Whistle Blower in Prison for Disclosing Security Hole? More insightfull details from an insider (unconfirmed yet)

[Dave Farber <dave () farber net>]

> Date: Wed, 20 Aug 2003 22:11:34 +0200
> From: Egor Kobylkin <egor () kobylkin com>
> Subject: For IP: Whistle Blower in Prison for Disclosing Security Hole? More
>  insightfull details from an insider (unconfirmed yet)
> To: dave () farber net
>
>
> >
> ----------------------------------------------------------------------
> > From: Dave Farber <dave () farber net>
> > Subject: Whistle Blower in Prison for Disclosing
> >   Security Hole? (fwd)
> > Date: Tue, 19 Aug 2003 18:03:35 -0400
> ....
> > >The Sad Tale of a Security Whistleblower
> > >Federal prosecutors in California went too far when they put a man
> in prison
> > >for disclosing a website security hole to the people at risk from
> it.
> > >By Mark Rasch Aug 18 2003 05:00AM PT
> > > ....
>
> Dave, there is a very interesting and insightfull comment posted to
> the same site by somebody claiming to be an insider. I want to point
> your attention, because the fact that the Whistleblower (former
> employee) was able to collect 5,600 user email addresses of his
> former employer to sent his email to, itself raises serious doubts of
> his personal integrity. So I would rather take the content of the
> article with a grain of salt and pay attention to the comment below:
>
> http://www.securityfocus.com/columnists/179/comment/21596#MSG
> I was there when this happened
> by Anonymous
> Aug 19 2003 6:46AM
>
> I can confirm that Bret McDanel is no hero. He's actually quite an
> asshole. The kind of guy who spits out a nasty insult about reading
> the man page when you ask him how to set up a VPN so you can help a
> customer. He seemed to really enjoy carrying grudges against people.
> I had the distinct displeasure of working with him at Tornado, I was
> the on-duty sysadmin when the attack occurred, and I was one of the
> witnesses at the trial against him.
>
> Bret was not prosecuted for revealing a security vulnerability. He was
> prosecuted for DOS'ing our server. He sent 14,000 emails to our
> system, and it overloaded and stopped accepting mail. He did this
> several times, and knew it overloaded the system when he did it, and
> knew the FBI had been called after the first time, so nobody needs to
> feel sorry for him. Holding him up as a martyr or hero is just
> asinine, but it speaks volumes about how our media works these days.
>
> Of course, there's plenty of culpability to go around...the main
> server was a Sun Enterprise 4500 with 4x450 CPU and 4Gb RAM. A
> machine like that should swallow 14,000 emails without a trace. Of
> course, Tornado's brain-dead custom system implementation meant that
> every single incoming email spawned off an SQL script to take the
> message apart and inject it into the database, and a shell process to
> control the SQL script. The system load went over 100. I had to write
> a script to kill off all the processes. Since the load was so high,
> sendmail stopped accepting incoming mail and the rest of the spam
> piled up on the backup server, where it was rm'd. So, it was Bret's
> fault for spamming us, but it was Tornado's fault for such a
> painfully bad email processing method. This actually raises the most
> interesting question of all, is it a crime to knock down a system
> that was incompetently implemented?
>
> Of course, the email system was not the only part of the system that
> was breakable...we had system outages several times a week from
> different causes, and really, the Bret thing was not that bad, being
> in that it was easily identifiable and fixable.
>
> Another fun thing was that Tornado initially claimed $300,000 in
> losses from the incident. This is important because the FBI will not
> get involved with anything under $50,000. This figure was later
> reduced (much, much later) to $9,000. Oh yeah, what else...Tornado's
> great email implementation also meant that we had to run an open
> relay, which was frequently abused. We sent out hundreds of thousands
> of nigerian bank account emails. A manager who took a stand and
> turned off the relaying one weekend was demoted and ultimately fired.
> Basically Tornado was a bunch of Windows developers who couldn't use
> Windows to implement their custom email/fax/paging application
> because Windows wouldn't scale to the sizes they needed. So they had
> to use Unix, and they didn't know anything about Unix, and they made
> just about all of the predictable errors that the ignorant make.
>
> In conclusion, it's scary that every time this story comes up, there's
> a different (wrong) angle on it.
> --
> Egor Kobylkin.com
> Emails welcome in English, German, Russian and Spanish

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/