Busting People for Pointing Out Security Flaws

gsch writes "'In 2004, Bret McDanel was convicted of violating section 1030 when he e-mailed truthful information about a security problem to the customers of his former employer. The prosecution argued that McDanel had accessed the company e-mail server by sending the messages, and that the access was unauthorized within the meaning of the law because the company didn't want this information distributed. They even claimed the integrity of the system was impaired because a lot more people (customers) now knew that the system was insecure. Notwithstanding the First Amendment's free speech guarantees, the trial judge convicted and sentenced McDanel to 16 months in prison. I represented him on appeal, and argued that reporting on security flaws doesn't impair the integrity of computer systems. In an extremely unusual turn of events, the prosecution did not defend its actions, but voluntarily moved to vacate the conviction.'"

Synopsis kind of misleading.

[Anonymous Coward]

I saw this, and was all ready to ask questions to the submitter, as I saw the line "I represented him on appeal". Read that whole synopsis once again. Doesn't it look like the submitter is the one doing the talking?

Next, click the link... you'll find that it is cut and pasted right out of the article. That generally wouldn't be so bad.... but is gsch "Jennifer Granick"? If not, the quote should be phrased in a way that this is evident, in cases where there is first-person content in the quote.

Call it grammar nazism, but for very obvious reasons, the synopsis as it currently reads, is misleading... if one wanted to be a dick about it, they could say that it even seems like this person is masquerading as the defendant's attorney. I won't go that far, but the point is made.

Re:Understandable

[SatanicPuppy]

A lot of the time it's not the same prosecutor, so the integrity of one is not necessarily the integrity of the other.

Additionally, this sort of action is morally indefensible, and no doubt the company took a great deal of flack from it's customers over it. It is entirely possible that the company asked the prosecutor to quietly drop charges, so it wouldn't be brought back to the forefront of its customers minds.

Or it could be that the court district is running out of money, and doesn't want to waste money on another trial...There is a district in N.C that is letting first and second degree murderers plead manslaughter because they can't afford murder trials.

Or it could just be that the public is getting more savvy, and the prosecutor felt uneasy about the jury selection.

*Former* employer's email

[AHumbleOpinion]

Basically, he used the company's smtp server to send the messages just like he uses it to send ANY email from work

You may have some re-reading to do yourself. It said he used his *former* employer's email server. That most likely is criminal. If he had sent the email from a personal account then he might only face a civil lawsuit for some sort of breach of confidentiality.

Re:*Former* employer's email

[Mr. Slippery]

It said he used his *former* employer's email server. That most likely is criminal.

If I send you e-mail, I'm apparently "accessing" your server within the meaning of the law. If he sent e-mail from a personal account to "customers@formeremployer.com", then there's no hax0ring involved. (And formeremployer.com might want to put some access restrictions on their mailing list, but if the mail goes through when sent through normal channels, ipso facto he's authorized to send it).

Re:It's like the full disclosure question

[fuzzybunny]

Full disclosure: if I find a bug in, say, Windows, should I

"Standard practice" among my colleagues who do vulnerability research is to report to the manufacturer of the product first, give them 30 days notice to fix and deploy patches (or _maybe_ longer if the manufacturer can come up with plausible reasons why not to release the vulnerability), then announce publicly to bugtraq or another forum. If you announce before that, it's considered sort of rude.

That said, remember that bug finding is at core a prestige game, so you want to make sure you get credit for finding this sort of stuff before, say, secunia or another group either stumbles on it, or the manufacturer decides to disclose on their own. I don't know how you'd go about this, to be honest.

If I find a bug in USC's website, should I

Report to USC; if they don't take action, report it to someone else at USC. USC is a private company and it's their prerogative to take action or not; unless the bug affects you directly or is in the public interest, let it lie. An example would be if you're a student and your personal data are at risk, in which case you should forward a paper trail to, say, someone at the California Dept. of Education's legal group, and only go public with it if they don't act.

Pretty much the same goes for your employer's systems.

If you mean "systems" in the sense of "services/products they sell to others", and your employer won't take action on a known flaw, that sort of goes under the category of "products", which you're probably going to be under an NDA not to disclose. If your employer is lame enough to not do anything about it, find another employer if you're unable to escalate it.

You can always pass it on anonymously to someone who will report it. Unless you're in it for the bragging rights, that is.

Re:and?

[Overly Critical Guy]

Yep, and the submitter's remark, "Notwithstanding the First Amendment's free speech guarantees," is silly because the First Amendment doesn't guarantee 100% free speech in all situations. It protects you from the government censoring your opinion, but when your speech begins to infringe on the rights of others (harassment, libel, revealing of trade secrets, etc.), it's not covered under the First Amendment. People have misinterpreted it over the years to mean you can say whatever the hell you want at all times.

Re:Understandable

[ninewands]

Quoth the grandparent:

Prosecutors, at least in my neck of the woods, don't give two shits about justice or truth. They just want convictions.,/b>

Quoth the parent:

Well, that's their fucking job! They represent the accusation, after all.

Errrmmmm ... actually no. The prosecutor represents the State, not the complainant, who is merely an accusing witness. The prosecutor has NO obligation whatsoever to the victim of a crime. His/her obligation is to represent the peace and dignity of the State and to seek justice.

Quoted from the Texas Disciplinary Rules of Professional Conduct:
(Tex. Disciplinary R. Prof. Conduct, (1989) reprinted in Tex. Govt Code Ann., tit. 2, subtit. G, app. (Vernon Supp. 1995)(State Bar Rules art X [[section]]9))

3.09 Special Responsibilities of a Prosecutor

        The prosecutor in a criminal case shall:

        (a) refrain from prosecuting or threatening to prosecute a charge that the prosecutor knows is not supported by probable cause;

        (b) refrain from conducting or assisting in a custodial interrogation of an accused unless the prosecutor has made reasonable efforts to be assured that the accused has been advised of any right to, and the procedure for obtaining, counsel and has been given reasonable opportunity to obtain counsel;

        (c) not initiate or encourage efforts to obtain from an unrepresented accused a waiver of important pre-trial, trial or post-trial rights;

        (d) make timely disclosure to the defense of all evidence or information known to the prosecutor that tends to negate the guilt of the accused or mitigates the offense, and, in connection with sentencing, disclose to the defense and to the tribunal all unprivileged mitigating information known to the prosecutor, except when the prosecutor is relieved of this responsibility by a protective order of the tribunal; and

        (e) exercise reasonable care to prevent persons employed or controlled by the prosecutor in a criminal case from making an extrajudicial statement that the prosecutor would be prohibited from making under Rule 3.07.

        Comment:

        Source and Scope of Obligations

        1. A prosecutor has the responsibility to see that justice is done, and not simply to be an advocate. This responsibility carries with it a number of specific obligations(emphasis added). Among these is to see that no person is threatened with or subjected to the rigors of a criminal prosecution without good cause. See paragraph (a). In addition a prosecutor should not initiate or exploit any violation of a suspects right to counsel, nor should he initiate or encourage efforts to obtain waivers of important pre-trial, trial, or post-trial rights from unrepresented persons. See paragraphs (b) and (c). In addition, a prosecutor is obliged to see that the defendant is accorded procedural justice, that the defendants guilt is decided upon the basis of sufficient evidence, and that any sentence imposed is based on all unprivileged information known to the prosecutor. See paragraph (d). Finally, a prosecutor is obliged by this rule to take reasonable measures to see that persons employed or controlled by him refrain from making extrajudicial statements that are prejudicial to the accused. See paragraph (e) and Rule 3.07. See also Rule 3.03(a)(3), governing ex parte proceedings, among which grand jury proceedings are included. Applicable law may require other measures by the prosecutor and knowing disregard of those obligations or a systematic abuse of prosecutorial discretion could constitute a violation of Rule 8.04.
<END of quoted material>

Almost every state has the same, or similar rules, in place, as does the federal court system. Care to try again, ArsenneLupin?

Oh, and while we are on the subject IAAL I just don't practice law.

Look closely

[debest]

The submission is entirely within quotes. "gsch" simply put in a portion of the article into quotes, and sent it to /. It gets posted with another set of quotes. If you look closely, you will see that there are three little marks around the submitted text, not two (meaning a quote within a quote). Could have been formatted better, though.

it is not about justice...

[targ3t]

It is not justice that our legal system is set up for... it is to maintain order in our society. Justice does occasionally run afoul of societal order and for that reason justice is NOT the primary duty of our legal system.Also, the USA is NOT a democracy... it is a republic... democracy just sounds better even if it is inaccurate.

Re:FreeMcCarty.com

[zCyl]

Why did you change your name from Bret McDanel to Eric McCarty in the first place? That seems a bit extreme and fishy to me.

If you read the article [wired.com] carefully, you'll note that they switch names from McCarty to McDanel and then back to McCarty, and then compare the two cases.

Read the brief and the decision

[Kanaka Kid]

You can find the brief [stanford.edu] and a copy of the circuit court's decision [stanford.edu]. The brief argues (on page 31) "The trial court unconstitutionally punished McDanel for the content of his email and website. As the court applied 18 U.S.C. 1030 to McDanel, this verdict singles out the viewpoint McDanel expressed and the information he disclosed, that Tornado security is flawed, for criminal sanction. The First Amendment prohibits this conviction based on McDanel's speech."

Interestingly, the circuit court remanded the case back to district court with the order that the case be dismissed with prejudice for lack of evidence.

I would say that Ms. Granick is quite qualified to make the submissions which seem to be well thought out.