Interesting People mailing list archives
Whistle Blower in Prison for Disclosing Security Hole? (fwd)
From: Dave Farber <dave () farber net>
Date: Tue, 19 Aug 2003 18:03:35 -0400
Date: Tue, 19 Aug 2003 17:51:27 -0400 (EDT) From: Miles Fidelman <mfidelman () civicnet org> Subject: Whistle Blower in Prison for Disclosing Security Hole? (fwd) To: Dave Farber <dave () farber net> Dave, This one is pretty scary... Miles http://www.securityfocus.com/columnists/179 The Sad Tale of a Security Whistleblower Federal prosecutors in California went too far when they put a man in prison for disclosing a website security hole to the people at risk from it. By Mark Rasch Aug 18 2003 05:00AM PT Previous articles in this space have discussed whether security professionals can go to jail for doing things like demonstrating the insecurity of awireless network, or conducting a throughput test on a system without permission.Now, a new and unwarranted extension of the U.S. computer crime law shows that you can go to jail for simply telling potential victims that their data is vulnerable. By explaining how the vulnerability worked, and why customer data was atrisk, prosecutors asserted, the security specialist "impaired the integrity" ofthe affected network. It is now up to a federal appellate court to determinewhether this interpretation of the law is to stand. If it does, it could mean adramatic decline in postings to Bugtraq, CERT, or other public fora. Bret McDanel was dissatisfied with his former employer, Tornado Development, Inc. Tornado provided internet access and web-based e-mail to its clients.However, McDanel apparently discovered a flaw in the web-mail that would permit malicious users to piggyback a previous secure session, grab the unique sessionID and thereby read a user's e-mail-- despite the fact that the site promised that e-mail was secure. Dissatisfied with the pace at which Tornado addressed the issue (and for other reasons, undoubtedly), McDanel severed his employment with them, and went to work for another company. About six months later, according to defensive filings, McDanel discoveredthat Tornado had never fixed the vulnerability he discovered. Using the moniker"Secret Squirrel" he sent a single e-mail to about 5,600 of Tornado'scustomers over the course of three days, staggering the release each day to preventflooding Tornado's e-mail servers. To put McDanel in jail, the government adopted a rather unique interpretation of the federal computer crime statute. The e-mail told Tornado's customers about the vulnerability, and directed them to his own website for information about it. So what did Tornado? First, they scrambled to delete their own customer's e-mails (without their permission) to prevent them from learning about thevulnerability. Then they took other steps to conceal the hole. Ultimately, theyfixed the vulnerability, and upgraded their general security. For his efforts, McDanel was arrested, tried, convicted and sentenced tosixteen months in the federal pokey, which he has now served. He has appealed hisconviction to the federal Ninth Circuit Court of Appeals. It's important to note that McDanel was prosecuted not for a denial ofservice attack against Tornado by an e-mail flood, but apparently because Tornado,and the government, were unhappy with the content of the e-mail message and associated webpage -- content that is presumptively protected by the FirstAmendment. The "losses" suffered by Tornado, were only in lost reputation and lostclients. There was no evidence that McDanel or anyone else ever exploited the vulnerability. To put McDanel in jail, the government adopted a rather unique interpretation of the federal computer crime statute. The applicable language in the Computer Fraud and Abuse Act make it a crime to "knowingly cause the transmission of information and as a result of suchconduct, intentionally cause any impairment to the integrity or availability ofdata, a program, a system, or information without authorization." Ordinarily, this is used to go after people who distribute worms or viruses, mailbombs and Trojan horses: things that actually shut down or affect the computer system itself. More Oversight Needed In this case, the government argued that the Secret Squirrel's missive itself -- whether posted on his own webpage or e-mailed to Tornado's customers (or, presumably, posted to any other public source) "impaired the integrity" of Tornado's computers or network. The government argued that the message wasincorrect, useful to would-be attackers, and was intentionally designed to giveTornado trouble. Because McDanel revealed the flaw publicly (having previously revealed itprivately to Tornado to no avail) he could be prosecuted, because, according tothe government, "the public now knew about a flaw in the Tornado system, howthat flaw worked, what that flaw could get somebody who exploited the flaw, andin fact a how-to manual about how to exploit that flaw." Had the government merely gone after McDanel for a spam denial of service, or "e-mail bomb" theory, and had they proven that the e-mails themselves slowed down or materially impaired the availability of Tornado's computers, therewould likely be little chance on appeal (though a California State Supreme Courtdecision recently held that a massive e-mail sent by an ex-Intel employee to his former colleagues was protected free speech where the effect on the mailservers was minimal.) If the e-mail was intended to, and actually operated as, adenial of service attack -- well, case closed. But the government here has stretched the federal computer crime statute to include not only attacks on computers or networks, but the dissemination ofinformation about vulnerabilities. They've expanding the definition of "impairingthe integrity" of such affected systems. This is a dangerously slippery slope. There is little doubt that what McDanel did was irresponsible and malicious. But, assuming the vulnerability existed, what were his alternatives? He hadalready told senior management about the hole, and they did not fix it. He couldhave told them again, and hoped that they took it more seriously. If he threatened to expose the vulnerability to force them to fix it, he could beprosecuted for extortion. And posting the vulnerability to a newsgroup or security organization, instead of the customers, would be a fruitless exercise unless hedetailed the entity that was suffering from the hole, and then would-be attackers would know who to attack, and Tornado would be in a worse position. He likewise could have notified some governmental agency -- but frankly,there is no government agency with a mandate to provide security advice to e-mailcarriers. So, he notified Tornado customers directly that their e-mailaccounts were at risk. He didn't exploit the vulnerability, encourage or conspire with others to exploit it. He didn't reveal the vulnerability to an undergroundhacker organization. He told the affected people. For this, he went to jail. He could have explained to the customers that their information was at risk, without revealing quite so much detail. But according to the government'stheory of liability, this would not have prevented his prosecution. Moreover, asis frequently the case with security vulnerabilities, this likely would haveprompted a quick denial by Tornado that any such bug existed -- and they may ormay not have fixed them. Under the theory articulated by the government, the transmission of anyinformation that can be used by others to impair the integrity of a computer system(or cause loss of reputation) if done without authorization (and who would authorize it?) is a federal crime. The law requires the impairment to be "intentional," but under U.S. case law a person is presumed to intend "the natural and probably consequences of his or her actions." You know that revealing the vulnerability will embarrass the company, and this fact alone "impairs the integrity" of the network, according to the government's theory. If you were to come into my office and ask my legal opinion about whether you should reveal a vulnerability under this interpretation of "impairing theintegrity" of a computer, I would have to tell you that it was a federal felonyto do so. What we really need is for Congress to produce stringent guidelines forprosecutors about what kinds of conduct "impairs" integrity, and therefore runs afoul of the criminal law. These guidelines should be binding on all federal andstate prosecutors so there is a clear understanding about what people in McDanel's position are permitted to do. A code of conduct for security specialists with clear guidelines on what they can do when a company or entity refuses to fix a vulnerability would behelpful as well. Until then, as the canny desk sergeant in Hill Street Blues usedto say, "Let's be careful out there." SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc.
------------------------------------- You are subscribed as interesting-people () lists elistx com To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- Whistle Blower in Prison for Disclosing Security Hole? (fwd) Dave Farber (Aug 19)