[Full-Disclosure] RE: [ISN] The sad tale of a security whistleblower

From: Jason Coombs (jasonc_at_science.org)
Date: 08/20/03

    To: "InfoSec News" <isn@c4i.org>, <isn@attrition.org>
    Date: Wed, 20 Aug 2003 09:10:07 -1000
    This e-mail is in response to the following opinion article about the Bret
    McDanel "Secret Squirrel" prosecution by Tornado Development, Inc.

    > By Mark Rasch
    > SecurityFocus
    > Posted: 18/08/2003

    > There is little doubt that what McDanel did was
    > irresponsible and malicious.

    Mark Rasch made a grave mistake when he came to the conclusion that McDanel's
    "Secret Squirrel" e-mail to Tornado's customers was "irresponsible and
    malicious". There is significant doubt that the act was malicious. As for
    irresponsible, there is less doubt that McDanel's act was irresponsible --
    McDanel should not have attempted to take the matter into his own hands by
    communicating directly with Tornado's customers. He should have disclosed the
    vulnerability in a public forum, instead.

    > And posting the vulnerability to a newsgroup or security
    > organisation, instead of the customers, would be a fruitless exercise
    > unless he detailed the entity that was suffering from the hole, and
    > then would-be attackers would know who to attack, and Tornado would be
    > in a worse position.

    Tornado would have been in a worse position but McDanel would have been in a
    much better position. By attempting to communicate directly with affected
    individuals through private correspondence, McDanel's act of disclosure became
    something unusual. If not for the unusual nature of this communication, which
    was outside the norm for information security research whose aim and goal is
    to inform, educate, and find solutions to security problems, the prosecution
    would have had a more difficult time pressing forward with the case. Even if a
    trial did result, the jury would have been presented with a very different
    scenario.

    We can't know for sure that the verdict would have been different, of course,
    but when I'm arrested and prosecuted for disclosing the details of a security
    vulnerability, I personally want the jury to be forced to contemplate the fact
    that convicting me is the same as convicting every single other honest
    information security professional for doing our jobs and following a
    reasonable standard of practice.

    The slippery slope we should all be most concerned about is the one that
    attempts to equate full disclosure with criminal activity. The slippery slope
    in the McDanel case is a more conventional abuse of power, malicious
    prosecution, and people and businesses who don't give proper consideration to
    the civil liability they create for themselves when they attempt to interfere
    with other people's rights and other people's opportunities to avail
    themselves of the protections of law. The law was supposed to protect McDanel
    in this circumstance and other people's practice of law and abuse of process
    let him down.

    But he should have known that posting the vulnerability to a public forum was
    the right and proper course of action. Unfortunately, there are vocal people
    and companies who try to conceal this truth in mumbo jumbo, and by so doing
    gain additional power and legal leverage for themselves to the extent that
    anyone else believes in it.

    Sincerely,

    Jason Coombs
    jasonc@science.org

    -----Original Message-----
    From: owner-isn@attrition.org [mailto:owner-isn@attrition.org]On Behalf
    Of InfoSec News
    Sent: Tuesday, August 19, 2003 2:10 AM
    To: isn@attrition.org
    Subject: [ISN] The sad tale of a security whistleblower

    http://www.theregister.co.uk/content/55/32381.html

    By Mark Rasch
    SecurityFocus
    Posted: 18/08/2003

    ...

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
