Whistle Blower in Prison for Disclosing Security Hole? (fwd)

[Dave Farber <dave () farber net>]

> Date: Tue, 19 Aug 2003 17:51:27 -0400 (EDT)
> From: Miles Fidelman <mfidelman () civicnet org>
> Subject: Whistle Blower in Prison for Disclosing Security Hole? (fwd)
>
> To: Dave Farber <dave () farber net>
>
>
> Dave, This one is pretty scary... Miles
>
> http://www.securityfocus.com/columnists/179
>
> The Sad Tale of a Security Whistleblower
> Federal prosecutors in California went too far when they put a man in prison
> for disclosing a website security hole to the people at risk from it.
> By Mark Rasch Aug 18 2003 05:00AM PT
>
> Previous articles in this space have discussed whether security professionals
> can go to jail for doing things like demonstrating the insecurity of a
> wireless network, or conducting a throughput test on a system without 
> permission.
> Now, a new and unwarranted extension of the U.S. computer crime law shows that
> you can go to jail for simply telling potential victims that their data is
> vulnerable.
>
> By explaining how the vulnerability worked, and why customer data was at
> risk, prosecutors asserted, the security specialist "impaired the 
> integrity" of
> the affected network. It is now up to a federal appellate court to determine
> whether this interpretation of the law is to stand. If it does, it could 
> mean a
> dramatic decline in postings to Bugtraq, CERT, or other public fora.
>
> Bret McDanel was dissatisfied with his former employer, Tornado Development,
> Inc. Tornado provided internet access and web-based e-mail to its clients.
> However, McDanel apparently discovered a flaw in the web-mail that would 
> permit
> malicious users to piggyback a previous secure session, grab the unique 
> session
> ID and thereby read a user's e-mail-- despite the fact that the site promised
> that e-mail was secure. Dissatisfied with the pace at which Tornado addressed
> the issue (and for other reasons, undoubtedly), McDanel severed his
> employment with them, and went to work for another company.
>
> About six months later, according to defensive filings, McDanel discovered
> that Tornado had never fixed the vulnerability he discovered. Using the 
> moniker
> "Secret Squirrel" he sent a single e-mail to about 5,600 of Tornado's
> customers over the course of three days, staggering the release each day 
> to prevent
> flooding Tornado's e-mail servers.
> To put McDanel in jail, the government adopted a rather unique interpretation
> of the federal computer crime statute.
> The e-mail told Tornado's customers about the vulnerability, and directed
> them to his own website for information about it.
>
> So what did Tornado? First, they scrambled to delete their own customer's
> e-mails (without their permission) to prevent them from learning about the
> vulnerability. Then they took other steps to conceal the hole. Ultimately, 
> they
> fixed the vulnerability, and upgraded their general security.
>
> For his efforts, McDanel was arrested, tried, convicted and sentenced to
> sixteen months in the federal pokey, which he has now served. He has 
> appealed his
> conviction to the federal Ninth Circuit Court of Appeals.
>
> It's important to note that McDanel was prosecuted not for a denial of
> service attack against Tornado by an e-mail flood, but apparently because 
> Tornado,
> and the government, were unhappy with the content of the e-mail message and
> associated webpage -- content that is presumptively protected by the First
> Amendment. The "losses" suffered by Tornado, were only in lost reputation 
> and lost
> clients. There was no evidence that McDanel or anyone else ever exploited the
> vulnerability.
>
> To put McDanel in jail, the government adopted a rather unique interpretation
> of the federal computer crime statute.
>
> The applicable language in the Computer Fraud and Abuse Act make it a crime
> to "knowingly cause the transmission of information and as a result of such
> conduct, intentionally cause any impairment to the integrity or 
> availability of
> data, a program, a system, or information without authorization." Ordinarily,
> this is used to go after people who distribute worms or viruses, mailbombs and
> Trojan horses: things that actually shut down or affect the computer system
> itself.
>
> More Oversight Needed
> In this case, the government argued that the Secret Squirrel's missive itself
> -- whether posted on his own webpage or e-mailed to Tornado's customers (or,
> presumably, posted to any other public source) "impaired the integrity" of
> Tornado's computers or network. The government argued that the message was
> incorrect, useful to would-be attackers, and was intentionally designed to 
> give
> Tornado trouble.
>
> Because McDanel revealed the flaw publicly (having previously revealed it
> privately to Tornado to no avail) he could be prosecuted, because, 
> according to
> the government, "the public now knew about a flaw in the Tornado system, how
> that flaw worked, what that flaw could get somebody who exploited the 
> flaw, and
> in fact a how-to manual about how to exploit that flaw."
>
> Had the government merely gone after McDanel for a spam denial of service, or
> "e-mail bomb" theory, and had they proven that the e-mails themselves slowed
> down or materially impaired the availability of Tornado's computers, there
> would likely be little chance on appeal (though a California State Supreme 
> Court
> decision recently held that a massive e-mail sent by an ex-Intel employee to
> his former colleagues was protected free speech where the effect on the mail
> servers was minimal.) If the e-mail was intended to, and actually operated 
> as, a
> denial of service attack -- well, case closed.
>
> But the government here has stretched the federal computer crime statute to
> include not only attacks on computers or networks, but the dissemination of
> information about vulnerabilities. They've expanding the definition of 
> "impairing
> the integrity" of such affected systems. This is a dangerously slippery
> slope.
>
> There is little doubt that what McDanel did was irresponsible and malicious.
> But, assuming the vulnerability existed, what were his alternatives? He had
> already told senior management about the hole, and they did not fix it. He 
> could
> have told them again, and hoped that they took it more seriously. If he
> threatened to expose the vulnerability to force them to fix it, he could be
> prosecuted for extortion. And posting the vulnerability to a newsgroup or 
> security
> organization, instead of the customers, would be a fruitless exercise 
> unless he
> detailed the entity that was suffering from the hole, and then would-be
> attackers would know who to attack, and Tornado would be in a worse position.
>
> He likewise could have notified some governmental agency -- but frankly,
> there is no government agency with a mandate to provide security advice to 
> e-mail
> carriers. So, he notified Tornado customers directly that their e-mail
> accounts were at risk. He didn't exploit the vulnerability, encourage or 
> conspire
> with others to exploit it. He didn't reveal the vulnerability to an 
> underground
> hacker organization. He told the affected people. For this, he went to jail.
>
> He could have explained to the customers that their information was at risk,
> without revealing quite so much detail. But according to the government's
> theory of liability, this would not have prevented his prosecution. 
> Moreover, as
> is frequently the case with security vulnerabilities, this likely would have
> prompted a quick denial by Tornado that any such bug existed -- and they 
> may or
> may not have fixed them.
>
> Under the theory articulated by the government, the transmission of any
> information that can be used by others to impair the integrity of a 
> computer system
> (or cause loss of reputation) if done without authorization (and who would
> authorize it?) is a federal crime.
>
> The law requires the impairment to be "intentional," but under U.S. case law
> a person is presumed to intend "the natural and probably consequences of his
> or her actions." You know that revealing the vulnerability will embarrass the
> company, and this fact alone "impairs the integrity" of the network, according
> to the government's theory.
>
> If you were to come into my office and ask my legal opinion about whether you
> should reveal a vulnerability under this interpretation of "impairing the
> integrity" of a computer, I would have to tell you that it was a federal 
> felony
> to do so.
>
> What we really need is for Congress to produce stringent guidelines for
> prosecutors about what kinds of conduct "impairs" integrity, and therefore 
> runs
> afoul of the criminal law. These guidelines should be binding on all 
> federal and
> state prosecutors so there is a clear understanding about what people in
> McDanel's position are permitted to do.
>
> A code of conduct for security specialists with clear guidelines on what they
> can do when a company or entity refuses to fix a vulnerability would be
> helpful as well. Until then, as the canny desk sergeant in Hill Street 
> Blues used
> to say, "Let's be careful out there."
>
>
>
>
>
>
>
>
> SecurityFocus columnist Mark D. Rasch, J.D., is a former head of the Justice
> Department's computer crime unit, and now serves as Senior Vice President and
> Chief Security Counsel at Solutionary Inc.

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/