| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: jasonc at science.org (Jason Coombs) Subject: RE: [ISN] The sad tale of a security whistleblower This e-mail is in response to the following opinion article about the Bret McDanel "Secret Squirrel" prosecution by Tornado Development, Inc. > By Mark Rasch > SecurityFocus > Posted: 18/08/2003 > There is little doubt that what McDanel did was > irresponsible and malicious. Mark Rasch made a grave mistake when he came to the conclusion that McDanel's "Secret Squirrel" e-mail to Tornado's customers was "irresponsible and malicious". There is significant doubt that the act was malicious. As for irresponsible, there is less doubt that McDanel's act was irresponsible -- McDanel should not have attempted to take the matter into his own hands by communicating directly with Tornado's customers. He should have disclosed the vulnerability in a public forum, instead. > And posting the vulnerability to a newsgroup or security > organisation, instead of the customers, would be a fruitless exercise > unless he detailed the entity that was suffering from the hole, and > then would-be attackers would know who to attack, and Tornado would be > in a worse position. Tornado would have been in a worse position but McDanel would have been in a much better position. By attempting to communicate directly with affected individuals through private correspondence, McDanel's act of disclosure became something unusual. If not for the unusual nature of this communication, which was outside the norm for information security research whose aim and goal is to inform, educate, and find solutions to security problems, the prosecution would have had a more difficult time pressing forward with the case. Even if a trial did result, the jury would have been presented with a very different scenario. We can't know for sure that the verdict would have been different, of course, but when I'm arrested and prosecuted for disclosing the details of a security vulnerability, I personally want the jury to be forced to contemplate the fact that convicting me is the same as convicting every single other honest information security professional for doing our jobs and following a reasonable standard of practice. The slippery slope we should all be most concerned about is the one that attempts to equate full disclosure with criminal activity. The slippery slope in the McDanel case is a more conventional abuse of power, malicious prosecution, and people and businesses who don't give proper consideration to the civil liability they create for themselves when they attempt to interfere with other people's rights and other people's opportunities to avail themselves of the protections of law. The law was supposed to protect McDanel in this circumstance and other people's practice of law and abuse of process let him down. But he should have known that posting the vulnerability to a public forum was the right and proper course of action. Unfortunately, there are vocal people and companies who try to conceal this truth in mumbo jumbo, and by so doing gain additional power and legal leverage for themselves to the extent that anyone else believes in it. Sincerely, Jason Coombs jasonc@...ence.org -----Original Message----- From: owner-isn@...rition.org [mailto:owner-isn@...rition.org]On Behalf Of InfoSec News Sent: Tuesday, August 19, 2003 2:10 AM To: isn@...rition.org Subject: [ISN] The sad tale of a security whistleblower http://www.theregister.co.uk/content/55/32381.html By Mark Rasch SecurityFocus Posted: 18/08/2003 ...
Powered by blists - more mailing lists