[ISN] The sad tale of a security whistleblower

From: InfoSec News (isnat_private)
Date: Tue Aug 19 2003 - 05:09:45 PDT


    http://www.theregister.co.uk/content/55/32381.html
    
    By Mark Rasch
    SecurityFocus
    Posted: 18/08/2003
    
    Opinion 
    
    Previous articles in this space have discussed whether security
    professionals can go to jail for doing things like demonstrating the
    insecurity of a wireless network, or conducting a throughput test on a
    system without permission. Now, a new and unwarranted extension of the
    US computer crime law shows that you can go to jail for simply telling
    potential victims that their data is vulnerable.
    
    By explaining how the vulnerability worked, and why customer data was
    at risk, prosecutors asserted, the security specialist "impaired the
    integrity" of the affected network. It is now up to a federal
    appellate court to determine whether this interpretation of the law is
    to stand. If it does, it could mean a dramatic decline in postings to
    Bugtraq, CERT, or other public fora.
    
    Bret McDanel was dissatisfied with his former employer, Tornado
    Development, Inc. Tornado provided Internet access and web-based email
    to its clients. However, McDanel apparently discovered a flaw in the
    web-mail that would permit malicious users to piggyback a previous
    secure session, grab the unique session ID and thereby read a user's
    email - despite the fact that the site promised that email was secure.  
    Dissatisfied with the pace at which Tornado addressed the issue (and
    for other reasons, undoubtedly), McDanel severed his employment with
    them, and went to work for another company.
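    The article gives only a one-sentence description of the flaw: an
    attacker could piggyback a previous session and reuse its session ID to
    read another user's mail. The Python below is an added illustration of
    that general class of web-mail session weakness, not the original
    article's code and not a reconstruction of Tornado's actual
    implementation, which the article does not describe. It models a toy
    session store in which an issued ID is never invalidated or expired
    beside a hardened one that forgets the ID on logout and enforces idle
    and absolute lifetimes; the mailbox contents, usernames, and timeouts
    are constructed for the example.

```python
"""Two toy web-mail session stores: one that never invalidates a session ID
(the general class of flaw described above) and one that does."""
import secrets
import time

# Constructed sample data standing in for a customer's inbox.
MAILBOXES = {"alice": ["Invoice #1 (constructed)", "Reset your password (constructed)"]}


class NeverInvalidatedSessions:
    """Weak design: an ID issued at login stays valid until the server restarts.
    'Logout' is purely cosmetic, so anyone who later obtains an old ID can
    piggyback the session and read the mailbox."""

    def __init__(self):
        self._sessions = {}  # sid -> username

    def login(self, user):
        sid = secrets.token_hex(16)
        self._sessions[sid] = user
        return sid

    def logout(self, sid):
        pass  # the flaw: nothing is forgotten server-side

    def read_mail(self, sid):
        user = self._sessions.get(sid)
        if user is None:
            raise PermissionError("no such session")
        return MAILBOXES[user]


class HardenedSessions:
    """Invalidate on logout and enforce idle and absolute lifetimes, so a
    captured ID is only useful while the legitimate session is still live."""

    IDLE_SECONDS = 15 * 60        # assumed policy values for the example
    ABSOLUTE_SECONDS = 8 * 3600

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable so expiry can be tested
        self._sessions = {}       # sid -> {"user", "created", "last_seen"}

    def login(self, user):
        now = self._clock()
        sid = secrets.token_urlsafe(32)  # 256 random bits; not guessable
        self._sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def logout(self, sid):
        self._sessions.pop(sid, None)  # the server forgets the ID

    def read_mail(self, sid):
        rec = self._sessions.get(sid)
        if rec is None:
            raise PermissionError("no such session")
        now = self._clock()
        if (now - rec["last_seen"] > self.IDLE_SECONDS
                or now - rec["created"] > self.ABSOLUTE_SECONDS):
            del self._sessions[sid]
            raise PermissionError("session expired")
        rec["last_seen"] = now
        return MAILBOXES[rec["user"]]


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


def reuse_after_logout(store):
    """Victim logs in, reads mail, logs out; an attacker who captured the ID
    (shared terminal, logged URL, sniffed cookie) replays it afterwards.
    Returns True if the replay yields the mailbox."""
    sid = store.login("alice")
    store.read_mail(sid)
    store.logout(sid)
    try:
        store.read_mail(sid)
        return True
    except PermissionError:
        return False


def reuse_after_idle(clock, seconds):
    """Attacker replays a hardened session's ID after `seconds` of inactivity.
    Returns True if the replay yields the mailbox."""
    store = HardenedSessions(clock)
    sid = store.login("alice")
    clock.now += seconds
    try:
        store.read_mail(sid)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("weak store, replay after logout:", reuse_after_logout(NeverInvalidatedSessions()))
    print("hardened, replay after logout:", reuse_after_logout(HardenedSessions()))
    print("hardened, replay after 16 min idle:", reuse_after_idle(FakeClock(), 16 * 60))
```

    The point of the contrast is that the secrecy of the session ID alone is
    not the whole story: a random, unguessable ID that is never invalidated
    still lets anyone who later obtains it (a shared machine, a proxy log, a
    leaked referer) piggyback the account, which is the kind of exposure the
    article's paragraph describes. Server-side invalidation and lifetimes
    bound how long a captured ID remains useful.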
    
    About six months later, according to defensive filings, McDanel
    discovered that Tornado had never fixed the vulnerability he
    discovered. Using the moniker "Secret Squirrel" he sent a single email
    to about 5600 of Tornado's customers over the course of three days,
    staggering the release each day to prevent flooding Tornado's email
    servers.
    
    The email told Tornado's customers about the vulnerability, and
    directed them to his own website for information about it.
    
    So what did Tornado do? First, they scrambled to delete their own
    customers' emails (without their permission) to prevent them from
    learning about the vulnerability. Then they took other steps to
    conceal the hole. Ultimately, they fixed the vulnerability, and
    upgraded their general security.
    
    For his efforts, McDanel was arrested, tried, convicted and sentenced
    to 16 months in the federal pokey, which he has now served. He has
    appealed his conviction to the federal Ninth Circuit Court of Appeals.
    
    It's important to note that McDanel was prosecuted not for a denial of
    service attack against Tornado by an email flood, but apparently
    because Tornado, and the government, were unhappy with the content of
    the email message and associated web page - content that is
    presumptively protected by the First Amendment. The "losses" suffered
    by Tornado, were only in lost reputation and lost clients. There was
    no evidence that McDanel or anyone else ever exploited the
    vulnerability.
    
    To put McDanel in jail, the government adopted a rather unique
    interpretation of the federal computer crime statute.
    
    The applicable language in the Computer Fraud and Abuse Act makes it a
    crime to "knowingly cause the transmission of information and as a
    result of such conduct, intentionally cause any impairment to the
    integrity or availability of data, a program, a system, or information
    without authorisation." Ordinarily, this is used to go after people
    who distribute worms or viruses, mailbombs and Trojan horses: things
    that actually shut down or affect the computer system itself.
    
    
    More Oversight Needed
    
    In this case, the government argued that the Secret Squirrel's missive
    itself - whether posted on his own webpage or emailed to Tornado's
    customers (or, presumably, posted to any other public source)  
    "impaired the integrity" of Tornado's computers or network. The
    government argued that the message was incorrect, useful to would-be
    attackers, and was intentionally designed to give Tornado trouble.
    
    Because McDanel revealed the flaw publicly (having previously revealed
    it privately to Tornado to no avail) he could be prosecuted, because,
    according to the government, "the public now knew about a flaw in the
    Tornado system, how that flaw worked, what that flaw could get
    somebody who exploited the flaw, and in fact a how-to manual about how
    to exploit that flaw".
    
    Had the government merely gone after McDanel for a spam denial of
    service, or "email bomb" theory, and had they proven that the emails
    themselves slowed down or materially impaired the availability of
    Tornado's computers, there would likely be little chance on appeal
    (though a California State Supreme Court decision recently held that a
    massive email sent by an ex-Intel employee to his former colleagues
    was protected free speech where the effect on the mail servers was
    minimal.) If the email was intended to, and actually operated as, a
    denial of service attack - well, case closed.
    
    But the government here has stretched the federal computer crime
    statute to include not only attacks on computers or networks, but the
    dissemination of information about vulnerabilities. They've expanded
    the definition of "impairing the integrity" of such affected systems.  
    This is a dangerously slippery slope.
    
    There is little doubt that what McDanel did was irresponsible and
    malicious. But, assuming the vulnerability existed, what were his
    alternatives? He had already told senior management about the hole,
    and they did not fix it. He could have told them again, and hoped that
    they took it more seriously. If he threatened to expose the
    vulnerability to force them to fix it, he could be prosecuted for
    extortion. And posting the vulnerability to a newsgroup or security
    organisation, instead of the customers, would be a fruitless exercise
    unless he detailed the entity that was suffering from the hole, and
    then would-be attackers would know who to attack, and Tornado would be
    in a worse position.
    
    He likewise could have notified some governmental agency - but
    frankly, there is no government agency with a mandate to provide
    security advice to email carriers. So, he notified Tornado customers
    directly that their email accounts were at risk. He didn't exploit the
    vulnerability, encourage or conspire with others to exploit it. He
    didn't reveal the vulnerability to an underground hacker organisation.  
    He told the affected people. For this, he went to jail.
    
    He could have explained to the customers that their information was at
    risk, without revealing quite so much detail. But according to the
    government's theory of liability, this would not have prevented his
    prosecution. Moreover, as is frequently the case with security
    vulnerabilities, this likely would have prompted a quick denial by
    Tornado that any such bug existed - and they may or may not have fixed
    it.
    
    Under the theory articulated by the government, the transmission of
    any information that can be used by others to impair the integrity of
    a computer system (or cause loss of reputation) if done without
    authorisation (and who would authorise it?) is a federal crime.
    
    The law requires the impairment to be "intentional," but under US case
    law a person is presumed to intend "the natural and probable
    consequences of his or her actions." You know that revealing the
    vulnerability will embarrass the company, and this fact alone "impairs
    the integrity" of the network, according to the government's theory.
    
    If you were to come into my office and ask my legal opinion about
    whether you should reveal a vulnerability under this interpretation of
    "impairing the integrity" of a computer, I would have to tell you that
    it was a federal felony to do so.
    
    What we really need is for Congress to produce stringent guidelines
    for prosecutors about what kinds of conduct "impairs" integrity, and
    therefore runs afoul of the criminal law. These guidelines should be
    binding on all federal and state prosecutors so there is a clear
    understanding about what people in McDanel's position are permitted to
    do.
    
    A code of conduct for security specialists with clear guidelines on
    what they can do when a company or entity refuses to fix a
    vulnerability would be helpful as well. Until then, as the canny desk
    sergeant in Hill Street Blues used to say, "Let's be careful out
    there."
    
    
    SecurityFocus columnist Mark D Rasch, J.D., is a former head of the
    Justice Department's computer crime unit, and now serves as Senior VP
    and Chief Security Counsel at Solutionary, Inc.
    
    
    