Re: Disclose a bug, do not pass go, go directly to jail

["Stephen Clowater" <steve () stevesworld hopto org>]

The FBI has been giving alot of bullshit in this case. I read the actual
court transcripts when it was going down.

Bottom line here, the FBI made sure bret was stuck with the public defender
with the biggest docket. They presented incoherent and evidence that just
plain wasnt possible at trial and it never was challeneged. The charge, and
the convition both go way outside of criminal code 18 U.S.C. 1030, wich the
original charge was made under. The actuall apeal he is making know is based
on inadequet represenation of council, however, I think that he could
challenege the judge's decision, after all the United States Surpreme court
decisons basically ban this kind of sentance. However, I think this may just
be easier to challenge, and Jennifer Granick (his new lawer) dosnt have to
go up agianst a judge and make an enemy in the 9th circut.

Even if he did spam (wich was not on the original inditement) at the time
there was no anti-spam laws that applied, so even if it was trye that he had
sent out mass spam, by the law he was indited under, he couldnt have been
sent to jail for it. Ironically they say he sent out 14,000 spam messages,
and there were 14,000 customers, so basicaly what the FBI did in order to
make themselves look just a little better was to change the terminology from
"advisory" to "spam"

Theres alot of bullshit flying around from both camps on this one, A visit
to the courthouse and reading the actual records is really the only way to
get the full story of what happened [legally wise] on this one.
----- Original Message ----- 
From: "Richard M. Smith" <rms () computerbytesman com>
To: "'Stephen Clowater'" <steve () stevesworld hopto org>;
<full-disclosure () lists netsys com>
Sent: Friday, August 08, 2003 12:51 PM
Subject: RE: [Full-disclosure] Disclose a bug, do not pass go, go directly
to jail


> I just found this FBI press release on the case which says something a
> bit different.  It claims that Bret set up a Web site that give details
> of the problem:
>
> http://www.fbi.gov/fieldnews/march/la032503.htm
>
> The FBI also portrays Bret as a spammer for sending out 14,000 email
> messages on three occasions.  How come none of the real spammers who
> send out millions of unsolicited spam email messages everyday aren't in
> jail for overloading email servers?  For example, two years ago Verizon
> email basically stopped working for a week because of a spammer attack.
>
> Richard
>
> -----Original Message-----
> From: Stephen Clowater [mailto:steve () stevesworld hopto org]
> Sent: Friday, August 08, 2003 2:32 PM
> To: Richard M. Smith; full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] Disclose a bug, do not pass go, go
> directly to jail
>
>
> No, Bret had fears that the bug may be exploited once it was disclosed
> on a
> List, so he emailed the customers to only let them know about the bug.
> In
> hopes of heading off a mass-owning of the software, while making sure
> the
> customers were informed. So that the bug would be fixed
>
> Or that was what he testified to when he took the stand, and he
> maintained
> it during cross-examniations.
> ----- Original Message ----- 
> From: "Richard M. Smith" <rms () computerbytesman com>
> To: <full-disclosure () lists netsys com>
> Sent: Friday, August 08, 2003 11:18 AM
> Subject: [Full-disclosure] Disclose a bug, do not pass go, go directly
> to
> jail
>
>
> > Does anyone know if this Tornado bug was ever disclosed on Bugtraq or
> > any other security list?
> >
> > For the description of this incident, it sounds to me like there might
> > be a civil case against Mr. McDanel, since he worked for Tornado and
> > likely signed some sort of employee agreement, but this hardly
> qualifies
> > as a criminal matter.
> >
> > Richard
> >
> > Jailbird appeals in bug disclosure case
> > http://www.theregister.co.uk/content/55/32237.html
> > By SecurityFocus
> > Posted: 08/08/2003 at 07:45 GMT
> >
> > Bret McDanel already served his 16 months in federal prison for
> > violating the Federal Computer Fraud and Abuse Act. Now he wants to
> > clear his record.
> >
> > McDanel was wrongly convicted under the federal computer fraud
> statute,
> > criminal code 18 U.S.C. 1030, claims a 62-page appeal filed on
> McDanel's
> > behalf by his new attorney, Jennifer Granick, clinical director for
> the
> > Center for Internet and Society at Stanford Law School. The criminal
> > code was misinterpreted to bring about his conviction, and McDanel's
> > public defender denied him a fair trial, asserts the brief, filed
> > Wednesday in the Ninth Circuit Court of Appeals.
> >
> > Between August 31 and September 5th, 2000, the 29-year-old McDanel,
> > under the moniker, "Secret Squirrel," sent 5,600 e-mail letters to
> > customers of his former employer, Tornado Development, Inc., a Los
> > Angeles-based unified messaging business that provided Web-based
> e-mail,
> > voice mail and other communications. McDanel's e-mails informed
> > Tornado's customers of a serious vulnerability in the e-mail system
> > which left e-mail login credentials, called Network Identifiers or
> NIDs,
> > in plain view in their Web browser address boxes, which could then be
> > scooped up by Web sites that harvest surfing information from
> visitors'
> > browsers.
> >
> > According to prosecutors, McDanel intended to cause damage to
> Tornado's
> > mail server by overloading it with too many messages, and caused a
> > costly public relations problem by making public confidential
> > information that was damaging to Tornado's reputation.
> >
> > But the appeal brief claims that the e-mails did not cause a denial of
> > service. Instead, the systems were taken down to repair the security
> > flaw, which McDanel had pointed out a year earlier at Tornado.
> >
> > The government's other argument was that McDaniel impaired system
> > integrity by exposing the vulnerability publicly. Granick says that
> > doesn't fly under existing law.
> >
> > ....
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html