes for your employer's systems.
If you mean "systems" in the sense of "services/products they sell to others", and your employer won't take action on a known flaw, that sort of goes under the category of "products", which you're probably going to be under an NDA not to disclose. If your employer is lame enough to not do anything about it, find another employer if you're unable to escalate it.
You can always pass it on anonymously to someone who will report it. Unless you're in it for the bragging rights, that is.
Re:and? (Score:2, Informative)
Re:Understandable (Score:5, Informative)
Quoth the parent:
Errrmmmm
Quoted from the Texas Disciplinary Rules of Professional Conduct:
(Tex. Disciplinary R. Prof. Conduct, (1989) reprinted in Tex. Govt Code Ann., tit. 2, subtit. G, app. (Vernon Supp. 1995)(State Bar Rules art X §9))
3.09 Special Responsibilities of a Prosecutor
The prosecutor in a criminal case shall:
(a) refrain from prosecuting or threatening to prosecute a charge that the prosecutor knows is not supported by probable cause;
(b) refrain from conducting or assisting in a custodial interrogation of an accused unless the prosecutor has made reasonable efforts to be assured that the accused has been advised of any right to, and the procedure for obtaining, counsel and has been given reasonable opportunity to obtain counsel;
(c) not initiate or encourage efforts to obtain from an unrepresented accused a waiver of important pre-trial, trial or post-trial rights;
(d) make timely disclosure to the defense of all evidence or information known to the prosecutor that tends to negate the guilt of the accused or mitigates the offense, and, in connection with sentencing, disclose to the defense and to the tribunal all unprivileged mitigating information known to the prosecutor, except when the prosecutor is relieved of this responsibility by a protective order of the tribunal; and
(e) exercise reasonable care to prevent persons employed or controlled by the prosecutor in a criminal case from making an extrajudicial statement that the prosecutor would be prohibited from making under Rule 3.07.
Comment:
Source and Scope of Obligations
1. A prosecutor has the responsibility to see that justice is done, and not simply to be an advocate. This responsibility carries with it a number of specific obligations (emphasis added). Among these is to see that no person is threatened with or subjected to the rigors of a criminal prosecution without good cause. See paragraph (a). In addition a prosecutor should not initiate or exploit any violation of a suspect's right to counsel, nor should he initiate or encourage efforts to obtain waivers of important pre-trial, trial, or post-trial rights from unrepresented persons. See paragraphs (b) and (c). In addition, a prosecutor is obliged to see that the defendant is accorded procedural justice, that the defendant's guilt is decided upon the basis of sufficient evidence, and that any sentence imposed is based on all unprivileged information known to the prosecutor. See paragraph (d). Finally, a prosecutor is obliged by this rule to take reasonable measures to see that persons employed or controlled by him refrain from making extrajudicial statements that are prejudicial to the accused. See paragraph (e) and Rule 3.07. See also Rule 3.03(a)(3), governing ex parte proceedings, among which grand jury proceedings are included. Applicable law may require other measures by the prosecutor and knowing disregard of those obligations or a systematic abuse of prosecutorial discretion could constitute a violation of Rule 8.04.
<END of quoted material>
Almost every state has the same, or similar, rules in place, as does the federal court system. Care to try again, ArsenneLupin?
Oh, and while we are on the subject, IAAL, I just don't practice law.
Look closely (Score:3, Informative)
it is not about justice... (Score:2, Informative)
Re:FreeMcCarty.com (Score:3, Informative)
If you read the article [wired.com] carefully, you'll note that they switch names from McCarty to McDanel and then back to McCarty, and then compare the two cases.
Read the brief and the decision (Score:2, Informative)
Interestingly, the circuit court remanded the case back to district court with the order that the case be dismissed with prejudice for lack of evidence.
I would say that Ms. Granick is quite qualified to make the submissions which seem to be well thought out.