
List:       dmca-discuss
Subject:    [DMCA_Discuss] Vague laws make high-tech whistle-blowers wary
From:       Vladimir Katalov <vkatalov () elcomsoft ! com>
Date:       2003-10-27 9:45:20


Vague laws make high-tech whistle-blowers wary
By Matthew Fordahl, Associated Press
October 27, 2003

http://www.rockymountainnews.com/drmn/technology/article/0,1299,DRMN_49_2378877,00.html


SAN JOSE, Calif. - Computer administrator Bret McDanel discovered a
security flaw in his company's software. He warned his managers. They
ignored his pleas. So he quit and fired off thousands of e-mails
alerting customers to the problem.

The vulnerability at Tornado Development Inc. finally got fixed. But
McDanel was charged and convicted of causing damage under the federal
Computer Fraud and Abuse Act.

McDanel, 30, maintains he was merely a whistle-blower doing the right
thing. More remarkable is that prosecutors now agree. Earlier this
month, after McDanel served his sentence of 16 months in a federal
lockup, they asked an appeals court to reverse his conviction.

The case illustrates the danger that vague laws pose in attempting to
govern the tangled complexities of technology. And though McDanel's
plight is on the verge of resolution, his experience has had a
chilling effect on open discussions of computer security, experts say.

That can be dangerous because malicious hackers have proven to be
quite capable of discovering and exploiting flaws that are kept secret
from everyone else.

"Security researchers have to think that speaking out is dangerous
when they hear about a prosecution like this," said Jennifer Granick,
the attorney handling McDanel's appeal.

Ignorance of the intricacies of high-tech has led to laws that are
easy to misinterpret. Lawmakers, prosecutors and judges often don't
understand the difference between bona fide security research and
hacking.

It can be very difficult for people who barely understand e-mail to
grasp the difference between ethically sound network vulnerability
research and the public disclosure of vulnerabilities, said Daniel
Ingevaldson, engineering manager of Internet Security Systems, a
computer security firm.

And that, Granick says, is at the heart of McDanel's case. 

In 1999 and early 2000, McDanel worked at El Segundo, Calif.-based
Tornado, which offered a unified messaging service that let customers
retrieve e-mail, voice mail and faxes through a single Web site. The
company went out of business in 2002.

McDanel discovered that if a user sent a Web address as part of an
e-mail, recipients and other outsiders would be able to gain access to
the sender's account. Everyone agrees that McDanel warned his
supervisors and that they declined to fix the problem.

After leaving the company for other reasons, McDanel learned that the
problem still had not been fixed and decided to launch his e-mails to
customers.

During the trial, prosecutors described the barrage - 5,600 e-mails
sent in late summer 2000 - as a crippling attack that crashed
Tornado's e-mail servers and caused more than $5,000 in damage, a
threshold in the law.

In her appeal, Granick said the dollar amount was inflated because it
included the cost of Tornado's own efforts to hide the problem.

McDanel was convicted in a nonjury trial on June 25, 2002. His
sentence of 16 months was the maximum at the time; the limit is now
two years.

"What's happened here is you have this perfect storm of a vague
statute, a kind of general ignorance about computers and computer
security and a system where prosecutors get a lot of press and money
for pursuing computer crime cases," Granick said.

For instance, the Computer Fraud and Abuse Act bars anyone from
sending information, with the intent to cause damage, to a protected
computer. But the law's definition of damage includes "impairment to
integrity" of a system or data - a phrase so ambiguous that a judge in
an unrelated 2000 case resorted to a dictionary for clarification.

In McDanel's case, prosecutors claimed and the judge agreed that
"impairment to integrity" includes the publication of a security
vulnerability.

In other words, the conviction hinged on McDanel's message, not just
his method.

"He let people know it was insecure," said Granick, who is executive
director of Stanford Law School's Center for Internet and Society.
"And that required them to fix it and deal with angry customers - the
theory being they didn't have to fix it as long as nobody knew about
it."

Such no-fix practices are disparagingly known among techies as
"security through obscurity." But now that worms, viruses and hackers
are repeatedly exploiting vulnerabilities that had been kept quiet for
years, many companies have had a change of heart.

The Justice Department's approach to such cases is now apparently
evolving as well, as evidenced by prosecutors' motion with the 9th
U.S. Circuit Court of Appeals in San Francisco to have McDanel's
conviction overturned.

"This case was brought in good faith. It was litigated in good faith.
It resulted in a conviction by a federal judge," said Thom Mrozek,
U.S. attorney's spokesman in Los Angeles. "Our good faith is
demonstrated again by our steps to have this conviction reversed."

McDanel didn't have a clean record before the Tornado incident. 

He was indicted for allegedly changing the passwords of servers
operated by Morristown, N.J., Internet service provider GTI, where he
once worked. He allegedly refused to disclose the passwords until he
received pay for his final days at work.

That case is still pending. 

A woman who answered the phone at McDanel's parents' house, where he
has been living since his release from prison in Los Angeles, said he
was not speaking to reporters.

Christopher Wolf, an Internet law specialist at Proskauer Rose, a firm
in Washington, D.C., said the Tornado case is unusual but should make
prosecutors think twice.

"It will likely put prosecutors on more notice that you can't assume
that somebody doing what this guy did is necessarily a bad actor," he
said.

Would-be whistle-blowers also need to worry about the Digital
Millennium Copyright Act, which restricts discussion of technology
used to protect digital content. Several legal rights groups have
questioned that law's wide powers.

_______________________________________________


------------------------
http://www.anti-dmca.org
------------------------

DMCA_Discuss mailing list
DMCA_Discuss@lists.microshaft.org
http://lists.microshaft.org/mailman/listinfo/dmca_discuss

