From: steve at stevesworld.hopto.org (Stephen Clowater)
Subject: Disclose a bug, do not pass go, go directly to jail

----- Original Message ----- 
From: "Richard M. Smith" <rms@...puterbytesman.com>
To: "'Matthew McGehrin'" <mcgehrin@...erse.net>; "'Stephen Clowater'"
<steve@...vesworld.hopto.org>
Sent: Friday, August 08, 2003 1:51 PM
Subject: RE: [Full-Disclosure] Disclose a bug, do not pass go, go directly
to jail


> My understanding is that the 14,000 messages went to Tornado's customer.
> 14,000 messages doesn't sound like a lot of messages to deliver for a
> company that was in the messaging business.

Exactly, and they were all legitimate emails too. However, what they did
charge him with was a ddos attack, so basically they just said that 14 000
emails was him attempting to dos the mail servers. And under that statute it
was illegal.

>
> My impression is that this case was a misuse of the criminal justice
> system.  Tornado should have taken Bret to civil court if he went public
> with company confidential information.

This was my impression as well. While 'technically' it may have been legal,
it was definitely a miscarriage of justice by any means. A civil suit, maybe,
I doubt if you could sell something that sneaky to 12 people in a box, but
at the same time, it's a blatant miscarriage to send someone to jail for this.
Based on the findings of the USC.

>
> Looks like Tornado was a typical dot-bomb company and is now out of
> business.

Yes, it was, any company who has plain text credentials going over the
network has no business selling software.

>
> Richard
>
> -----Original Message-----
> From: Matthew McGehrin [mailto:mcgehrin@...erse.net]
> Sent: Friday, August 08, 2003 12:44 PM
> To: Richard M. Smith; 'Stephen Clowater'
> Subject: Re: [Full-Disclosure] Disclose a bug, do not pass go, go
> directly to jail
>
>
> You're missing the point.
>
> He's not a traditional spammer. He spammed his former employer to get
> revenge on them firing him. The messages created a DoS for the company.

I don't think this was a spam, I think this was something else, if he wanted
to dos the company, why send only 14 000 mails? Dos tools like octopus make
well over a million connections to take down send mail boxes.

The company _said_ their servers went down because of the traffic, but an
internal memo was leaked to cnn a few weeks later saying that they had
taken the network down themselves to fix the problem. And before the
network went down the vulnerability was there, and when it went back up it
wasn't.

Also, it doesn't make sense that 14 000 mails would kill a *nix based mail
server, I'm not sure if they were using exchange or sendmail at the time, if
it was an exchange box it probably would have been possible, but as Richard
said, 14 000 messages isn't a lot of messages for a company who is in the
messaging business. These people definitely had a cluster of mailservers. No
doubt. So it doesn't make sense by any logic that 14 000 emails would take
down their network.

>
> -- Matthew
>
> He spammed his former company creating a DoS.
> ----- Original Message -----
> From: "Richard M. Smith" <rms@...puterbytesman.com>
> To: "'Stephen Clowater'" <steve@...vesworld.hopto.org>;
> <full-disclosure@...ts.netsys.com>
> Sent: Friday, August 08, 2003 11:51 AM
> Subject: RE: [Full-Disclosure] Disclose a bug, do not pass go, go
> directly
> to jail
>
>
> > I just found this FBI press release on the case which says something a
> > bit different.  It claims that Bret set up a Web site that give details
> > of the problem:
> >
> > http://www.fbi.gov/fieldnews/march/la032503.htm
>
>

