Point Out A Security Vulnerability, Go To Jail
from the the-anti-whistleblowing-culture dept
Last year, Time’s “People of the Year” were three whistleblowers who brought attention to the various corporate scandals. While the government keeps saying it’s important for those who know about corporate scams to blow the whistle, the same apparently does not apply to technology vulnerabilities. Blowing the whistle on security vulnerabilities can be considered a felony for which you can serve time in jail. The article describes the case of a guy working at an ISP who discovered a security hole in their webmail application, which he reported to management. Management did nothing about it, and the guy eventually left to work elsewhere. A few months later, after determining that the security hole was still open, he spammed all of their customers to tell them about the hole. Now, his method was not particularly smart, but he wasn’t sued for spamming. He was charged with a felony for “impairing the integrity” of a network, and spent 16 months in jail. This is, of course, ridiculous – because it wasn’t he who impaired the integrity of the network, but those who, upon being alerted, refused to fix it.
Comments on “Point Out A Security Vulnerability, Go To Jail”
Security solely through obscurity
I agree that McDanel probably shouldn’t have done what he did; after all, sending SPAM is not a good idea. However, the fact that he was arrested for exposing a hole in the system is ridiculous. Then again, I myself was threatened several times with unemployment or civil/criminal prosecution for bugs I’ve discovered and published. Luckily, I outlived at least one of the companies who threatened me. This is unfortunately a common business practice for over-litigious businesses who would rather save their “good” name than fix errors in their software.
The unfortunate thing is not that companies use lawsuits and law enforcement officers to hide security faults, but the fact that we, as customers, don’t demand more of the vendors. If we would stand up as a collective group and not support those companies who do this, the stupidity would stop. However, I find myself usually on the receiving end of anger and hatred for even mentioning that we should fight back, because most customers *want* to be sheep, and would much rather not care about security issues, and certainly would not want to stand up since obviously the company knows best.
Then again, if companies view me, a security researcher, as a thorn in their side for exposing vulnerabilities in their software, and they retaliate, like McDanel, I am ready to take the punishment too. Hopefully as more of these cases are exposed, more people will be aware of the stupidity, and more changes will occur.
Bad.....
That is bogus. It is illegal to prosecute someone for revealing bugs and such. Revealing bugs and such is a right granted by the US constitution. The most important amendment, too, the first one.
There is no way that someone could in good faith find this practice of bug hunter hunting to be ethical or legal. No laws allow it. And don’t even think of mentioning the DMCA; that isn’t a law (it can’t be, as it doesn’t fit the required criteria), it is an abomination. The DMCA makes CAN-SPAM look like a rosy, positive solution.