Prometheus 6   

Do not make the mistake of thinking that because my conclusion is the same as another person's that my reasoning is the same

August 19, 2003


Impaired integrity

integrity n.
1. possession of firm principles: the quality of possessing and steadfastly adhering to high moral principles or professional standards
2. completeness: the state of being complete or undivided (formal): the territorial integrity of a nation.
3. wholeness: the state of being sound or undamaged (formal): Their refusal to participate in the experiment will undermine its integrity.

The Feds should have used the third definition. Instead, they used the first.

The Sad Tale of a Security Whistleblower
Federal prosecutors in California went too far when they put a man in prison for disclosing a website security hole to the people at risk from it.

By Mark Rasch Aug 18 2003 05:00AM PT
Previous articles in this space have discussed whether security professionals can go to jail for doing things like demonstrating the insecurity of a wireless network, or conducting a throughput test on a system without permission. Now, a new and unwarranted extension of the U.S. computer crime law shows that you can go to jail for simply telling potential victims that their data is vulnerable.

By explaining how the vulnerability worked, and why customer data was at risk, prosecutors asserted, the security specialist "impaired the integrity" of the affected network. It is now up to a federal appellate court to determine whether this interpretation of the law is to stand. If it does, it could mean a dramatic decline in postings to Bugtraq, CERT, or other public fora.

Bret McDanel was dissatisfied with his former employer, Tornado Development, Inc. Tornado provided internet access and web-based e-mail to its clients. However, McDanel apparently discovered a flaw in the web-mail that would permit malicious users to piggyback a previous secure session, grab the unique session ID and thereby read a user's e-mail -- despite the fact that the site promised that e-mail was secure. Dissatisfied with the pace at which Tornado addressed the issue (and for other reasons, undoubtedly), McDanel severed his employment with them, and went to work for another company.

About six months later, according to defensive filings, McDanel discovered that Tornado had never fixed the vulnerability he discovered. Using the moniker "Secret Squirrel" he sent a single e-mail to about 5,600 of Tornado's customers over the course of three days, staggering the release each day to prevent flooding Tornado's e-mail servers.

The e-mail told Tornado's customers about the vulnerability, and directed them to his own website for information about it.

So what did Tornado do? First, they scrambled to delete their own customers' e-mails (without the customers' permission) to prevent them from learning about the vulnerability. Then they took other steps to conceal the hole. Ultimately, they fixed the vulnerability, and upgraded their general security.

For his efforts, McDanel was arrested, tried, convicted and sentenced to sixteen months in the federal pokey, which he has now served. He has appealed his conviction to the federal Ninth Circuit Court of Appeals.

posted by Prometheus 6 at 8/19/2003 01:03:12 AM |
