lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <ILEPILDHBOLAHHEIMALBKECGGJAA.jasonc@science.org>
Date: Wed, 20 Aug 2003 09:10:07 -1000
From: "Jason Coombs" <jasonc@...ence.org>
To: "InfoSec News" <isn@....org>, <isn@...rition.org>
Cc: "Bugtraq@...urityfocus. Com" <bugtraq@...urityfocus.com>,
   <full-disclosure@...ts.netsys.com>
Subject: RE: [ISN] The sad tale of a security whistleblower


This e-mail is in response to the following opinion article about the Bret
McDanel "Secret Squirrel" prosecution by Tornado Development, Inc.

> By Mark Rasch
> SecurityFocus
> Posted: 18/08/2003

> There is little doubt that what McDanel did was
> irresponsible and malicious.

Mark Rasch made a grave mistake when he came to the conclusion that McDanel's
"Secret Squirrel" e-mail to Tornado's customers was "irresponsible and
malicious". There is significant doubt that the act was malicious. As for
irresponsible, there is less doubt that McDanel's act was irresponsible --
McDanel should not have attempted to take the matter into his own hands by
communicating directly with Tornado's customers. He should have disclosed the
vulnerability in a public forum, instead.

> And posting the vulnerability to a newsgroup or security
> organisation, instead of the customers, would be a fruitless exercise
> unless he detailed the entity that was suffering from the hole, and
> then would-be attackers would know who to attack, and Tornado would be
> in a worse position.

Tornado would have been in a worse position but McDanel would have been in a
much better position. By attempting to communicate directly with affected
individuals through private correspondence, McDanel's act of disclosure became
something unusual. If not for the unusual nature of this communication, which
was outside the norm for information security research whose aim and goal is
to inform, educate, and find solutions to security problems, the prosecution
would have had a more difficult time pressing forward with the case. Even if a
trial did result, the jury would have been presented with a very different
scenario.

We can't know for sure that the verdict would have been different, of course,
but when I'm arrested and prosecuted for disclosing the details of a security
vulnerability, I personally want the jury to be forced to contemplate the fact
that convicting me is the same as convicting every single other honest
information security professional for doing our jobs and following a
reasonable standard of practice.

The slippery slope we should all be most concerned about is the one that
attempts to equate full disclosure with criminal activity. The slippery slope
in the McDanel case is a more conventional abuse of power, malicious
prosecution, and people and businesses who don't give proper consideration to
the civil liability they create for themselves when they attempt to interfere
with other people's rights and other people's opportunities to avail
themselves of the protections of law. The law was supposed to protect McDanel
in this circumstance and other people's practice of law and abuse of process
let him down.

But he should have known that posting the vulnerability to a public forum was
the right and proper course of action. Unfortunately, there are vocal people
and companies who try to conceal this truth in mumbo jumbo, and by so doing
gain additional power and legal leverage for themselves to the extent that
anyone else believes in it.

Sincerely,

Jason Coombs
jasonc@...ence.org

-----Original Message-----
From: owner-isn@...rition.org [mailto:owner-isn@...rition.org]On Behalf
Of InfoSec News
Sent: Tuesday, August 19, 2003 2:10 AM
To: isn@...rition.org
Subject: [ISN] The sad tale of a security whistleblower


http://www.theregister.co.uk/content/55/32381.html

By Mark Rasch
SecurityFocus
Posted: 18/08/2003

...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ