
[infowar.de] The sad tale of a security whistleblower



Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------

And here is the original report on SecurityFocus.
RB

http://www.securityfocus.com/columnists/179

The sad tale of a security whistleblower 

By Mark Rasch, SecurityFocus
Posted: 18/08/2003 at 12:19 GMT
   
Opinion

Previous articles in this space have discussed whether security
professionals can go to jail for doing things like demonstrating the
insecurity of a wireless network, or conducting a throughput test on a
system without permission. Now, a new and unwarranted extension of the
US computer crime law shows that you can go to jail for simply telling
potential victims that their data is vulnerable. 

By explaining how the vulnerability worked, and why customer data was at
risk, prosecutors asserted, the security specialist "impaired the
integrity" of the affected network. It is now up to a federal appellate
court to determine whether this interpretation of the law is to stand.
If it does, it could mean a dramatic decline in postings to Bugtraq,
CERT, or other public fora. 

Bret McDanel was dissatisfied with his former employer, Tornado
Development, Inc. Tornado provided Internet access and web-based email
to its clients. However, McDanel apparently discovered a flaw in the
web-mail that would permit malicious users to piggyback a previous
secure session, grab the unique session ID and thereby read a user's
email - despite the fact that the site promised that email was secure.
Dissatisfied with the pace at which Tornado addressed the issue (and for
other reasons, undoubtedly), McDanel severed his employment with them,
and went to work for another company. 

About six months later, according to defensive filings, McDanel
discovered that Tornado had never fixed the vulnerability he discovered.
Using the moniker "Secret Squirrel" he sent a single email to about 5600
of Tornado's customers over the course of three days, staggering the
release each day to prevent flooding Tornado's email servers. 

The email told Tornado's customers about the vulnerability, and directed
them to his own website for information about it. 

So what did Tornado do? First, they scrambled to delete their own
customers' emails (without their permission) to prevent them from
learning about the vulnerability. Then they took other steps to conceal
the hole. Ultimately, they fixed the vulnerability, and upgraded their
general security. 

For his efforts, McDanel was arrested, tried, convicted and sentenced to
16 months in the federal pokey, which he has now served. He has appealed
his conviction to the federal Ninth Circuit Court of Appeals. 

It's important to note that McDanel was prosecuted not for a denial of
service attack against Tornado by an email flood, but apparently because
Tornado, and the government, were unhappy with the content of the email
message and associated web page - content that is presumptively
protected by the First Amendment. The "losses" suffered by Tornado were
only in lost reputation and lost clients. There was no evidence that
McDanel or anyone else ever exploited the vulnerability. 

To put McDanel in jail, the government adopted a rather unique
interpretation of the federal computer crime statute. 

The applicable language in the Computer Fraud and Abuse Act makes it a
crime to "knowingly cause the transmission of information and as a
result of such conduct, intentionally cause any impairment to the
integrity or availability of data, a program, a system, or information
without authorisation." Ordinarily, this is used to go after people who
distribute worms or viruses, mailbombs and Trojan horses: things that
actually shut down or affect the computer system itself. 

More Oversight Needed 

In this case, the government argued that the Secret Squirrel's missive
itself - whether posted on his own webpage or emailed to Tornado's
customers (or, presumably, posted to any other public source) "impaired
the integrity" of Tornado's computers or network. The government argued
that the message was incorrect, useful to would-be attackers, and was
intentionally designed to give Tornado trouble. 

Because McDanel revealed the flaw publicly (having previously revealed
it privately to Tornado to no avail) he could be prosecuted, because,
according to the government, "the public now knew about a flaw in the
Tornado system, how that flaw worked, what that flaw could get somebody
who exploited the flaw, and in fact a how-to manual about how to exploit
that flaw". 

Had the government merely gone after McDanel for a spam denial of
service, or "email bomb" theory, and had they proven that the emails
themselves slowed down or materially impaired the availability of
Tornado's computers, there would likely be little chance on appeal
(though a California State Supreme Court decision recently held that a
massive email sent by an ex-Intel employee to his former colleagues was
protected free speech where the effect on the mail servers was minimal.)
If the email was intended to, and actually operated as, a denial of
service attack - well, case closed. 

But the government here has stretched the federal computer crime statute
to include not only attacks on computers or networks, but the
dissemination of information about vulnerabilities. They've expanded
the definition of "impairing the integrity" of such affected systems.
This is a dangerously slippery slope. 

There is little doubt that what McDanel did was irresponsible and
malicious. But, assuming the vulnerability existed, what were his
alternatives? He had already told senior management about the hole, and
they did not fix it. He could have told them again, and hoped that they
took it more seriously. If he threatened to expose the vulnerability to
force them to fix it, he could be prosecuted for extortion. And posting
the vulnerability to a newsgroup or security organisation, instead of
the customers, would be a fruitless exercise unless he detailed the
entity that was suffering from the hole, and then would-be attackers
would know who to attack, and Tornado would be in a worse position. 

He likewise could have notified some governmental agency - but frankly,
there is no government agency with a mandate to provide security advice
to email carriers. So, he notified Tornado customers directly that their
email accounts were at risk. He didn't exploit the vulnerability,
encourage or conspire with others to exploit it. He didn't reveal the
vulnerability to an underground hacker organisation. He told the
affected people. For this, he went to jail. 

He could have explained to the customers that their information was at
risk, without revealing quite so much detail. But according to the
government's theory of liability, this would not have prevented his
prosecution. Moreover, as is frequently the case with security
vulnerabilities, this likely would have prompted a quick denial by
Tornado that any such bug existed - and they may or may not have fixed
it. 

Under the theory articulated by the government, the transmission of any
information that can be used by others to impair the integrity of a
computer system (or cause loss of reputation) if done without
authorisation (and who would authorise it?) is a federal crime. 

The law requires the impairment to be "intentional," but under US case
law a person is presumed to intend "the natural and probable
consequences of his or her actions." You know that revealing the
vulnerability will embarrass the company, and this fact alone "impairs
the integrity" of the network, according to the government's theory. 

If you were to come into my office and ask my legal opinion about
whether you should reveal a vulnerability under this interpretation of
"impairing the integrity" of a computer, I would have to tell you that
it was a federal felony to do so. 

What we really need is for Congress to produce stringent guidelines for
prosecutors about what kinds of conduct "impairs" integrity, and
therefore runs afoul of the criminal law. These guidelines should be
binding on all federal and state prosecutors so there is a clear
understanding about what people in McDanel's position are permitted to
do. 

A code of conduct for security specialists with clear guidelines on what
they can do when a company or entity refuses to fix a vulnerability
would be helpful as well. Until then, as the canny desk sergeant in Hill
Street Blues used to say, "Let's be careful out there." 

SecurityFocus columnist Mark D Rasch, J.D., is a former head of the
Justice Department's computer crime unit, and now serves as Senior VP
and Chief Security Counsel at Solutionary, Inc.

---------------------------------------------------------------
Leave the list: 
Mail to infowar -
 de-request -!
- infopeace -
 de with "unsubscribe" in the text.