Interesting People mailing list archives
Whistle Blower in Prison for Disclosing Security Hole? More insightfull details from an insider (unconfirmed yet)
From: Dave Farber <dave () farber net>
Date: Wed, 20 Aug 2003 16:28:05 -0400
Date: Wed, 20 Aug 2003 22:11:34 +0200 From: Egor Kobylkin <egor () kobylkin com> Subject: For IP: Whistle Blower in Prison for Disclosing Security Hole? More insightfull details from an insider (unconfirmed yet) To: dave () farber net > ---------------------------------------------------------------------- > From: Dave Farber <dave () farber net> > Subject: Whistle Blower in Prison for Disclosing > Security Hole? (fwd) > Date: Tue, 19 Aug 2003 18:03:35 -0400 .... > >The Sad Tale of a Security Whistleblower > >Federal prosecutors in California went too far when they put a man in prison > >for disclosing a website security hole to the people at risk from it. > >By Mark Rasch Aug 18 2003 05:00AM PT > > .... Dave, there is a very interesting and insightfull comment posted to the same site by somebody claiming to be an insider. I want to point your attention, because the fact that the Whistleblower (former employee) was able to collect 5,600 user email addresses of his former employer to sent his email to, itself raises serious doubts of his personal integrity. So I would rather take the content of the article with a grain of salt and pay attention to the comment below: http://www.securityfocus.com/columnists/179/comment/21596#MSG I was there when this happened by Anonymous Aug 19 2003 6:46AM I can confirm that Bret McDanel is no hero. He's actually quite an asshole. The kind of guy who spits out a nasty insult about reading the man page when you ask him how to set up a VPN so you can help a customer. He seemed to really enjoy carrying grudges against people. I had the distinct displeasure of working with him at Tornado, I was the on-duty sysadmin when the attack occurred, and I was one of the witnesses at the trial against him. Bret was not prosecuted for revealing a security vulnerability. He was prosecuted for DOS'ing our server. He sent 14,000 emails to our system, and it overloaded and stopped accepting mail. He did this several times, and knew it overloaded the system when he did it, and knew the FBI had been called after the first time, so nobody needs to feel sorry for him. Holding him up as a martyr or hero is just asinine, but it speaks volumes about how our media works these days. Of course, there's plenty of culpability to go around...the main server was a Sun Enterprise 4500 with 4x450 CPU and 4Gb RAM. A machine like that should swallow 14,000 emails without a trace. Of course, Tornado's brain-dead custom system implementation meant that every single incoming email spawned off an SQL script to take the message apart and inject it into the database, and a shell process to control the SQL script. The system load went over 100. I had to write a script to kill off all the processes. Since the load was so high, sendmail stopped accepting incoming mail and the rest of the spam piled up on the backup server, where it was rm'd. So, it was Bret's fault for spamming us, but it was Tornado's fault for such a painfully bad email processing method. This actually raises the most interesting question of all, is it a crime to knock down a system that was incompetently implemented? Of course, the email system was not the only part of the system that was breakable...we had system outages several times a week from different causes, and really, the Bret thing was not that bad, being in that it was easily identifiable and fixable. Another fun thing was that Tornado initially claimed $300,000 in losses from the incident. This is important because the FBI will not get involved with anything under $50,000. This figure was later reduced (much, much later) to $9,000. Oh yeah, what else...Tornado's great email implementation also meant that we had to run an open relay, which was frequently abused. We sent out hundreds of thousands of nigerian bank account emails. A manager who took a stand and turned off the relaying one weekend was demoted and ultimately fired. Basically Tornado was a bunch of Windows developers who couldn't use Windows to implement their custom email/fax/paging application because Windows wouldn't scale to the sizes they needed. So they had to use Unix, and they didn't know anything about Unix, and they made just about all of the predictable errors that the ignorant make. In conclusion, it's scary that every time this story comes up, there's a different (wrong) angle on it. -- Egor Kobylkin.com Emails welcome in English, German, Russian and Spanish
------------------------------------- You are subscribed as interesting-people () lists elistx com To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- Whistle Blower in Prison for Disclosing Security Hole? More insightfull details from an insider (unconfirmed yet) Dave Farber (Aug 20)