Re: [Full-Disclosure] Disclose a bug, do not pass go, go directly to jail

From: Stephen Clowater (steve_at_stevesworld.hopto.org)
Date: 08/08/03

    To: "Richard M. Smith" <rms@computerbytesman.com>, <full-disclosure@lists.netsys.com>
    Date: Fri, 8 Aug 2003 15:32:23 -0300
    
    

    No, Bret had fears that the bug may be exploited once it was disclosed on a
    list, so he emailed the customers to only let them know about the bug, in
    hopes of heading off a mass-owning of the software while making sure the
    customers were informed, so that the bug would be fixed.

    Or that was what he testified to when he took the stand, and he maintained
    it during cross-examinations.

    ----- Original Message -----
    From: "Richard M. Smith" <rms@computerbytesman.com>
    To: <full-disclosure@lists.netsys.com>
    Sent: Friday, August 08, 2003 11:18 AM
    Subject: [Full-Disclosure] Disclose a bug, do not pass go, go directly to jail

    > Does anyone know if this Tornado bug was ever disclosed on Bugtraq or
    > any other security list?
    >
    > For the description of this incident, it sounds to me like there might
    > be a civil case against Mr. McDanel, since he worked for Tornado and
    > likely signed some sort of employee agreement, but this hardly qualifies
    > as a criminal matter.
    >
    > Richard
    >
    > Jailbird appeals in bug disclosure case
    > http://www.theregister.co.uk/content/55/32237.html
    > By SecurityFocus
    > Posted: 08/08/2003 at 07:45 GMT
    >
    > Bret McDanel already served his 16 months in federal prison for
    > violating the Federal Computer Fraud and Abuse Act. Now he wants to
    > clear his record.
    >
    > McDanel was wrongly convicted under the federal computer fraud statute,
    > criminal code 18 U.S.C. 1030, claims a 62-page appeal filed on McDanel's
    > behalf by his new attorney, Jennifer Granick, clinical director for the
    > Center for Internet and Society at Stanford Law School. The criminal
    > code was misinterpreted to bring about his conviction, and McDanel's
    > public defender denied him a fair trial, asserts the brief, filed
    > Wednesday in the Ninth Circuit Court of Appeals.
    >
    > Between August 31 and September 5th, 2000, the 29-year-old McDanel,
    > under the moniker, "Secret Squirrel," sent 5,600 e-mail letters to
    > customers of his former employer, Tornado Development, Inc., a Los
    > Angeles-based unified messaging business that provided Web-based e-mail,
    > voice mail and other communications. McDanel's e-mails informed
    > Tornado's customers of a serious vulnerability in the e-mail system
    > which left e-mail login credentials, called Network Identifiers or NIDs,
    > in plain view in their Web browser address boxes, which could then be
    > scooped up by Web sites that harvest surfing information from visitors'
    > browsers.
    >
    > According to prosecutors, McDanel intended to cause damage to Tornado's
    > mail server by overloading it with too many messages, and caused a
    > costly public relations problem by making public confidential
    > information that was damaging to Tornado's reputation.
    >
    > But the appeal brief claims that the e-mails did not cause a denial of
    > service. Instead, the systems were taken down to repair the security
    > flaw, which McDanel had pointed out a year earlier at Tornado.
    >
    > The government's other argument was that McDanel impaired system
    > integrity by exposing the vulnerability publicly. Granick says that
    > doesn't fly under existing law.
    >
    > ....
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

