The Sad Tale of a Security Whistleblower
Federal prosecutors in California went too far when they put a man in prison for disclosing a website security hole to the people at risk from it.

By Mark Rasch Aug 18 2003 05:00AM PT
Previous articles in this space have discussed whether security professionals can go to jail for doing things like demonstrating the insecurity of a wireless network, or conducting a throughput test on a system without permission. Now, a new and unwarranted extension of the U.S. computer crime law shows that you can go to jail for simply telling potential victims that their data is vulnerable.

By explaining how the vulnerability worked, and why customer data was at risk, prosecutors asserted, the security specialist "impaired the integrity" of the affected network. It is now up to a federal appellate court to determine whether this interpretation of the law is to stand. If it does, it could mean a dramatic decline in postings to Bugtraq, CERT, or other public fora.

Bret McDanel was dissatisfied with his former employer, Tornado Development, Inc. Tornado provided internet access and web-based e-mail to its clients. However, McDanel apparently discovered a flaw in the web-mail that would permit malicious users to piggyback a previous secure session, grab the unique session ID and thereby read a user's e-mail-- despite the fact that the site promised that e-mail was secure. Dissatisfied with the pace at which Tornado addressed the issue (and for other reasons, undoubtedly), McDanel severed his employment with them, and went to work for another company.

About six months later, according to defensive filings, McDanel discovered that Tornado had never fixed the vulnerability he discovered. Using the moniker "Secret Squirrel" he sent a single e-mail to about 5,600 of Tornado's customers over the course of three days, staggering the release each day to prevent flooding Tornado's e-mail servers.

The e-mail told Tornado's customers about the vulnerability, and directed them to his own website for information about it.

So what did Tornado? First, they scrambled to delete their own customer's e-mails (without their permission) to prevent them from learning about the vulnerability. Then they took other steps to conceal the hole. Ultimately, they fixed the vulnerability, and upgraded their general security.

For his efforts, McDanel was arrested, tried, convicted and sentenced to sixteen months in the federal pokey, which he has now served. He has appealed his conviction to the federal Ninth Circuit Court of Appeals.