lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
From: rms at computerbytesman.com (Richard M. Smith)
Subject: Disclose a bug, do not pass go, go directly to jail

Does anyone know if this Tornado bug was ever disclosed on Bugtraq or
any other security list?

For the description of this incident, it sounds to me like there might
be a civil case against Mr. McDanel, since he worked for Tornado and
likely signed some sort of employee agreement, but this hardly qualifies
as a criminal matter.

Richard

Jailbird appeals in bug disclosure case
http://www.theregister.co.uk/content/55/32237.html
By SecurityFocus
Posted: 08/08/2003 at 07:45 GMT
      
Bret McDanel already served his 16 months in federal prison for
violating the Federal Computer Fraud and Abuse Act. Now he wants to
clear his record. 

McDanel was wrongly convicted under the federal computer fraud statute,
criminal code 18 U.S.C. 1030, claims a 62-page appeal filed on McDanel's
behalf by his new attorney, Jennifer Granick, clinical director for the
Center for Internet and Society at Stanford Law School. The criminal
code was misinterpreted to bring about his conviction, and McDanel's
public defender denied him a fair trial, asserts the brief, filed
Wednesday in the Ninth Circuit Court of Appeals. 

Between August 31 and September 5th, 2000, the 29-year-old McDanel,
under the moniker, "Secret Squirrel," sent 5,600 e-mail letters to
customers of his former employer, Tornado Development, Inc., a Los
Angeles-based unified messaging business that provided Web-based e-mail,
voice mail and other communications. McDanel's e-mails informed
Tornado's customers of a serious vulnerability in the e-mail system
which left e-mail login credentials, called Network Identifiers or NIDs,
in plain view in their Web browser address boxes, which could then be
scooped up by Web sites that harvest surfing information from visitors'
browsers. 

According to prosecutors, McDanel intended to cause damage to Tornado's
mail server by overloading it with too many messages, and caused a
costly public relations problem by making public confidential
information that was damaging to Tornado's reputation. 

But the appeal brief claims that the e-mails did not cause a denial of
service. Instead, the systems were taken down to repair the security
flaw, which McDanel had pointed out a year earlier at Tornado. 

The government's other argument was that McDaniel impaired system
integrity by exposing the vulnerability publicly. Granick says that
doesn't fly under existing law. 

....

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ