Full Disclosure mailing list archives
RE: Disclose a bug, do not pass go, go directly to jail
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Fri, 8 Aug 2003 11:51:11 -0400
I just found this FBI press release on the case which says something a bit different. It claims that Bret set up a Web site that gives details of the problem:

http://www.fbi.gov/fieldnews/march/la032503.htm

The FBI also portrays Bret as a spammer for sending out 14,000 email messages on three occasions. How come none of the real spammers who send out millions of unsolicited spam email messages every day aren't in jail for overloading email servers? For example, two years ago Verizon email basically stopped working for a week because of a spammer attack.

Richard

-----Original Message-----
From: Stephen Clowater [mailto:steve () stevesworld hopto org]
Sent: Friday, August 08, 2003 2:32 PM
To: Richard M. Smith; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Disclose a bug, do not pass go, go directly to jail

No, Bret had fears that the bug may be exploited once it was disclosed on a List, so he emailed the customers to only let them know about the bug. In hopes of heading off a mass-owning of the software, while making sure the customers were informed. So that the bug would be fixed. Or that was what he testified to when he took the stand, and he maintained it during cross-examinations.

----- Original Message -----
From: "Richard M. Smith" <rms () computerbytesman com>
To: <full-disclosure () lists netsys com>
Sent: Friday, August 08, 2003 11:18 AM
Subject: [Full-disclosure] Disclose a bug, do not pass go, go directly to jail

Does anyone know if this Tornado bug was ever disclosed on Bugtraq or any other security list? For the description of this incident, it sounds to me like there might be a civil case against Mr. McDanel, since he worked for Tornado and likely signed some sort of employee agreement, but this hardly qualifies as a criminal matter.

Richard

Jailbird appeals in bug disclosure case
http://www.theregister.co.uk/content/55/32237.html
By SecurityFocus
Posted: 08/08/2003 at 07:45 GMT

Bret McDanel already served his 16 months in federal prison for violating the Federal Computer Fraud and Abuse Act. Now he wants to clear his record.

McDanel was wrongly convicted under the federal computer fraud statute, criminal code 18 U.S.C. 1030, claims a 62-page appeal filed on McDanel's behalf by his new attorney, Jennifer Granick, clinical director for the Center for Internet and Society at Stanford Law School. The criminal code was misinterpreted to bring about his conviction, and McDanel's public defender denied him a fair trial, asserts the brief, filed Wednesday in the Ninth Circuit Court of Appeals.

Between August 31 and September 5th, 2000, the 29-year-old McDanel, under the moniker, "Secret Squirrel," sent 5,600 e-mail letters to customers of his former employer, Tornado Development, Inc., a Los Angeles-based unified messaging business that provided Web-based e-mail, voice mail and other communications. McDanel's e-mails informed Tornado's customers of a serious vulnerability in the e-mail system which left e-mail login credentials, called Network Identifiers or NIDs, in plain view in their Web browser address boxes, which could then be scooped up by Web sites that harvest surfing information from visitors' browsers.

According to prosecutors, McDanel intended to cause damage to Tornado's mail server by overloading it with too many messages, and caused a costly public relations problem by making public confidential information that was damaging to Tornado's reputation.

But the appeal brief claims that the e-mails did not cause a denial of service. Instead, the systems were taken down to repair the security flaw, which McDanel had pointed out a year earlier at Tornado.

The government's other argument was that McDanel impaired system integrity by exposing the vulnerability publicly. Granick says that doesn't fly under existing law.

....

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Disclose a bug, do not pass go, go directly to jail Richard M. Smith (Aug 08)
- Re: Disclose a bug, do not pass go, go directly to jail Stephen Clowater (Aug 08)
- RE: Disclose a bug, do not pass go, go directly to jail Richard M. Smith (Aug 08)
- Re: Disclose a bug, do not pass go, go directly to jail Stephen Clowater (Aug 08)
- Re: Disclose a bug, do not pass go, go directly to jail morning_wood (Aug 08)
- RE: Disclose a bug, do not pass go, go directly to jail Richard M. Smith (Aug 08)
- <Possible follow-ups>
- Re: Disclose a bug, do not pass go, go directly to jail Stephen Clowater (Aug 08)
- Re: Disclose a bug, do not pass go, go directly to jail Stephen Clowater (Aug 08)